source: trunk/plog-comment.php @ 590

Revision 590, 4.8 KB checked in by sidtheduck, 19 months ago (diff)

Large commit based on work with Kim Parsell and myself
Should be ready for a release candidate after this commit.
Items worked on:

  • Large overhaul for code cleanup and syntax standardization
  • Security fixes for folder permissions on all server environments (now all directories should be set to 0755 and all files set to 0644)
  • Works completely with safe_mode restrictions using FTP commands
  • Beginnings of plugin usage (no architecture yet, but start of code standardization and addon code)
  • Fixing comments and adding security
  • More error messages
  • Minor fixes to upgrade and install process
  • Should fix tickets #188, #206, #194, #195, #197, #201, #203, #204, #89, #174, #200
  • Many other minor edits that I can't remember now (hopefully future commits will be much smaller and deal with individual issues, enhancements, or bugs)
1<?php
// this is our comment script: it writes the submitted comment to the database
// and links it to the picture using the picture's id
4
5include_once(dirname(__FILE__).'/plog-load-config.php');
6
7// Loosely validate url string format without actually checking the link (cause that takes time)
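// Loosely validate url string format without actually checking the link (cause that takes time)
//
// Classifies $url by its leading scheme and host name only:
//   'http'   - starts with http:// or https:// followed by a dotted host name
//   'nohttp' - starts with a dotted host name and no scheme (caller prepends http://)
//   'badurl' - anything else (no dot in the host, other schemes such as javascript:, empty)
//
// Only the prefix is inspected: everything after the host (path, query, quotes,
// angle brackets, ...) is accepted verbatim, so callers must still escape the
// value for the context it is printed in. https:// URLs were previously
// rejected as 'badurl'; they are now reported as 'http' and used unchanged.
function is_valid_url($url) {
	if (!is_string($url)) {
		return 'badurl';
	}
	// host = label '.' [label '.'] letters; `#` delimiter so the slashes need no escaping
	if (preg_match('#^https?://[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $url)) {
		return 'http';
	}
	if (preg_match('#^[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $url)) {
		return 'nohttp';
	}
	return 'badurl';
}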
17
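// Syntactic e-mail address check (no DNS or mailbox lookup).
// Based on the is_email function from Wordpress with some additional checks.
// Returns true only for strings of the form local@domain.tld where
//   - there is an '@' and at least one '.', no '..' anywhere,
//   - the address does not start with '.' and has no '.' directly before the '@',
//   - local part is [a-z0-9+_.-], domain labels are [a-z0-9_-], TLD is 2+ letters,
//   - nothing (not even a trailing newline) follows the TLD.
function is_valid_email($email) {
	if (!is_string($email) || $email === '') {
		return false;
	}
	$at = strrpos($email, '@');
	// cheap pre-checks before the regex: an @, a dot, no double dots
	if ($at === false || strpos($email, '.') === false || strpos($email, '..') !== false) {
		return false;
	}
	// no leading dot and no dot right before the '@'; $at < 1 also covers an
	// address starting with '@', which used to index the string at -1
	if ($email[0] == '.' || $at < 1 || $email[$at - 1] == '.') {
		return false;
	}
	// full-syntax check; the D modifier makes '$' match only at the very end of
	// the string, so "user@example.com\n" (which a bare '$' allows) is rejected
	return preg_match("/^([a-z0-9+_]|\\-|\\.)+@(([a-z0-9_]|\\-)+\\.)+[a-z]{2,}\$/iD", $email) === 1;
}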
32
33// set up our error arrays
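// set up our error arrays
$errors = array();
$error_field = array();

// set up all the necessary variables
// (isset() first: a post without 'parent' raised a notice and fell through as 0)
$parent_id = isset($_POST['parent']) ? intval($_POST['parent']) : 0;
$author = $email = $url = $comment = '';

$pic = get_picture_by_id($parent_id);

// check for a redirect, referrer, or default back to the generic Plogger URL
// The chosen value ends up in a Location: header, so it is only honoured when it
// is a relative URL (no scheme, no host) or an http(s) URL whose host is this
// server's. Anything else -- another host, a protocol-relative //host URL,
// javascript:/data: and similar schemes, or a CR/LF -- would make this script an
// open redirect / header-injection point, and is replaced by the picture's own URL.
$candidate = '';
if (isset($_POST['redirect']) && is_string($_POST['redirect']) && $_POST['redirect'] != '') {
	$candidate = $_POST['redirect'];
} else if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != '') {
	// $_SERVER spells it HTTP_REFERER (one R); the HTTP_REFERRER key read before never existed
	$candidate = $_SERVER['HTTP_REFERER'];
}

$redirect = '';
if ($candidate != '' && strpbrk($candidate, "\r\n") === false) {
	$parts = parse_url($candidate);
	// host of this request, without any :port suffix
	$our_host = isset($_SERVER['HTTP_HOST'])
		? (string) parse_url('http://'.$_SERVER['HTTP_HOST'], PHP_URL_HOST)
		: '';
	if (is_array($parts) && !isset($parts['scheme']) && !isset($parts['host'])) {
		// relative URL: the browser resolves it against this site
		$redirect = $candidate;
	} else if (is_array($parts) && isset($parts['scheme']) && isset($parts['host'])
			&& in_array(strtolower($parts['scheme']), array('http', 'https'), true)
			&& $our_host != '' && strcasecmp($parts['host'], $our_host) === 0) {
		$redirect = $candidate;
	}
}
if ($redirect == '') {
	$redirect = generate_url('picture', $parent_id);
}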
51
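// Nothing below runs unless comments are enabled both globally and on this
// picture. !empty() also covers get_picture_by_id() returning false/null for
// an unknown id, where the plain $pic['allow_comments'] lookup raised a notice.
if (!empty($config['allow_comments']) && !empty($pic['allow_comments'])) {
	// Form token: the value the form echoed must come back unchanged. Both sides
	// are checked with isset() so a missing session token can never compare
	// equal (and raises no notice), and the POST value must be a string, not an array.
	if (isset($_POST['plogger-token']) && isset($_SESSION['plogger-token'])
			&& is_string($_POST['plogger-token'])
			&& $_POST['plogger-token'] === $_SESSION['plogger-token']) {
		// verify the author / name
		if (isset($_POST['author']) && $_POST['author'] != '') {
			$author = strip_tags(SmartStripSlashes($_POST['author']));
		} else {
			$author = '';
			$errors[] = plog_tr('Author name is missing.');
			$error_field[] = 'author';
		}
		// verify the email
		// The value that is validated is the value that is stored. Previously a
		// strip_tags()'d copy was validated but the raw POST value was saved, so
		// e.g. "a<b>@example.com" passed the check and reached the database intact.
		if (isset($_POST['email']) && $_POST['email'] != '') {
			$clean_email = strip_tags(SmartStripSlashes($_POST['email']));
			if (is_valid_email($clean_email)) {
				$email = $clean_email;
			} else {
				$email = '';
				$errors[] = plog_tr('The email address you entered does not appear to be valid.');
				$error_field[] = 'email';
			}
		} else {
			$email = '';
			$errors[] = plog_tr('You forgot to enter an email.');
			$error_field[] = 'email';
		}
		// verify the website url if set
		// Stripped like the other fields (it was stored raw before) and classified
		// once. is_valid_url() only inspects the leading scheme and host name, so
		// whatever follows the host is stored verbatim: the template that prints
		// this value must still HTML-escape it.
		if (isset($_POST['url']) && $_POST['url'] != '') {
			$clean_url = strip_tags(SmartStripSlashes($_POST['url']));
			$url_kind = is_valid_url($clean_url);
			if ($url_kind == 'http') {
				$url = $clean_url;
			} else if ($url_kind == 'nohttp') {
				$url = 'http://'.$clean_url;
			} else {
				$url = '';
				$errors[] = plog_tr('The website URL you entered does not appear to be valid.');
				$error_field[] = 'url';
			}
		} else {
			$url = '';
		}
		// verify the comment
		if (isset($_POST['comment']) && $_POST['comment'] != '') {
			// should we strip tags out for now and put limited allowability in later?
			$comment = strip_tags(SmartStripSlashes($_POST['comment']));
		} else {
			$comment = '';
			$errors[] = plog_tr('You forgot to enter a comment.');
			$error_field[] = 'comment';
		}

		// If the captcha is required, check it here
		if (isset($_SESSION['require_captcha']) && $_SESSION['require_captcha'] === true) {
			// Compared as strings with !==: the loose != compares numeric-looking
			// strings as numbers ("10" == "1e1"), which is not what a CAPTCHA wants.
			// The casts keep an integer stored in the session comparable to the POST string.
			// NOTE(review): the solved value stays in $_SESSION['captcha'] afterwards;
			// if the form does not issue a fresh one on every display, unset it here.
			if (!isset($_POST['captcha']) || !is_string($_POST['captcha']) || !isset($_SESSION['captcha'])
					|| (string) $_POST['captcha'] !== (string) $_SESSION['captcha']) {
				$errors[] = plog_tr('CAPTCHA check failed.');
				$error_field[] = 'captcha';
			}
		}

		if (empty($errors)) {
			$rv = add_comment($parent_id, $author, $email, $url, $comment);
			// we're done with this so empty it out to stop double posts
			unset($_POST);
			if (isset($rv['errors'])) {
				$errors = $rv['errors'];
			} else if ($config['comments_moderate']) {
				$_SESSION['comment_moderated'] = 1;
			}
		}
		// single-use token: a replay of the same form post fails the check above
		unset($_SESSION['plogger-token']);
	} else {
		// missing form token
		$errors = array(plog_tr('Spam token missing or does not match!'));
	}
} else {
	// comments are not on
	$errors = array(plog_tr('Comments are disabled. You are unable to add a comment!'));
}

if (!empty($errors)) {
	// set the errors for form display
	$_SESSION['comment_post_error'] = $errors;
	// set the session form variables so users don't have to re-enter their information
	$_SESSION['plogger-form'] = array(
		'author' => $author,
		'email' => $email,
		'url' => $url,
		'comment' => $comment
	);
	$_SESSION['plogger-form-error'] = $error_field;
} else {
	// clear out the session form variables if no errors
	unset($_SESSION['plogger-form']);
	unset($_SESSION['plogger-form-error']);
}
close_db();
// redirect back
header('Location: '.$redirect);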
147
148?>