X-Git-Url: http://git.sourceforge.jp/view?p=nucleus-jp%2Fnucleus-jp-ancient.git;a=blobdiff_plain;f=utf8%2Fnucleus%2Flibs%2FCOMMENTS.php;h=d49f655479a172783a44452b931ec2b257e73f7f;hp=001b1751144c64347c06e7d35acf8c331fc8028e;hb=7a9ab741d74fc3e819af9b1e23a2bb6a28e00297;hpb=00caac4f47daa638a06ebe20b751a24bc8b8e1ec diff --git a/utf8/nucleus/libs/COMMENTS.php b/utf8/nucleus/libs/COMMENTS.php index 001b175..d49f655 100755 --- a/utf8/nucleus/libs/COMMENTS.php +++ b/utf8/nucleus/libs/COMMENTS.php @@ -2,7 +2,7 @@ /* * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/) - * Copyright (C) 2002-2007 The Nucleus Group + * Copyright (C) 2002-2010 The Nucleus Group * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -14,9 +14,9 @@ * A class representing the comments (all of them) for a certain post on a ceratin blog * * @license http://nucleuscms.org/license.txt GNU General Public License - * @copyright Copyright (C) 2002-2007 The Nucleus Group - * @version $Id: COMMENTS.php,v 1.9 2007-03-20 19:31:29 kmorimatsu Exp $ - * $NucleusJP: COMMENTS.php,v 1.8 2007/03/13 05:12:19 shizuki Exp $ + * @copyright Copyright (C) 2002-2010 The Nucleus Group + * @version $Id$ + * $NucleusJP: COMMENTS.php,v 1.9.2.1 2007/08/08 05:32:21 kimitake Exp $ */ if ( !function_exists('requestVar') ) exit; @@ -42,6 +42,7 @@ class COMMENTS { function COMMENTS($itemid) { $this->itemid = intval($itemid); } + /** * Used when parsing comments * @@ -84,7 +85,7 @@ class COMMENTS { . ' ORDER BY c.ctime'; $comments = sql_query($query); - $this->commentcount = mysql_num_rows($comments); + $this->commentcount = sql_num_rows($comments); } // if no result was found 
@@ -102,7 +103,7 @@ class COMMENTS { $parser->parse($template['COMMENTS_HEADER']); - while ( $comment = mysql_fetch_assoc($comments) ) { + while ( $comment = sql_fetch_assoc($comments) ) { $comment['timestamp'] = strtotime($comment['ctime']); $actions->setCurrentComment($comment); $actions->setHighlight($highlight); @@ -113,7 +114,7 @@ class COMMENTS { $parser->parse($template['COMMENTS_FOOTER']); - mysql_free_result($comments); + sql_free_result($comments); return $this->commentcount; } @@ -126,12 +127,14 @@ class COMMENTS { . ' FROM '.sql_table('comment').' as c' . ' WHERE c.citem='. $this->itemid; $res = sql_query($query); - $arr = mysql_fetch_row($res); + $arr = sql_fetch_row($res); return $arr[0]; } - + /** + * Adds a new comment to the database + */ function addComment($timestamp, $comment) { global $CONF, $member, $manager; @@ -246,7 +249,7 @@ class COMMENTS { $item =& $manager->getItem($this->itemid, 0, 0); $mailto_title = _NOTIFY_NC_TITLE . ' ' . strip_tags($item['title']) . ' (' . $this->itemid . ')'; - $frommail = $member->getNotifyFromMailAddress($comment['userid']); + $frommail = $member->getNotifyFromMailAddress($comment['email']); $notify =& new NOTIFICATION($settings->getNotifyAddress()); $notify->notify($mailto_title, $mailto_msg , $frommail); 
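Review bot: In the `@@ -246,7 +249,7 @@` hunk `$frommail` is now derived from `$comment['email']`, a value the commenter supplies, and nothing in the hunk checks it before it goes to `getNotifyFromMailAddress()` and on to `$notify->notify()` as `$frommail`. Whether that helper rejects CR/LF or otherwise validates is not visible here; if it does not, an address with embedded newlines is a classic mail-header injection vector, and the old code at least passed a field that was not meant to be an address. A defensive form at this call site is `$frommail = $member->getNotifyFromMailAddress(isValidMailAddress($comment['email']) ? $comment['email'] : '');`, using the same check the file applies on input, unless the helper is confirmed to do this itself. The enclosing addComment body starts before this hunk and continues after it, so an earlier validation step may already exist on this path.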
@@ -256,62 +259,88 @@ class COMMENTS { $manager->notify('PreAddComment',array('comment' => &$comment, 'spamcheck' => &$spamcheck)); - $name = addslashes($comment['user']); - $url = addslashes($comment['userid']); - $email = addslashes($comment['email']); - $body = addslashes($comment['body']); - $host = addslashes($comment['host']); - $ip = addslashes($comment['ip']); + $name = sql_real_escape_string($comment['user']); + $url = sql_real_escape_string($comment['userid']); + $email = sql_real_escape_string($comment['email']); + $body = sql_real_escape_string($comment['body']); + $host = sql_real_escape_string($comment['host']); + $ip = sql_real_escape_string($comment['ip']); $memberid = intval($comment['memberid']); $timestamp = date('Y-m-d H:i:s', $comment['timestamp']); $itemid = $this->itemid; + $qSql = 'SELECT COUNT(*) AS result ' + . 'FROM ' . sql_table('comment') + . ' WHERE ' + . 'cmail = "' . $url . '"' + . ' AND cmember = "' . $memberid . '"' + . ' AND cbody = "' . $body . '"' + . ' AND citem = "' . $itemid . '"' + . ' AND cblog = "' . $blogid . '"'; + $result = (integer) quickQuery($qSql); + if ($result > 0) { + return _ERROR_BADACTION; + } + $query = 'INSERT INTO '.sql_table('comment').' (CUSER, CMAIL, CEMAIL, CMEMBER, CBODY, CITEM, CTIME, CHOST, CIP, CBLOG) ' . "VALUES ('$name', '$url', '$email', $memberid, '$body', $itemid, '$timestamp', '$host', '$ip', '$blogid')"; sql_query($query); // post add comment - $commentid = mysql_insert_id(); + $commentid = sql_insert_id(); $manager->notify('PostAddComment',array('comment' => &$comment, 'commentid' => &$commentid, 'spamcheck' => &$spamcheck)); // succeeded ! 
return true; } - - function isValidComment($comment, & $spamcheck) { + /** + * Checks if a comment is valid and call plugins + * that can check if the comment is a spam comment + */ + function isValidComment(&$comment, & $spamcheck) { global $member, $manager; - + // check if there exists a item for this date $item =& $manager->getItem($this->itemid,0,0); - - if (!$item) + + if (!$item) { return _ERROR_NOSUCHITEM; - - if ($item['closed']) + } + + if ($item['closed']) { return _ERROR_ITEMCLOSED; - + } + + # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0 + # original eregi comparison: eregi('[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}', $comment['body']) != FALSE + // don't allow words that are too long - if (eregi('[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}',$comment['body']) != false) + if (preg_match('/[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}/', $comment['body']) != 0) + { return _ERROR_COMMENT_LONGWORD; - + } + // check lengths of comment - if (strlen($comment['body'])<3) + if (strlen($comment['body'])<3) { return _ERROR_COMMENT_NOCOMMENT; - - if (strlen($comment['body'])>5000) + } + + if (strlen($comment['body'])>5000) { return _ERROR_COMMENT_TOOLONG; - + } + // only check username if no member logged in - if (!$member->isLoggedIn()) + if (!$member->isLoggedIn()) { if (strlen($comment['user'])<2) return _ERROR_COMMENT_NOUSERNAME; - - if ((strlen($comment['email']) != 0) && !(isValidMailAddress($comment['email']))) { + } + + if ((strlen($comment['email']) != 0) && !(isValidMailAddress(trim($comment['email']) ) ) ) return _ERROR_BADMAILADDRESS; } - + // let plugins do verification (any plugin which thinks the comment is invalid // can change 'error' to something other than '1') $result = 1;
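Review bot: The address check in isValidComment now validates `trim($comment['email'])` but leaves `$comment['email']` itself untrimmed, so a value with surrounding whitespace passes validation while the raw string is what addComment escapes into `$email` and, per the earlier hunk, hands to `getNotifyFromMailAddress()`. Since `$comment` is now taken by reference, normalise once before checking: `$comment['email'] = trim($comment['email']);` followed by `if ((strlen($comment['email']) != 0) && !isValidMailAddress($comment['email'])) return _ERROR_BADMAILADDRESS;`. In the same function, `preg_match(...) != 0` treats a PCRE error (return value `false`) as "no match", so a pattern failure silently accepts the body; `preg_match(...) !== 0` fails closed instead. The new `SELECT COUNT(*)` duplicate check and the `INSERT` that follows are two separate statements with no lock or unique key visible, so two identical submissions racing each other can both pass; that is a hardening note rather than a regression. isValidComment continues past the end of the hunk.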