Context Navigation

source: trunk/plog-admin/plog-feedback.php @ 569

Revision 569, 11.3 KB checked in by sidtheduck, 2 years ago (diff)
+ Fix for ticket #185 - special characters in album name + Fix for ticket #181 - Edit comment form + Fix for ticket #180 - Manage Feedback notification issues + Fix for possible SQL injection vulnerability found by security tester (Thanks James of GulfTech?!) + Redirect to plog-upload if already logged in and navigating to plog-admin/index.php

Line
1	<?php
2	// load configuration variables from database, plog-globals, & plog-includes/plog-functions
3	require_once(dirname(dirname(__FILE__))."/plog-load-config.php");
4	require(PLOGGER_DIR."plog-admin/plog-admin.php");
5	require_once(PLOGGER_DIR."plog-admin/plog-admin-functions.php");
6
7	global $inHead;
8
9	$inHead = '<script src="js/ajax_editing.js" type="text/javascript"></script>';
10
11	$output = "\n\t" . '<h1>'. plog_tr("Manage Feedback") . '</h1>' . "\n";
12
13	if (isset($_REQUEST['action'])) {
14	if ($_REQUEST['action'] == "approve-delete") {
15	// here we will determine if we need to perform an approved or delete action.
16	$num_items = 0;
17
18	// perform the delete function on the selected items
19	if (isset($_REQUEST['delete_checked'])) {
20	if (isset($_REQUEST['selected'])) {
21	foreach($_REQUEST['selected'] as $del_id) {
22	// lets build the query string
23	$del_id = intval($del_id);
24
25	$query = "DELETE FROM ".TABLE_PREFIX."comments WHERE `id`= '".$del_id."'";
26	$result = run_query($query);
27
28	$num_items++;
29	}
30
31	$output .= "\n\t".'<p class="actions">'.sprintf(plog_tr('You have deleted %d comment(s) successfully.'),$num_items).'</p>';
32
33	} else{
34	$output .= "\n\t".'<p class="errors">'.plog_tr('Nothing selected to delete!').'</p>';
35	}
36	} else if (isset($_REQUEST['approve_checked'])) {
37	// set the approval bit to 1 for all selected comments
38
39	if (isset($_REQUEST['selected'])) {
40	foreach($_REQUEST['selected'] as $appr_id) {
41	// lets build the query string
42	$appr_id = intval($appr_id);
43
44	$query = "UPDATE ".TABLE_PREFIX."comments SET `approved` = 1 WHERE `id`= '".$appr_id."'";
45	$result = run_query($query);
46
47	$num_items++;
48	}
49
50	$output .= "\n\t<p class=\"actions\">" . sprintf(plog_tr('You have approved %d comment(s) successfully.'),$num_items) . "</p>";
51	} else {
52	$output .= "\n\t<p class=\"errors\">". plog_tr('Nothing selected to approve!') . "</p>";
53	}
54	}
55	} else if ($_REQUEST['action'] == "edit-comment") {
56	// show the edit form
57	$output .= edit_comment_form($_REQUEST['pid']);
58	$edit_page = 1;
59	} else if ($_REQUEST['action'] == "update-comment") {
60	if (!isset($_REQUEST['cancel'])) {
61	// update comment in database
62	$result = update_comment($_POST['pid'],$_POST['author'],$_POST['email'],$_POST['url'],$_POST['comment']);
63	if (isset($result['errors'])) {
64	$output .= "\n\t" . '<p class="errors">' . $result['errors'] . '</p>';
65	} else if (isset($result['output'])) {
66	$output .= "\n\t" . '<p class="actions">' . $result['output'] . '</p>';
67	}
68	}
69	}
70	}
71
72	if (!isset($edit_page)) {
73	// lets iterate through all the content and build a table
74	// set the default level if nothing is specified
75
76	// handle pagination
77	// lets determine the limit filter based on current page and number of results per page
78	if (isset($_REQUEST['entries_per_page'])) {
79	$_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
80	} else if (!isset($_SESSION['entries_per_page'])){
81	$_SESSION['entries_per_page'] = 20;
82	}
83
84	$plog_page = isset($_REQUEST['plog_page']) ? $_REQUEST['plog_page'] : 1; // default to the first page
85
86	$first_item = ($plog_page - 1) * $_SESSION['entries_per_page'];
87	if ($first_item < 0) {
88	$first_item = 0;
89	}
90	$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
91
92	// lets generate the pagination menu as well
93	$recordCount = "SELECT count(*) AS num_comments FROM ".TABLE_PREFIX."comments WHERE `approved` = 1";
94	$totalRowsResult = mysql_query($recordCount);
95	$num_comments = mysql_result($totalRowsResult,"num_comments");
96
97	$query = "SELECT COUNT(*) as in_moderation from ".TABLE_PREFIX."comments WHERE `approved` = 0";
98	$mod_result = run_query($query);
99	$num_comments_im = mysql_result($mod_result, "in_moderation");
100
101	// filter based on whether were looking at approved comments or unmoderated comments
102	if (isset($_REQUEST['moderate']) && $_REQUEST['moderate'] == 1) {
103	$approved = 0;
104	$moderate = 1;
105	} else {
106	$approved = 1;
107	$moderate = 0;
108	}
109	$output .= "\n\t\t" . '<form id="contentList" action="'.$_SERVER['PHP_SELF'].'?moderate='.$moderate.'" method="post">';
110
111	if ($approved) {
112	$pagination_menu = generate_pagination("admin", "feedback", $plog_page, $num_comments, $_SESSION['entries_per_page']);
113	} else {
114	$pagination_menu = generate_pagination("admin", "feedback", $plog_page, $num_comments_im, $_SESSION['entries_per_page'], array("moderate" => 1));
115	}
116	$pagination_menu = "\n\t\t" . '<div class="pagination">'.$pagination_menu.'</div>';
117
118	// generate javascript init function for ajax editing
119	$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `unix_date` from ".TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
120	$result = run_query($query);
121
122	if (mysql_num_rows($result) > 0) {
123	$output .= "\n\t\t" . '<script type="text/javascript">';
124	$output .= "\n\t\t\tEvent.observe(window, 'load', init, false);";
125	$output .= "\n\t\t\tfunction init() {";
126
127	while($row = mysql_fetch_assoc($result)) {
128	$output .= "\n\t\t\tmakeEditable('comment-comment-".$row['id']."');
129	makeEditable('comment-author-".$row['id']."');
130	makeEditable('comment-url-".$row['id']."');
131	makeEditable('comment-email-".$row['id']."');";
132	}
133
134	$output .= "\n\t\t\t}";
135	$output .= "\n\t\t</script>";
136	}
137
138	$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `unix_date` from ".TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
139	$result = run_query($query);
140
141	$empty = 0;
142	$allowedCommentKeys = array("unix_date", "author", "email", "url", "comment");
143	if ($result) {
144	if (mysql_num_rows($result) == 0) {
145	if ($approved) {
146	$output .= "\n\t\t" . '<p class="actions">' . plog_tr('You have no user comments on your gallery.') . '</p>';
147	} else {
148	$output .= "\n\t\t" . '<p class="actions">' . plog_tr('You have no comments waiting for approval.') . '</p>';
149	}
150	$empty = 1;
151	}
152	if ($approved) {
153	if ($num_comments_im > 0) {
154	$output.= "\n\t\t" . '<p class="actions">' . sprintf(plog_tr('You have %d comment(s) waiting for approval.'),$num_comments_im) . ' <a href="plog-feedback.php?moderate=1">' . plog_tr('Click here') . '</a> to review and approve/delete the moderated comment(s).</p>';
155	}
156	}
157
158	$counter = 0;
159	$allowedCommentKeys = array("unix_date", "author", "email", "url", "comment");
160
161	while($row = mysql_fetch_assoc($result)) {
162	// if we're on our first iteration, dump the header
163	if ($counter == 0) {
164	if ($approved) {
165	$output .= "\n\n\t\t" . '<table style="width: 100%;">
166	<tr>
167	<td>' . sprintf(plog_tr('You have <strong>%d</strong> user comment(s).'),$num_comments) . '</td>';
168	} else {
169	$output .= "\n\n\t\t" . '<table style="width: 100%;">
170	<tr>
171	<td>' . sprintf(plog_tr('You have <strong>%d</strong> user comment(s) awaiting approval.'),$num_comments_im) . '</td>';
172	}
173
174	// output view entries pagination control
175	$output .= "\n\t\t\t\t" . '<td align="right">'.generate_pagination_view_menu().'
176	</td>
177	</tr>
178	</table>';
179
180	if (!$empty) { $output .= $pagination_menu; }
181
182	$output .= "\n\n\t\t" . '<table style="width: 100%;" cellpadding="4">
183	<tr class="header">
184	<th class="table-header-left"></th>
185	<th class="table-header-middle">' . plog_tr('Thumb') . '</th>';
186
187	foreach ($row as $name => $value) {
188	if (in_array($name, $allowedCommentKeys)) {
189	$output .= "\n\t\t\t\t<th class=\"table-header-middle\">". plog_tr(ucfirst($name)) ."</th>";
190	}
191	}
192
193	$output .= "\n\t\t\t\t" . '<th class="table-header-right">' . plog_tr('Actions') . '</th>
194	</tr>';
195	}
196
197	if ($counter%2 == 0) {
198	$table_row_color = "color-1";
199	} else {
200	$table_row_color = "color-2";
201	}
202
203	// start a new table row (alternating colors)
204	$output .= "\n\t\t\t".'<tr class="'.$table_row_color.'">';
205
206	// give the row a checkbox
207	$output .= "\n\t\t\t\t" . '<td><input type="checkbox" name="selected[]" value="'.$row['id'].'" /></td>';
208
209	// give the row a thumbnail, we need to look up the parent picture for the comment
210	$picture = get_picture_by_id($row['parent_id']);
211	$thumbpath = generate_thumb($picture['path'], $picture['id'], THUMB_SMALL);
212
213	// generate XHTML with thumbnail and link to picture view.
214	$imgtag = '<img src="'.$thumbpath.'" title="'.$picture['caption'].'" alt="'.$picture['caption'].'" />';
215	$output .= "\n\t\t\t\t" . '<td><div class="img-shadow"><a href="'.generate_thumb($picture['path'], $picture['id'], THUMB_LARGE).'" rel="lightbox" title="'.plogger_get_picture_caption().'">'.$imgtag.'</a></div></td>';
216
217	foreach ($row as $key => $value) {
218	$value = htmlspecialchars($value);
219	$value = SmartStripSlashes($value);
220
221	if ($key == "unix_date") {
222	$output .= "\n\t\t\t\t" . '<td>'.date($config['date_format'], $value).'</td>';
223	} else if ($key == "allow_comments") {
224	if ($value) {
225	$output .= "\n\t\t\t\t<td>". plog_tr('Yes') . "</td>";
226	} else {
227	$output .= "\n\t\t\t\t<td>" . plog_tr('No') . "</td>";
228	}
229	}
230	//else if ($key == "ip") {
231	// $output .= "<td>" . @gethostbyaddr($value) . "</td>";
232	//}
233	else {
234	if (in_array($key, $allowedCommentKeys))
235	$output .= "\n\t\t\t\t".'<td><p id="comment-'.$key.'-'.$row['id'].'">'.$value.' </p></td>';
236	}
237	}
238
239	// $output .= our actions panel
240	$query = "?action=edit-comment&pid=$row[id]";
241	$output .= "\n\t\t\t\t" . '<td>
242	<div>
243	<a href="'.$_SERVER['PHP_SELF'].$query.'&entries_per_page='.$_SESSION['entries_per_page'].'&moderate='.$moderate.'"><img src="'.$config['gallery_url'].'plog-admin/images/edit.gif" alt="'.plog_tr('Edit').'" title="'.plog_tr('Edit').'" /></a>
244	<a href="'.$_SERVER['PHP_SELF'].'?action=approve-delete&delete_checked=1&selected[]='.$row['id'].'&moderate='.$moderate.'" onclick="return confirm(\'' . plog_tr('Are you sure you want to delete this comment?') . '\');"><img src="'.$config['gallery_url'].'plog-admin/images/x.gif" alt="'.plog_tr('Delete').'" title="'.plog_tr('Delete').'" /></a>';
245
246	if (!$approved){
247	$output .= "\n\t\t\t\t\t\t".'<a href="'.$_SERVER['PHP_SELF'].'?action=approve-delete&approve_checked=1&selected[]='.$row['id'].'&moderate=1" onclick="return confirm(\''.plog_tr('Are you sure you want to approve this comment?').'\');"><img src="'.$config['gallery_url'].'plog-admin/images/new_file.gif" alt="'.plog_tr('Approve').'" title="'.plog_tr('Approve').'" /></a>';
248	}
249
250	$output .= "\n\t\t\t\t\t</div>\n\t\t\t\t</td>\n\t\t\t</tr>";
251	$counter++;
252	}
253
254	if ($counter > 0) {
255	$output .= "\n\t\t\t" . '<tr class="footer">
256	<td colspan="9"></td>
257	</tr>
258	</table>';
259	}
260	}
261
262	if (!$empty) {
263	$output .= "\n\n\t\t" . '<div><a href="#" onclick="checkAll(document.getElementById(\'contentList\')); return false;">' . plog_tr('Invert Checkbox Selection') . '</a></div>
264	'.$pagination_menu;
265	}
266
267	$output .= "\n\n\t\t" . '<div>
268	<input type="hidden" name="action" value="approve-delete" />
269	<input class="submit" type="submit" name="delete_checked" onclick="return confirm(\''. plog_tr('Are you sure you want to delete the selected comments?') . '\');" value="' . plog_tr('Delete Checked') . '" />';
270
271	if (!$approved) {
272	$output .= "\n\t\t\t" . '<input class="submit" type="submit" name="approve_checked" onclick="return confirm(\'' . plog_tr('Are you sure you want to approve the selected comments?') . '\');" value="' . plog_tr('Approve Checked') . '" />';
273	}
274
275	$output .= "\n\n\t\t" . '</div>' . "\n\t\t" . '</form>'. "\n";
276	}
277
278	display($output, "feedback");
279
280	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: