/*
* Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
- * Copyright (C) 2002-2007 The Nucleus Group
+ * Copyright (C) 2002-2010 The Nucleus Group
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* A class representing the comments (all of them) for a certain post on a ceratin blog
*
* @license http://nucleuscms.org/license.txt GNU General Public License
- * @copyright Copyright (C) 2002-2007 The Nucleus Group
- * @version $Id: COMMENTS.php,v 1.9 2007-03-20 19:31:29 kmorimatsu Exp $
- * $NucleusJP: COMMENTS.php,v 1.8 2007/03/13 05:12:19 shizuki Exp $
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group
+ * @version $Id$
+ * $NucleusJP: COMMENTS.php,v 1.9.2.1 2007/08/08 05:32:21 kimitake Exp $
*/
if ( !function_exists('requestVar') ) exit;
function COMMENTS($itemid) {
$this->itemid = intval($itemid);
}
+
/**
* Used when parsing comments
*
. ' ORDER BY c.ctime';
$comments = sql_query($query);
- $this->commentcount = mysql_num_rows($comments);
+ $this->commentcount = sql_num_rows($comments);
}
// if no result was found
$parser->parse($template['COMMENTS_HEADER']);
- while ( $comment = mysql_fetch_assoc($comments) ) {
+ while ( $comment = sql_fetch_assoc($comments) ) {
$comment['timestamp'] = strtotime($comment['ctime']);
$actions->setCurrentComment($comment);
$actions->setHighlight($highlight);
$parser->parse($template['COMMENTS_FOOTER']);
- mysql_free_result($comments);
+ sql_free_result($comments);
return $this->commentcount;
}
. ' FROM '.sql_table('comment').' as c'
. ' WHERE c.citem='. $this->itemid;
$res = sql_query($query);
- $arr = mysql_fetch_row($res);
+ $arr = sql_fetch_row($res);
return $arr[0];
}
-
+ /**
+ * Adds a new comment to the database
+ */
function addComment($timestamp, $comment) {
global $CONF, $member, $manager;
$item =& $manager->getItem($this->itemid, 0, 0);
$mailto_title = _NOTIFY_NC_TITLE . ' ' . strip_tags($item['title']) . ' (' . $this->itemid . ')';
- $frommail = $member->getNotifyFromMailAddress($comment['userid']);
+ $frommail = $member->getNotifyFromMailAddress($comment['email']);
$notify =& new NOTIFICATION($settings->getNotifyAddress());
$notify->notify($mailto_title, $mailto_msg , $frommail);
$manager->notify('PreAddComment',array('comment' => &$comment, 'spamcheck' => &$spamcheck));
- $name = addslashes($comment['user']);
- $url = addslashes($comment['userid']);
- $email = addslashes($comment['email']);
- $body = addslashes($comment['body']);
- $host = addslashes($comment['host']);
- $ip = addslashes($comment['ip']);
+ $name = sql_real_escape_string($comment['user']);
+ $url = sql_real_escape_string($comment['userid']);
+ $email = sql_real_escape_string($comment['email']);
+ $body = sql_real_escape_string($comment['body']);
+ $host = sql_real_escape_string($comment['host']);
+ $ip = sql_real_escape_string($comment['ip']);
$memberid = intval($comment['memberid']);
$timestamp = date('Y-m-d H:i:s', $comment['timestamp']);
$itemid = $this->itemid;
+ $qSql = 'SELECT COUNT(*) AS result '
+ . 'FROM ' . sql_table('comment')
+ . ' WHERE '
+ . 'cmail = "' . $url . '"'
+ . ' AND cmember = "' . $memberid . '"'
+ . ' AND cbody = "' . $body . '"'
+ . ' AND citem = "' . $itemid . '"'
+ . ' AND cblog = "' . $blogid . '"';
+ $result = (integer) quickQuery($qSql);
+ if ($result > 0) {
+ return _ERROR_BADACTION;
+ }
+
$query = 'INSERT INTO '.sql_table('comment').' (CUSER, CMAIL, CEMAIL, CMEMBER, CBODY, CITEM, CTIME, CHOST, CIP, CBLOG) '
. "VALUES ('$name', '$url', '$email', $memberid, '$body', $itemid, '$timestamp', '$host', '$ip', '$blogid')";
sql_query($query);
// post add comment
- $commentid = mysql_insert_id();
+ $commentid = sql_insert_id();
$manager->notify('PostAddComment',array('comment' => &$comment, 'commentid' => &$commentid, 'spamcheck' => &$spamcheck));
// succeeded !
return true;
}
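Review bot: The duplicate-comment guard added before the INSERT (the COUNT(*) query through the `_ERROR_BADACTION` return) runs after the notification block earlier in the hunk, so in the order shown a rejected duplicate still sends the notify mail and fires PreAddComment; unless elided context reorders this, the guard belongs ahead of the notification. The guard also reads `$blogid`, which is not assigned anywhere in the visible lines — presumably it is set in dropped context, since the INSERT already used it, but that should be confirmed. The new docblock should state the changed return contract, because the function now returns either a boolean or an error constant: `@return bool|string true on success, _ERROR_BADACTION when an identical comment already exists`. Note also that the COUNT and the INSERT are separate statements, so two simultaneous identical submissions can both pass the check and both be stored; a unique key or a transaction would be needed if that case matters.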
-
- function isValidComment($comment, & $spamcheck) {
+ /**
+ * Checks if a comment is valid and call plugins
+ * that can check if the comment is a spam comment
+ */
+ function isValidComment(&$comment, & $spamcheck) {
global $member, $manager;
-
+
// check if there exists a item for this date
$item =& $manager->getItem($this->itemid,0,0);
-
- if (!$item)
+
+ if (!$item) {
return _ERROR_NOSUCHITEM;
-
- if ($item['closed'])
+ }
+
+ if ($item['closed']) {
return _ERROR_ITEMCLOSED;
-
+ }
+
+ # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0
+ # original eregi comparison: eregi('[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}', $comment['body']) != FALSE
+
// don't allow words that are too long
- if (eregi('[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}',$comment['body']) != false)
+ if (preg_match('/[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}/', $comment['body']) != 0)
+ {
return _ERROR_COMMENT_LONGWORD;
-
+ }
+
// check lengths of comment
- if (strlen($comment['body'])<3)
+ if (strlen($comment['body'])<3) {
return _ERROR_COMMENT_NOCOMMENT;
-
- if (strlen($comment['body'])>5000)
+ }
+
+ if (strlen($comment['body'])>5000) {
return _ERROR_COMMENT_TOOLONG;
-
+ }
+
// only check username if no member logged in
- if (!$member->isLoggedIn())
+ if (!$member->isLoggedIn()) {
if (strlen($comment['user'])<2)
return _ERROR_COMMENT_NOUSERNAME;
-
- if ((strlen($comment['email']) != 0) && !(isValidMailAddress($comment['email']))) {
+ }
+
+ if ((strlen($comment['email']) != 0) && !(isValidMailAddress(trim($comment['email']) ) ) )
return _ERROR_BADMAILADDRESS;
}
-
+
// let plugins do verification (any plugin which thinks the comment is invalid
// can change 'error' to something other than '1')
$result = 1;