
Add some code from 3.61. Currently files under /nucleus/libs and /nucleus/libs/sql...
authorsakamocchi <sakamocchi@1ca29b6e-896d-4ea0-84a5-967f57386b96>
Fri, 31 Dec 2010 17:48:22 +0000 (17:48 +0000)
committersakamocchi <sakamocchi@1ca29b6e-896d-4ea0-84a5-967f57386b96>
Fri, 31 Dec 2010 17:48:22 +0000 (17:48 +0000)
git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/nucleus-jp/trunk@1081 1ca29b6e-896d-4ea0-84a5-967f57386b96

31 files changed:
utf8/install/index.php
utf8/nucleus/libs/ACTION.php
utf8/nucleus/libs/ACTIONLOG.php
utf8/nucleus/libs/ACTIONS.php
utf8/nucleus/libs/ADMIN.php
utf8/nucleus/libs/BAN.php
utf8/nucleus/libs/BLOG.php
utf8/nucleus/libs/BODYACTIONS.php
utf8/nucleus/libs/COMMENT.php
utf8/nucleus/libs/COMMENTACTIONS.php
utf8/nucleus/libs/COMMENTS.php
utf8/nucleus/libs/ITEM.php
utf8/nucleus/libs/ITEMACTIONS.php
utf8/nucleus/libs/KARMA.php
utf8/nucleus/libs/MANAGER.php
utf8/nucleus/libs/MEDIA.php
utf8/nucleus/libs/MEMBER.php
utf8/nucleus/libs/PAGEFACTORY.php
utf8/nucleus/libs/PLUGIN.php
utf8/nucleus/libs/PLUGINADMIN.php
utf8/nucleus/libs/SEARCH.php
utf8/nucleus/libs/SKIN.php
utf8/nucleus/libs/TEMPLATE.php
utf8/nucleus/libs/backup.php
utf8/nucleus/libs/globalfunctions.php
utf8/nucleus/libs/mysql.php
utf8/nucleus/libs/showlist.php
utf8/nucleus/libs/sql/mysql.php
utf8/nucleus/upgrades/upgrade1.5.php
utf8/nucleus/upgrades/upgrade2.0.php
utf8/nucleus/upgrades/upgrade2.5.php

index 57fc872..b1c60a1 100755 (executable)
@@ -737,11 +737,11 @@ function doInstall() {
 \r
        // 7. update GOD member\r
        $query = 'UPDATE ' . tableName('nucleus_member')\r
 \r
        // 7. update GOD member\r
        $query = 'UPDATE ' . tableName('nucleus_member')\r
-                  . " SET mname         = '" . addslashes($user_name) . "',"\r
-                  . " mrealname         = '" . addslashes($user_realname) . "',"\r
-                  . " mpassword         = '" . md5(addslashes($user_password) ) . "',"\r
-                  . " murl               = '" . addslashes($config_indexurl) . "',"\r
-                  . " memail           = '" . addslashes($user_email) . "',"\r
+                  . " SET mname         = '" . sql_real_escape_string($user_name) . "',"\r
+                  . " mrealname         = '" . sql_real_escape_string($user_realname) . "',"\r
+                  . " mpassword         = '" . md5(sql_real_escape_string($user_password) ) . "',"\r
+                  . " murl               = '" . sql_real_escape_string($config_indexurl) . "',"\r
+                  . " memail           = '" . sql_real_escape_string($user_email) . "',"\r
                   . " madmin           = 1,"\r
                   . " mcanlogin         = 1"\r
                   . " WHERE"\r
                   . " madmin           = 1,"\r
                   . " mcanlogin         = 1"\r
                   . " WHERE"\r
@@ -751,9 +751,9 @@ function doInstall() {
 \r
        // 8. update weblog settings\r
        $query = 'UPDATE ' . tableName('nucleus_blog')\r
 \r
        // 8. update weblog settings\r
        $query = 'UPDATE ' . tableName('nucleus_blog')\r
-                  . " SET bname  = '" . addslashes($blog_name) . "',"\r
-                  . " bshortname = '" . addslashes($blog_shortname) . "',"\r
-                  . " burl        = '" . addslashes($config_indexurl) . "'"\r
+                  . " SET bname  = '" . sql_real_escape_string($blog_name) . "',"\r
+                  . " bshortname = '" . sql_real_escape_string($blog_shortname) . "',"\r
+                  . " burl        = '" . sql_real_escape_string($config_indexurl) . "'"\r
                   . " WHERE"\r
                   . " bnumber  = 1";\r
 \r
                   . " WHERE"\r
                   . " bnumber  = 1";\r
 \r
@@ -996,7 +996,7 @@ function installCustomPlugs(&$manager) {
 \r
        foreach ($aConfPlugsToInstall as $plugName) {\r
                // do this before calling getPlugin (in case the plugin id is used there)\r
 \r
        foreach ($aConfPlugsToInstall as $plugName) {\r
                // do this before calling getPlugin (in case the plugin id is used there)\r
-               $query = 'INSERT INTO ' . sql_table('plugin') . ' (porder, pfile) VALUES (' . (++$numCurrent) . ', "' . addslashes($plugName) . '")';\r
+               $query = 'INSERT INTO ' . sql_table('plugin') . ' (porder, pfile) VALUES (' . (++$numCurrent) . ', "' . sql_real_escape_string($plugName) . '")';\r
                sql_query($query);\r
 \r
                // get and install the plugin\r
                sql_query($query);\r
 \r
                // get and install the plugin\r
@@ -1005,7 +1005,7 @@ function installCustomPlugs(&$manager) {
                $plugin->plugid = $numCurrent;\r
 \r
                if (!$plugin) {\r
                $plugin->plugid = $numCurrent;\r
 \r
                if (!$plugin) {\r
-                       sql_query('DELETE FROM ' . sql_table('plugin') . ' WHERE pfile=\'' . addslashes($plugName) . '\'');\r
+                       sql_query('DELETE FROM ' . sql_table('plugin') . ' WHERE pfile=\'' . sql_real_escape_string($plugName) . '\'');\r
                        $numCurrent--;\r
                        array_push($aErrors, _ERROR22 . $plugName);\r
                        continue;\r
                        $numCurrent--;\r
                        array_push($aErrors, _ERROR22 . $plugName);\r
                        continue;\r
@@ -1124,8 +1124,8 @@ function doCheckFiles() {
 \r
 function updateConfig($name, $val) {\r
        global $MYSQL_CONN;\r
 \r
 function updateConfig($name, $val) {\r
        global $MYSQL_CONN;\r
-       $name = addslashes($name);\r
-       $val  = trim(addslashes($val) );\r
+       $name = sql_real_escape_string($name);\r
+       $val  = trim(sql_real_escape_string($val) );\r
 \r
        $query = 'UPDATE ' . tableName('nucleus_config')\r
                   . " SET   value = '$val'"\r
 \r
        $query = 'UPDATE ' . tableName('nucleus_config')\r
                   . " SET   value = '$val'"\r
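Review bot: In the first hunk, `mpassword` is set from `md5(sql_real_escape_string($user_password))`, so the stored digest is computed over the SQL-escaped string rather than over the password the installer was given. SQL escaping belongs to the query only; an MD5 hex digest contains nothing that needs escaping, so the line should read `. " mpassword         = '" . md5($user_password) . "',"`. If the login path hashes the raw submitted password (not visible here), any admin password containing `'`, `"`, `\` or a NUL byte would be stored as the hash of a different string and the GOD account could not log in with the password that was entered; the same mismatch existed with `addslashes`, but this commit is the natural place to correct it. Separately, an unsalted MD5 remains the stored credential, which is pre-existing and outside this commit's scope. `doInstall()` begins and ends outside the hunk, as does `updateConfig()` in the last hunk.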
index b8c8732..ea5c3c8 100755 (executable)
  */
 class ACTION
 {
  */
 class ACTION
 {
-    /**
-     *  Constructor for an new ACTION object
-     */
-    function ACTION()
-    {
-        // do nothing
-    }
-
-    /**
-     *  Calls functions that handle an action called from action.php
-     */
-    function doAction($action)
-    {
-        switch($action) {
-            case 'autodraft':
-                return $this->autoDraft();
-                break;
-            case 'updateticket':
-                return $this->updateTicket();
-                break;
-            case 'addcomment':
-                return $this->addComment();
-                break;
-            case 'sendmessage':
-                return $this->sendMessage();
-                break;
-            case 'createaccount':
-                return $this->createAccount();
-                break;
-            case 'forgotpassword':
-                return $this->forgotPassword();
-                break;
-            case 'votepositive':
-                return $this->doKarma('pos');
-                break;
-            case 'votenegative':
-                return $this->doKarma('neg');
-                break;
-            case 'plugin':
-                return $this->callPlugin();
-                break;
-            default:
-                doError(_ERROR_BADACTION);
-        }
-    }
-
-    /**
-     *  Adds a new comment to an item (if IP isn't banned)
-     */
-    function addComment() {
-        global $CONF, $errormessage, $manager;
-
-        $post['itemid'] =   intPostVar('itemid');
-        $post['user'] =     postVar('user');
-        $post['userid'] =   postVar('userid');
-        $post['email'] =   postVar('email');
-        $post['body'] =     postVar('body');
-
-        // set cookies when required
-        $remember = intPostVar('remember');
-        if ($remember == 1) {
-            $lifetime = time()+2592000;
-            setcookie($CONF['CookiePrefix'] . 'comment_user',$post['user'],$lifetime,'/','',0);
-            setcookie($CONF['CookiePrefix'] . 'comment_userid', $post['userid'],$lifetime,'/','',0);
-            setcookie($CONF['CookiePrefix'] . 'comment_email',  $post['email'], $lifetime,'/','',0);
-        }
-
-        $comments = new COMMENTS($post['itemid']);
-
-        $blogid = getBlogIDFromItemID($post['itemid']);
-        $this->checkban($blogid);
-        $blog =& $manager->getBlog($blogid);
-
-        // note: PreAddComment and PostAddComment gets called somewhere inside addComment
-        $errormessage = $comments->addComment($blog->getCorrectTime(),$post);
-
-        if ($errormessage == '1') {
-            // redirect when adding comments succeeded
-            if (postVar('url')) {
-                redirect(postVar('url'));
-            } else {
-                $url = createItemLink($post['itemid']);
-                redirect($url);
-            }
-        } else {
-            // else, show error message using default skin for blog
-            return array(
-                'message' => $errormessage,
-                'skinid' => $blog->getDefaultSkin()
-            );
-        }
-
-        exit;
-    }
-
-    /**
-     *  Sends a message from the current member to the member given as argument
-     */
-    function sendMessage() {
-        global $CONF, $member;
-
-        $error = $this->validateMessage();
-        if ($error != '')
-            return array('message' => $error);
-
-        if (!$member->isLoggedIn()) {
-            $fromMail = postVar('frommail');
-            $fromName = _MMAIL_FROMANON;
-        } else {
-            $fromMail = $member->getEmail();
-            $fromName = $member->getDisplayName();
-        }
-
-        $tomem = new MEMBER();
-        $tomem->readFromId(postVar('memberid'));
-
-        $message  = _MMAIL_MSG . ' ' . $fromName . "\n"
-              . '(' . _MMAIL_FROMNUC. ' ' . $CONF['IndexURL'] .") \n\n"
-              . _MMAIL_MAIL . " \n\n"
-              . postVar('message');
-        $message .= getMailFooter();
-
-        $title = _MMAIL_TITLE . ' ' . $fromName;
-        mb_language('ja');
-        mb_internal_encoding(_CHARSET);
-        @mb_send_mail($tomem->getEmail(), $title, $message, "From: ". $fromMail);
-
-        if (postVar('url')) {
-            redirect(postVar('url'));
-        } else {
-            $CONF['MemberURL'] = $CONF['IndexURL'];
-            if ($CONF['URLMode'] == 'pathinfo')
-            {
-                $url = createLink('member', array('memberid' => $tomem->getID(), 'name' => $tomem->getDisplayName()));
-            }
-            else
-            {
-                $url = $CONF['IndexURL'] . createMemberLink($tomem->getID());
-            }
-            redirect($url);
-        }
-        exit;
-    }
-
-    /**
-     *  Checks if a mail to a member is allowed
-     *  Returns a string with the error message if the mail is disallowed
-     */
-    function validateMessage() {
-        global $CONF, $member, $manager;
-
-        if (!$CONF['AllowMemberMail'])
-            return _ERROR_MEMBERMAILDISABLED;
-
-        if (!$member->isLoggedIn() && !$CONF['NonmemberMail'])
-            return _ERROR_DISALLOWED;
-
-        if (!$member->isLoggedIn() && (!isValidMailAddress(postVar('frommail'))))
-            return _ERROR_BADMAILADDRESS;
-
-        // let plugins do verification (any plugin which thinks the comment is invalid
-        // can change 'error' to something other than '')
-        $result = '';
-        $manager->notify('ValidateForm', array('type' => 'membermail', 'error' => &$result));
-
-        return $result;
-
-    }
-
-    /**
-     *  Creates a new user account
-     */
-    function createAccount() {
-        global $CONF, $manager;
-
-        if (!$CONF['AllowMemberCreate'])
-            doError(_ERROR_MEMBERCREATEDISABLED);
-
-        // evaluate content from FormExtra
-        $result = 1;
-        $data = array('type' => 'membermail', 'error' => &$result);
-        $manager->notify('ValidateForm', &$data);
-
-        if ($result!=1) {
-            return $result;
-        }
-        else {
-
-            // even though the member can not log in, set some random initial password. One never knows.
-            srand((double)microtime()*1000000);
-            $initialPwd = md5(uniqid(rand(), true));
-
-            // create member (non admin/can not login/no notes/random string as password)
-            $name = shorten(postVar('name'), 32, '');
-            $r = MEMBER::create($name, postVar('realname'), $initialPwd, postVar('email'), postVar('url'), 0, 0, '');
-
-            if ($r != 1) {
-                return $r;
-            }
-
-            // send message containing password.
-            $newmem = new MEMBER();
-            $newmem->readFromName($name);
-            $newmem->sendActivationLink('register');
-
-            $manager->notify('PostRegister',array('member' => &$newmem));
-
-            if (postVar('desturl')) {
-                redirect(postVar('desturl'));
-            } else {
-                // header has been already sent, so deleted the line below
-                //header ("Content-Type: text/html; charset="._CHARSET);
-                echo _MSG_ACTIVATION_SENT;
-                echo '<br /><br />Return to <a href="'.$CONF['IndexURL'].'" title="'.$CONF['SiteName'].'">'.$CONF['SiteName'].'</a>';
-                echo "\n</body>\n</html>";
-            }
-            exit;
-        }
-    }
-
-    /**
-     *  Sends a new password
-     */
-    function forgotPassword() {
-        $membername = trim(postVar('name'));
-
-        if (!MEMBER::exists($membername))
-            doError(_ERROR_NOSUCHMEMBER);
-        $mem = MEMBER::createFromName($membername);
-
-        /* below keeps regular users from resetting passwords using forgot password feature
-             Removing for now until clear why it is required.*/
-        /*if (!$mem->canLogin())
-            doError(_ERROR_NOLOGON_NOACTIVATE);*/
-
-        // check if e-mail address is correct
-        if (!($mem->getEmail() == postVar('email')))
-            doError(_ERROR_INCORRECTEMAIL);
-
-        // send activation link
-        $mem->sendActivationLink('forgot');
-
-        if (postVar('url')) {
-            redirect(postVar('url'));
-        } else {
-            header ("Content-Type: text/html; charset="._CHARSET);
-            echo _MSG_ACTIVATION_SENT;
-            echo '<br /><br />Return to <a href="'.$CONF['IndexURL'].'" title="'.$CONF['SiteName'].'">'.$CONF['SiteName'].'</a>';
-        }
-        exit;
-    }
-
-    /**
-     *  Handle karma votes
-     */
-    function doKarma($type) {
-        global $itemid, $member, $CONF, $manager;
-
-        // check if itemid exists
-        if (!$manager->existsItem($itemid,0,0))
-            doError(_ERROR_NOSUCHITEM);
-
-        $blogid = getBlogIDFromItemID($itemid);
-        $this->checkban($blogid);
-
-        $karma =& $manager->getKarma($itemid);
-
-        // check if not already voted
-        if (!$karma->isVoteAllowed(serverVar('REMOTE_ADDR')))
-            doError(_ERROR_VOTEDBEFORE);
-
-        // check if item does allow voting
-        $item =& $manager->getItem($itemid,0,0);
-        if ($item['closed'])
-            doError(_ERROR_ITEMCLOSED);
-
-        switch($type) {
-            case 'pos':
-                $karma->votePositive();
-                break;
-            case 'neg':
-                $karma->voteNegative();
-                break;
-        }
+       /**
+        *  Constructor for an new ACTION object
+        */
+       function ACTION()
+       {
+               // do nothing
+       }
+
+       /**
+        *  Calls functions that handle an action called from action.php
+        */
+       function doAction($action)
+       {
+               switch($action) {
+                       case 'autodraft':
+                               return $this->autoDraft();
+                               break;
+                       case 'updateticket':
+                               return $this->updateTicket();
+                               break;
+                       case 'addcomment':
+                               return $this->addComment();
+                               break;
+                       case 'sendmessage':
+                               return $this->sendMessage();
+                               break;
+                       case 'createaccount':
+                               return $this->createAccount();
+                               break;
+                       case 'forgotpassword':
+                               return $this->forgotPassword();
+                               break;
+                       case 'votepositive':
+                               return $this->doKarma('pos');
+                               break;
+                       case 'votenegative':
+                               return $this->doKarma('neg');
+                               break;
+                       case 'plugin':
+                               return $this->callPlugin();
+                               break;
+                       default:
+                               doError(_ERROR_BADACTION);
+               }
+       }
+
+       /**
+        *  Adds a new comment to an item (if IP isn't banned)
+        */
+       function addComment() {
+               global $CONF, $errormessage, $manager;
+
+               $post['itemid'] =   intPostVar('itemid');
+               $post['user'] =  postVar('user');
+               $post['userid'] =   postVar('userid');
+               $post['email'] =   postVar('email');
+               $post['body'] =  postVar('body');
+
+               // set cookies when required
+               $remember = intPostVar('remember');
+               if ($remember == 1) {
+                       $lifetime = time()+2592000;
+                       setcookie($CONF['CookiePrefix'] . 'comment_user',$post['user'],$lifetime,'/','',0);
+                       setcookie($CONF['CookiePrefix'] . 'comment_userid', $post['userid'],$lifetime,'/','',0);
+                       setcookie($CONF['CookiePrefix'] . 'comment_email',  $post['email'], $lifetime,'/','',0);
+               }
+
+               $comments = new COMMENTS($post['itemid']);
+
+               $blogid = getBlogIDFromItemID($post['itemid']);
+               $this->checkban($blogid);
+               $blog =& $manager->getBlog($blogid);
+
+               // note: PreAddComment and PostAddComment gets called somewhere inside addComment
+               $errormessage = $comments->addComment($blog->getCorrectTime(),$post);
+
+               if ($errormessage == '1') {
+                       // redirect when adding comments succeeded
+                       if (postVar('url')) {
+                               redirect(postVar('url'));
+                       } else {
+                               $url = createItemLink($post['itemid']);
+                               redirect($url);
+                       }
+               } else {
+                       // else, show error message using default skin for blog
+                       return array(
+                               'message' => $errormessage,
+                               'skinid' => $blog->getDefaultSkin()
+                       );
+               }
+
+               exit;
+       }
+
+       /**
+        *  Sends a message from the current member to the member given as argument
+        */
+       function sendMessage() {
+               global $CONF, $member;
+
+               $error = $this->validateMessage();
+               if ($error != '')
+                       return array('message' => $error);
+
+               if (!$member->isLoggedIn()) {
+                       $fromMail = postVar('frommail');
+                       $fromName = _MMAIL_FROMANON;
+               } else {
+                       $fromMail = $member->getEmail();
+                       $fromName = $member->getDisplayName();
+               }
+
+               $tomem = new MEMBER();
+               $tomem->readFromId(postVar('memberid'));
+
+               $message  = _MMAIL_MSG . ' ' . $fromName . "\n"
+                         . '(' . _MMAIL_FROMNUC. ' ' . $CONF['IndexURL'] .") \n\n"
+                         . _MMAIL_MAIL . " \n\n"
+                         . postVar('message');
+               $message .= getMailFooter();
+
+               $title = _MMAIL_TITLE . ' ' . $fromName;
+               mb_language('ja');
+               mb_internal_encoding(_CHARSET);
+               @mb_send_mail($tomem->getEmail(), $title, $message, "From: ". $fromMail);
+
+               if (postVar('url')) {
+                       redirect(postVar('url'));
+               } else {
+                       $CONF['MemberURL'] = $CONF['IndexURL'];
+                       if ($CONF['URLMode'] == 'pathinfo')
+                       {
+                               $url = createLink('member', array('memberid' => $tomem->getID(), 'name' => $tomem->getDisplayName()));
+                       }
+                       else
+                       {
+                               $url = $CONF['IndexURL'] . createMemberLink($tomem->getID());
+                       }
+                       redirect($url);
+               }
+               exit;
+       }
+
+       /**
+        *  Checks if a mail to a member is allowed
+        *  Returns a string with the error message if the mail is disallowed
+        */
+       function validateMessage() {
+               global $CONF, $member, $manager;
+
+               if (!$CONF['AllowMemberMail'])
+                       return _ERROR_MEMBERMAILDISABLED;
+
+               if (!$member->isLoggedIn() && !$CONF['NonmemberMail'])
+                       return _ERROR_DISALLOWED;
+
+               if (!$member->isLoggedIn() && (!isValidMailAddress(postVar('frommail'))))
+                       return _ERROR_BADMAILADDRESS;
+
+               // let plugins do verification (any plugin which thinks the comment is invalid
+               // can change 'error' to something other than '')
+               $result = '';
+               $manager->notify('ValidateForm', array('type' => 'membermail', 'error' => &$result));
+
+               return $result;
+
+       }
+
+       /**
+        *  Creates a new user account
+        */
+       function createAccount() {
+               global $CONF, $manager;
+
+               if (!$CONF['AllowMemberCreate'])
+                       doError(_ERROR_MEMBERCREATEDISABLED);
+
+               // evaluate content from FormExtra
+               $result = 1;
+               $data = array('type' => 'membermail', 'error' => &$result);
+               $manager->notify('ValidateForm', &$data);
+
+               if ($result!=1) {
+                       return $result;
+               }
+               else {
+
+                       // even though the member can not log in, set some random initial password. One never knows.
+                       srand((double)microtime()*1000000);
+                       $initialPwd = md5(uniqid(rand(), true));
+
+                       // create member (non admin/can not login/no notes/random string as password)
+                       $name = shorten(postVar('name'), 32, '');
+                       $r = MEMBER::create($name, postVar('realname'), $initialPwd, postVar('email'), postVar('url'), 0, 0, '');
+
+                       if ($r != 1) {
+                               return $r;
+                       }
+
+                       // send message containing password.
+                       $newmem = new MEMBER();
+                       $newmem->readFromName($name);
+                       $newmem->sendActivationLink('register');
+
+                       $manager->notify('PostRegister',array('member' => &$newmem));
+
+                       if (postVar('desturl')) {
+                               redirect(postVar('desturl'));
+                       } else {
+                               // header has been already sent, so deleted the line below
+                               //header ("Content-Type: text/html; charset="._CHARSET);
+                               echo _MSG_ACTIVATION_SENT;
+                               echo '<br /><br />Return to <a href="'.$CONF['IndexURL'].'" title="'.$CONF['SiteName'].'">'.$CONF['SiteName'].'</a>';
+                               echo "\n</body>\n</html>";
+                       }
+                       exit;
+               }
+       }
+
+       /**
+        *  Sends a new password
+        */
+       function forgotPassword() {
+               $membername = trim(postVar('name'));
+
+               if (!MEMBER::exists($membername))
+                       doError(_ERROR_NOSUCHMEMBER);
+               $mem = MEMBER::createFromName($membername);
+
+               /* below keeps regular users from resetting passwords using forgot password feature
+                        Removing for now until clear why it is required.*/
+               /*if (!$mem->canLogin())
+                       doError(_ERROR_NOLOGON_NOACTIVATE);*/
+
+               // check if e-mail address is correct
+               if (!($mem->getEmail() == postVar('email')))
+                       doError(_ERROR_INCORRECTEMAIL);
+
+               // send activation link
+               $mem->sendActivationLink('forgot');
+
+               if (postVar('url')) {
+                       redirect(postVar('url'));
+               } else {
+                       header ("Content-Type: text/html; charset="._CHARSET);
+                       echo _MSG_ACTIVATION_SENT;
+                       echo '<br /><br />Return to <a href="'.$CONF['IndexURL'].'" title="'.$CONF['SiteName'].'">'.$CONF['SiteName'].'</a>';
+               }
+               exit;
+       }
+
+       /**
+        *  Handle karma votes
+        */
+       function doKarma($type) {
+               global $itemid, $member, $CONF, $manager;
+
+               // check if itemid exists
+               if (!$manager->existsItem($itemid,0,0))
+                       doError(_ERROR_NOSUCHITEM);
+
+               $blogid = getBlogIDFromItemID($itemid);
+               $this->checkban($blogid);
+
+               $karma =& $manager->getKarma($itemid);
+
+               // check if not already voted
+               if (!$karma->isVoteAllowed(serverVar('REMOTE_ADDR')))
+                       doError(_ERROR_VOTEDBEFORE);
+
+               // check if item does allow voting
+               $item =& $manager->getItem($itemid,0,0);
+               if ($item['closed'])
+                       doError(_ERROR_ITEMCLOSED);
+
+               switch($type) {
+                       case 'pos':
+                               $karma->votePositive();
+                               break;
+                       case 'neg':
+                               $karma->voteNegative();
+                               break;
+               }
 
 //             $blogid = getBlogIDFromItemID($itemid);
 
 //             $blogid = getBlogIDFromItemID($itemid);
-        $blog =& $manager->getBlog($blogid);
-
-        // send email to notification address, if any
-        if ($blog->getNotifyAddress() && $blog->notifyOnVote()) {
-
-            $mailto_msg = _NOTIFY_KV_MSG . ' ' . $itemid . "\n";
-            $itemLink = createItemLink(intval($itemid));
-            $temp = parse_url($itemLink);
-            if (!$temp['scheme']) {
-                $itemLink = $CONF['IndexURL'] . $itemLink;
-            }
-            $mailto_msg .= $itemLink . "\n\n";
-            if ($member->isLoggedIn()) {
-                $mailto_msg .= _NOTIFY_MEMBER . ' ' . $member->getDisplayName() . ' (ID=' . $member->getID() . ")\n";
-            }
-            $mailto_msg .= _NOTIFY_IP . ' ' . serverVar('REMOTE_ADDR') . "\n";
-            $mailto_msg .= _NOTIFY_HOST . ' ' .  gethostbyaddr(serverVar('REMOTE_ADDR'))  . "\n";
-            $mailto_msg .= _NOTIFY_VOTE . "\n " . $type . "\n";
-            $mailto_msg .= getMailFooter();
-
-            $mailto_title = _NOTIFY_KV_TITLE . ' ' . strip_tags($item['title']) . ' (' . $itemid . ')';
-
-            $frommail = $member->getNotifyFromMailAddress();
-
-            $notify = new NOTIFICATION($blog->getNotifyAddress());
-            $notify->notify($mailto_title, $mailto_msg , $frommail);
-        }
-
-
-        $refererUrl = serverVar('HTTP_REFERER');
-        if ($refererUrl) {
-            $url = $refererUrl;
-        } else {
+               $blog =& $manager->getBlog($blogid);
+
+               // send email to notification address, if any
+               if ($blog->getNotifyAddress() && $blog->notifyOnVote()) {
+
+                       $mailto_msg = _NOTIFY_KV_MSG . ' ' . $itemid . "\n";
+                       $itemLink = createItemLink(intval($itemid));
+                       $temp = parse_url($itemLink);
+                       if (!$temp['scheme']) {
+                               $itemLink = $CONF['IndexURL'] . $itemLink;
+                       }
+                       $mailto_msg .= $itemLink . "\n\n";
+                       if ($member->isLoggedIn()) {
+                               $mailto_msg .= _NOTIFY_MEMBER . ' ' . $member->getDisplayName() . ' (ID=' . $member->getID() . ")\n";
+                       }
+                       $mailto_msg .= _NOTIFY_IP . ' ' . serverVar('REMOTE_ADDR') . "\n";
+                       $mailto_msg .= _NOTIFY_HOST . ' ' .  gethostbyaddr(serverVar('REMOTE_ADDR'))  . "\n";
+                       $mailto_msg .= _NOTIFY_VOTE . "\n " . $type . "\n";
+                       $mailto_msg .= getMailFooter();
+
+                       $mailto_title = _NOTIFY_KV_TITLE . ' ' . strip_tags($item['title']) . ' (' . $itemid . ')';
+
+                       $frommail = $member->getNotifyFromMailAddress();
+
+                       $notify = new NOTIFICATION($blog->getNotifyAddress());
+                       $notify->notify($mailto_title, $mailto_msg , $frommail);
+               }
+
+
+               $refererUrl = serverVar('HTTP_REFERER');
+               if ($refererUrl) {
+                       $url = $refererUrl;
+               } else {
 //                     $url = $CONF['IndexURL'] . 'index.php?itemid=' . $itemid;
 //                     $url = $CONF['IndexURL'] . 'index.php?itemid=' . $itemid;
-            $url = $itemLink;
-        }
-
-        redirect($url);
-        exit;
-    }
-
-    /**
-      * Calls a plugin action
-      */
-    function callPlugin() {
-        global $manager;
-
-        $pluginName = 'NP_' . requestVar('name');
-        $actionType = requestVar('type');
-
-        // 1: check if plugin is installed
-        if (!$manager->pluginInstalled($pluginName))
-            doError(_ERROR_NOSUCHPLUGIN);
-
-        // 2: call plugin
-        $pluginObject =& $manager->getPlugin($pluginName);
-        if ($pluginObject)
-            $error = $pluginObject->doAction($actionType);
-        else
-            $error = 'Could not load plugin (see actionlog)';
-
-        // doAction returns error when:
-        // - an error occurred (duh)
-        // - no actions are allowed (doAction is not implemented)
-        if ($error)
-            doError($error);
-
-        exit;
-
-    }
-
-    /**
-     *  Checks if an IP or IP range is banned
-     */
-    function checkban($blogid) {
-        // check if banned
-        $ban = BAN::isBanned($blogid, serverVar('REMOTE_ADDR'));
-        if ($ban != 0) {
-            doError(_ERROR_BANNED1 . $ban->iprange . _ERROR_BANNED2 . $ban->message . _ERROR_BANNED3);
-        }
-
-    }
-
-    /**
-     * Gets a new ticket
-     */
-    function updateTicket() {
-        global $manager;
-        if ($manager->checkTicket()) {
-            echo $manager->getNewTicket();
-        }
-        else {
-            echo _ERROR . ':' . _ERROR_BADTICKET;
-        }
-        return false;
-    }
-
-    /**
-     * Handles AutoSaveDraft
-     */
-    function autoDraft() {
-        global $manager;
-        if ($manager->checkTicket()) {
-            $manager->loadClass('ITEM');
-            $info = ITEM::createDraftFromRequest();
-            if ($info['status'] == 'error') {
-                echo $info['message'];
-            }
-            else {
-                echo $info['draftid'];
-            }
-        }
-        else {
-            echo _ERROR . ':' . _ERROR_BADTICKET;
-        }
-        return false;
-    }
-
-
+                       $url = $itemLink;
+               }
+
+               redirect($url);
+               exit;
+       }
+
+       /**
+         * Calls a plugin action
+         */
+       function callPlugin() {
+               global $manager;
+
+               $pluginName = 'NP_' . requestVar('name');
+               $actionType = requestVar('type');
+
+               // 1: check if plugin is installed
+               if (!$manager->pluginInstalled($pluginName))
+                       doError(_ERROR_NOSUCHPLUGIN);
+
+               // 2: call plugin
+               $pluginObject =& $manager->getPlugin($pluginName);
+               if ($pluginObject)
+                       $error = $pluginObject->doAction($actionType);
+               else
+                       $error = 'Could not load plugin (see actionlog)';
+
+               // doAction returns error when:
+               // - an error occurred (duh)
+               // - no actions are allowed (doAction is not implemented)
+               if ($error)
+                       doError($error);
+
+               exit;
+
+       }
+
+       /**
+        *  Checks if an IP or IP range is banned
+        */
+       function checkban($blogid) {
+               // check if banned
+               $ban = BAN::isBanned($blogid, serverVar('REMOTE_ADDR'));
+               if ($ban != 0) {
+                       doError(_ERROR_BANNED1 . $ban->iprange . _ERROR_BANNED2 . $ban->message . _ERROR_BANNED3);
+               }
+
+       }
+
+       /**
+        * Gets a new ticket
+        */
+       function updateTicket() {
+               global $manager;
+               if ($manager->checkTicket()) {
+                       echo $manager->getNewTicket();
+               }
+               else {
+                       echo _ERROR . ':' . _ERROR_BADTICKET;
+               }
+               return false;
+       }
+
+       /**
+        * Handles AutoSaveDraft
+        */
+       function autoDraft() {
+               global $manager;
+               if ($manager->checkTicket()) {
+                       $manager->loadClass('ITEM');
+                       $info = ITEM::createDraftFromRequest();
+                       if ($info['status'] == 'error') {
+                               echo $info['message'];
+                       }
+                       else {
+                               echo $info['draftid'];
+                       }
+               }
+               else {
+                       echo _ERROR . ':' . _ERROR_BADTICKET;
+               }
+               return false;
+       }
 }
 }
-
 ?>
\ No newline at end of file
 ?>
\ No newline at end of file
index bbe318e..56c7d7a 100755 (executable)
@@ -37,7 +37,7 @@ class ACTIONLOG {
                if ($member && $member->isLoggedIn())
                        $message = "[" . $member->getDisplayName() . "] " . $message;
 
                if ($member && $member->isLoggedIn())
                        $message = "[" . $member->getDisplayName() . "] " . $message;
 
-               $message = addslashes($message);                // add slashes
+               $message = sql_real_escape_string($message);            // add slashes
                $timestamp = date("Y-m-d H:i:s",time());        // format timestamp
                $query = "INSERT INTO " . sql_table('actionlog') . " (timestamp, message) VALUES ('$timestamp', '$message')";
 
                $timestamp = date("Y-m-d H:i:s",time());        // format timestamp
                $query = "INSERT INTO " . sql_table('actionlog') . " (timestamp, message) VALUES ('$timestamp', '$message')";
 
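Review bot: The trailing comment `// add slashes` is now stale — the call no longer adds slashes, it escapes the message for the active MySQL link; rewrite it as `// escape for the current DB connection (charset-aware, unlike addslashes)`. One caveat worth recording: sql_real_escape_string presumably wraps mysql_real_escape_string, which needs an open connection and returns false without one, so a log entry written before the connection exists would be stored empty rather than unescaped — a comment or a guard is warranted if ACTIONLOG::add can run that early. The enclosing function starts and ends outside the hunk.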
index afe58bf..2d713b0 100644 (file)
@@ -283,24 +283,45 @@ class ACTIONS extends BaseActions {
         *              When present, the output will be a full <a href...> link. When empty,
         *              only a raw link will be outputted
         */
         *              When present, the output will be a full <a href...> link. When empty,
         *              only a raw link will be outputted
         */
-       function _searchlink($maxresults, $startpos, $direction, $linktext = '') {
+       function _searchlink($maxresults, $startpos, $direction, $linktext = '', $recount = '') {
                global $CONF, $blog, $query, $amount;
                // TODO: Move request uri to linkparams. this is ugly. sorry for that.
                $startpos       = intval($startpos);            // will be 0 when empty.
                global $CONF, $blog, $query, $amount;
                // TODO: Move request uri to linkparams. this is ugly. sorry for that.
                $startpos       = intval($startpos);            // will be 0 when empty.
+               $path                   = $parsed['path'];
                $parsed         = parse_url(serverVar('REQUEST_URI'));
                $parsed         = $parsed['query'];
                $parsed         = parse_url(serverVar('REQUEST_URI'));
                $parsed         = $parsed['query'];
-               $url            = '';
+               $url                    = '';
 
                switch ($direction) {
                        case 'prev':
                                if ( intval($startpos) - intval($maxresults) >= 0) {
                                        $startpos       = intval($startpos) - intval($maxresults);
 
                switch ($direction) {
                        case 'prev':
                                if ( intval($startpos) - intval($maxresults) >= 0) {
                                        $startpos       = intval($startpos) - intval($maxresults);
-                                       $url            = $CONF['SearchURL'].'?'.alterQueryStr($parsed,'startpos',$startpos);
+                                       //$url          = $CONF['SearchURL'].'?'.alterQueryStr($parsed,'startpos',$startpos);
+                                       switch ($this->skintype)
+                                       {
+                                               case 'index':
+                                                       $url = $path;
+                                                       break;
+                                               case 'search':
+                                                       $url = $CONF['SearchURL'];
+                                                       break;
+                                       }
+                                       $url .= '?'.alterQueryStr($parsed,'startpos',$startpos);
                                }
                                break;
                        case 'next':
                                }
                                break;
                        case 'next':
-                               $iAmountOnPage = $this->amountfound;
-                               if ($iAmountOnPage == 0)
+                               global $navigationItems;
+                               if (!isset($navigationItems)) $navigationItems = 0;
+                               
+                               if ($recount)
+                                       $iAmountOnPage = 0;
+                               else 
+                                       $iAmountOnPage = $this->amountfound;
+                               
+                               if (intval($navigationItems) > 0) {
+                                       $iAmountOnPage = intval($navigationItems) - intval($startpos);
+                               }
+                               elseif ($iAmountOnPage == 0)
                                {
                                        // [%nextlink%] or [%prevlink%] probably called before [%blog%] or [%searchresults%]
                                        // try a count query
                                {
                                        // [%nextlink%] or [%prevlink%] probably called before [%blog%] or [%searchresults%]
                                        // try a count query
@@ -310,7 +331,9 @@ class ACTIONS extends BaseActions {
                                                        $sqlquery = $blog->getSqlBlog('', 'count');
                                                        break;
                                                case 'search':
                                                        $sqlquery = $blog->getSqlBlog('', 'count');
                                                        break;
                                                case 'search':
+                                                       $unused_highlight = '';
                                                        $sqlquery = $blog->getSqlSearch($query, $amount, $unused_highlight, 'count');
                                                        $sqlquery = $blog->getSqlSearch($query, $amount, $unused_highlight, 'count');
+                                                       $url = $CONF['SearchURL'];
                                                        break;
                                        }
                                        if ($sqlquery)
                                                        break;
                                        }
                                        if ($sqlquery)
@@ -318,8 +341,10 @@ class ACTIONS extends BaseActions {
                                }
                                if (intval($iAmountOnPage) >= intval($maxresults)) {
                                        $startpos       = intval($startpos) + intval($maxresults);
                                }
                                if (intval($iAmountOnPage) >= intval($maxresults)) {
                                        $startpos       = intval($startpos) + intval($maxresults);
-                                       $url            = $CONF['SearchURL'].'?'.alterQueryStr($parsed,'startpos',$startpos);
+                                       //$url          = $CONF['SearchURL'].'?'.alterQueryStr($parsed,'startpos',$startpos);
+                                       $url            .= '?'.alterQueryStr($parsed,'startpos',$startpos);
                                }
                                }
+                               else $url       = '';
                                break;
                        default:
                                break;
                                break;
                        default:
                                break;
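Review bot: `$path = $parsed['path'];` is placed before `$parsed` is assigned from `parse_url(serverVar('REQUEST_URI'))`, so `$path` is always unset and the new `index` case of the `prev` link degrades to a bare `?startpos=…`; move it between the two existing lines: `$parsed = parse_url(serverVar('REQUEST_URI')); $path = $parsed['path']; $parsed = $parsed['query'];`. This also means the generated href now carries an attacker-influenced value (the request path) where the old code used only `$CONF['SearchURL']`, so whatever emits `$url` later in _searchlink — which continues past the hunk — must HTML-escape it. In the `next` branch `$url` is only set to `$CONF['SearchURL']` inside the count-query fallback for `search`, so an `index` page ends up with the same relative `?startpos=…` form; if that is intentional, a one-line comment saying so would save the next reader the same question.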
@@ -602,7 +627,11 @@ class ACTIONS extends BaseActions {
         */
        function parse_categorylist($template, $blogname = '') {
                global $blog, $manager;
         */
        function parse_categorylist($template, $blogname = '') {
                global $blog, $manager;
-
+               
+               // when no blog found
+               if (($blogName == '') && (!is_object($blog)))
+                       return 0;
+                       
                if ($blogname == '') {
                        $this->_preBlogContent('categorylist',$blog);
                        $blog->showCategoryList($template);
                if ($blogname == '') {
                        $this->_preBlogContent('categorylist',$blog);
                        $blog->showCategoryList($template);
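Review bot: The new guard tests `$blogName` while the parameter is `$blogname`; PHP variable names are case-sensitive, so `$blogName` is always undefined, `($blogName == '')` is always true, and the guard collapses to `!is_object($blog)` — returning 0 even when a blog name was explicitly passed. Change it to `if (($blogname == '') && (!is_object($blog))) return 0;`. With notices enabled this would also fire an undefined-variable notice on every call, which is a cheap way to catch the regression.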
@@ -643,7 +672,12 @@ class ACTIONS extends BaseActions {
                        $this->doForm('commentform-closed');
                        return;
                }
                        $this->doForm('commentform-closed');
                        return;
                }
-
+               
+               if (!$blog->isPublic() && !$member->isLoggedIn()) {
+                       $this->doForm('commentform-closedtopublic');
+                       return;
+               }
+               
                if (!$destinationurl)
                {
                        $destinationurl = createLink(
                if (!$destinationurl)
                {
                        $destinationurl = createLink(
@@ -868,7 +902,7 @@ class ACTIONS extends BaseActions {
         * (includes a member info thingie)      
         */
        function parse_member($what) {
         * (includes a member info thingie)      
         */
        function parse_member($what) {
-               global $memberinfo, $member;
+               global $memberinfo, $member, $CONF;
 
                // 1. only allow the member-details-page specific variables on member pages
                if ($this->skintype == 'member') {
 
                // 1. only allow the member-details-page specific variables on member pages
                if ($this->skintype == 'member') {
@@ -917,11 +951,16 @@ class ACTIONS extends BaseActions {
                                case 'yourid':
                                        echo $member->getID();
                                        break;
                                case 'yourid':
                                        echo $member->getID();
                                        break;
+                               case 'yourprofileurl':
+                                       if ($CONF['URLMode'] == 'pathinfo')
+                                               echo createMemberLink($member->getID());
+                                       else
+                                               echo $CONF['IndexURL'] . createMemberLink($member->getID());
+                                       break;
                        }
                }
                        }
                }
-
        }
        }
-
+       
        /**
         * Parse skinvar membermailform
         */
        /**
         * Parse skinvar membermailform
         */
@@ -1000,12 +1039,12 @@ class ACTIONS extends BaseActions {
        /**
         * Parse skinvar nextlink
         */
        /**
         * Parse skinvar nextlink
         */
-       function parse_nextlink($linktext = '', $amount = 10) {
+       function parse_nextlink($linktext = '', $amount = 10, $recount = '') {
                global $itemidnext, $archivenext, $startpos;
                if ($this->skintype == 'item')
                        $this->_itemlink($itemidnext, $linktext);
                else if ($this->skintype == 'search' || $this->skintype == 'index')
                global $itemidnext, $archivenext, $startpos;
                if ($this->skintype == 'item')
                        $this->_itemlink($itemidnext, $linktext);
                else if ($this->skintype == 'search' || $this->skintype == 'index')
-                       $this->_searchlink($amount, $startpos, 'next', $linktext);
+                       $this->_searchlink($amount, $startpos, 'next', $linktext, $recount);
                else
                        $this->_archivelink($archivenext, $linktext);
        }
                else
                        $this->_archivelink($archivenext, $linktext);
        }
index 0ea39ce..6b6e536 100755 (executable)
@@ -346,7 +346,7 @@ class ADMIN {
                           . ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
 \r
                if ($search)\r
                           . ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
 \r
                if ($search)\r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
 \r
                // non-blog-admins can only edit/delete their own items\r
                if (!$member->blogAdminRights($blogid))\r
 \r
                // non-blog-admins can only edit/delete their own items\r
                if (!$member->blogAdminRights($blogid))\r
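Review bot: The LIKE clauses are now escaped, but `iblog=' . $blogid` on the context line above is still interpolated raw; unless `$blogid` is coerced before this hunk (its origin is outside it), the escaping added here does not close the injection on this query. Elsewhere in this commit the same predicate is written `cblog=' . intval($blogid)`; using `intval($blogid)` here too makes the function safe regardless of what the caller passes. Note also that sql_real_escape_string does not escape `%` and `_`, so a search term can still carry LIKE wildcards — not an injection, but worth a comment if exact matching was intended.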
@@ -913,7 +913,7 @@ class ADMIN {
                           . ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
 \r
                if ($search)\r
                           . ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
 \r
                if ($search)\r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
 \r
                $query .= ' ORDER BY itime DESC'\r
                                . " LIMIT $start,$amount";\r
 \r
                $query .= ' ORDER BY itime DESC'\r
                                . " LIMIT $start,$amount";\r
@@ -969,7 +969,7 @@ class ADMIN {
                $query = 'SELECT cbody, cuser, cmail, cemail, mname, ctime, chost, cnumber, cip, citem FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON mnumber = cmember WHERE citem = ' . $itemid;\r
 \r
                if ($search)\r
                $query = 'SELECT cbody, cuser, cmail, cemail, mname, ctime, chost, cnumber, cip, citem FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON mnumber = cmember WHERE citem = ' . $itemid;\r
 \r
                if ($search)\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime ASC'\r
                                . " LIMIT $start,$amount";\r
 \r
                $query .= ' ORDER BY ctime ASC'\r
                                . " LIMIT $start,$amount";\r
@@ -1011,7 +1011,7 @@ class ADMIN {
                $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cmember=' . $member->getID();\r
 \r
                if ($search)\r
                $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cmember=' . $member->getID();\r
 \r
                if ($search)\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime DESC'\r
                                . " LIMIT $start,$amount";\r
 \r
                $query .= ' ORDER BY ctime DESC'\r
                                . " LIMIT $start,$amount";\r
@@ -1067,7 +1067,7 @@ class ADMIN {
                $query =  'SELECT cbody, cuser, cemail, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
 \r
                if ($search != '')\r
                $query =  'SELECT cbody, cuser, cemail, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
 \r
                if ($search != '')\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
 \r
                $query .= ' ORDER BY ctime DESC'\r
 \r
 \r
                $query .= ' ORDER BY ctime DESC'\r
@@ -1469,9 +1469,11 @@ class ADMIN {
 \r
                // change <br /> to \n\r
                $comment['body'] = str_replace('<br />','',$comment['body']);\r
 \r
                // change <br /> to \n\r
                $comment['body'] = str_replace('<br />','',$comment['body']);\r
-\r
-               $comment['body'] = eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>","\\1",$comment['body']);\r
-\r
+               \r
+               // replaced eregi_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0\r
+               /* original eregi_replace: eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>", "\\1", $comment['body']) */\r
+               $comment['body'] = preg_replace("#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#I", "\\1", $comment['body']);\r
+               \r
                $this->pagehead();\r
 \r
                ?>\r
                $this->pagehead();\r
 \r
                ?>\r
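Review bot: The replacement pattern ends in `#I`, and as far as I can tell `I` is not a PHP PCRE modifier (case-insensitive matching is lowercase `i`); preg_replace would then emit an "Unknown modifier" warning and return NULL, blanking `$comment['body']` in the edit form so that saving it wipes the comment. Since the original was eregi_replace (case-insensitive), the intended pattern is `"#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#i"`. Checking the preg_replace result for NULL before assigning would make this class of regex error fail loudly instead of destroying data.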
@@ -1538,18 +1540,25 @@ class ADMIN {
                $url = postVar('url');\r
                $email = postVar('email');\r
                $body = postVar('body');\r
                $url = postVar('url');\r
                $email = postVar('email');\r
                $body = postVar('body');\r
-\r
+               \r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}", $body) != FALSE\r
+               # important note that '\' must be matched with '\\\\' in preg* expressions\r
                // intercept words that are too long\r
                // intercept words that are too long\r
-               if (eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}",$body) != false)\r
+               if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}#', $body) != FALSE)\r
+               {\r
                        $this->error(_ERROR_COMMENT_LONGWORD);\r
                        $this->error(_ERROR_COMMENT_LONGWORD);\r
-\r
+               }\r
+               \r
                // check length\r
                // check length\r
-               if (strlen($body)<3)\r
+               if (strlen($body) < 3) {\r
                        $this->error(_ERROR_COMMENT_NOCOMMENT);\r
                        $this->error(_ERROR_COMMENT_NOCOMMENT);\r
+               }\r
                if (strlen($body)>5000)\r
                if (strlen($body)>5000)\r
+               {\r
                        $this->error(_ERROR_COMMENT_TOOLONG);\r
                        $this->error(_ERROR_COMMENT_TOOLONG);\r
-\r
-\r
+               }\r
+               \r
                // prepare body\r
                $body = COMMENT::prepareBody($body);\r
 \r
                // prepare body\r
                $body = COMMENT::prepareBody($body);\r
 \r
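Review bot: `strlen($body) < 3` and `strlen($body) > 5000` count bytes, and in a UTF-8 installation that means a single multibyte character passes the minimum while the maximum rejects far fewer than 5000 characters of non-ASCII text; `mb_strlen($body, 'UTF-8')` matches the stated intent. The long-word check is correct as written — the single-quoted `\\\\` reaches PCRE as `\\`, a literal backslash, exactly as the added comment explains. The enclosing method continues outside the hunk.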
@@ -1557,7 +1566,7 @@ class ADMIN {
                $manager->notify('PreUpdateComment',array('body' => &$body));\r
 \r
                $query =  'UPDATE '.sql_table('comment')\r
                $manager->notify('PreUpdateComment',array('body' => &$body));\r
 \r
                $query =  'UPDATE '.sql_table('comment')\r
-                          . " SET cmail = '" . addslashes($url) . "', cemail = '" . addslashes($email) . "', cbody = '" . addslashes($body) . "'"\r
+                          . " SET cmail = '" . sql_real_escape_string($url) . "', cemail = '" . sql_real_escape_string($email) . "', cbody = '" . sql_real_escape_string($body) . "'"\r
                           . " WHERE cnumber=" . $commentid;\r
                sql_query($query);\r
 \r
                           . " WHERE cnumber=" . $commentid;\r
                sql_query($query);\r
 \r
@@ -1833,17 +1842,23 @@ class ADMIN {
                                <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
                                <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle))\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg("^(.*)\.php$", $filename, $matches)\r
+                                       if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
                                                $name = $matches[1];\r
-                                               echo "<option value='$name'";\r
-                                               if ($name == $mem->getLanguage())\r
-                                                       echo " selected='selected'";\r
+                                               echo "<option value=\"$name\"";\r
+                                               if ($name == $mem->getLanguage() )\r
+                                               {\r
+                                                       echo " selected=\"selected\"";\r
+                                               }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
-\r
+                               \r
                                ?>\r
                                </select>\r
 \r
                                ?>\r
                                </select>\r
 \r
@@ -1897,10 +1912,13 @@ class ADMIN {
                $email            = strip_tags(postVar('email'));\r
                $url                    = strip_tags(postVar('url'));\r
 \r
                $email            = strip_tags(postVar('email'));\r
                $url                    = strip_tags(postVar('url'));\r
 \r
-               // Sometimes user didn't prefix the URL with http://, this cause a malformed URL. Let's fix it.\r
-               if (!eregi("^https?://", $url))\r
-                       $url = "http://".$url;\r
-\r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: !eregi("^https?://", $url)\r
+               // begin if: sometimes user didn't prefix the URL with http:// or https://, this cause a malformed URL. Let's fix it.\r
+               if (!preg_match('#^https?://#', $url) )\r
+               {\r
+                       $url = "http://" . $url;\r
+               }\r
                $admin            = postVar('admin');\r
                $canlogin          = postVar('canlogin');\r
                $notes            = strip_tags(postVar('notes'));\r
                $admin            = postVar('admin');\r
                $canlogin          = postVar('canlogin');\r
                $notes            = strip_tags(postVar('notes'));\r
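Review bot: The original `eregi("^https?://", $url)` was case-insensitive, but the replacement `preg_match('#^https?://#', $url)` is not, so a URL entered as `HTTP://example.org` is now rewritten to `http://HTTP://example.org`; add the modifier: `if (!preg_match('#^https?://#i', $url))`. The prefixing also turns an empty field into the literal `http://`, which is then stored as the member's URL — pre-existing, but an `$url != ''` test in the same condition fixes it cheaply.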
@@ -2174,15 +2192,16 @@ class ADMIN {
 \r
                if ($password && (strlen($password) < 6))\r
                        return $this->_showActivationPage($key, _ERROR_PASSWORDTOOSHORT);\r
 \r
                if ($password && (strlen($password) < 6))\r
                        return $this->_showActivationPage($key, _ERROR_PASSWORDTOOSHORT);\r
-\r
-               $pwdvalid = true;\r
-               $pwderror = '';\r
-               global $manager;\r
-               $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
-               if (!$pwdvalid) {\r
-                       return $this->_showActivationPage($key,$pwderror);\r
+               \r
+               if ($password) {\r
+                       $pwdvalid = true;\r
+                       $pwderror = '';\r
+                       global $manager;\r
+                       $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+                       if (!$pwdvalid) {\r
+                               return $this->_showActivationPage($key,$pwderror);\r
+                       }\r
                }\r
                }\r
-\r
                $error = '';\r
                $manager->notify('ValidateForm', array('type' => 'activation', 'member' => $mem, 'error' => &$error));\r
                if ($error != '')\r
                $error = '';\r
                $manager->notify('ValidateForm', array('type' => 'activation', 'member' => $mem, 'error' => &$error));\r
                if ($error != '')\r
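Review bot: `global $manager;` has moved inside `if ($password) { … }`, but the `$manager->notify('ValidateForm', …)` call right after the block runs unconditionally; `global` is an executable statement, so when no password is submitted `$manager` is never imported and that call fails on a null object — unless the function already declares `global $manager` above the hunk, which is not visible here. Hoist it: place `global $manager;` before `if ($password) {` and drop the copy inside the block. The rest of the method continues outside the hunk.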
@@ -2506,7 +2525,7 @@ class ADMIN {
                 <td><?php $this->input_yesno('reqemail',$blog->emailRequired(),72); ?></td>\r
          </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY?> <?php help('blognotify'); ?></td>\r
                 <td><?php $this->input_yesno('reqemail',$blog->emailRequired(),72); ?></td>\r
          </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY?> <?php help('blognotify'); ?></td>\r
-                       <td><input name="notify" tabindex="80" maxlength="60" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
+                       <td><input name="notify" tabindex="80" maxlength="128" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY_ON?></td>\r
                        <td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY_ON?></td>\r
                        <td>\r
@@ -2629,7 +2648,7 @@ class ADMIN {
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
-               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid);\r
+               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid);\r
                $res = sql_query($query);\r
                if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
                $res = sql_query($query);\r
                if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
@@ -2719,14 +2738,14 @@ class ADMIN {
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
-               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
+               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
                $res = sql_query($query);\r
                if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
 \r
                $query =  'UPDATE '.sql_table('category').' SET'\r
                $res = sql_query($query);\r
                if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
 \r
                $query =  'UPDATE '.sql_table('category').' SET'\r
-                          . " cname='" . addslashes($cname) . "',"\r
-                          . " cdesc='" . addslashes($cdesc) . "'"\r
+                          . " cname='" . sql_real_escape_string($cname) . "',"\r
+                          . " cdesc='" . sql_real_escape_string($cdesc) . "'"\r
                           . " WHERE catid=" . $catid;\r
 \r
                sql_query($query);\r
                           . " WHERE catid=" . $catid;\r
 \r
                sql_query($query);\r
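Review bot: `$cname` and `$cdesc` are now escaped, but both statements still interpolate `$catid` raw in `not(catid=$catid)` and `WHERE catid=" . $catid`, while `$blogid` on the same line is wrapped in `intval()`; unless `$catid` is coerced before the hunk, the escaping is incomplete. Apply the same treatment once at the top of the hunk, `$catid = intval($catid);`, so both queries see a numeric value.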
@@ -3155,7 +3174,7 @@ class ADMIN {
 \r
                /* unlink comments from memberid */\r
                if ($memberid) {\r
 \r
                /* unlink comments from memberid */\r
                if ($memberid) {\r
-                       $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. addslashes($mem->getDisplayName())\r
+                       $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. sql_real_escape_string($mem->getDisplayName())\r
                                   .'" WHERE cmember='.$memberid;\r
                        sql_query($query);\r
                }\r
                                   .'" WHERE cmember='.$memberid;\r
                        sql_query($query);\r
                }\r
@@ -3295,11 +3314,11 @@ class ADMIN {
 \r
 \r
                // add slashes for sql queries\r
 \r
 \r
                // add slashes for sql queries\r
-               $bname     = addslashes($bname);\r
-               $bshortname  = addslashes($bshortname);\r
-               $btimeoffset = addslashes($btimeoffset);\r
-               $bdesc     = addslashes($bdesc);\r
-               $bdefskin       = addslashes($bdefskin);\r
+               $bname     = sql_real_escape_string($bname);\r
+               $bshortname  = sql_real_escape_string($bshortname);\r
+               $btimeoffset = sql_real_escape_string($btimeoffset);\r
+               $bdesc     = sql_real_escape_string($bdesc);\r
+               $bdefskin       = sql_real_escape_string($bdefskin);\r
 \r
                // create blog\r
                $query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ('$bname', '$bshortname', '$bdesc', '$btimeoffset', '$bdefskin')";\r
 \r
                // create blog\r
                $query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ('$bname', '$bshortname', '$bdesc', '$btimeoffset', '$bdefskin')";\r
@@ -3308,11 +3327,10 @@ class ADMIN {
                $blog   =& $manager->getBlog($blogid);\r
 \r
                // create new category\r
                $blog   =& $manager->getBlog($blogid);\r
 \r
                // create new category\r
-\r
-\r
+               $catdefname = (defined('_EBLOGDEFAULTCATEGORY_NAME') ? _EBLOGDEFAULTCATEGORY_NAME : 'General');\r
+               $catdefdesc = (defined('_EBLOGDEFAULTCATEGORY_DESC') ? _EBLOGDEFAULTCATEGORY_DESC : 'Items that do not fit in other categories');\r
                $sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, "%s", "%s")';\r
                $sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, "%s", "%s")';\r
-               sql_query(sprintf($sql, sql_table('category'), $blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC));\r
-\r
+               sql_query(sprintf($sql, sql_table('category'), $blogid, $catdefname, $catdefdesc));\r
 //             sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC)");\r
                $catid = sql_insert_id();\r
 \r
 //             sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC)");\r
                $catid = sql_insert_id();\r
 \r
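Review bot: `$catdefname` and `$catdefdesc` are interpolated into the `INSERT INTO … category` via `sprintf` `"%s"` placeholders without `sql_real_escape_string`, which is inconsistent with the rest of this commit that moves every string value onto that function. The values come from language-file constants rather than request input, but a translation containing a double quote or backslash would break the statement. Suggested: `sql_query(sprintf($sql, sql_table('category'), $blogid, sql_real_escape_string($catdefname), sql_real_escape_string($catdefdesc)));`. The commented-out `sql_query('INSERT INTO …')` line that follows is dead code and could be dropped in the same change.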
@@ -3324,15 +3342,15 @@ class ADMIN {
                $memberid = $member->getID();\r
                $query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";\r
                sql_query($query);\r
                $memberid = $member->getID();\r
                $query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";\r
                sql_query($query);\r
-\r
-\r
-\r
-\r
-\r
-\r
-               $blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
-\r
-\r
+               \r
+               $itemdeftitle = (defined('_EBLOG_FIRSTITEM_TITLE') ? _EBLOG_FIRSTITEM_TITLE : 'First Item');\r
+               $itemdefbody = (defined('_EBLOG_FIRSTITEM_BODY') ? _EBLOG_FIRSTITEM_BODY : 'This is the first item in your weblog. Feel free to delete it.');\r
+               \r
+               $blog->additem($blog->getDefaultCategory(),$itemdeftitle,$itemdefbody,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               //$blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               \r
+               \r
+               \r
                $manager->notify(\r
                        'PostAddBlog',\r
                        array(\r
                $manager->notify(\r
                        'PostAddBlog',\r
                        array(\r
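Review bot: The hunk leaves a commented-out copy of the old `$blog->additem(…)` call plus several whitespace-only lines between the new call and `$manager->notify(`; the `defined()` fallbacks already document why the constants were replaced, so the dead line adds nothing and should be deleted. The two `$itemdeftitle`/`$itemdefbody` defaults are fine as written, though they mirror the `$catdefname`/`$catdefdesc` pattern in the previous hunk and the four could live together at the top of the method (which starts outside this hunk) for readability.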
@@ -3762,7 +3780,7 @@ selector();
                $member->isAdmin() or $this->disallow();\r
 \r
                $extrahead = '<script type="text/javascript" src="javascript/templateEdit.js"></script>';\r
                $member->isAdmin() or $this->disallow();\r
 \r
                $extrahead = '<script type="text/javascript" src="javascript/templateEdit.js"></script>';\r
-               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.addslashes(_EDITTEMPLATE_EMPTY).'");</script>';\r
+               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.sql_real_escape_string(_EDITTEMPLATE_EMPTY).'");</script>';\r
 \r
                $this->pagehead($extrahead);\r
 \r
 \r
                $this->pagehead($extrahead);\r
 \r
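Review bot: `sql_real_escape_string(_EDITTEMPLATE_EMPTY)` is applied to a JavaScript string literal inside a `<script>` block, not to SQL, so it escapes for the wrong grammar; `addslashes` was equally wrong for this context, but the SQL escaper additionally depends on the database layer if it wraps `mysql_real_escape_string` (not visible here). A JS-literal encoder is the right tool: `$extrahead .= '<script type="text/javascript">setTemplateEditText(' . json_encode(_EDITTEMPLATE_EMPTY) . ');</script>';` — `json_encode` of a string yields a double-quoted JS literal and, with default flags, escapes `/` so a `</script>` sequence in the text cannot close the block.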
@@ -3934,8 +3952,8 @@ selector();
                        $this->error(_ERROR_DUPTEMPLATENAME);\r
 \r
 \r
                        $this->error(_ERROR_DUPTEMPLATENAME);\r
 \r
 \r
-               $name = addslashes($name);\r
-               $desc = addslashes($desc);\r
+               $name = sql_real_escape_string($name);\r
+               $desc = sql_real_escape_string($desc);\r
 \r
                // 1. Remove all template parts\r
                $query = 'DELETE FROM '.sql_table('template').' WHERE tdesc=' . $templateid;\r
 \r
                // 1. Remove all template parts\r
                $query = 'DELETE FROM '.sql_table('template').' WHERE tdesc=' . $templateid;\r
@@ -4001,8 +4019,8 @@ selector();
         * @todo document this\r
         */\r
        function addToTemplate($id, $partname, $content) {\r
         * @todo document this\r
         */\r
        function addToTemplate($id, $partname, $content) {\r
-               $partname = addslashes($partname);\r
-               $content = addslashes($content);\r
+               $partname = sql_real_escape_string($partname);\r
+               $content = sql_real_escape_string($content);\r
 \r
                $id = intval($id);\r
 \r
 \r
                $id = intval($id);\r
 \r
@@ -4638,7 +4656,7 @@ selector();
                $newid = intval($newid);\r
                $content = $skin->getContent($type);\r
                if ($content) {\r
                $newid = intval($newid);\r
                $content = $skin->getContent($type);\r
                if ($content) {\r
-                       $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". addslashes($content)."', '". addslashes($type)."')";\r
+                       $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". sql_real_escape_string($content)."', '". sql_real_escape_string($type)."')";\r
                        sql_query($query);\r
                }\r
        }\r
                        sql_query($query);\r
                }\r
        }\r
@@ -4720,12 +4738,18 @@ selector();
                                <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
                                <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle) )\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg("^(.*)\.php$",$filename,$matches)\r
+                                       if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
                                                $name = $matches[1];\r
-                                               echo "<option value='$name'";\r
+                                               echo "<option value=\"$name\"";\r
                                                if ($name == $CONF['Language'])\r
                                                if ($name == $CONF['Language'])\r
-                                                       echo " selected='selected'";\r
+                                               {\r
+                                                       echo " selected=\"selected\"";\r
+                                               }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
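Review bot: `while ($filename = readdir($dirhandle))` stops early on a directory entry whose name is the string `"0"`, because the loop tests truthiness rather than the `false` end-of-directory sentinel; the rewrite kept this, and the plugin-candidate hunk at @@ -5901 has the same loop. Use `while (($filename = readdir($dirhandle)) !== false)` in both places. Separately, `$name` (derived from a file name in `$DIR_LANG`) is echoed into the `value` attribute and the option text without HTML escaping, while the comparison `$name == $CONF['Language']` is loose; `echo '<option value="' . htmlspecialchars($name) . '"';` and `===` would make the output context-safe and the match exact. The enclosing method starts outside this hunk, and `opendir()`'s return is not checked before `readdir`.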
@@ -5129,8 +5153,8 @@ selector();
         * @todo document this\r
         */\r
        function updateConfig($name, $val) {\r
         * @todo document this\r
         */\r
        function updateConfig($name, $val) {\r
-               $name = addslashes($name);\r
-               $val = trim(addslashes($val));\r
+               $name = sql_real_escape_string($name);\r
+               $val = trim(sql_real_escape_string($val));\r
 \r
                $query = 'UPDATE '.sql_table('config')\r
                           . " SET value='$val'"\r
 \r
                $query = 'UPDATE '.sql_table('config')\r
                           . " SET value='$val'"\r
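Review bot: `trim(sql_real_escape_string($val))` runs `trim` after escaping, and since `sql_real_escape_string` turns a trailing newline, carriage return or NUL into a two-character backslash sequence, `trim` no longer removes them — a behaviour change from the `addslashes` version, where those bytes were untouched and therefore trimmed. Swap the order: `$val = sql_real_escape_string(trim($val));`. As in the other hunks, the escaped value also overwrites `$val`, which matters only if the method uses it again after the UPDATE (the rest of the method is outside this hunk).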
@@ -5180,7 +5204,8 @@ selector();
 \r
                $baseUrl = htmlspecialchars($CONF['AdminURL']);\r
 \r
 \r
                $baseUrl = htmlspecialchars($CONF['AdminURL']);\r
 \r
-               ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
+               ?>\r
+               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
                <html <?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>\r
                <head>\r
                        <meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET ?>" />\r
                <html <?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>\r
                <head>\r
                        <meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET ?>" />\r
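Review bot: Moving the DOCTYPE onto its own line after `?>` means the line's leading indentation is now emitted before `<!DOCTYPE …>` (PHP swallows only the single newline that directly follows the closing tag, not the tabs on the next line). Browsers tolerate whitespace ahead of the doctype in text/html, so this is cosmetic, but if the intent was a clean document start keep the DOCTYPE immediately after `?>` or emit it with `echo` from inside the PHP block.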
@@ -5901,23 +5926,31 @@ selector();
                        </div></form>\r
 \r
                        <h3><?php echo _PLUGS_TITLE_NEW?></h3>\r
                        </div></form>\r
 \r
                        <h3><?php echo _PLUGS_TITLE_NEW?></h3>\r
-\r
-                       <?php                      // find a list of possibly non-installed plugins\r
+                       \r
+                       <?php\r
+                       // find a list of possibly non-installed plugins\r
                                $candidates = array();\r
                                global $DIR_PLUGINS;\r
                                $dirhandle = opendir($DIR_PLUGINS);\r
                                $candidates = array();\r
                                global $DIR_PLUGINS;\r
                                $dirhandle = opendir($DIR_PLUGINS);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg('^NP_(.*)\.php$',$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle) )\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg('^NP_(.*)\.php$',$filename,$matches)\r
+                                       if (preg_match('#^NP_(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
                                                // only show in list when not yet installed\r
                                                $name = $matches[1];\r
                                                // only show in list when not yet installed\r
-                                               $res = sql_query('SELECT * FROM '.sql_table('plugin').' WHERE pfile="NP_'.addslashes($name).'"');\r
+                                               $res = sql_query('SELECT * FROM ' . sql_table('plugin') . ' WHERE `pfile` = "NP_' . sql_real_escape_string($name) . '"');\r
                                                if (sql_num_rows($res) == 0)\r
                                                if (sql_num_rows($res) == 0)\r
-                                                       array_push($candidates,$name);\r
+                                               {\r
+                                                       array_push($candidates, $name);\r
+                                               }\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
-\r
-                               if (sizeof($candidates) > 0) {\r
+                               \r
+                               if (sizeof($candidates) > 0)\r
+                               {\r
                        ?>\r
 \r
                        <p><?php echo _PLUGS_ADD_TEXT?></p>\r
                        ?>\r
 \r
                        <p><?php echo _PLUGS_ADD_TEXT?></p>\r
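Review bot: The candidate scan issues one `SELECT * FROM … plugin WHERE pfile = …` per file in `$DIR_PLUGINS`, fetching full rows just to test existence; the escaping change is fine, but the loop shape is the thing to fix while touching it. Reading the installed `pfile` values once before the directory walk turns this into an `isset` lookup and drops the per-file query entirely. The `readdir` truthiness test here was already raised on the language-list hunk (@@ -4720), and `opendir($DIR_PLUGINS)` is likewise used without checking for `false`. The enclosing method starts and ends outside this hunk.
```php
// fetch the installed plugin files once instead of one SELECT per candidate file
$installed = array();
$res = sql_query('SELECT pfile FROM ' . sql_table('plugin'));
while ($row = sql_fetch_object($res)) {
        $installed[$row->pfile] = true;
}
// … unchanged: opendir / readdir / preg_match loop …
        $name = $matches[1];
        // only show in list when not yet installed
        if (!isset($installed['NP_' . $name])) {
                array_push($candidates, $name);
        }
// … unchanged: closedir and sizeof($candidates) branch …
```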
@@ -5927,14 +5960,20 @@ selector();
                                <input type='hidden' name='action' value='pluginadd' />\r
                                <?php $manager->addTicketHidden() ?>\r
                                <select name="filename" tabindex="30">\r
                                <input type='hidden' name='action' value='pluginadd' />\r
                                <?php $manager->addTicketHidden() ?>\r
                                <select name="filename" tabindex="30">\r
-                               <?php                              foreach($candidates as $name)\r
-                                               echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+                               <?php   \r
+                               foreach($candidates as $name)\r
+                               {\r
+                                       echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+                               }\r
                                ?>\r
                                </select>\r
                                <input type='submit' tabindex="40" value='<?php echo _PLUGS_BTN_INSTALL?>' />\r
                        </div></form>\r
 \r
                                ?>\r
                                </select>\r
                                <input type='submit' tabindex="40" value='<?php echo _PLUGS_BTN_INSTALL?>' />\r
                        </div></form>\r
 \r
-               <?php              } else {     // sizeof(candidates) == 0\r
+               <?php\r
+                               }\r
+                               else\r
+                               {\r
                                echo '<p>',_PLUGS_NOCANDIDATES,'</p>';\r
                        }\r
 \r
                                echo '<p>',_PLUGS_NOCANDIDATES,'</p>';\r
                        }\r
 \r
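Review bot: The `<option>` line escapes `$name` for the element text but not for the `value="NP_…"` attribute, so the same string is treated as safe in one HTML context and not the other. `$name` is a file-name capture rather than request input, which limits the exposure, but attribute and text contexts should be escaped alike: `echo '<option value="NP_', htmlspecialchars($name), '">', htmlspecialchars($name), '</option>';`. The surrounding `if`/`else` that this hunk reformats begins in the previous hunk.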
@@ -5969,7 +6008,7 @@ selector();
                if (($plug->supportsFeature('HelpPage') > 0) && (@file_exists($helpFile))) {\r
                        @readfile($helpFile);\r
                } else {\r
                if (($plug->supportsFeature('HelpPage') > 0) && (@file_exists($helpFile))) {\r
                        @readfile($helpFile);\r
                } else {\r
-                       echo '<p>' . _ERROR .': ', _ERROR_PLUGNOHELPFILE,'</p>';\r
+                       echo '<p>Error: ', _ERROR_PLUGNOHELPFILE,'</p>';\r
                        echo '<p><a href="index.php?action=pluginlist">(',_BACK,')</a></p>';\r
                }\r
 \r
                        echo '<p><a href="index.php?action=pluginlist">(',_BACK,')</a></p>';\r
                }\r
 \r
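Review bot: Replacing `_ERROR . ':'` with the literal `'Error: '` drops the translated prefix, so this message is now hard-coded English while `_ERROR_PLUGNOHELPFILE` next to it stays localised. If the change was made because some language file lacks `_ERROR`, the commit's own pattern from the blog-creation hunks applies: `echo '<p>', (defined('_ERROR') ? _ERROR : 'Error'), ': ', _ERROR_PLUGNOHELPFILE, '</p>';`. The enclosing method starts outside this hunk.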
@@ -6008,7 +6047,7 @@ selector();
                );\r
 \r
                // do this before calling getPlugin (in case the plugin id is used there)\r
                );\r
 \r
                // do this before calling getPlugin (in case the plugin id is used there)\r
-               $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.addslashes($name).'")';\r
+               $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.sql_real_escape_string($name).'")';\r
                sql_query($query);\r
                $iPid = sql_insert_id();\r
 \r
                sql_query($query);\r
                $iPid = sql_insert_id();\r
 \r
@@ -6094,7 +6133,7 @@ selector();
                        {\r
                                $eventList = $plug->getEventList();\r
                                foreach ($eventList as $eventName)\r
                        {\r
                                $eventList = $plug->getEventList();\r
                                foreach ($eventList as $eventName)\r
-                                       sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.addslashes($eventName).'\')');\r
+                                       sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.sql_real_escape_string($eventName).'\')');\r
                        }\r
                }\r
 \r
                        }\r
                }\r
 \r
@@ -6399,7 +6438,7 @@ selector();
 \r
                // get list of oids per pid\r
                $query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ',' . sql_table('plugin')\r
 \r
                // get list of oids per pid\r
                $query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ',' . sql_table('plugin')\r
-                          . ' WHERE opid=pid and ocontext=\''.addslashes($context).'\' ORDER BY porder, oid ASC';\r
+                          . ' WHERE opid=pid and ocontext=\''.sql_real_escape_string($context).'\' ORDER BY porder, oid ASC';\r
                $res = sql_query($query);\r
                $aOptions = array();\r
                while ($o = sql_fetch_object($res)) {\r
                $res = sql_query($query);\r
                $aOptions = array();\r
                while ($o = sql_fetch_object($res)) {\r
@@ -6432,22 +6471,19 @@ selector();
                        // new plugin?\r
                        if ($iPrevPid != $aOption['pid']) {\r
                                $iPrevPid = $aOption['pid'];\r
                        // new plugin?\r
                        if ($iPrevPid != $aOption['pid']) {\r
                                $iPrevPid = $aOption['pid'];\r
-\r
-\r
-\r
+                               if (!defined('_PLUGIN_OPTIONS_TITLE')) {\r
+                                       define('_PLUGIN_OPTIONS_TITLE', 'Options for %s');\r
+                               }\r
                                echo '<tr><th colspan="2">'.sprintf(_PLUGIN_OPTIONS_TITLE, htmlspecialchars($aOption['pfile'], ENT_QUOTES)).'</th></tr>';\r
                        }\r
                                echo '<tr><th colspan="2">'.sprintf(_PLUGIN_OPTIONS_TITLE, htmlspecialchars($aOption['pfile'], ENT_QUOTES)).'</th></tr>';\r
                        }\r
-\r
+                       \r
                        $meta = NucleusPlugin::getOptionMeta($aOption['typeinfo']);\r
                        if (@$meta['access'] != 'hidden') {\r
                                echo '<tr>';\r
                                listplug_plugOptionRow($aOption);\r
                                echo '</tr>';\r
                        }\r
                        $meta = NucleusPlugin::getOptionMeta($aOption['typeinfo']);\r
                        if (@$meta['access'] != 'hidden') {\r
                                echo '<tr>';\r
                                listplug_plugOptionRow($aOption);\r
                                echo '</tr>';\r
                        }\r
-\r
                }\r
                }\r
-\r
-\r
        }\r
 \r
        /**\r
        }\r
 \r
        /**\r
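Review bot: The `if (!defined('_PLUGIN_OPTIONS_TITLE')) { define(…); }` fallback sits inside the per-option loop, in the "new plugin" branch, so a constant is being (conditionally) defined during output iteration; it is correct but reads as if the define were per-plugin. Hoist it to the top of the method (whose start is outside this hunk) alongside the query, or into the language bootstrap where the other `defined()` fallbacks in this commit belong, and leave the loop body to `echo '<tr><th colspan="2">' . sprintf(_PLUGIN_OPTIONS_TITLE, …)`. The `@$meta['access']` suppression in the same loop would be clearer as `isset($meta['access']) && $meta['access'] != 'hidden'` negated appropriately, but that is pre-existing.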
index d7271b0..972f33b 100755 (executable)
@@ -57,7 +57,7 @@ class BAN {
                );
 
                $query = 'INSERT INTO '.sql_table('ban')." (blogid, iprange, reason) VALUES "
                );
 
                $query = 'INSERT INTO '.sql_table('ban')." (blogid, iprange, reason) VALUES "
-                          . "($blogid,'".addslashes($iprange)."','".addslashes($reason)."')";
+                          . "($blogid,'".sql_real_escape_string($iprange)."','".sql_real_escape_string($reason)."')";
                $res = sql_query($query);
 
                $manager->notify(
                $res = sql_query($query);
 
                $manager->notify(
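Review bot: `$blogid` is interpolated directly into the `INSERT INTO … ban` statement while `$iprange` and `$reason` now go through `sql_real_escape_string`; this is only safe if `$blogid` was cast with `intval()` above the hunk, which is not visible here. The DELETE hunk at @@ -82 interpolates `$blogid` the same way. If the cast is not already there, `$blogid = intval($blogid);` at the top of each method closes the gap and makes the numeric intent explicit.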
@@ -82,7 +82,7 @@ class BAN {
 
                $manager->notify('PreDeleteBan', array('blogid' => $blogid, 'range' => $iprange));
 
 
                $manager->notify('PreDeleteBan', array('blogid' => $blogid, 'range' => $iprange));
 
-               $query = 'DELETE FROM '.sql_table('ban')." WHERE blogid=$blogid and iprange='" .addslashes($iprange). "'";
+               $query = 'DELETE FROM '.sql_table('ban')." WHERE blogid=$blogid and iprange='" .sql_real_escape_string($iprange). "'";
                sql_query($query);
 
                $result = (sql_affected_rows() > 0);
                sql_query($query);
 
                $result = (sql_affected_rows() > 0);
index 18af84b..a922e1e 100755 (executable)
@@ -25,1273 +25,1285 @@ require_once dirname(__FILE__) . '/ITEMACTIONS.php';
 
 class BLOG {
 
 
 class BLOG {
 
-    // blog id
-    var $blogid;
-
-    // ID of currently selected category
-    var $selectedcatid;
-
-    // After creating an object of the blog class, contains true if the BLOG object is
-    // valid (the blog exists)
-    var $isValid;
-
-    // associative array, containing all blogsettings (use the get/set functions instead)
-    var $settings;
-
-    /**
-     * Creates a new BLOG object for the given blog
-     *
-     * @param $id blogid
-     */
-    function BLOG($id) {
-        $this->blogid = intval($id);
-        $this->readSettings();
-
-        // try to set catid
-        // (the parse functions in SKIN.php will override this, so it's mainly useless)
-        global $catid;
-        $this->setSelectedCategory($catid);
-    }
-
-    /**
-     * Shows the given amount of items for this blog
-     *
-     * @param $template
-     *      String representing the template _NAME_ (!)
-     * @param $amountEntries
-     *      amount of entries to show
-     * @param $startpos
-     *      offset from where items should be shown (e.g. 5 = start at fifth item)
-     * @returns int
-     *      amount of items shown
-     */
-    function readLog($template, $amountEntries, $offset = 0, $startpos = 0) {
-        return $this->readLogAmount($template,$amountEntries,'','',1,1,$offset, $startpos);
-    }
-
-    /**
-     * Shows an archive for a given month
-     *
-     * @param $year
-     *      year
-     * @param $month
-     *      month
-     * @param $template
-     *      String representing the template name to be used
-     */
-    function showArchive($templatename, $year, $month = 0, $day = 0) {
-
-        // create extra where clause for select query
-        if ($day == 0 && $month != 0) {
-            $timestamp_start = mktime(0,0,0,$month,1,$year);
-            $timestamp_end = mktime(0,0,0,$month+1,1,$year);  // also works when $month==12
-        } elseif ($month == 0) {
-            $timestamp_start = mktime(0,0,0,1,1,$year);
-            $timestamp_end = mktime(0,0,0,12,31,$year);  // also works when $month==12
-        } else {
-            $timestamp_start = mktime(0,0,0,$month,$day,$year);
-            $timestamp_end = mktime(0,0,0,$month,$day+1,$year);
-        }
-        $extra_query = ' and i.itime>=' . mysqldate($timestamp_start)
-                     . ' and i.itime<' . mysqldate($timestamp_end);
-
-
-        $this->readLogAmount($templatename,0,$extra_query,'',1,1);
-
-    }
-
-
-    // sets/gets current category (only when category exists)
-    function setSelectedCategory($catid) {
-        if ($this->isValidCategory($catid) || (intval($catid) == 0))
-            $this->selectedcatid = intval($catid);
-    }
-
-    function setSelectedCategoryByName($catname) {
-        $this->setSelectedCategory($this->getCategoryIdFromName($catname));
-    }
-
-    function getSelectedCategory() {
-        return $this->selectedcatid;
-    }
-
-    /**
-     * Shows the given amount of items for this blog
-     *
-     * @param $template
-     *      String representing the template _NAME_ (!)
-     * @param $amountEntries
-     *      amount of entries to show (0 = no limit)
-     * @param $extraQuery
-     *      extra conditions to be added to the query
-     * @param $highlight
-     *      contains a query that should be highlighted
-     * @param $comments
-     *      1=show comments 0=don't show comments
-     * @param $dateheads
-     *      1=show dateheads 0=don't show dateheads
-     * @param $offset
-     *      offset
-     * @returns int
-     *      amount of items shown
-     */
-    function readLogAmount($template, $amountEntries, $extraQuery, $highlight, $comments, $dateheads, $offset = 0, $startpos = 0) {
-
-        $query = $this->getSqlBlog($extraQuery);
-
-        if ($amountEntries > 0) {
-                // $offset zou moeten worden:
-                // (($startpos / $amountentries) + 1) * $offset ... later testen ...
-               $query .= ' LIMIT ' . intval($startpos + $offset).',' . intval($amountEntries);
-        }
-        return $this->showUsingQuery($template, $query, $highlight, $comments, $dateheads);
-    }
-
-    function showUsingQuery($templateName, $query, $highlight = '', $comments = 0, $dateheads = 1) {
-        global $CONF, $manager;
-
-        $lastVisit = cookieVar($CONF['CookiePrefix'] .'lastVisit');
-        if ($lastVisit != 0)
-            $lastVisit = $this->getCorrectTime($lastVisit);
-
-        // set templatename as global variable (so plugins can access it)
-        global $currentTemplateName;
-        $currentTemplateName = $templateName;
-
-        $template =& $manager->getTemplate($templateName);
-
-        // create parser object & action handler
-        $actions =& new ITEMACTIONS($this);
-        $parser =& new PARSER($actions->getDefinedActions(),$actions);
-        $actions->setTemplate($template);
-        $actions->setHighlight($highlight);
-        $actions->setLastVisit($lastVisit);
-        $actions->setParser($parser);
-        $actions->setShowComments($comments);
-
-        // execute query
-        $items = sql_query($query);
-
-        // loop over all items
-        $old_date = 0;
-        while ($item = sql_fetch_object($items)) {
-
-            $item->timestamp = strtotime($item->itime); // string timestamp -> unix timestamp
-
-            // action handler needs to know the item we're handling
-            $actions->setCurrentItem($item);
-
-            // add date header if needed
-            if ($dateheads) {
-                $new_date = date('dFY',$item->timestamp);
-                if ($new_date != $old_date) {
-                    // unless this is the first time, write date footer
-                    $timestamp = $item->timestamp;
-                    if ($old_date != 0) {
-                        $oldTS = strtotime($old_date);
-                        $manager->notify('PreDateFoot',array('blog' => &$this, 'timestamp' => $oldTS));
-                        $tmp_footer = strftime(isset($template['DATE_FOOTER'])?$template['DATE_FOOTER']:'', $oldTS);
-                        $parser->parse($tmp_footer);
-                        $manager->notify('PostDateFoot',array('blog' => &$this, 'timestamp' => $oldTS));
-                    }
-                    $manager->notify('PreDateHead',array('blog' => &$this, 'timestamp' => $timestamp));
-                    // note, to use templatvars in the dateheader, the %-characters need to be doubled in
-                    // order to be preserved by strftime
-                    $tmp_header = strftime((isset($template['DATE_HEADER']) ? $template['DATE_HEADER'] : null), $timestamp);
-                    $parser->parse($tmp_header);
-                    $manager->notify('PostDateHead',array('blog' => &$this, 'timestamp' => $timestamp));
-                }
-                $old_date = $new_date;
-            }
-
-            // parse item
-            $parser->parse($template['ITEM_HEADER']);
-            $manager->notify('PreItem', array('blog' => &$this, 'item' => &$item));
-            $parser->parse($template['ITEM']);
-            $manager->notify('PostItem', array('blog' => &$this, 'item' => &$item));
-            $parser->parse($template['ITEM_FOOTER']);
-
-        }
-
-        $numrows = sql_num_rows($items);
-
-        // add another date footer if there was at least one item
-        if (($numrows > 0) && $dateheads) {
-            $manager->notify('PreDateFoot',array('blog' => &$this, 'timestamp' => strtotime($old_date)));
-            $parser->parse($template['DATE_FOOTER']);
-            $manager->notify('PostDateFoot',array('blog' => &$this, 'timestamp' => strtotime($old_date)));
-        }
-
-        sql_free_result($items);    // free memory
-
-        return $numrows;
-
-    }
-
-    function showOneitem($itemid, $template, $highlight) {
-        $extraQuery = ' and inumber=' . intval($itemid);
-
-        return $this->readLogAmount($template, 1, $extraQuery, $highlight, 0, 0);
-    }
-
-
-    /**
-      * Adds an item to this blog
-      */
-    function additem($catid, $title, $body, $more, $blogid, $authorid, $timestamp, $closed, $draft, $posted='1') {
-        global $manager;
-
-        $blogid     = intval($blogid);
-        $authorid   = intval($authorid);
-        $title      = $title;
-        $body       = $body;
-        $more       = $more;
-        $catid      = intval($catid);
-
-        // convert newlines to <br />
-        if ($this->convertBreaks()) {
-            $body = addBreaks($body);
-            $more = addBreaks($more);
-        }
+       // blog id
+       var $blogid;
+
+       // ID of currently selected category
+       var $selectedcatid;
+
+       // After creating an object of the blog class, contains true if the BLOG object is
+       // valid (the blog exists)
+       var $isValid;
+
+       // associative array, containing all blogsettings (use the get/set functions instead)
+       var $settings;
+
+       /**
+        * Creates a new BLOG object for the given blog
+        *
+        * @param $id blogid
+        */
+       function BLOG($id) {
+               $this->blogid = intval($id);
+               $this->readSettings();
+
+               // try to set catid
+               // (the parse functions in SKIN.php will override this, so it's mainly useless)
+               global $catid;
+               $this->setSelectedCategory($catid);
+       }
+
+       /**
+        * Shows the given amount of items for this blog
+        *
+        * @param $template
+        *        String representing the template _NAME_ (!)
+        * @param $amountEntries
+        *        amount of entries to show
+        * @param $startpos
+        *        offset from where items should be shown (e.g. 5 = start at fifth item)
+        * @returns int
+        *        amount of items shown
+        */
+       function readLog($template, $amountEntries, $offset = 0, $startpos = 0) {
+               return $this->readLogAmount($template,$amountEntries,'','',1,1,$offset, $startpos);
+       }
+
+       /**
+        * Shows an archive for a given month
+        *
+        * @param $year
+        *        year
+        * @param $month
+        *        month
+        * @param $template
+        *        String representing the template name to be used
+        */
+       function showArchive($templatename, $year, $month = 0, $day = 0) {
+
+               // create extra where clause for select query
+               if ($day == 0 && $month != 0) {
+                       $timestamp_start = mktime(0,0,0,$month,1,$year);
+                       $timestamp_end = mktime(0,0,0,$month+1,1,$year);  // also works when $month==12
+               } elseif ($month == 0) {
+                       $timestamp_start = mktime(0,0,0,1,1,$year);
+                       $timestamp_end = mktime(0,0,0,12,31,$year);  // also works when $month==12
+               } else {
+                       $timestamp_start = mktime(0,0,0,$month,$day,$year);
+                       $timestamp_end = mktime(0,0,0,$month,$day+1,$year);
+               }
+               $extra_query = ' and i.itime>=' . mysqldate($timestamp_start)
+                                        . ' and i.itime<' . mysqldate($timestamp_end);
+
+
+               $this->readLogAmount($templatename,0,$extra_query,'',1,1);
+
+       }
+
+
+       // sets/gets current category (only when category exists)
+       function setSelectedCategory($catid) {
+               if ($this->isValidCategory($catid) || (intval($catid) == 0))
+                       $this->selectedcatid = intval($catid);
+       }
+
+       function setSelectedCategoryByName($catname) {
+               $this->setSelectedCategory($this->getCategoryIdFromName($catname));
+       }
+
+       function getSelectedCategory() {
+               return $this->selectedcatid;
+       }
+
+       /**
+        * Shows the given amount of items for this blog
+        *
+        * @param $template
+        *        String representing the template _NAME_ (!)
+        * @param $amountEntries
+        *        amount of entries to show (0 = no limit)
+        * @param $extraQuery
+        *        extra conditions to be added to the query
+        * @param $highlight
+        *        contains a query that should be highlighted
+        * @param $comments
+        *        1=show comments 0=don't show comments
+        * @param $dateheads
+        *        1=show dateheads 0=don't show dateheads
+        * @param $offset
+        *        offset
+        * @returns int
+        *        amount of items shown
+        */
+       function readLogAmount($template, $amountEntries, $extraQuery, $highlight, $comments, $dateheads, $offset = 0, $startpos = 0) {
+
+               $query = $this->getSqlBlog($extraQuery);
+
+               if ($amountEntries > 0) {
+                               // $offset zou moeten worden:
+                               // (($startpos / $amountentries) + 1) * $offset ... later testen ...
+                          $query .= ' LIMIT ' . intval($startpos + $offset).',' . intval($amountEntries);
+               }
+               return $this->showUsingQuery($template, $query, $highlight, $comments, $dateheads);
+       }
+
+       function showUsingQuery($templateName, $query, $highlight = '', $comments = 0, $dateheads = 1) {
+               global $CONF, $manager;
+
+               $lastVisit = cookieVar($CONF['CookiePrefix'] .'lastVisit');
+               if ($lastVisit != 0)
+                       $lastVisit = $this->getCorrectTime($lastVisit);
+
+               // set templatename as global variable (so plugins can access it)
+               global $currentTemplateName;
+               $currentTemplateName = $templateName;
+
+               $template =& $manager->getTemplate($templateName);
+
+               // create parser object & action handler
+               $actions =& new ITEMACTIONS($this);
+               $parser =& new PARSER($actions->getDefinedActions(),$actions);
+               $actions->setTemplate($template);
+               $actions->setHighlight($highlight);
+               $actions->setLastVisit($lastVisit);
+               $actions->setParser($parser);
+               $actions->setShowComments($comments);
+
+               // execute query
+               $items = sql_query($query);
+
+               // loop over all items
+               $old_date = 0;
+               while ($item = sql_fetch_object($items)) {
+
+                       $item->timestamp = strtotime($item->itime); // string timestamp -> unix timestamp
+
+                       // action handler needs to know the item we're handling
+                       $actions->setCurrentItem($item);
+
+                       // add date header if needed
+                       if ($dateheads) {
+                               $new_date = date('dFY',$item->timestamp);
+                               if ($new_date != $old_date) {
+                                       // unless this is the first time, write date footer
+                                       $timestamp = $item->timestamp;
+                                       if ($old_date != 0) {
+                                               $oldTS = strtotime($old_date);
+                                               $manager->notify('PreDateFoot',array('blog' => &$this, 'timestamp' => $oldTS));
+                                               $tmp_footer = strftime(isset($template['DATE_FOOTER'])?$template['DATE_FOOTER']:'', $oldTS);
+                                               $parser->parse($tmp_footer);
+                                               $manager->notify('PostDateFoot',array('blog' => &$this, 'timestamp' => $oldTS));
+                                       }
+                                       $manager->notify('PreDateHead',array('blog' => &$this, 'timestamp' => $timestamp));
+                                       // note, to use templatvars in the dateheader, the %-characters need to be doubled in
+                                       // order to be preserved by strftime
+                                       $tmp_header = strftime((isset($template['DATE_HEADER']) ? $template['DATE_HEADER'] : null), $timestamp);
+                                       $parser->parse($tmp_header);
+                                       $manager->notify('PostDateHead',array('blog' => &$this, 'timestamp' => $timestamp));
+                               }
+                               $old_date = $new_date;
+                       }
+
+                       // parse item
+                       $parser->parse($template['ITEM_HEADER']);
+                       $manager->notify('PreItem', array('blog' => &$this, 'item' => &$item));
+                       $parser->parse($template['ITEM']);
+                       $manager->notify('PostItem', array('blog' => &$this, 'item' => &$item));
+                       $parser->parse($template['ITEM_FOOTER']);
+
+               }
+
+               $numrows = sql_num_rows($items);
+
+               // add another date footer if there was at least one item
+               if (($numrows > 0) && $dateheads) {
+                       $manager->notify('PreDateFoot',array('blog' => &$this, 'timestamp' => strtotime($old_date)));
+                       $parser->parse($template['DATE_FOOTER']);
+                       $manager->notify('PostDateFoot',array('blog' => &$this, 'timestamp' => strtotime($old_date)));
+               }
+
+               sql_free_result($items);        // free memory
+
+               return $numrows;
+
+       }
+
+       function showOneitem($itemid, $template, $highlight) {
+               $extraQuery = ' and inumber=' . intval($itemid);
+
+               return $this->readLogAmount($template, 1, $extraQuery, $highlight, 0, 0);
+       }
+
+
+       /**
+         * Adds an item to this blog
+         */
+       function additem($catid, $title, $body, $more, $blogid, $authorid, $timestamp, $closed, $draft, $posted='1') {
+               global $manager;
+
+               $blogid  = intval($blogid);
+               $authorid   = intval($authorid);
+               $title    = $title;
+               $body      = $body;
+               $more      = $more;
+               $catid    = intval($catid);
+
+               // convert newlines to <br />
+               if ($this->convertBreaks()) {
+                       $body = addBreaks($body);
+                       $more = addBreaks($more);
+               }
 
 
-        if ($closed != '1') $closed = '0';
-        if ($draft != '0') $draft = '1';
+               if ($closed != '1') $closed = '0';
+               if ($draft != '0') $draft = '1';
 
 
-        if (!$this->isValidCategory($catid))
-            $catid = $this->getDefaultCategory();
-
-        if ($timestamp > $this->getCorrectTime())
-            $isFuture = 1;
-
-        $timestamp = date('Y-m-d H:i:s',$timestamp);
+               if (!$this->isValidCategory($catid))
+                       $catid = $this->getDefaultCategory();
+
+               if ($timestamp > $this->getCorrectTime())
+                       $isFuture = 1;
+
+               $timestamp = date('Y-m-d H:i:s',$timestamp);
 
 
-        $manager->notify('PreAddItem',array('title' => &$title, 'body' => &$body, 'more' => &$more, 'blog' => &$this, 'authorid' => &$authorid, 'timestamp' => &$timestamp, 'closed' => &$closed, 'draft' => &$draft, 'catid' => &$catid));
+               $manager->notify('PreAddItem',array('title' => &$title, 'body' => &$body, 'more' => &$more, 'blog' => &$this, 'authorid' => &$authorid, 'timestamp' => &$timestamp, 'closed' => &$closed, 'draft' => &$draft, 'catid' => &$catid));
 
 
-        $title = addslashes($title);
-        $body = addslashes($body);
-        $more = addslashes($more);
+               $title = sql_real_escape_string($title);
+               $body = sql_real_escape_string($body);
+               $more = sql_real_escape_string($more);
 
 
-        $query = 'INSERT INTO '.sql_table('item').' (ITITLE, IBODY, IMORE, IBLOG, IAUTHOR, ITIME, ICLOSED, IDRAFT, ICAT, IPOSTED) '
-               . "VALUES ('$title', '$body', '$more', $blogid, $authorid, '$timestamp', $closed, $draft, $catid, $posted)";
-        sql_query($query);
-        $itemid = sql_insert_id();
+               $query = 'INSERT INTO '.sql_table('item').' (ITITLE, IBODY, IMORE, IBLOG, IAUTHOR, ITIME, ICLOSED, IDRAFT, ICAT, IPOSTED) '
+                          . "VALUES ('$title', '$body', '$more', $blogid, $authorid, '$timestamp', $closed, $draft, $catid, $posted)";
+               sql_query($query);
+               $itemid = sql_insert_id();
 
 
-        $manager->notify('PostAddItem',array('itemid' => $itemid));
+               $manager->notify('PostAddItem',array('itemid' => $itemid));
 
 
-        if (!$draft)
-            $this->updateUpdateFile();
+               if (!$draft)
+                       $this->updateUpdateFile();
 
 
-        // send notification mail
-        if (!$draft && !$isFuture && $this->getNotifyAddress() && $this->notifyOnNewItem())
-            $this->sendNewItemNotification($itemid, stripslashes($title), stripslashes($body));
+               // send notification mail
+               if (!$draft && !$isFuture && $this->getNotifyAddress() && $this->notifyOnNewItem())
+                       $this->sendNewItemNotification($itemid, stripslashes($title), stripslashes($body));
 
 
-        return $itemid;
-    }
+               return $itemid;
+       }
 
 
-    function sendNewItemNotification($itemid, $title, $body) {
-        global $CONF, $member;
+       function sendNewItemNotification($itemid, $title, $body) {
+               global $CONF, $member;
 
 
-        // create text version of html post
-        $ascii = toAscii($body);
+               // create text version of html post
+               $ascii = toAscii($body);
 
 
-        $mailto_msg = _NOTIFY_NI_MSG . " \n";
+               $mailto_msg = _NOTIFY_NI_MSG . " \n";
 //             $mailto_msg .= $CONF['IndexURL'] . 'index.php?itemid=' . $itemid . "\n\n";
 //             $mailto_msg .= $CONF['IndexURL'] . 'index.php?itemid=' . $itemid . "\n\n";
-        $temp = parse_url($CONF['Self']);
-        if ($temp['scheme']) {
-            $mailto_msg .= createItemLink($itemid) . "\n\n";
-        } else {
-            $tempurl = $this->getURL();
-            if (substr($tempurl, -1) == '/' || substr($tempurl, -4) == '.php') {
-                $mailto_msg .= $tempurl . '?itemid=' . $itemid . "\n\n";
-            } else {
-                $mailto_msg .= $tempurl . '/?itemid=' . $itemid . "\n\n";
-            }
-        }
-        $mailto_msg .= _NOTIFY_TITLE . ' ' . strip_tags($title) . "\n";
-        $mailto_msg .= _NOTIFY_CONTENTS . "\n " . $ascii . "\n";
-        $mailto_msg .= getMailFooter();
-
-        $mailto_title = $this->getName() . ': ' . _NOTIFY_NI_TITLE;
-
-        $frommail = $member->getNotifyFromMailAddress();
-
-        $notify =& new NOTIFICATION($this->getNotifyAddress());
-        $notify->notify($mailto_title, $mailto_msg , $frommail);
-
-
-
-    }
-
-
-    /**
-      * Creates a new category for this blog
-      *
-      * @param $catName
-      *     name of the new category. When empty, a name is generated automatically
-      *     (starting with newcat)
-      * @param $catDescription
-      *     description of the new category. Defaults to 'New Category'
-      *
-      * @returns
-      *     the new category-id in case of success.
-      *     0 on failure
-      */
-    function createNewCategory($catName = '', $catDescription = _CREATED_NEW_CATEGORY_DESC) {
-        global $member, $manager;
-
-        if ($member->blogAdminRights($this->getID())) {
-            // generate
-            if ($catName == '')
-            {
-                $catName = _CREATED_NEW_CATEGORY_NAME;
-                $i = 1;
-
-                $res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cname='".$catName.$i."' and cblog=".$this->getID());
-                while (sql_num_rows($res) > 0)
-                {
-                    $i++;
-                    $res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cname='".$catName.$i."' and cblog=".$this->getID());
-                }
-
-                $catName = $catName . $i;
-            }
-
-            $manager->notify(
-                'PreAddCategory',
-                array(
-                    'blog' => &$this,
-                    'name' => &$catName,
-                    'description' => $catDescription
-                )
-            );
-
-            $query = 'INSERT INTO '.sql_table('category').' (cblog, cname, cdesc) VALUES (' . $this->getID() . ", '" . addslashes($catName) . "', '" . addslashes($catDescription) . "')";
-            sql_query($query);
-            $catid = sql_insert_id();
-
-            $manager->notify(
-                'PostAddCategory',
-                array(
-                    'blog' => &$this,
-                    'name' => $catName,
-                    'description' => $catDescription,
-                    'catid' => $catid
-                )
-            );
-
-            return $catid;
-        } else {
-            return 0;
-        }
-
-    }
-
-
-    /**
-     * Searches all months of this blog for the given query
-     *
-     * @param $query
-     *      search query
-     * @param $template
-     *      template to be used (__NAME__ of the template)
-     * @param $amountMonths
-     *      max amount of months to be search (0 = all)
-     * @param $maxresults
-     *      max number of results to show
-     * @param $startpos
-     *      offset
-     * @returns
-     *      amount of hits found
-     */
-    function search($query, $template, $amountMonths, $maxresults, $startpos) {
-        global $CONF, $manager;
-
-        $highlight  = '';
-        $sqlquery   = $this->getSqlSearch($query, $amountMonths, $highlight);
-
-        if ($sqlquery == '')
-        {
-            // no query -> show everything
-            $extraquery = '';
-            $amountfound = $this->readLogAmount($template, $maxresults, $extraQuery, $query, 1, 1);
-        } else {
-
-            // add LIMIT to query (to split search results into pages)
-            if (intval($maxresults > 0))
-                $sqlquery .= ' LIMIT ' . intval($startpos).',' . intval($maxresults);
-
-            // show results
-            $amountfound = $this->showUsingQuery($template, $sqlquery, $highlight, 1, 1);
-
-            // when no results were found, show a message
-            if ($amountfound == 0)
-            {
-                $template =& $manager->getTemplate($template);
-                $vars = array(
-                    'query'     => htmlspecialchars($query),
-                    'blogid'    => $this->getID()
-                );
-                echo TEMPLATE::fill($template['SEARCH_NOTHINGFOUND'],$vars);
-            }
-        }
-
-        return $amountfound;
-    }
-
-    /**
-     * Returns an SQL query to use for a search query
-     *
-     * @param $query
-     *      search query
-     * @param $amountMonths
-     *      amount of months to search back. Default = 0 = unlimited
-     * @param $mode
-     *      either empty, or 'count'. In this case, the query will be a SELECT COUNT(*) query
-     * @returns $highlight
-     *      words to highlight (out parameter)
-     * @returns
-     *      either a full SQL query, or an empty string (if querystring empty)
-     * @note
-     *      No LIMIT clause is added. (caller should add this if multiple pages are requested)
-     */
-    function getSqlSearch($query, $amountMonths = 0, &$highlight, $mode = '')
-    {
-        $searchclass =& new SEARCH($query);
-
-        $highlight    = $searchclass->inclusive;
-
-        // if querystring is empty, return empty string
-        if ($searchclass->inclusive == '')
-            return '';
-
-
-        $where  = $searchclass->boolean_sql_where('ititle,ibody,imore');
-        $select = $searchclass->boolean_sql_select('ititle,ibody,imore');
-
-        // get list of blogs to search
-        $blogs      = $searchclass->blogs;      // array containing blogs that always need to be included
-        $blogs[]    = $this->getID();           // also search current blog (duh)
-        $blogs      = array_unique($blogs);     // remove duplicates
-        $selectblogs = '';
-        if (count($blogs) > 0)
-            $selectblogs = ' and i.iblog in (' . implode(',', $blogs) . ')';
-
-        if ($mode == '')
-        {
-            $query = 'SELECT i.inumber as itemid, i.ititle as title, i.ibody as body, m.mname as author, m.mrealname as authorname, i.itime, i.imore as more, m.mnumber as authorid, m.memail as authormail, m.murl as authorurl, c.cname as category, i.icat as catid, i.iclosed as closed';
-            if ($select)
-                $query .= ', '.$select. ' as score ';
-        } else {
-            $query = 'SELECT COUNT(*) as result ';
-        }
-
-        $query .= ' FROM '.sql_table('item').' as i, '.sql_table('member').' as m, '.sql_table('category').' as c'
-               . ' WHERE i.iauthor=m.mnumber'
-               . ' and i.icat=c.catid'
-               . ' and i.idraft=0'  // exclude drafts
-               . $selectblogs
-                    // don't show future items
-               . ' and i.itime<=' . mysqldate($this->getCorrectTime())
-               . ' and '.$where;
-
-        // take into account amount of months to search
-        if ($amountMonths > 0)
-        {
-            $localtime = getdate($this->getCorrectTime());
-            $timestamp_start = mktime(0,0,0,$localtime['mon'] - $amountMonths,1,$localtime['year']);
-            $query .= ' and i.itime>' . mysqldate($timestamp_start);
-        }
-
-        if ($mode == '')
-        {
-            if ($select)
-                $query .= ' ORDER BY score DESC';
-            else
-                $query .= ' ORDER BY i.itime DESC ';
-        }
-
-        return $query;
-    }
-
-    /**
-     * Returns the SQL query that's normally used to display the blog items on the index type skins
-     *
-     * @param $mode
-     *      either empty, or 'count'. In this case, the query will be a SELECT COUNT(*) query
-     * @returns
-     *      either a full SQL query, or an empty string
-     * @note
-     *      No LIMIT clause is added. (caller should add this if multiple pages are requested)
-     */
-    function getSqlBlog($extraQuery, $mode = '')
-    {
-        if ($mode == '')
-            $query = 'SELECT i.inumber as itemid, i.ititle as title, i.ibody as body, m.mname as author, m.mrealname as authorname, i.itime, i.imore as more, m.mnumber as authorid, m.memail as authormail, m.murl as authorurl, c.cname as category, i.icat as catid, i.iclosed as closed';
-        else
-            $query = 'SELECT COUNT(*) as result ';
-
-        $query .= ' FROM '.sql_table('item').' as i, '.sql_table('member').' as m, '.sql_table('category').' as c'
-               . ' WHERE i.iblog='.$this->blogid
-               . ' and i.iauthor=m.mnumber'
-               . ' and i.icat=c.catid'
-               . ' and i.idraft=0'  // exclude drafts
-                    // don't show future items
-               . ' and i.itime<=' . mysqldate($this->getCorrectTime());
-
-        if ($this->getSelectedCategory())
-            $query .= ' and i.icat=' . $this->getSelectedCategory() . ' ';
-
-
-        $query .= $extraQuery;
-
-        if ($mode == '')
-            $query .= ' ORDER BY i.itime DESC';
-
-        return $query;
-    }
-
-    /**
-      * Shows the archivelist using the given template
-      */
-    function showArchiveList($template, $mode = 'month', $limit = 0) {
-        global $CONF, $catid, $manager;
-
-        if (!isset ($linkparams)) {
-        $linkparams = array();
-        }
-
-        if ($catid) {
-            $linkparams = array('catid' => $catid);
-        }
-
-        $template =& $manager->getTemplate($template);
-        $data['blogid'] = $this->getID();
-
-        $tplt = isset($template['ARCHIVELIST_HEADER']) ? $template['ARCHIVELIST_HEADER']
-                                                       : '';
-        echo TEMPLATE::fill($tplt, $data);
-
-        $query = 'SELECT itime, SUBSTRING(itime,1,4) AS Year, SUBSTRING(itime,6,2) AS Month, SUBSTRING(itime,9,2) as Day FROM '.sql_table('item')
-        . ' WHERE iblog=' . $this->getID()
-        . ' and itime <=' . mysqldate($this->getCorrectTime())  // don't show future items!
-        . ' and idraft=0'; // don't show draft items
-
-        if ($catid)
-            $query .= ' and icat=' . intval($catid);
-
-        $query .= ' GROUP BY Year';
-        if ($mode == 'month' || $mode == 'day')
-            $query .= ', Month';
-        if ($mode == 'day')
-            $query .= ', Day';
-
-        $query .= ' ORDER BY itime DESC';
-
-        if ($limit > 0)
-            $query .= ' LIMIT ' . intval($limit);
-
-        $res = sql_query($query);
-
-        while ($current = sql_fetch_object($res)) {
-            $current->itime = strtotime($current->itime);   // string time -> unix timestamp
-
-            if ($mode == 'day') {
-                $archivedate      = date('Y-m-d',$current->itime);
-                $archive['day']   = date('d',$current->itime);
-                $data['day']      = date('d',$current->itime);
-                $data['month']    = date('m',$current->itime);
-                $archive['month'] = $data['month'];
-            } elseif ($mode == 'year') {
-                $archivedate      = date('Y',$current->itime);
-                $data['day']      = '';
-                $data['month']    = '';
-                $archive['day']   = '';
-                $archive['month'] = '';
-            } else {
-                $archivedate = date('Y-m',$current->itime);
-                $data['month'] = date('m',$current->itime);
-                $archive['month'] = $data['month'];
-                $data['day'] = '';
-                $archive['day'] = '';
-            }
-
-            $data['year'] = date('Y',$current->itime);
-            $archive['year'] = $data['year'];
-            $data['archivelink'] = createArchiveLink($this->getID(),$archivedate,$linkparams);
-
-            $manager->notify(
-                'PreArchiveListItem',
-                array(
-                    'listitem' => &$data
-                )
-            );
-
-            $temp = TEMPLATE::fill($template['ARCHIVELIST_LISTITEM'],$data);
-            echo strftime($temp,$current->itime);
-
-        }
-
-        sql_free_result($res);
-
-        $tplt = isset($template['ARCHIVELIST_FOOTER']) ? $template['ARCHIVELIST_FOOTER']
-                                                       : '';
-        echo TEMPLATE::fill($tplt, $data);
-    }
-
-
-    /**
-      * Shows the list of categories using a given template
-      */
-    function showCategoryList($template) {
-        global $CONF, $manager;
-
-        // determine arguments next to catids
-        // I guess this can be done in a better way, but it works
-        global $archive, $archivelist;
-
-        $linkparams = array();
-        if ($archive) {
-            $blogurl = createArchiveLink($this->getID(), $archive, '');
-            $linkparams['blogid'] = $this->getID();
-            $linkparams['archive'] = $archive;
-        } else if ($archivelist) {
-            $blogurl = createArchiveListLink($this->getID(), '');
-            $linkparams['archivelist'] = $archivelist;
-        } else {
-            $blogurl = createBlogidLink($this->getID(), '');
-            $linkparams['blogid'] = $this->getID();
-        }
-
-        //$blogurl = $this->getURL() . $qargs;
-        //$blogurl = createBlogLink($this->getURL(), $linkparams);
-
-        $template =& $manager->getTemplate($template);
-
-        echo TEMPLATE::fill((isset($template['CATLIST_HEADER']) ? $template['CATLIST_HEADER'] : null),
-                            array(
-                                'blogid' => $this->getID(),
-                                'blogurl' => $blogurl,
-                                'self' => $CONF['Self']
-                            ));
-
-        $query = 'SELECT catid, cdesc as catdesc, cname as catname FROM '.sql_table('category').' WHERE cblog=' . $this->getID() . ' ORDER BY cname ASC';
-        $res = sql_query($query);
-
-
-        while ($data = sql_fetch_assoc($res)) {
-            $data['blogid'] = $this->getID();
-            $data['blogurl'] = $blogurl;
-            $data['catlink'] = createLink(
-                                'category',
-                                array(
-                                    'catid' => $data['catid'],
-                                    'name' => $data['catname'],
-                                    'extra' => $linkparams
-                                )
-                               );
-            $data['self'] = $CONF['Self'];
-            
-            //catiscurrent
-            if ($this->getSelectedCategory()) {
-                if ($this->getSelectedCategory() == $data['catid']) {
-                    $data['catiscurrent'] = 'yes';
-                    $data['currentcat'] = 'yes';
-                }
-                else {
-                    $data['catiscurrent'] = 'no';
-                    $data['currentcat'] = 'no';
-                }
-            }
-            else {
-                global $itemid;
-                if (intval($itemid) && $manager->existsItem(intval($itemid),0,0)) {
-                    $iobj =& $manager->getItem(intval($itemid),0,0);
-                    $cid = $iobj['catid'];
-                    if ($cid == $data['catid']) {
-                        $data['catiscurrent'] = 'yes';
-                        $data['currentcat'] = 'yes';
-                    }
-                    else {
-                        $data['catiscurrent'] = 'no';
-                        $data['currentcat'] = 'no';
-                    }
-                }
-            }
-
-            $manager->notify(
-                'PreCategoryListItem',
-                array(
-                    'listitem' => &$data
-                )
-            );
-
-            echo TEMPLATE::fill((isset($template['CATLIST_LISTITEM']) ? $template['CATLIST_LISTITEM'] : null), $data);
-            //$temp = TEMPLATE::fill((isset($template['CATLIST_LISTITEM']) ? $template['CATLIST_LISTITEM'] : null), $data);
-            //echo strftime($temp, $current->itime);
-
-        }
-
-        sql_free_result($res);
-
-        echo TEMPLATE::fill((isset($template['CATLIST_FOOTER']) ? $template['CATLIST_FOOTER'] : null),
-                            array(
-                                'blogid' => $this->getID(),
-                                'blogurl' => $blogurl,
-                                'self' => $CONF['Self']
-                            ));
-    }
-
-    /**
-      * Shows a list of all blogs in the system using a given template
-      * ordered by  number, name, shortname or description
-      * in ascending or descending order
-      */
-    function showBlogList($template, $bnametype, $orderby, $direction) {
-        global $CONF, $manager;
-
-        switch ($orderby) {
-            case 'number':
-                $orderby='bnumber';
-                break;
-            case 'name':
-                $orderby='bname';
-                break;
-            case 'shortname':
-                $orderby='bshortname';
-                break;
-            case 'description':
-                $orderby='bdesc';
-                break;
-            default:
-                $orderby='bnumber';
-                break;
-        }
-
-        $direction=strtolower($direction);
-        switch ($direction) {
-            case 'asc':
-                $direction='ASC';
-                break;
-            case 'desc':
-                $direction='DESC';
-                break;
-            default:
-                $direction='ASC';
-                break;
-        }
-
-        $template =& $manager->getTemplate($template);
-
-        echo TEMPLATE::fill((isset($template['BLOGLIST_HEADER']) ? $template['BLOGLIST_HEADER'] : null),
-                            array(
-                                'sitename' => $CONF['SiteName'],
-                                'siteurl' => $CONF['IndexURL']
-                            ));
-
-        $query = 'SELECT bnumber, bname, bshortname, bdesc, burl FROM '.sql_table('blog').' ORDER BY '.$orderby.' '.$direction;
-        $res = sql_query($query);
-
-        while ($data = sql_fetch_assoc($res)) {
-
-            $list = array();
+               $temp = parse_url($CONF['Self']);
+               if ($temp['scheme']) {
+                       $mailto_msg .= createItemLink($itemid) . "\n\n";
+               } else {
+                       $tempurl = $this->getURL();
+                       if (substr($tempurl, -1) == '/' || substr($tempurl, -4) == '.php') {
+                               $mailto_msg .= $tempurl . '?itemid=' . $itemid . "\n\n";
+                       } else {
+                               $mailto_msg .= $tempurl . '/?itemid=' . $itemid . "\n\n";
+                       }
+               }
+               $mailto_msg .= _NOTIFY_TITLE . ' ' . strip_tags($title) . "\n";
+               $mailto_msg .= _NOTIFY_CONTENTS . "\n " . $ascii . "\n";
+               $mailto_msg .= getMailFooter();
+
+               $mailto_title = $this->getName() . ': ' . _NOTIFY_NI_TITLE;
+
+               $frommail = $member->getNotifyFromMailAddress();
+
+               $notify =& new NOTIFICATION($this->getNotifyAddress());
+               $notify->notify($mailto_title, $mailto_msg , $frommail);
+
+
+
+       }
+
+
+       /**
+         * Creates a new category for this blog
+         *
+         * @param $catName
+         *      name of the new category. When empty, a name is generated automatically
+         *      (starting with newcat)
+         * @param $catDescription
+         *      description of the new category. Defaults to 'New Category'
+         *
+         * @returns
+         *      the new category-id in case of success.
+         *      0 on failure
+         */
+       function createNewCategory($catName = '', $catDescription = _CREATED_NEW_CATEGORY_DESC) {
+               global $member, $manager;
+
+               if ($member->blogAdminRights($this->getID())) {
+                       // generate
+                       if ($catName == '')
+                       {
+                               $catName = _CREATED_NEW_CATEGORY_NAME;
+                               $i = 1;
+
+                               $res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cname='".$catName.$i."' and cblog=".$this->getID());
+                               while (sql_num_rows($res) > 0)
+                               {
+                                       $i++;
+                                       $res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cname='".$catName.$i."' and cblog=".$this->getID());
+                               }
+
+                               $catName = $catName . $i;
+                       }
+
+                       $manager->notify(
+                               'PreAddCategory',
+                               array(
+                                       'blog' => &$this,
+                                       'name' => &$catName,
+                                       'description' => $catDescription
+                               )
+                       );
+
+                       $query = 'INSERT INTO '.sql_table('category').' (cblog, cname, cdesc) VALUES (' . $this->getID() . ", '" . sql_real_escape_string($catName) . "', '" . sql_real_escape_string($catDescription) . "')";
+                       sql_query($query);
+                       $catid = sql_insert_id();
+
+                       $manager->notify(
+                               'PostAddCategory',
+                               array(
+                                       'blog' => &$this,
+                                       'name' => $catName,
+                                       'description' => $catDescription,
+                                       'catid' => $catid
+                               )
+                       );
+
+                       return $catid;
+               } else {
+                       return 0;
+               }
+
+       }
+
+
+       /**
+        * Searches all months of this blog for the given query
+        *
+        * @param $query
+        *        search query
+        * @param $template
+        *        template to be used (__NAME__ of the template)
+        * @param $amountMonths
+        *        max amount of months to be search (0 = all)
+        * @param $maxresults
+        *        max number of results to show
+        * @param $startpos
+        *        offset
+        * @returns
+        *        amount of hits found
+        */
+       function search($query, $template, $amountMonths, $maxresults, $startpos) {
+               global $CONF, $manager;
+
+               $highlight  = '';
+               $sqlquery   = $this->getSqlSearch($query, $amountMonths, $highlight);
+
+               if ($sqlquery == '')
+               {
+                       // no query -> show everything
+                       $extraquery = '';
+                       $amountfound = $this->readLogAmount($template, $maxresults, $extraQuery, $query, 1, 1);
+               } else {
+
+                       // add LIMIT to query (to split search results into pages)
+                       if (intval($maxresults > 0))
+                               $sqlquery .= ' LIMIT ' . intval($startpos).',' . intval($maxresults);
+
+                       // show results
+                       $amountfound = $this->showUsingQuery($template, $sqlquery, $highlight, 1, 1);
+
+                       // when no results were found, show a message
+                       if ($amountfound == 0)
+                       {
+                               $template =& $manager->getTemplate($template);
+                               $vars = array(
+                                       'query'  => htmlspecialchars($query),
+                                       'blogid'        => $this->getID()
+                               );
+                               echo TEMPLATE::fill($template['SEARCH_NOTHINGFOUND'],$vars);
+                       }
+               }
+
+               return $amountfound;
+       }
+
+       /**
+        * Returns an SQL query to use for a search query
+        *
+        * @param $query
+        *        search query
+        * @param $amountMonths
+        *        amount of months to search back. Default = 0 = unlimited
+        * @param $mode
+        *        either empty, or 'count'. In this case, the query will be a SELECT COUNT(*) query
+        * @returns $highlight
+        *        words to highlight (out parameter)
+        * @returns
+        *        either a full SQL query, or an empty string (if querystring empty)
+        * @note
+        *        No LIMIT clause is added. (caller should add this if multiple pages are requested)
+        */
+       function getSqlSearch($query, $amountMonths = 0, &$highlight, $mode = '')
+       {
+               $searchclass =& new SEARCH($query);
+
+               $highlight      = $searchclass->inclusive;
+
+               // if querystring is empty, return empty string
+               if ($searchclass->inclusive == '')
+                       return '';
+
+
+               $where  = $searchclass->boolean_sql_where('ititle,ibody,imore');
+               $select = $searchclass->boolean_sql_select('ititle,ibody,imore');
+
+               // get list of blogs to search
+               $blogs    = $searchclass->blogs;          // array containing blogs that always need to be included
+               $blogs[]        = $this->getID();                  // also search current blog (duh)
+               $blogs    = array_unique($blogs);        // remove duplicates
+               $selectblogs = '';
+               if (count($blogs) > 0)
+                       $selectblogs = ' and i.iblog in (' . implode(',', $blogs) . ')';
+
+               if ($mode == '')
+               {
+                       $query = 'SELECT i.inumber as itemid, i.ititle as title, i.ibody as body, m.mname as author, m.mrealname as authorname, i.itime, i.imore as more, m.mnumber as authorid, m.memail as authormail, m.murl as authorurl, c.cname as category, i.icat as catid, i.iclosed as closed';
+                       if ($select)
+                               $query .= ', '.$select. ' as score ';
+               } else {
+                       $query = 'SELECT COUNT(*) as result ';
+               }
+
+               $query .= ' FROM '.sql_table('item').' as i, '.sql_table('member').' as m, '.sql_table('category').' as c'
+                          . ' WHERE i.iauthor=m.mnumber'
+                          . ' and i.icat=c.catid'
+                          . ' and i.idraft=0'  // exclude drafts
+                          . $selectblogs
+                                       // don't show future items
+                          . ' and i.itime<=' . mysqldate($this->getCorrectTime())
+                          . ' and '.$where;
+
+               // take into account amount of months to search
+               if ($amountMonths > 0)
+               {
+                       $localtime = getdate($this->getCorrectTime());
+                       $timestamp_start = mktime(0,0,0,$localtime['mon'] - $amountMonths,1,$localtime['year']);
+                       $query .= ' and i.itime>' . mysqldate($timestamp_start);
+               }
+
+               if ($mode == '')
+               {
+                       if ($select)
+                               $query .= ' ORDER BY score DESC';
+                       else
+                               $query .= ' ORDER BY i.itime DESC ';
+               }
+
+               return $query;
+       }
+
+       /**
+        * Returns the SQL query that's normally used to display the blog items on the index type skins
+        *
+        * @param $mode
+        *        either empty, or 'count'. In this case, the query will be a SELECT COUNT(*) query
+        * @returns
+        *        either a full SQL query, or an empty string
+        * @note
+        *        No LIMIT clause is added. (caller should add this if multiple pages are requested)
+        */
+       function getSqlBlog($extraQuery, $mode = '')
+       {
+               if ($mode == '')
+                       $query = 'SELECT i.inumber as itemid, i.ititle as title, i.ibody as body, m.mname as author, m.mrealname as authorname, i.itime, i.imore as more, m.mnumber as authorid, m.memail as authormail, m.murl as authorurl, c.cname as category, i.icat as catid, i.iclosed as closed';
+               else
+                       $query = 'SELECT COUNT(*) as result ';
+
+               $query .= ' FROM '.sql_table('item').' as i, '.sql_table('member').' as m, '.sql_table('category').' as c'
+                          . ' WHERE i.iblog='.$this->blogid
+                          . ' and i.iauthor=m.mnumber'
+                          . ' and i.icat=c.catid'
+                          . ' and i.idraft=0'  // exclude drafts
+                                       // don't show future items
+                          . ' and i.itime<=' . mysqldate($this->getCorrectTime());
+
+               if ($this->getSelectedCategory())
+                       $query .= ' and i.icat=' . $this->getSelectedCategory() . ' ';
+
+
+               $query .= $extraQuery;
+
+               if ($mode == '')
+                       $query .= ' ORDER BY i.itime DESC';
+
+               return $query;
+       }
+
+       /**
+         * Shows the archivelist using the given template
+         */
+       function showArchiveList($template, $mode = 'month', $limit = 0) {
+               global $CONF, $catid, $manager;
+
+               if (!isset ($linkparams)) {
+               $linkparams = array();
+               }
+
+               if ($catid) {
+                       $linkparams = array('catid' => $catid);
+               }
+
+               $template =& $manager->getTemplate($template);
+               $data['blogid'] = $this->getID();
+
+               $tplt = isset($template['ARCHIVELIST_HEADER']) ? $template['ARCHIVELIST_HEADER']
+                                                                                                          : '';
+               echo TEMPLATE::fill($tplt, $data);
+
+               $query = 'SELECT itime, SUBSTRING(itime,1,4) AS Year, SUBSTRING(itime,6,2) AS Month, SUBSTRING(itime,9,2) as Day FROM '.sql_table('item')
+               . ' WHERE iblog=' . $this->getID()
+               . ' and itime <=' . mysqldate($this->getCorrectTime())  // don't show future items!
+               . ' and idraft=0'; // don't show draft items
+
+               if ($catid)
+                       $query .= ' and icat=' . intval($catid);
+
+               $query .= ' GROUP BY Year';
+               if ($mode == 'month' || $mode == 'day')
+                       $query .= ', Month';
+               if ($mode == 'day')
+                       $query .= ', Day';
+
+               $query .= ' ORDER BY itime DESC';
+
+               if ($limit > 0)
+                       $query .= ' LIMIT ' . intval($limit);
+
+               $res = sql_query($query);
+
+               while ($current = sql_fetch_object($res)) {
+                       $current->itime = strtotime($current->itime);   // string time -> unix timestamp
+
+                       if ($mode == 'day') {
+                               $archivedate      = date('Y-m-d',$current->itime);
+                               $archive['day']   = date('d',$current->itime);
+                               $data['day']      = date('d',$current->itime);
+                               $data['month']  = date('m',$current->itime);
+                               $archive['month'] = $data['month'];
+                       } elseif ($mode == 'year') {
+                               $archivedate      = date('Y',$current->itime);
+                               $data['day']      = '';
+                               $data['month']  = '';
+                               $archive['day']   = '';
+                               $archive['month'] = '';
+                       } else {
+                               $archivedate = date('Y-m',$current->itime);
+                               $data['month'] = date('m',$current->itime);
+                               $archive['month'] = $data['month'];
+                               $data['day'] = '';
+                               $archive['day'] = '';
+                       }
+
+                       $data['year'] = date('Y',$current->itime);
+                       $archive['year'] = $data['year'];
+                       $data['archivelink'] = createArchiveLink($this->getID(),$archivedate,$linkparams);
+
+                       $manager->notify(
+                               'PreArchiveListItem',
+                               array(
+                                       'listitem' => &$data
+                               )
+                       );
+
+                       $temp = TEMPLATE::fill($template['ARCHIVELIST_LISTITEM'],$data);
+                       echo strftime($temp,$current->itime);
+
+               }
+
+               sql_free_result($res);
+
+               $tplt = isset($template['ARCHIVELIST_FOOTER']) ? $template['ARCHIVELIST_FOOTER']
+                                                                                                          : '';
+               echo TEMPLATE::fill($tplt, $data);
+       }
+
+
+       /**
+         * Shows the list of categories using a given template
+         */
+       function showCategoryList($template) {
+               global $CONF, $manager;
+
+               // determine arguments next to catids
+               // I guess this can be done in a better way, but it works
+               global $archive, $archivelist;
+
+               $linkparams = array();
+               if ($archive) {
+                       $blogurl = createArchiveLink($this->getID(), $archive, '');
+                       $linkparams['blogid'] = $this->getID();
+                       $linkparams['archive'] = $archive;
+               } else if ($archivelist) {
+                       $blogurl = createArchiveListLink($this->getID(), '');
+                       $linkparams['archivelist'] = $archivelist;
+               } else {
+                       $blogurl = createBlogidLink($this->getID(), '');
+                       $linkparams['blogid'] = $this->getID();
+               }
+
+               //$blogurl = $this->getURL() . $qargs;
+               //$blogurl = createBlogLink($this->getURL(), $linkparams);
+
+               $template =& $manager->getTemplate($template);
+
+               echo TEMPLATE::fill((isset($template['CATLIST_HEADER']) ? $template['CATLIST_HEADER'] : null),
+                                                       array(
+                                                               'blogid' => $this->getID(),
+                                                               'blogurl' => $blogurl,
+                                                               'self' => $CONF['Self']
+                                                       ));
+
+               $query = 'SELECT catid, cdesc as catdesc, cname as catname FROM '.sql_table('category').' WHERE cblog=' . $this->getID() . ' ORDER BY cname ASC';
+               $res = sql_query($query);
+
+
+               while ($data = sql_fetch_assoc($res)) {
+                       $data['blogid'] = $this->getID();
+                       $data['blogurl'] = $blogurl;
+                       $data['catlink'] = createLink(
+                                                               'category',
+                                                               array(
+                                                                       'catid' => $data['catid'],
+                                                                       'name' => $data['catname'],
+                                                                       'extra' => $linkparams
+                                                               )
+                                                          );
+                       $data['self'] = $CONF['Self'];
+                       
+                       //catiscurrent
+                       if ($this->getSelectedCategory()) {
+                               if ($this->getSelectedCategory() == $data['catid']) {
+                                       $data['catiscurrent'] = 'yes';
+                                       $data['currentcat'] = 'yes';
+                               }
+                               else {
+                                       $data['catiscurrent'] = 'no';
+                                       $data['currentcat'] = 'no';
+                               }
+                       }
+                       else {
+                               global $itemid;
+                               if (intval($itemid) && $manager->existsItem(intval($itemid),0,0)) {
+                                       $iobj =& $manager->getItem(intval($itemid),0,0);
+                                       $cid = $iobj['catid'];
+                                       if ($cid == $data['catid']) {
+                                               $data['catiscurrent'] = 'yes';
+                                               $data['currentcat'] = 'yes';
+                                       }
+                                       else {
+                                               $data['catiscurrent'] = 'no';
+                                               $data['currentcat'] = 'no';
+                                       }
+                               }
+                       }
+
+                       $manager->notify(
+                               'PreCategoryListItem',
+                               array(
+                                       'listitem' => &$data
+                               )
+                       );
+
+                       echo TEMPLATE::fill((isset($template['CATLIST_LISTITEM']) ? $template['CATLIST_LISTITEM'] : null), $data);
+                       //$temp = TEMPLATE::fill((isset($template['CATLIST_LISTITEM']) ? $template['CATLIST_LISTITEM'] : null), $data);
+                       //echo strftime($temp, $current->itime);
+
+               }
+
+               sql_free_result($res);
+
+               echo TEMPLATE::fill((isset($template['CATLIST_FOOTER']) ? $template['CATLIST_FOOTER'] : null),
+                                                       array(
+                                                               'blogid' => $this->getID(),
+                                                               'blogurl' => $blogurl,
+                                                               'self' => $CONF['Self']
+                                                       ));
+       }
+
+       /**
+         * Shows a list of all blogs in the system using a given template
+         * ordered by  number, name, shortname or description
+         * in ascending or descending order
+         */
+       function showBlogList($template, $bnametype, $orderby, $direction) {
+               global $CONF, $manager;
+
+               switch ($orderby) {
+                       case 'number':
+                               $orderby='bnumber';
+                               break;
+                       case 'name':
+                               $orderby='bname';
+                               break;
+                       case 'shortname':
+                               $orderby='bshortname';
+                               break;
+                       case 'description':
+                               $orderby='bdesc';
+                               break;
+                       default:
+                               $orderby='bnumber';
+                               break;
+               }
+
+               $direction=strtolower($direction);
+               switch ($direction) {
+                       case 'asc':
+                               $direction='ASC';
+                               break;
+                       case 'desc':
+                               $direction='DESC';
+                               break;
+                       default:
+                               $direction='ASC';
+                               break;
+               }
+
+               $template =& $manager->getTemplate($template);
+
+               echo TEMPLATE::fill((isset($template['BLOGLIST_HEADER']) ? $template['BLOGLIST_HEADER'] : null),
+                                                       array(
+                                                               'sitename' => $CONF['SiteName'],
+                                                               'siteurl' => $CONF['IndexURL']
+                                                       ));
+
+               $query = 'SELECT bnumber, bname, bshortname, bdesc, burl FROM '.sql_table('blog').' ORDER BY '.$orderby.' '.$direction;
+               $res = sql_query($query);
+
+               while ($data = sql_fetch_assoc($res)) {
+
+                       $list = array();
 
 //                     $list['bloglink'] = createLink('blog', array('blogid' => $data['bnumber']));
 
 //                     $list['bloglink'] = createLink('blog', array('blogid' => $data['bnumber']));
-            $list['bloglink'] = createBlogidLink($data['bnumber']);
-
-            $list['blogdesc'] = $data['bdesc'];
-
-            $list['blogurl'] = $data['burl'];
-
-            if ($bnametype=='shortname') {
-                $list['blogname'] = $data['bshortname'];
-            }
-            else { // all other cases
-                $list['blogname'] = $data['bname'];
-            }
-
-            $manager->notify(
-                'PreBlogListItem',
-                array(
-                    'listitem' => &$list
-                )
-            );
-
-            echo TEMPLATE::fill((isset($template['BLOGLIST_LISTITEM']) ? $template['BLOGLIST_LISTITEM'] : null), $list);
-
-        }
-
-        sql_free_result($res);
-
-        echo TEMPLATE::fill((isset($template['BLOGLIST_FOOTER']) ? $template['BLOGLIST_FOOTER'] : null),
-                            array(
-                                'sitename' => $CONF['SiteName'],
-                                'siteurl' => $CONF['IndexURL']
-                            ));
-
-    }
-
-    /**
-      * Blogsettings functions
-      */
-
-    function readSettings() {
-        $query =  'SELECT *'
-               . ' FROM '.sql_table('blog')
-               . ' WHERE bnumber=' . $this->blogid;
-        $res = sql_query($query);
-
-        $this->isValid = (sql_num_rows($res) > 0);
-        if (!$this->isValid)
-            return;
-
-        $this->settings = sql_fetch_assoc($res);
-    }
-
-    function writeSettings() {
-
-        // (can't use floatval since not available prior to PHP 4.2)
-        $offset = $this->getTimeOffset();
-        if (!is_float($offset))
-            $offset = intval($offset);
-
-        $query =  'UPDATE '.sql_table('blog')
-               . " SET bname='" . addslashes($this->getName()) . "',"
-               . "     bshortname='". addslashes($this->getShortName()) . "',"
-               . "     bcomments=". intval($this->commentsEnabled()) . ","
-               . "     bmaxcomments=" . intval($this->getMaxComments()) . ","
-               . "     btimeoffset=" . $offset . ","
-               . "     bpublic=" . intval($this->isPublic()) . ","
-               . "     breqemail=" . intval($this->emailRequired()) . ","
-               . "     bconvertbreaks=" . intval($this->convertBreaks()) . ","
-               . "     ballowpast=" . intval($this->allowPastPosting()) . ","
-               . "     bnotify='" . addslashes($this->getNotifyAddress()) . "',"
-               . "     bnotifytype=" . intval($this->getNotifyType()) . ","
-               . "     burl='" . addslashes($this->getURL()) . "',"
-               . "     bupdate='" . addslashes($this->getUpdateFile()) . "',"
-               . "     bdesc='" . addslashes($this->getDescription()) . "',"
-               . "     bdefcat=" . intval($this->getDefaultCategory()) . ","
-               . "     bdefskin=" . intval($this->getDefaultSkin()) . ","
-               . "     bincludesearch=" . intval($this->getSearchable())
-               . " WHERE bnumber=" . intval($this->getID());
-        sql_query($query);
-
-    }
-
-
-
-    // update update file if requested
-    function updateUpdatefile() {
-         if ($this->getUpdateFile()) {
-            $f_update = fopen($this->getUpdateFile(),'w');
-            fputs($f_update,$this->getCorrectTime());
-            fclose($f_update);
-         }
-
-    }
-
-    function isValidCategory($catid) {
-        $query = 'SELECT * FROM '.sql_table('category').' WHERE cblog=' . $this->getID() . ' and catid=' . intval($catid);
-        $res = sql_query($query);
-        return (sql_num_rows($res) != 0);
-    }
-
-    function getCategoryName($catid) {
-        $res = sql_query('SELECT cname FROM '.sql_table('category').' WHERE cblog='.$this->getID().' and catid=' . intval($catid));
-        $o = sql_fetch_object($res);
-        return $o->cname;
-    }
-
-    function getCategoryDesc($catid) {
-        $res = sql_query('SELECT cdesc FROM '.sql_table('category').' WHERE cblog='.$this->getID().' and catid=' . intval($catid));
-        $o = sql_fetch_object($res);
-        return $o->cdesc;
-    }
-
-    function getCategoryIdFromName($name) {
-        $res = sql_query('SELECT catid FROM '.sql_table('category').' WHERE cblog='.$this->getID().' and cname="' . addslashes($name) . '"');
-        if (sql_num_rows($res) > 0) {
-            $o = sql_fetch_object($res);
-            return $o->catid;
-        } else {
-            return $this->getDefaultCategory();
-        }
-    }
-
-    function convertBreaks() {
-        return $this->getSetting('bconvertbreaks');
-    }
-
-    function insertJavaScriptInfo($authorid = '') {
-        global $member, $CONF;
-
-        if ($authorid == '')
-            $authorid = $member->getID();
-
-        ?>
-        <script type="text/javascript">
-            setConvertBreaks(<?php echo  $this->convertBreaks() ? 'true' : 'false' ?>);
-            setMediaUrl("<?php echo $CONF['MediaURL']?>");
-            setAuthorId(<?php echo $authorid?>);
-        </script><?php  }
-
-    function setConvertBreaks($val) {
-        $this->setSetting('bconvertbreaks',$val);
-    }
-    function setAllowPastPosting($val) {
-        $this->setSetting('ballowpast',$val);
-    }
-    function allowPastPosting() {
-        return $this->getSetting('ballowpast');
-    }
-
-    function getCorrectTime($t=0) {
-        if ($t == 0) $t = time();
-        return ($t + 3600 * $this->getTimeOffset());
-    }
-
-    function getName() {
-        return $this->getSetting('bname');
-    }
-
-    function getShortName() {
-        return $this->getSetting('bshortname');
-    }
-
-    function getMaxComments() {
-        return $this->getSetting('bmaxcomments');
-    }
-
-    function getNotifyAddress() {
-        return $this->getSetting('bnotify');
-    }
-
-    function getNotifyType() {
-        return $this->getSetting('bnotifytype');
-    }
-
-    function notifyOnComment() {
-        $n = $this->getNotifyType();
-        return (($n != 0) && (($n % 3) == 0));
-    }
-
-    function notifyOnVote() {
-        $n = $this->getNotifyType();
-        return (($n != 0) && (($n % 5) == 0));
-    }
-
-    function notifyOnNewItem() {
-        $n = $this->getNotifyType();
-        return (($n != 0) && (($n % 7) == 0));
-    }
-
-    function setNotifyType($val) {
-        $this->setSetting('bnotifytype',$val);
-    }
-
-
-    function getTimeOffset() {
-        return $this->getSetting('btimeoffset');
-    }
-
-    function commentsEnabled() {
-        return $this->getSetting('bcomments');
-    }
-
-    function getURL() {
-        return $this->getSetting('burl');
-    }
-
-    function getDefaultSkin() {
-        return $this->getSetting('bdefskin');
-    }
-
-    function getUpdateFile() {
-        return $this->getSetting('bupdate');
-    }
-
-    function getDescription() {
-        return $this->getSetting('bdesc');
-    }
-
-    function isPublic() {
-        return $this->getSetting('bpublic');
-    }
-
-    function emailRequired() {
-        return $this->getSetting('breqemail');
-    }
-
-    function getSearchable() {
-        return $this->getSetting('bincludesearch');
-    }
-
-    function getDefaultCategory() {
-        return $this->getSetting('bdefcat');
-    }
-
-    function setPublic($val) {
-        $this->setSetting('bpublic',$val);
-    }
-
-    function setSearchable($val) {
-        $this->setSetting('bincludesearch',$val);
-    }
-
-    function setDescription($val) {
-        $this->setSetting('bdesc',$val);
-    }
-
-    function setUpdateFile($val) {
-        $this->setSetting('bupdate',$val);
-    }
-
-    function setDefaultSkin($val) {
-        $this->setSetting('bdefskin',$val);
-    }
-
-    function setURL($val) {
-        $this->setSetting('burl',$val);
-    }
-
-    function setName($val) {
-        $this->setSetting('bname',$val);
-    }
-
-    function setShortName($val) {
-        $this->setSetting('bshortname',$val);
-    }
-
-    function setCommentsEnabled($val) {
-        $this->setSetting('bcomments',$val);
-    }
-
-    function setMaxComments($val) {
-        $this->setSetting('bmaxcomments',$val);
-    }
-
-    function setNotifyAddress($val) {
-        $this->setSetting('bnotify',$val);
-    }
-
-    function setEmailRequired($val) {
-        $this->setSetting('breqemail',$val);
-    }
-
-    function setTimeOffset($val) {
-        // check validity of value
-        // 1. replace , by . (common mistake)
-        $val = str_replace(',','.',$val);
-        // 2. cast to float or int
-        if (is_numeric($val) && strstr($val,'.5')) {
-            $val = (float) $val;
-        } else {
-            $val = intval($val);
-        }
-
-        $this->setSetting('btimeoffset',$val);
-    }
-
-    function setDefaultCategory($val) {
-        $this->setSetting('bdefcat',$val);
-    }
-
-    function getSetting($key) {
-        return $this->settings[$key];
-    }
-
-    function setSetting($key,$value) {
-        $this->settings[$key] = $value;
-    }
-
-
-    // tries to add a member to the team. Returns false if the member was already on
-    // the team
-    function addTeamMember($memberid, $admin) {
-        global $manager;
-
-        $memberid = intval($memberid);
-        $admin = intval($admin);
-
-        // check if member is already a member
-        $tmem = MEMBER::createFromID($memberid);
-
-        if ($tmem->isTeamMember($this->getID()))
-            return 0;
-
-        $manager->notify(
-            'PreAddTeamMember',
-            array(
-                'blog' => &$this,
-                'member' => &$tmem,
-                'admin' => &$admin
-            )
-        );
-
-        // add to team
-        $query = 'INSERT INTO '.sql_table('team').' (TMEMBER, TBLOG, TADMIN) '
-               . 'VALUES (' . $memberid .', '.$this->getID().', "'.$admin.'")';
-        sql_query($query);
-
-        $manager->notify(
-            'PostAddTeamMember',
-            array(
-                'blog' => &$this,
-                'member' => &$tmem,
-                'admin' => $admin
-            )
-
-        );
-
-        $logMsg = sprintf(_TEAM_ADD_NEWTEAMMEMBER, $tmem->getDisplayName(), $memberid, $this->getName());
-        ACTIONLOG::add(INFO, $logMsg);
-
-        return 1;
-    }
-
-    function getID() {
-        return intVal($this->blogid);
-    }
-
-    // returns true if there is a blog with the given shortname (static)
-    function exists($name) {
-        $r = sql_query('select * FROM '.sql_table('blog').' WHERE bshortname="'.addslashes($name).'"');
-        return (sql_num_rows($r) != 0);
-    }
-
-    // returns true if there is a blog with the given ID (static)
-    function existsID($id) {
-        $r = sql_query('select * FROM '.sql_table('blog').' WHERE bnumber='.intval($id));
-        return (sql_num_rows($r) != 0);
-    }
-
-        // flag there is a future post pending
-        function setFuturePost() {
-        $query =  'UPDATE '.sql_table('blog')
-               . " SET bfuturepost='1' WHERE bnumber=" . $this->getID();
-        sql_query($query);
-        }
-
-    // clear there is a future post pending
-    function clearFuturePost() {
-        $query =  'UPDATE '.sql_table('blog')
-               . " SET bfuturepost='0' WHERE bnumber=" . $this->getID();
-        sql_query($query);
-    }
-
-    // check if we should throw justPosted event
-    function checkJustPosted() {
-        global $manager;
-
-        if ($this->settings['bfuturepost'] == 1) {
-            $blogid = $this->getID();
-            $result = sql_query("SELECT * FROM " . sql_table('item')
-                      . " WHERE iposted=0 AND iblog=" . $blogid . " AND itime<NOW()");
-            if (sql_num_rows($result) > 0) {
-                // This $pinged is allow a plugin to tell other hook to the event that a ping is sent already
-                // Note that the plugins's calling order is subject to thri order in the plugin list
-                $pinged = false;
-                $manager->notify(
-                        'JustPosted',
-                        array('blogid' => $blogid,
-                        'pinged' => &$pinged
-                        )
-                );
-
-                // clear all expired future posts
-                sql_query("UPDATE " . sql_table('item') . " SET iposted='1' WHERE iblog=" . $blogid . " AND itime<NOW()");
-
-                // check to see any pending future post, clear the flag is none
-                $result = sql_query("SELECT * FROM " . sql_table('item')
-                          . " WHERE iposted=0 AND iblog=" . $blogid);
-                if (sql_num_rows($result) == 0) {
-                    $this->clearFuturePost();
-                }
-            }
-        }
-    }
-
-    /**
-     * Shows the given list of items for this blog
-     *
-     * @param $itemarray
-     *      array of item numbers to be displayed
-     * @param $template
-     *      String representing the template _NAME_ (!)
-     * @param $highlight
-     *      contains a query that should be highlighted
-     * @param $comments
-     *      1=show comments 0=don't show comments
-     * @param $dateheads
-     *      1=show dateheads 0=don't show dateheads
-     * @returns int
-     *      amount of items shown
-     */
-    function readLogFromList($itemarray, $template, $highlight = '', $comments = 1, $dateheads = 1) {
-
-        $query = $this->getSqlItemList($itemarray);
-
-        return $this->showUsingQuery($template, $query, $highlight, $comments, $dateheads);
-    }
-
-    /**
-     * Returns the SQL query used to fill out templates for a list of items
-     *
-     * @param $itemarray
-     *      an array holding the item numbers of the items to be displayed
-     * @returns
-     *      either a full SQL query, or an empty string
-     * @note
-     *      No LIMIT clause is added. (caller should add this if multiple pages are requested)
-     */
-    function getSqlItemList($itemarray)
-    {
-        if (!is_array($itemarray)) return '';
-        $items = array();
-        foreach ($itemarray as $value) {
-            if (intval($value)) $items[] = intval($value);
-        }
-        if (!count($items)) return '';
-        //$itemlist = implode(',',$items);
-        $i = count($items);
-        $query = '';
-        foreach ($items as $value) {
-            $query .= '('
-                    .   'SELECT'
-                    .   ' i.inumber as itemid,'
-                    .   ' i.ititle as title,'
-                    .   ' i.ibody as body,'
-                    .   ' m.mname as author,'
-                    .   ' m.mrealname as authorname,'
-                    .   ' i.itime,'
-                    .   ' i.imore as more,'
-                    .   ' m.mnumber as authorid,'
-                    .   ' m.memail as authormail,'
-                    .   ' m.murl as authorurl,'
-                    .   ' c.cname as category,'
-                    .   ' i.icat as catid,'
-                    .   ' i.iclosed as closed';
-
-            $query .= ' FROM '
-                    . sql_table('item') . ' as i, '
-                    . sql_table('member') . ' as m, '
-                    . sql_table('category').' as c'
-                    . ' WHERE'
-                    .     ' i.iblog   = ' . $this->blogid
-                    . ' and i.iauthor = m.mnumber'
-                    . ' and i.icat    = c.catid'
-                    . ' and i.idraft  = 0'  // exclude drafts
-                        // don't show future items
-                    . ' and i.itime  <= ' . mysqldate($this->getCorrectTime());
-
-            //$query .= ' and i.inumber IN ('.$itemlist.')';
-            $query .= ' and i.inumber = '.intval($value);
-            $query .= ')';
-            $i--;
-            if ($i) $query .= ' UNION ';
-        }
-
-        return $query;
-    }
+                       $list['bloglink'] = createBlogidLink($data['bnumber']);
+
+                       $list['blogdesc'] = $data['bdesc'];
+
+                       $list['blogurl'] = $data['burl'];
+
+                       if ($bnametype=='shortname') {
+                               $list['blogname'] = $data['bshortname'];
+                       }
+                       else { // all other cases
+                               $list['blogname'] = $data['bname'];
+                       }
+
+                       $manager->notify(
+                               'PreBlogListItem',
+                               array(
+                                       'listitem' => &$list
+                               )
+                       );
+
+                       echo TEMPLATE::fill((isset($template['BLOGLIST_LISTITEM']) ? $template['BLOGLIST_LISTITEM'] : null), $list);
+
+               }
+
+               sql_free_result($res);
+
+               echo TEMPLATE::fill((isset($template['BLOGLIST_FOOTER']) ? $template['BLOGLIST_FOOTER'] : null),
+                                                       array(
+                                                               'sitename' => $CONF['SiteName'],
+                                                               'siteurl' => $CONF['IndexURL']
+                                                       ));
+
+       }
+
+       /**
+         * Blogsettings functions
+         */
+
+       function readSettings() {
+               $query =  'SELECT *'
+                          . ' FROM '.sql_table('blog')
+                          . ' WHERE bnumber=' . $this->blogid;
+               $res = sql_query($query);
+
+               $this->isValid = (sql_num_rows($res) > 0);
+               if (!$this->isValid)
+                       return;
+
+               $this->settings = sql_fetch_assoc($res);
+       }
+
+       function writeSettings() {
+
+               // (can't use floatval since not available prior to PHP 4.2)
+               $offset = $this->getTimeOffset();
+               if (!is_float($offset))
+                       $offset = intval($offset);
+
+               $query =  'UPDATE '.sql_table('blog')
+                          . " SET bname='" . sql_real_escape_string($this->getName()) . "',"
+                          . "   bshortname='". sql_real_escape_string($this->getShortName()) . "',"
+                          . "   bcomments=". intval($this->commentsEnabled()) . ","
+                          . "   bmaxcomments=" . intval($this->getMaxComments()) . ","
+                          . "   btimeoffset=" . $offset . ","
+                          . "   bpublic=" . intval($this->isPublic()) . ","
+                          . "   breqemail=" . intval($this->emailRequired()) . ","
+                          . "   bconvertbreaks=" . intval($this->convertBreaks()) . ","
+                          . "   ballowpast=" . intval($this->allowPastPosting()) . ","
+                          . "   bnotify='" . sql_real_escape_string($this->getNotifyAddress()) . "',"
+                          . "   bnotifytype=" . intval($this->getNotifyType()) . ","
+                          . "   burl='" . sql_real_escape_string($this->getURL()) . "',"
+                          . "   bupdate='" . sql_real_escape_string($this->getUpdateFile()) . "',"
+                          . "   bdesc='" . sql_real_escape_string($this->getDescription()) . "',"
+                          . "   bdefcat=" . intval($this->getDefaultCategory()) . ","
+                          . "   bdefskin=" . intval($this->getDefaultSkin()) . ","
+                          . "   bincludesearch=" . intval($this->getSearchable())
+                          . " WHERE bnumber=" . intval($this->getID());
+               sql_query($query);
+
+       }
+
+
+
+       // update update file if requested
+       function updateUpdatefile() {
+                if ($this->getUpdateFile()) {
+                       $f_update = fopen($this->getUpdateFile(),'w');
+                       fputs($f_update,$this->getCorrectTime());
+                       fclose($f_update);
+                }
+
+       }
+
+       function isValidCategory($catid) {
+               $query = 'SELECT * FROM '.sql_table('category').' WHERE cblog=' . $this->getID() . ' and catid=' . intval($catid);
+               $res = sql_query($query);
+               return (sql_num_rows($res) != 0);
+       }
+
+       function getCategoryName($catid) {
+               $res = sql_query('SELECT cname FROM '.sql_table('category').' WHERE cblog='.$this->getID().' and catid=' . intval($catid));
+               $o = sql_fetch_object($res);
+               return $o->cname;
+       }
+
+       function getCategoryDesc($catid) {
+               $res = sql_query('SELECT cdesc FROM '.sql_table('category').' WHERE cblog='.$this->getID().' and catid=' . intval($catid));
+               $o = sql_fetch_object($res);
+               return $o->cdesc;
+       }
+
+       function getCategoryIdFromName($name) {
+               $res = sql_query('SELECT catid FROM '.sql_table('category').' WHERE cblog='.$this->getID().' and cname="' . sql_real_escape_string($name) . '"');
+               if (sql_num_rows($res) > 0) {
+                       $o = sql_fetch_object($res);
+                       return $o->catid;
+               } else {
+                       return $this->getDefaultCategory();
+               }
+       }
+
+       function convertBreaks() {
+               return $this->getSetting('bconvertbreaks');
+       }
+
+       function insertJavaScriptInfo($authorid = '') {
+               global $member, $CONF;
+
+               if ($authorid == '')
+                       $authorid = $member->getID();
+
+               ?>
+               <script type="text/javascript">
+                       setConvertBreaks(<?php echo  $this->convertBreaks() ? 'true' : 'false' ?>);
+                       setMediaUrl("<?php echo $CONF['MediaURL']?>");
+                       setAuthorId(<?php echo $authorid?>);
+               </script><?php  }
+
+       function setConvertBreaks($val) {
+               $this->setSetting('bconvertbreaks',$val);
+       }
+       function setAllowPastPosting($val) {
+               $this->setSetting('ballowpast',$val);
+       }
+       function allowPastPosting() {
+               return $this->getSetting('ballowpast');
+       }
+
+       function getCorrectTime($t=0) {
+               if ($t == 0) $t = time();
+               return ($t + 3600 * $this->getTimeOffset());
+       }
+
+       function getName() {
+               return $this->getSetting('bname');
+       }
+
+       function getShortName() {
+               return $this->getSetting('bshortname');
+       }
+
+       function getMaxComments() {
+               return $this->getSetting('bmaxcomments');
+       }
+
+       function getNotifyAddress() {
+               return $this->getSetting('bnotify');
+       }
+
+       function getNotifyType() {
+               return $this->getSetting('bnotifytype');
+       }
+
+       function notifyOnComment() {
+               $n = $this->getNotifyType();
+               return (($n != 0) && (($n % 3) == 0));
+       }
+
+       function notifyOnVote() {
+               $n = $this->getNotifyType();
+               return (($n != 0) && (($n % 5) == 0));
+       }
+
+       function notifyOnNewItem() {
+               $n = $this->getNotifyType();
+               return (($n != 0) && (($n % 7) == 0));
+       }
+
+       function setNotifyType($val) {
+               $this->setSetting('bnotifytype',$val);
+       }
+
+
+       function getTimeOffset() {
+               return $this->getSetting('btimeoffset');
+       }
+
+       function commentsEnabled() {
+               return $this->getSetting('bcomments');
+       }
+
+       function getURL() {
+               return $this->getSetting('burl');
+       }
+
+       function getDefaultSkin() {
+               return $this->getSetting('bdefskin');
+       }
+
+       function getUpdateFile() {
+               return $this->getSetting('bupdate');
+       }
+
+       function getDescription() {
+               return $this->getSetting('bdesc');
+       }
+
+       function isPublic() {
+               return $this->getSetting('bpublic');
+       }
+
+       function emailRequired() {
+               return $this->getSetting('breqemail');
+       }
+
+       function getSearchable() {
+               return $this->getSetting('bincludesearch');
+       }
+
+       function getDefaultCategory() {
+               return $this->getSetting('bdefcat');
+       }
+
+       function setPublic($val) {
+               $this->setSetting('bpublic',$val);
+       }
+
+       function setSearchable($val) {
+               $this->setSetting('bincludesearch',$val);
+       }
+
+       function setDescription($val) {
+               $this->setSetting('bdesc',$val);
+       }
+
+       function setUpdateFile($val) {
+               $this->setSetting('bupdate',$val);
+       }
+
+       function setDefaultSkin($val) {
+               $this->setSetting('bdefskin',$val);
+       }
+
+       function setURL($val) {
+               $this->setSetting('burl',$val);
+       }
+
+       function setName($val) {
+               $this->setSetting('bname',$val);
+       }
+
+       function setShortName($val) {
+               $this->setSetting('bshortname',$val);
+       }
+
+       function setCommentsEnabled($val) {
+               $this->setSetting('bcomments',$val);
+       }
+
+       function setMaxComments($val) {
+               $this->setSetting('bmaxcomments',$val);
+       }
+
+       function setNotifyAddress($val) {
+               $this->setSetting('bnotify',$val);
+       }
+
+       function setEmailRequired($val) {
+               $this->setSetting('breqemail',$val);
+       }
+
+       function setTimeOffset($val) {
+               // check validity of value
+               // 1. replace , by . (common mistake)
+               $val = str_replace(',','.',$val);
+               // 2. cast to float or int
+               if (is_numeric($val) && strstr($val,'.5')) {
+                       $val = (float) $val;
+               } else {
+                       $val = intval($val);
+               }
+
+               $this->setSetting('btimeoffset',$val);
+       }
+
+       function setDefaultCategory($val) {
+               $this->setSetting('bdefcat',$val);
+       }
+
+       function getSetting($key) {
+               return $this->settings[$key];
+       }
+
+       function setSetting($key,$value) {
+               $this->settings[$key] = $value;
+       }
+
+
+       // tries to add a member to the team. Returns false if the member was already on
+       // the team
+       function addTeamMember($memberid, $admin) {
+               global $manager;
+
+               $memberid = intval($memberid);
+               $admin = intval($admin);
+
+               // check if member is already a member
+               $tmem = MEMBER::createFromID($memberid);
+
+               if ($tmem->isTeamMember($this->getID()))
+                       return 0;
+
+               $manager->notify(
+                       'PreAddTeamMember',
+                       array(
+                               'blog' => &$this,
+                               'member' => &$tmem,
+                               'admin' => &$admin
+                       )
+               );
+
+               // add to team
+               $query = 'INSERT INTO '.sql_table('team').' (TMEMBER, TBLOG, TADMIN) '
+                          . 'VALUES (' . $memberid .', '.$this->getID().', "'.$admin.'")';
+               sql_query($query);
+
+               $manager->notify(
+                       'PostAddTeamMember',
+                       array(
+                               'blog' => &$this,
+                               'member' => &$tmem,
+                               'admin' => $admin
+                       )
+
+               );
+
+               $logMsg = sprintf(_TEAM_ADD_NEWTEAMMEMBER, $tmem->getDisplayName(), $memberid, $this->getName());
+               ACTIONLOG::add(INFO, $logMsg);
+
+               return 1;
+       }
+
+       function getID() {
+               return intVal($this->blogid);
+       }
+
+       // returns true if there is a blog with the given shortname (static)
+       function exists($name) {
+               $r = sql_query('select * FROM '.sql_table('blog').' WHERE bshortname="'.sql_real_escape_string($name).'"');
+               return (sql_num_rows($r) != 0);
+       }
+
+       // returns true if there is a blog with the given ID (static)
+       function existsID($id) {
+               $r = sql_query('select * FROM '.sql_table('blog').' WHERE bnumber='.intval($id));
+               return (sql_num_rows($r) != 0);
+       }
+
+               // flag there is a future post pending
+               function setFuturePost() {
+               $query =  'UPDATE '.sql_table('blog')
+                          . " SET bfuturepost='1' WHERE bnumber=" . $this->getID();
+               sql_query($query);
+               }
+
+       // clear there is a future post pending
+       function clearFuturePost() {
+               $query =  'UPDATE '.sql_table('blog')
+                          . " SET bfuturepost='0' WHERE bnumber=" . $this->getID();
+               sql_query($query);
+       }
+
+       // check if we should throw justPosted event
+       function checkJustPosted() {
+               global $manager;
+
+               if ($this->settings['bfuturepost'] == 1) {
+                       $blogid = $this->getID();
+                       $result = sql_query("SELECT * FROM " . sql_table('item')
+                                         . " WHERE iposted=0 AND iblog=" . $blogid . " AND itime<NOW()");
+                       if (sql_num_rows($result) > 0) {
+                               // This $pinged is allow a plugin to tell other hook to the event that a ping is sent already
+                               // Note that the plugins's calling order is subject to thri order in the plugin list
+                               $pinged = false;
+                               $manager->notify(
+                                               'JustPosted',
+                                               array('blogid' => $blogid,
+                                               'pinged' => &$pinged
+                                               )
+                               );
+
+                               // clear all expired future posts
+                               sql_query("UPDATE " . sql_table('item') . " SET iposted='1' WHERE iblog=" . $blogid . " AND itime<NOW()");
+
+                               // check to see any pending future post, clear the flag is none
+                               $result = sql_query("SELECT * FROM " . sql_table('item')
+                                                 . " WHERE iposted=0 AND iblog=" . $blogid);
+                               if (sql_num_rows($result) == 0) {
+                                       $this->clearFuturePost();
+                               }
+                       }
+               }
+       }
+
+       /**
+        * Shows the given list of items for this blog
+        *
+        * @param $itemarray
+        *        array of item numbers to be displayed
+        * @param $template
+        *        String representing the template _NAME_ (!)
+        * @param $highlight
+        *        contains a query that should be highlighted
+        * @param $comments
+        *        1=show comments 0=don't show comments
+        * @param $dateheads
+        *        1=show dateheads 0=don't show dateheads
+        * @param $showDrafts
+        *              0=do not show drafts 1=show drafts
+        * @param $showFuture
+        *              0=do not show future posts 1=show future posts
+        * @returns int
+        *        amount of items shown
+        */
+       function readLogFromList($itemarray, $template, $highlight = '', $comments = 1, $dateheads = 1,$showDrafts = 0, $showFuture = 0) {
+               
+               $query = $this->getSqlItemList($itemarray,$showDrafts,$showFuture);
+               
+               return $this->showUsingQuery($template, $query, $highlight, $comments, $dateheads);
+       }
+
+       /**
+        * Returns the SQL query used to fill out templates for a list of items
+        *
+        * @param $itemarray
+        *        an array holding the item numbers of the items to be displayed
+        * @param $showDrafts
+        *              0=do not show drafts 1=show drafts
+        * @param $showFuture
+        *              0=do not show future posts 1=show future posts
+        * @returns
+        *        either a full SQL query, or an empty string
+        * @note
+        *        No LIMIT clause is added. (caller should add this if multiple pages are requested)
+        */
+       function getSqlItemList($itemarray,$showDrafts = 0,$showFuture = 0)
+       {
+               if (!is_array($itemarray)) return '';
+               $showDrafts = intval($showDrafts);
+               $showFuture = intval($showFuture);
+               $items = array();
+               foreach ($itemarray as $value) {
+                       if (intval($value)) $items[] = intval($value);
+               }
+               if (!count($items)) return '';
+               //$itemlist = implode(',',$items);
+               $i = count($items);
+               $query = '';
+               foreach ($items as $value) {
+                       $query .= '('
+                                       .   'SELECT'
+                                       .   ' i.inumber as itemid,'
+                                       .   ' i.ititle as title,'
+                                       .   ' i.ibody as body,'
+                                       .   ' m.mname as author,'
+                                       .   ' m.mrealname as authorname,'
+                                       .   ' i.itime,'
+                                       .   ' i.imore as more,'
+                                       .   ' m.mnumber as authorid,'
+                                       .   ' m.memail as authormail,'
+                                       .   ' m.murl as authorurl,'
+                                       .   ' c.cname as category,'
+                                       .   ' i.icat as catid,'
+                                       .   ' i.iclosed as closed';
+
+                       $query .= ' FROM '
+                                       . sql_table('item') . ' as i, '
+                                       . sql_table('member') . ' as m, '
+                                       . sql_table('category').' as c'
+                                       . ' WHERE'
+                                       .        ' i.iblog   = ' . $this->blogid
+                                       . ' and i.iauthor = m.mnumber'
+                                       . ' and i.icat  = c.catid'
+                                       . ' and i.idraft  = 0'  // exclude drafts
+                                               // don't show future items
+                                       . ' and i.itime  <= ' . mysqldate($this->getCorrectTime());
+                       if (!$showDrafts) $query .= ' and i.idraft=0';  // exclude drafts                                               
+                       if (!$showFuture) $query .= ' and i.itime<=' . mysqldate($this->getCorrectTime()); // don't show future items
+                       
+                       //$query .= ' and i.inumber IN ('.$itemlist.')';
+                       $query .= ' and i.inumber = '.intval($value);
+                       $query .= ')';
+                       $i--;
+                       if ($i) $query .= ' UNION ';
+               }
+
+               return $query;
+       }
 
 }
 
 
 }
 
index 059a317..ddbbe04 100644 (file)
@@ -31,6 +31,8 @@ class BODYACTIONS extends BaseActions {
        
        function setCurrentItem(&$item) {
                $this->currentItem =& $item;
        
        function setCurrentItem(&$item) {
                $this->currentItem =& $item;
+               global $currentitemid;
+               $currentitemid = $this->currentItem->itemid;
        }
        
        function setTemplate($template) {
        }
        
        function setTemplate($template) {
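Review bot: The added `global $currentitemid;` turns setCurrentItem into a setter with a hidden write to a global, and nothing in the hunk says who reads that global or why the item id has to leave the object. The new assignment also dereferences `$this->currentItem->itemid` unconditionally on an untyped by-reference parameter, so a caller handing in something that is not an object would now trigger a notice here instead of wherever the item is first used. I would at least document the coupling on the new line: `// also exported as global $currentitemid for code outside this class (presumably the conditional/plugin helpers) — confirm the consumers before relying on it`. The enclosing class BODYACTIONS starts before this hunk.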
@@ -38,7 +40,7 @@ class BODYACTIONS extends BaseActions {
        }
 
        function getDefinedActions() {
        }
 
        function getDefinedActions() {
-               return array('image', 'media', 'popup', 'plugin');
+               return array('image', 'media', 'popup', 'plugin', 'if', 'else', 'endif', 'elseif', 'ifnot', 'elseifnot');
        }
 
        function parse_plugin($pluginName) {
        }
 
        function parse_plugin($pluginName) {
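Review bot: getDefinedActions now advertises six conditional tags, but the hunk gives no hint of how they are dispatched: the condition tests are added as `checkCondition` later in this file, while the `parse_if`/`parse_else`/... handlers themselves are not visible here and are presumably inherited from BaseActions. A one-line comment above the return would spare the next reader the search, e.g. `// if/else/endif/elseif/ifnot/elseifnot are the generic conditionals; the predicates live in checkCondition()`. It is worth confirming that the inherited parser really resolves these names to handlers, otherwise a template using <%if%> would hit an undefined action at render time.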
@@ -148,6 +150,247 @@ class BODYACTIONS extends BaseActions {
 
                echo TEMPLATE::fill($this->template['POPUP_CODE'],$vars);
        }
 
                echo TEMPLATE::fill($this->template['POPUP_CODE'],$vars);
        }
+       
+       
+       // function to enable if-else-elseif-elseifnot-ifnot-endif to item template fields
+       
+       /**
+        * Checks conditions for if statements
+        *
+        * @param string $field type of <%if%>
+        * @param string $name property of field
+        * @param string $value value of property
+        */
+       function checkCondition($field, $name='', $value = '') {
+               global $catid, $blog, $member, $itemidnext, $itemidprev, $manager, $archiveprevexists, $archivenextexists;
+
+               $condition = 0;
+               switch($field) {
+                       case 'category':
+                               $condition = ($blog && $this->_ifCategory($name,$value));
+                               break;
+                       case 'itemcategory':
+                               $condition = ($this->_ifItemCategory($name,$value));
+                               break;
+                       case 'blogsetting':
+                               $condition = ($blog && ($blog->getSetting($name) == $value));
+                               break;
+                       case 'itemblogsetting':
+                               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentItem->itemid));
+                               $condition = ($b && ($b->getSetting($name) == $value));
+                               break;
+                       case 'loggedin':
+                               $condition = $member->isLoggedIn();
+                               break;
+                       case 'onteam':
+                               $condition = $member->isLoggedIn() && $this->_ifOnTeam($name);
+                               break;
+                       case 'admin':
+                               $condition = $member->isLoggedIn() && $this->_ifAdmin($name);
+                               break;
+                       case 'author':
+                               $condition = ($this->_ifAuthor($name,$value));
+                               break;
+/*                     case 'nextitem':
+                               $condition = ($itemidnext != '');
+                               break;
+                       case 'previtem':
+                               $condition = ($itemidprev != '');
+                               break;
+                       case 'archiveprevexists':
+                               $condition = ($archiveprevexists == true);
+                               break;
+                       case 'archivenextexists':
+                               $condition = ($archivenextexists == true);
+                               break; 
+                       case 'skintype':
+                               $condition = ($name == $this->skintype);
+                               break; */
+                       case 'hasplugin':
+                               $condition = $this->_ifHasPlugin($name, $value);
+                               break;
+                       default:
+                               $condition = $manager->pluginInstalled('NP_' . $field) && $this->_ifPlugin($field, $name, $value);
+                               break;
+               }
+               return $condition;
+       }       
+       
+       /**
+        *  Different checks for a category
+        */
+       function _ifCategory($name = '', $value='') {
+               global $blog, $catid;
+
+               // when no parameter is defined, just check if a category is selected
+               if (($name != 'catname' && $name != 'catid') || ($value == ''))
+                       return $blog->isValidCategory($catid);
+
+               // check category name
+               if ($name == 'catname') {
+                       $value = $blog->getCategoryIdFromName($value);
+                       if ($value == $catid)
+                               return $blog->isValidCategory($catid);
+               }
+
+               // check category id
+               if (($name == 'catid') && ($value == $catid))
+                       return $blog->isValidCategory($catid);
+
+               return false;
+       }
+       
+               
+       /**
+        *  Different checks for an author
+        */
+       function _ifAuthor($name = '', $value='') {
+               global $member, $manager;
+               
+               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentItem->itemid));
+
+               // when no parameter is defined, just check if author is current visitor
+               if (($name != 'isadmin' && $name != 'name') || ($name == 'name' && $value == '')) {
+                       return (intval($member->getID()) > 0 && intval($member->getID()) == intval($this->currentItem->authorid));
+               }
+
+               // check author name
+               if ($name == 'name') {
+                       $value = strtolower($value);
+                       if ($value == strtolower($this->currentItem->author))
+                               return true;
+               }
+
+               // check if author is admin
+               if (($name == 'isadmin')) {                     
+                       $aid = intval($this->currentItem->authorid);
+                       $blogid = intval($b->getID());                  
+                       $amember =& $manager->getMember($aid);
+                       if ($amember->isAdmin())
+                               return true;
+                               
+                       return $amember->isBlogAdmin($blogid);
+               }
+
+               return false;
+       }
+       
+       /**
+        *  Different checks for a category
+        */
+       function _ifItemCategory($name = '', $value='') {
+               global $catid, $manager;
+               
+               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentItem->itemid));
+
+               // when no parameter is defined, just check if a category is selected
+               if (($name != 'catname' && $name != 'catid') || ($value == ''))
+                       return $b->isValidCategory($catid);
+                       
+               $icatid = $this->currentItem->catid;
+               //$icategory = $this->currentItem->category;
+
+               // check category name
+               if ($name == 'catname') {
+                       $value = $b->getCategoryIdFromName($value);
+                       if ($value == $icatid)
+                               return $b->isValidCategory($icatid);
+               }
 
 
+               // check category id
+               if (($name == 'catid') && ($value == $icatid))
+                       return $b->isValidCategory($icatid);
+
+               return false;
+       }
+
+       
+       /**
+        *  Checks if a member is on the team of a blog and return his rights
+        */
+       function _ifOnTeam($blogName = '') {
+               global $blog, $member, $manager;
+
+               // when no blog found
+               if (($blogName == '') && (!is_object($blog)))
+                       return 0;
+
+               // explicit blog selection
+               if ($blogName != '')
+                       $blogid = getBlogIDFromName($blogName);
+
+               if (($blogName == '') || !$manager->existsBlogID($blogid))
+                       // use current blog
+                       $blogid = $blog->getID();
+
+               return $member->teamRights($blogid);
+       }
+
+       /**
+        *  Checks if a member is admin of a blog
+        */
+       function _ifAdmin($blogName = '') {
+               global $blog, $member, $manager;
+
+               // when no blog found
+               if (($blogName == '') && (!is_object($blog)))
+                       return 0;
+
+               // explicit blog selection
+               if ($blogName != '')
+                       $blogid = getBlogIDFromName($blogName);
+                       
+               if (($blogName == '') || !$manager->existsBlogID($blogid))
+                       // use current blog
+                       $blogid = $blog->getID();
+               
+               return $member->isBlogAdmin($blogid);
+       }
+
+       
+       /**
+        *      hasplugin,PlugName
+        *         -> checks if plugin exists
+        *      hasplugin,PlugName,OptionName
+        *         -> checks if the option OptionName from plugin PlugName is not set to 'no'
+        *      hasplugin,PlugName,OptionName=value
+        *         -> checks if the option OptionName from plugin PlugName is set to value
+        */
+       function _ifHasPlugin($name, $value) {
+               global $manager;
+               $condition = false;
+               // (pluginInstalled method won't write a message in the actionlog on failure)
+               if ($manager->pluginInstalled('NP_'.$name)) {
+                       $plugin =& $manager->getPlugin('NP_' . $name);
+                       if ($plugin != NULL) {
+                               if ($value == "") {
+                                       $condition = true;
+                               } else {
+                                       list($name2, $value2) = explode('=', $value, 2);
+                                       if ($value2 == "" && $plugin->getOption($name2) != 'no') {
+                                               $condition = true;
+                                       } else if ($plugin->getOption($name2) == $value2) {
+                                               $condition = true;
+                                       }
+                               }
+                       }
+               }
+               return $condition;
+       }
+       
+       /**
+        * Checks if a plugin exists and call its doIf function
+        */
+       function _ifPlugin($name, $key = '', $value = '') {
+               global $manager;
+               
+               $plugin =& $manager->getPlugin('NP_' . $name);
+               if (!$plugin) return;
+               
+               $params = func_get_args();
+               array_shift($params);
+               
+               return call_user_func_array(array(&$plugin, 'doIf'), $params);
+       }
 }
 ?>
 }
 ?>
index 39c83c4..6bdd43f 100755 (executable)
@@ -26,14 +26,13 @@ class COMMENT {
          * @static
          */
        function getComment($commentid) {
          * @static
          */
        function getComment($commentid) {
-               $query =  'SELECT cnumber as commentid, cbody as body, cuser as user, cmail as userid, cemail as email, cmember as memberid, ctime, chost as host, mname as member, cip as ip, cblog as blogid'
-                          . ' FROM '.sql_table('comment').' left outer join '.sql_table('member').' on cmember=mnumber'
-                          . ' WHERE cnumber=' . intval($commentid);
+               $query = 'SELECT `cnumber` AS commentid, `cbody` AS body, `cuser` AS user, `cmail` AS userid, `cemail` AS email, `cmember` AS memberid, `ctime`, `chost` AS host, `mname` AS member, `cip` AS ip, `cblog` AS blogid'
+                                       . ' FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON `cmember` = `mnumber`'
+                                       . ' WHERE `cnumber` = ' . intval($commentid);
                $comments = sql_query($query);
 
                $aCommentInfo = sql_fetch_assoc($comments);
                $comments = sql_query($query);
 
                $aCommentInfo = sql_fetch_assoc($comments);
-               if ($aCommentInfo)
-               {
+               if ($aCommentInfo) {
                        $aCommentInfo['timestamp'] = strtotime($aCommentInfo['ctime']);
                }
                return $aCommentInfo;
                        $aCommentInfo['timestamp'] = strtotime($aCommentInfo['ctime']);
                }
                return $aCommentInfo;
@@ -49,13 +48,18 @@ class COMMENT {
                $comment['userid'] = strip_tags($comment['userid']);
                $comment['email'] = strip_tags($comment['email']);
 
                $comment['userid'] = strip_tags($comment['userid']);
                $comment['email'] = strip_tags($comment['email']);
 
-               // remove quotes and newlines from user and userid
-               $comment['user'] = strtr($comment['user'], "\'\"\n",'-- ');
-               $comment['userid'] = strtr($comment['userid'], "\'\"\n",'-- ');
-               $comment['email'] = strtr($comment['email'], "\'\"\n",'-- ');
-
+               // remove newlines from user; remove quotes and newlines from userid and email; trim whitespace from beginning and end
+               $comment['user'] = trim(strtr($comment['user'], "\n", ' ') );
+               $comment['userid'] = trim(strtr($comment['userid'], "\'\"\n", '-- ') );
+               $comment['email'] = trim(strtr($comment['email'], "\'\"\n", '-- ') );
+               
+               // begin if: a comment userid is supplied, but does not have an "http://" or "https://" at the beginning - prepend an "http://"
+               if ( !empty($comment['userid']) && (strpos($comment['userid'], 'http://') !== 0) && (strpos($comment['userid'], 'https://') !== 0) ) {
+                       $comment['userid'] = 'http://' . $comment['userid'];
+               } // end if
+               
                $comment['body'] = COMMENT::prepareBody($comment['body']);
                $comment['body'] = COMMENT::prepareBody($comment['body']);
-
+               
                return $comment;
        }
 
                return $comment;
        }
 
@@ -65,10 +69,12 @@ class COMMENT {
         * @ static
         */             
        function prepareBody($body) {
         * @ static
         */             
        function prepareBody($body) {
-
-               // remove newlines when too many in a row
-               $body = ereg_replace("\n.\n.\n","\n",$body);
-
+               # replaced ereg_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0
+               # original ereg_replace: ereg_replace("\n.\n.\n", "\n", $body);
+               // remove newlines when too many in a row               
+               $body = preg_replace("/\r\n/", "\n", $body);
+               $body = preg_replace("/\n+/", "\n", $body);
+               
                // encode special characters as entities
                $body = htmlspecialchars($body);
 
                // encode special characters as entities
                $body = htmlspecialchars($body);
 
@@ -109,11 +115,9 @@ class COMMENT {
                // since htmlspecialchars is applied _before_ URL linking
                // move the part of URL, starting from the disallowed entity to the 'post' link part
                $aBadEntities = array('&quot;', '&gt;', '&lt;');
                // since htmlspecialchars is applied _before_ URL linking
                // move the part of URL, starting from the disallowed entity to the 'post' link part
                $aBadEntities = array('&quot;', '&gt;', '&lt;');
-               foreach ($aBadEntities as $entity)
-               {
+               foreach ($aBadEntities as $entity) {
                        $pos = strpos($url, $entity);
                        $pos = strpos($url, $entity);
-                       if ($pos)
-                       {
+                       if ($pos) {
                                $post = substr($url, $pos) . $post;
                                $url = substr($url, 0, $pos);
 
                                $post = substr($url, $pos) . $post;
                                $url = substr($url, 0, $pos);
 
@@ -127,25 +131,28 @@ class COMMENT {
                }
 
                // move ending comma from url to 'post' part
                }
 
                // move ending comma from url to 'post' part
-               if (substr($url, strlen($url) - 1) == ',')
-               {
+               if (substr($url, strlen($url) - 1) == ',') {
                        $url = substr($url, 0, strlen($url) - 1);
                        $post = ',' . $post;
                }
 
                        $url = substr($url, 0, strlen($url) - 1);
                        $post = ',' . $post;
                }
 
-               if (!ereg('^'.$protocol.'://',$url))
+               # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0
+               # original ereg: ereg('^' . $protocol . '://', $url)
+               if (!preg_match('#^' . $protocol . '://#', $url) )
+               {
                        $linkedUrl = $protocol . (($protocol == 'mailto') ? ':' : '://') . $url;
                        $linkedUrl = $protocol . (($protocol == 'mailto') ? ':' : '://') . $url;
+               }
                else
                else
+               {
                        $linkedUrl = $url;
                        $linkedUrl = $url;
-
-
-               if ($protocol != 'mailto')
+               }
+               
+               if ($protocol != 'mailto') {
                        $displayedUrl = $linkedUrl;
                        $displayedUrl = $linkedUrl;
-               else
+               } else {
                        $displayedUrl = $url;
                        $displayedUrl = $url;
+               }
                return $pre . '<a href="'.$linkedUrl.'" rel="nofollow">'.shorten($displayedUrl,30,'...').'</a>' . $post;
        }
                return $pre . '<a href="'.$linkedUrl.'" rel="nofollow">'.shorten($displayedUrl,30,'...').'</a>' . $post;
        }
-
 }
 }
-
 ?>
\ No newline at end of file
 ?>
\ No newline at end of file
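Review bot: In prepareBody (hunk @@ -65,10 +69,12 @@), the replacement `preg_replace("/\n+/", "\n", $body)` is not equivalent to the ereg call it replaces: `\n.\n.\n` matched a specific five-character sequence of newlines separated by single characters, whereas `\n+` collapses every run of consecutive newlines, so a single blank line between two paragraphs is now stripped from every comment body. If the intent is still "too many newlines in a row", bound the quantifier, e.g. `$body = preg_replace("/\n{3,}/", "\n\n", $body);`, and consider normalising a bare `\r` alongside `\r\n` on the line above it. In the linkify hunk further down, `$protocol` is interpolated unquoted into the `#^...://#` pattern; it is presumably one of a fixed set of scheme names chosen by the caller, but `preg_quote($protocol, '#')` would make the match independent of that assumption. In prepare(), `user` now keeps quote characters (only newlines are translated), so any template that places the commenter name inside an attribute depends entirely on output-side escaping; a comment on that line stating that `user` is no longer attribute-safe would save the next reader from assuming otherwise.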
index 351e2c3..b7d7c85 100644 (file)
@@ -71,7 +71,13 @@ class COMMENTACTIONS extends BaseActions {
                        'plugin',
                        'include',
                        'phpinclude',
                        'plugin',
                        'include',
                        'phpinclude',
-                       'parsedinclude'
+                       'parsedinclude',
+                       'if',
+                       'else',
+                       'endif',
+                       'elseif',
+                       'ifnot',
+                       'elseifnot'
                );
        }
 
                );
        }
 
@@ -89,16 +95,25 @@ class COMMENTACTIONS extends BaseActions {
        
        function setCurrentComment(&$comment) {
                global $manager;
        
        function setCurrentComment(&$comment) {
                global $manager;
-               if ($comment['memberid'] != 0) {
+               // begin if: member comment
+               if ($comment['memberid'] != 0)
+               {
                        $comment['authtext'] = $template['COMMENTS_AUTH'];
 
                        $mem =& $manager->getMember($comment['memberid']);
                        $comment['user'] = $mem->getDisplayName();
                        $comment['authtext'] = $template['COMMENTS_AUTH'];
 
                        $mem =& $manager->getMember($comment['memberid']);
                        $comment['user'] = $mem->getDisplayName();
+                       
+                       // begin if: member URL exists, set it as the userid
                        if ($mem->getURL())
                        if ($mem->getURL())
+                       {
                                $comment['userid'] = $mem->getURL();
                                $comment['userid'] = $mem->getURL();
+                       }
+                       // else: set the email as the userid
                        else
                        else
+                       {
                                $comment['userid'] = $mem->getEmail();
                                $comment['userid'] = $mem->getEmail();
-
+                       } // end if
+                       
                        $comment['userlinkraw'] = createLink(
                                                                                'member',
                                                                                array(
                        $comment['userlinkraw'] = createLink(
                                                                                'member',
                                                                                array(
@@ -107,27 +122,40 @@ class COMMENTACTIONS extends BaseActions {
                                                                                        'extra' => $this->commentsObj->itemActions->linkparams
                                                                                )
                                                                          );
                                                                                        'extra' => $this->commentsObj->itemActions->linkparams
                                                                                )
                                                                          );
-
-               } else {
-
-                       // create smart links
-/*                     if (isValidMailAddress($comment['userid']))
-                               $comment['userlinkraw'] = 'mailto:'.$comment['userid'];
-                       elseif (strstr($comment['userid'],'http://') != false)
-                               $comment['userlinkraw'] = $comment['userid'];
-                       elseif (strstr($comment['userid'],'www') != false)
-                               $comment['userlinkraw'] = 'http://'.$comment['userid'];*/
-                       if (strstr($comment['userid'],'http://') != false)
-                               $comment['userlinkraw'] = $comment['userid'];
-                       elseif (strstr($comment['userid'],'www') != false)
-                               $comment['userlinkraw'] = 'http://'.$comment['userid'];
-                       elseif (isValidMailAddress($comment['email']))
-                               $comment['userlinkraw'] = 'mailto:'.$comment['email'];
-                       elseif (isValidMailAddress($comment['userid']))
-                               $comment['userlinkraw'] = 'mailto:'.$comment['userid'];
+               // else: non-member comment
                }
                }
-
+               else
+               {
+                       // create smart links
+                       // begin if: comment userid is not empty
+                       if (!empty($comment['userid']) )
+                       {
+                               // begin if: comment userid has either "http://" or "https://" at the beginning
+                               if ( (strpos($comment['userid'], 'http://') === 0) || (strpos($comment['userid'], 'https://') === 0) )
+                               {
+                                       $comment['userlinkraw'] = $comment['userid'];
+                               }
+                               // else: prepend the "http://" (backwards compatibility before rev 1471)
+                               else
+                               {
+                                       $comment['userlinkraw'] = 'http://' . $comment['userid'];
+                               } // end if
+                       }
+                       // else if: comment email is valid
+                       else if (isValidMailAddress($comment['email']) )
+                       {
+                               $comment['userlinkraw'] = 'mailto:' . $comment['email'];
+                       }
+                       // else if: comment userid is a valid email
+                       else if (isValidMailAddress($comment['userid']) )
+                       {
+                               $comment['userlinkraw'] = 'mailto:' . $comment['userid'];
+                       } // end if
+               } // end if
                $this->currentComment =& $comment;
                $this->currentComment =& $comment;
+               global $currentcommentid, $currentcommentarray;
+               $currentcommentid = $comment['commentid'];
+               $currentcommentarray = $comment;
        }
 
        /**
        }
 
        /**
@@ -401,6 +429,263 @@ class COMMENTACTIONS extends BaseActions {
                        echo $this->currentComment['user'];
                }
        }
                        echo $this->currentComment['user'];
                }
        }
+       
+       // function to enable if-else-elseif-elseifnot-ifnot-endif to comment template fields
+       
+       /**
+        * Checks conditions for if statements
+        *
+        * @param string $field type of <%if%>
+        * @param string $name property of field
+        * @param string $value value of property
+        */
+       function checkCondition($field, $name='', $value = '') {
+               global $catid, $blog, $member, $itemidnext, $itemidprev, $manager, $archiveprevexists, $archivenextexists;
+
+               $condition = 0;
+               switch($field) {
+                       case 'category':
+                               $condition = ($blog && $this->_ifCategory($name,$value));
+                               break;
+                       case 'itemcategory':
+                               $condition = ($this->_ifItemCategory($name,$value));
+                               break;
+                       case 'blogsetting':
+                               $condition = ($blog && ($blog->getSetting($name) == $value));
+                               break;
+                       case 'itemblogsetting':
+                               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentComment['itemid']));
+                               $condition = ($b && ($b->getSetting($name) == $value));
+                               break;
+                       case 'loggedin':
+                               $condition = $member->isLoggedIn();
+                               break;
+                       case 'onteam':
+                               $condition = $member->isLoggedIn() && $this->_ifOnTeam($name);
+                               break;
+                       case 'admin':
+                               $condition = $member->isLoggedIn() && $this->_ifAdmin($name);
+                               break;
+                       case 'author':
+                               $condition = ($this->_ifAuthor($name,$value));
+                               break;
+/*                     case 'nextitem':
+                               $condition = ($itemidnext != '');
+                               break;
+                       case 'previtem':
+                               $condition = ($itemidprev != '');
+                               break;
+                       case 'archiveprevexists':
+                               $condition = ($archiveprevexists == true);
+                               break;
+                       case 'archivenextexists':
+                               $condition = ($archivenextexists == true);
+                               break; 
+                       case 'skintype':
+                               $condition = ($name == $this->skintype);
+                               break; */
+                       case 'hasplugin':
+                               $condition = $this->_ifHasPlugin($name, $value);
+                               break;
+                       default:
+                               $condition = $manager->pluginInstalled('NP_' . $field) && $this->_ifPlugin($field, $name, $value);
+                               break;
+               }
+               return $condition;
+       }       
+       
+       /**
+        *  Different checks for a category
+        */
+       function _ifCategory($name = '', $value='') {
+               global $blog, $catid;
+
+               // when no parameter is defined, just check if a category is selected
+               if (($name != 'catname' && $name != 'catid') || ($value == ''))
+                       return $blog->isValidCategory($catid);
+
+               // check category name
+               if ($name == 'catname') {
+                       $value = $blog->getCategoryIdFromName($value);
+                       if ($value == $catid)
+                               return $blog->isValidCategory($catid);
+               }
+
+               // check category id
+               if (($name == 'catid') && ($value == $catid))
+                       return $blog->isValidCategory($catid);
+
+               return false;
+       }
+       
+               
+       /**
+        *  Different checks for an author
+        */
+       function _ifAuthor($name = '', $value='') {
+               global $member, $manager;
+               
+               if ($this->currentComment['memberid'] == 0) return false;
+               
+               $mem =& $manager->getMember($this->currentComment['memberid']);
+               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentComment['itemid']));
+               $citem =& $manager->getItem($this->currentComment['itemid'],1,1);
+
+               // when no parameter is defined, just check if item author is current visitor
+               if (($name != 'isadmin' && $name != 'name' && $name != 'isauthor' && $name != 'isonteam')) {
+                       return (intval($member->getID()) > 0 && intval($member->getID()) == intval($citem['authorid']));
+               }
+
+               // check comment author name
+               if ($name == 'name') {
+                       $value = trim(strtolower($value));
+                       if ($value == '') 
+                               return false;
+                       if ($value == strtolower($mem->getDisplayName()))
+                               return true;
+               }
+
+               // check if comment author is admin
+               if ($name == 'isadmin') {                       
+                       $blogid = intval($b->getID());                  
+                       if ($mem->isAdmin())
+                               return true;
+                               
+                       return $mem->isBlogAdmin($blogid);
+               }
+               
+               // check if comment author is item author
+               if ($name == 'isauthor') {                      
+                       return (intval($citem['authorid']) == intval($this->currentComment['memberid']));
+               }
+               
+               // check if comment author is on team
+               if ($name == 'isonteam') {
+                       return $mem->teamRights(intval($b->getID()));
+               }
+
+               return false;
+       }
+       
+       /**
+        *  Different checks for a category
+        */
+       function _ifItemCategory($name = '', $value='') {
+               global $catid, $manager;
+               
+               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentComment['itemid']));
+               $citem =& $manager->getItem($this->currentComment['itemid'],1,1);
+               $icatid = $citem['catid'];
+
+               // when no parameter is defined, just check if a category is selected
+               if (($name != 'catname' && $name != 'catid') || ($value == ''))
+                       return $b->isValidCategory($icatid);
+                       
+               // check category name
+               if ($name == 'catname') {
+                       $value = $b->getCategoryIdFromName($value);
+                       if ($value == $icatid)
+                               return $b->isValidCategory($icatid);
+               }
+
+               // check category id
+               if (($name == 'catid') && ($value == $icatid))
+                       return $b->isValidCategory($icatid);
+
+               return false;
+       }
+
+       
+       /**
+        *  Checks if a member is on the team of a blog and return his rights
+        */
+       function _ifOnTeam($blogName = '') {
+               global $blog, $member, $manager;
+               
+               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentComment['itemid']));
+               
+               // when no blog found
+               if (($blogName == '') && (!is_object($b)))
+                       return 0;
+
+               // explicit blog selection
+               if ($blogName != '')
+                       $blogid = getBlogIDFromName($blogName);
+
+               if (($blogName == '') || !$manager->existsBlogID($blogid))
+                       // use current blog
+                       $blogid = $b->getID();
 
 
+               return $member->teamRights($blogid);
+       }
+
+       /**
+        *  Checks if a member is admin of a blog
+        */
+       function _ifAdmin($blogName = '') {
+               global $blog, $member, $manager;
+
+               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentComment['itemid']));
+               
+               // when no blog found
+               if (($blogName == '') && (!is_object($b)))
+                       return 0;
+
+               // explicit blog selection
+               if ($blogName != '')
+                       $blogid = getBlogIDFromName($blogName);
+
+               if (($blogName == '') || !$manager->existsBlogID($blogid))
+                       // use current blog
+                       $blogid = $b->getID();
+
+               return $member->isBlogAdmin($blogid);
+       }
+
+       
+       /**
+        *      hasplugin,PlugName
+        *         -> checks if plugin exists
+        *      hasplugin,PlugName,OptionName
+        *         -> checks if the option OptionName from plugin PlugName is not set to 'no'
+        *      hasplugin,PlugName,OptionName=value
+        *         -> checks if the option OptionName from plugin PlugName is set to value
+        */
+       function _ifHasPlugin($name, $value) {
+               global $manager;
+               $condition = false;
+               // (pluginInstalled method won't write a message in the actionlog on failure)
+               if ($manager->pluginInstalled('NP_'.$name)) {
+                       $plugin =& $manager->getPlugin('NP_' . $name);
+                       if ($plugin != NULL) {
+                               if ($value == "") {
+                                       $condition = true;
+                               } else {
+                                       list($name2, $value2) = explode('=', $value, 2);
+                                       if ($value2 == "" && $plugin->getOption($name2) != 'no') {
+                                               $condition = true;
+                                       } else if ($plugin->getOption($name2) == $value2) {
+                                               $condition = true;
+                                       }
+                               }
+                       }
+               }
+               return $condition;
+       }
+
+       /**
+        * Checks if a plugin exists and call its doIf function
+        */
+       function _ifPlugin($name, $key = '', $value = '') {
+               global $manager;
+
+               $plugin =& $manager->getPlugin('NP_' . $name);
+               if (!$plugin) return;
+
+               $params = func_get_args();
+               array_shift($params);
+
+               return call_user_func_array(array(&$plugin, 'doIf'), $params);
+       }
 }
 ?>
\ No newline at end of file
 }
 ?>
\ No newline at end of file
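Review bot: In `_ifHasPlugin`, `list($name2, $value2) = explode('=', $value, 2);` emits an undefined-offset notice whenever the option argument carries no `=` (the `hasplugin,PlugName,OptionName` form documented directly above it), because explode then yields a single element and `$value2` is silently null; the same line appears in the earlier copy of `_ifHasPlugin` in this commit. Reading the parts explicitly avoids it: `$parts = explode('=', $value, 2);` / `$name2 = $parts[0];` / `$value2 = isset($parts[1]) ? $parts[1] : '';`. In `_ifOnTeam` and `_ifAdmin` the `is_object($b)` guard runs only when `$blogName` is empty, yet the fallback `$blogid = $b->getID()` is also reached when a named blog does not pass `existsBlogID`, so if getBlog() can return a non-object for an unresolvable item the call fails on that path; guarding `$b` unconditionally covers both, and the `global $blog` in those two methods is unused and can go. More broadly, checkCondition and the `_if*` helpers are a near-verbatim copy of the item-side implementation, differing only in how the blog and item are resolved from the current comment; hoisting the shared logic into BaseActions behind a small resolver hook would keep the two copies from drifting.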
index 9796773..d49f655 100755 (executable)
@@ -259,12 +259,12 @@ class COMMENTS {
 
                $manager->notify('PreAddComment',array('comment' => &$comment, 'spamcheck' => &$spamcheck));
 
 
                $manager->notify('PreAddComment',array('comment' => &$comment, 'spamcheck' => &$spamcheck));
 
-               $name           = addslashes($comment['user']);
-               $url            = addslashes($comment['userid']);
-               $email      = addslashes($comment['email']);
-               $body           = addslashes($comment['body']);
-               $host           = addslashes($comment['host']);
-               $ip                     = addslashes($comment['ip']);
+               $name           = sql_real_escape_string($comment['user']);
+               $url            = sql_real_escape_string($comment['userid']);
+               $email      = sql_real_escape_string($comment['email']);
+               $body           = sql_real_escape_string($comment['body']);
+               $host           = sql_real_escape_string($comment['host']);
+               $ip                     = sql_real_escape_string($comment['ip']);
                $memberid       = intval($comment['memberid']);
                $timestamp      = date('Y-m-d H:i:s', $comment['timestamp']);
                $itemid         = $this->itemid;
                $memberid       = intval($comment['memberid']);
                $timestamp      = date('Y-m-d H:i:s', $comment['timestamp']);
                $itemid         = $this->itemid;
@@ -301,36 +301,46 @@ class COMMENTS {
         */
        function isValidComment(&$comment, & $spamcheck) {
                global $member, $manager;
         */
        function isValidComment(&$comment, & $spamcheck) {
                global $member, $manager;
-
+               
                // check if there exists a item for this date
                $item =& $manager->getItem($this->itemid,0,0);
                // check if there exists a item for this date
                $item =& $manager->getItem($this->itemid,0,0);
-
-               if (!$item)
+               
+               if (!$item) {
                        return _ERROR_NOSUCHITEM;
                        return _ERROR_NOSUCHITEM;
-
-               if ($item['closed'])
+               }
+               
+               if ($item['closed']) {
                        return _ERROR_ITEMCLOSED;
                        return _ERROR_ITEMCLOSED;
-
+               }
+               
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0
+               # original eregi comparison: eregi('[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}', $comment['body']) != FALSE
+               
                // don't allow words that are too long
                // don't allow words that are too long
-               if (eregi('[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}',$comment['body']) != false)
+               if (preg_match('/[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}/', $comment['body']) != 0)
+               {
                        return _ERROR_COMMENT_LONGWORD;
                        return _ERROR_COMMENT_LONGWORD;
-
+               }
+               
                // check lengths of comment
                // check lengths of comment
-               if (strlen($comment['body'])<3)
+               if (strlen($comment['body'])<3) {
                        return _ERROR_COMMENT_NOCOMMENT;
                        return _ERROR_COMMENT_NOCOMMENT;
-
-               if (strlen($comment['body'])>5000)
+               }
+               
+               if (strlen($comment['body'])>5000) {
                        return _ERROR_COMMENT_TOOLONG;
                        return _ERROR_COMMENT_TOOLONG;
-
+               }
+               
                // only check username if no member logged in
                // only check username if no member logged in
-               if (!$member->isLoggedIn())
+               if (!$member->isLoggedIn()) {
                        if (strlen($comment['user'])<2)
                                return _ERROR_COMMENT_NOUSERNAME;
                        if (strlen($comment['user'])<2)
                                return _ERROR_COMMENT_NOUSERNAME;
-
-               if ((strlen($comment['email']) != 0) && !(isValidMailAddress($comment['email']))) {
+               }
+               
+               if ((strlen($comment['email']) != 0) && !(isValidMailAddress(trim($comment['email']) ) ) )
                        return _ERROR_BADMAILADDRESS;
                }
                        return _ERROR_BADMAILADDRESS;
                }
-
+               
                // let plugins do verification (any plugin which thinks the comment is invalid
                // can change 'error' to something other than '1')
                $result = 1;
                // let plugins do verification (any plugin which thinks the comment is invalid
                // can change 'error' to something other than '1')
                $result = 1;
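Review bot: The new side of isValidComment looks unbalanced as rendered: the `{` was dropped from `if ((strlen($comment['email']) != 0) && !(isValidMailAddress(trim($comment['email']) ) ) )`, but the unchanged `}` after `return _ERROR_BADMAILADDRESS;` is still there, so the method body is closed early and the file will not parse. Either restore the brace, `if ((strlen($comment['email']) != 0) && !isValidMailAddress(trim($comment['email']))) {`, or drop the trailing `}` to match the brace-less single-statement style used for the username check above. Separately, the address is only trimmed for the validity check; the untrimmed `$comment['email']` is what the addComment hunk above escapes and stores, so a value with surrounding whitespace passes validation but is persisted as-is. isValidComment continues past the end of this hunk (the plugin verification part).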
index 139484d..e773c70 100755 (executable)
@@ -213,9 +213,9 @@ class ITEM {
                // update item itsself\r
                $query =  'UPDATE '.sql_table('item')\r
                           . ' SET'\r
                // update item itsself\r
                $query =  'UPDATE '.sql_table('item')\r
                           . ' SET'\r
-                          . " ibody='". addslashes($body) ."',"\r
-                          . " ititle='" . addslashes($title) . "',"\r
-                          . " imore='" . addslashes($more) . "',"\r
+                          . " ibody='". sql_real_escape_string($body) ."',"\r
+                          . " ititle='" . sql_real_escape_string($title) . "',"\r
+                          . " imore='" . sql_real_escape_string($more) . "',"\r
                           . " iclosed=" . intval($closed) . ","\r
                           . " icat=" . intval($catid);\r
 \r
                           . " iclosed=" . intval($closed) . ","\r
                           . " icat=" . intval($catid);\r
 \r
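Review bot: `sql_real_escape_string($body)` and the two calls below it only give the intended protection if that helper delegates to the driver's real-escape on an already-open connection (so the connection charset is honoured); its definition is not visible here, so confirm it does not silently fall back to addslashes or return false when no link is open yet, which would reintroduce what this hunk is presumably removing. The same replacement is made in the COMMENTS.php addComment hunk above (`$name = sql_real_escape_string($comment['user'])` and the five lines after it), so a single check of the helper covers both. The numeric columns still go through `intval($closed)` and `intval($catid)`, which is the right treatment for them. The enclosing update method starts before and ends after this hunk.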
index fb87f00..8f85186 100644 (file)
@@ -102,13 +102,13 @@ class ITEMACTIONS extends BaseActions {
                        'editlink',\r
                        'editpopupcode',\r
                        'comments',\r
                        'editlink',\r
                        'editpopupcode',\r
                        'comments',\r
-                       'relevance'/*,\r
+                       'relevance',\r
                        'if',\r
                        'else',\r
                        'endif',\r
                        'elseif',\r
                        'ifnot',\r
                        'if',\r
                        'else',\r
                        'endif',\r
                        'elseif',\r
                        'ifnot',\r
-                       'elseifnot'*/\r
+                       'elseifnot'\r
                );\r
        }\r
 \r
                );\r
        }\r
 \r
@@ -119,11 +119,13 @@ class ITEMACTIONS extends BaseActions {
        function setParser(&$parser) {\r
                $this->parser =& $parser;\r
        }\r
        function setParser(&$parser) {\r
                $this->parser =& $parser;\r
        }\r
-\r
-       function setCurrentItem(&$item) {\r
-               $this->currentItem =& $item;\r
-       }\r
-\r
+       \r
+       function setCurrentItem(&$item) {
+               $this->currentItem =& $item;
+               global $currentitemid;
+               $currentitemid = $this->currentItem->itemid;
+       }
+       
        function setBlog(&$blog) {\r
                $this->blog =& $blog;\r
        }\r
        function setBlog(&$blog) {\r
                $this->blog =& $blog;\r
        }\r
@@ -540,7 +542,246 @@ class ITEMACTIONS extends BaseActions {
                $this->parser->actions = $this->getDefinedActions();\r
        }\r
        */\r
                $this->parser->actions = $this->getDefinedActions();\r
        }\r
        */\r
-\r
+       \r
+       // function to enable if-else-elseif-elseifnot-ifnot-endif to item template fields
+       
+               /**
+        * Checks conditions for if statements
+        *
+        * @param string $field type of <%if%>
+        * @param string $name property of field
+        * @param string $value value of property
+        */
+       function checkCondition($field, $name='', $value = '') {
+               global $catid, $blog, $member, $itemidnext, $itemidprev, $manager, $archiveprevexists, $archivenextexists;
+
+               $condition = 0;
+               switch($field) {
+                       case 'category':
+                               $condition = ($blog && $this->_ifCategory($name,$value));
+                               break;
+                       case 'itemcategory':
+                               $condition = ($this->_ifItemCategory($name,$value));
+                               break;
+                       case 'blogsetting':
+                               $condition = ($blog && ($blog->getSetting($name) == $value));
+                               break;
+                       case 'itemblogsetting':
+                               $b =& $manager->getBlog(getBlogIDFromItemID($this->currentItem->itemid));
+                               $condition = ($b && ($b->getSetting($name) == $value));
+                               break;
+                       case 'loggedin':
+                               $condition = $member->isLoggedIn();
+                               break;
+                       case 'onteam':
+                               $condition = $member->isLoggedIn() && $this->_ifOnTeam($name);
+                               break;
+                       case 'admin':
+                               $condition = $member->isLoggedIn() && $this->_ifAdmin($name);
+                               break;
+                       case 'author':
+                               $condition = ($this->_ifAuthor($name,$value));
+                               break;
+/*                     case 'nextitem':
+                               $condition = ($itemidnext != '');
+                               break;
+                       case 'previtem':
+                               $condition = ($itemidprev != '');
+                               break;
+                       case 'archiveprevexists':
+                               $condition = ($archiveprevexists == true);
+                               break;
+                       case 'archivenextexists':
+                               $condition = ($archivenextexists == true);
+                               break; 
+                       case 'skintype':
+                               $condition = ($name == $this->skintype);
+                               break; */
+                       case 'hasplugin':
+                               $condition = $this->_ifHasPlugin($name, $value);
+                               break;
+                       default:
+                               $condition = $manager->pluginInstalled('NP_' . $field) && $this->_ifPlugin($field, $name, $value);
+                               break;
+               }
+               return $condition;
+       }       
+       
+       /**
+        *  Different checks for a category
+        */
+       function _ifCategory($name = '', $value='') {
+               global $blog, $catid;
+
+               // when no parameter is defined, just check if a category is selected
+               if (($name != 'catname' && $name != 'catid') || ($value == ''))
+                       return $blog->isValidCategory($catid);
+
+               // check category name
+               if ($name == 'catname') {
+                       $value = $blog->getCategoryIdFromName($value);
+                       if ($value == $catid)
+     &nbs