qemudb/include/vote.php

<?php
require_once(BASE."include/util.php");
/* max votes per user */
define('MAX_VOTES',3);


/**
 * count the number of votes for appId by userId
 */
function vote_count($appId, $userId = null)
{

    if(!$userId)
    {
        if($_SESSION['current']->isLoggedIn())
            $userId = $_SESSION['current']->iUserId;
        else
            return 0;
}
    $hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?' AND userId = '?'",
                            $appId, $userId);
    return mysql_num_rows($hResult);
}


/**
 * total votes by userId
 */
function vote_count_user_total($userId = null)
{
    if(!$userId)
    {
        if($_SESSION['current']->isLoggedIn())
            $userId = $_SESSION['current']->iUserId;
        else
            return 0;
    }
    $hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);
    return mysql_num_rows($hResult);
}


/*
 * total votes for appId
 */
function vote_count_app_total($appId)
{
    $hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?'", $appId);
    return mysql_num_rows($hResult);
}


/**
 * add a vote for appId
 */
function vote_add($appId, $slot, $userId = null)
{
    if(!$userId)
    {
        if($_SESSION['current']->isLoggedIn())
            $userId = $_SESSION['current']->iUserId;
        else
            return;
    }

    if($slot > MAX_VOTES)
        return;
    
    vote_remove($slot, $userId);

    query_parameters("INSERT INTO appVotes (id, time, appId, userId, slot)
                      VALUES (?, ?, '?', '?', '?')", "null", "null", $appId, $userId, $slot);
}


/**
 * remove vote for a slot
 */
function vote_remove($slot, $userId = null)
{
    
    if(!$userId)
    {
        if($_SESSION['current']->isLoggedIn())
            $userId = $_SESSION['current']->iUserId;
        else
            return;
    }

    $sQuery = "DELETE FROM appVotes WHERE userId = '?' AND slot = '?'";
    query_parameters($sQuery, $userId, $slot);
}


function vote_get_user_votes($userId = null)
{
    if(!$userId)
    {
        if($_SESSION['current']->isLoggedIn())
            $userId = $_SESSION['current']->iUserId;
        if(!$userId)
            return array();
    }
    $hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);
    if(!$hResult)
        return array();

    $obs = array();
    while($oRow = mysql_fetch_object($hResult))
        $obs[$oRow->slot] = $oRow;
    return $obs;
}


function vote_menu()
{

    $aClean = array(); //array of filtered user input
    $aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);

    $m = new htmlmenu("Votes","updatevote.php");
    
    $votes = vote_get_user_votes();

    for($i = 1;$i <= MAX_VOTES; $i++)
    {
        if(isset($votes[$i]))
        {
            $sAppName = Application::lookup_name($votes[$i]->appId);
            $str = "<a href='appview.php?iAppId=".$votes[$i]->appId."'> $sAppName</a>";
            $m->add("<input type=radio name=slot value='$i'> ".$str);
        }
        else
            $m->add("<input type=radio name=iSlot value='$i'> No App Selected");
    }
    
    $m->addmisc("&nbsp;");

    $m->add("<input type=submit name=sClear value=' Clear Vote   ' class=votebutton>");
    $m->add("<input type=submit name=sVote value='Vote for App' class=votebutton>");
    
    $m->addmisc("<input type=hidden name=iAppId value={$aClean['iAppId']}>");
    
    $m->add("View Results", BASE."votestats.php");
    $m->add("Voting Help", BASE."help/?sTopic=voting");
    
    $m->done(1);    
}


function vote_update($vars)
{
    if(!$_SESSION['current']->isLoggedIn())
        util_show_error_page_and_exit("You must be logged in to vote");

    if( !is_numeric($vars['iAppId']) OR !is_numeric($vars['iSlot']))
    {
        if(is_numeric($vars['iAppId']))
           util_redirect_and_exit(apidb_fullurl("appview.php?iAppId=".$vars["iAppId"]));
        else
            util_redirect_and_exit(apidb_fullurl("index.php"));

        return;
    }
    
    if($vars["sVote"])
    {
        addmsg("Registered vote for App #".$vars["iAppId"], "green");
        vote_add($vars["iAppId"], $vars["slot"]);
    } else if($vars["sClear"])
    {
        /* see if we have a vote in this slot, if we don't there is */
        /* little reason to remove it or even mention that we did anything */
        if(is_vote_in_slot($vars["slot"]))
        {
            vote_remove($vars["slot"]);
            addmsg("Removed vote for App #".$vars["iAppId"], "green");
        }
    }

    util_redirect_and_exit(apidb_fullurl("appview.php?iAppId=".$vars["iAppId"]));
}

// tell us if there is a vote in a given slot so we don't
// display incorrect information to the user or go
// through the trouble of trying to remove a vote that doesn't exist
function is_vote_in_slot($slot, $userId = null)
{
    if(!$userId)
    {
        if($_SESSION['current']->isLoggedIn())
            $userId = $_SESSION['current']->iUserId;
        else
            return;
    }

    $sQuery = "SELECT COUNT(*) as count from appVotes WHERE userId = '?' AND slot = '?'";
    if($hResult = query_parameters($sQuery, $userId, $slot))
    {
        $oRow = mysql_fetch_object($hResult);        
        if($oRow->count != 0)
            return true;
        else
            return false;
    }
    
    return false;
}

?>
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`<?php`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`require_once(BASE."include/util.php");`
Delete on slot base. Note appId+slot base. And allow only MAX_VOTES slots 2004-12-28 00:01:21 +00:00			`/* max votes per user */`
			`define('MAX_VOTES',3);`
Initial revision 2004-03-15 16:22:00 +00:00

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`/**`
Initial revision 2004-03-15 16:22:00 +00:00			`* count the number of votes for appId by userId`
			`*/`
			`function vote_count($appId, $userId = null)`
			`{`

			`if(!$userId)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
- OO version of user class - no more duplicated functions - improved performances (much less duplicated mysql queries) - less code and better error handling 2005-01-30 23:12:48 +00:00			`if($_SESSION['current']->isLoggedIn())`
			`$userId = $_SESSION['current']->iUserId;`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`else`
			`return 0;`
			`}`
Use query_parameters() in SQL select, update and delete statements to protect against sql injection attacks 2006-06-27 19:16:27 +00:00			`$hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?' AND userId = '?'",`
			`$appId, $userId);`
Make code more consistent by making it follow the appdb coding standards. Fix some spaces vs. tabs odd indenting. 2006-06-21 01:04:12 +00:00			`return mysql_num_rows($hResult);`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00
			`/**`
Initial revision 2004-03-15 16:22:00 +00:00			`* total votes by userId`
			`*/`
			`function vote_count_user_total($userId = null)`
			`{`
			`if(!$userId)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
- OO version of user class - no more duplicated functions - improved performances (much less duplicated mysql queries) - less code and better error handling 2005-01-30 23:12:48 +00:00			`if($_SESSION['current']->isLoggedIn())`
			`$userId = $_SESSION['current']->iUserId;`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`else`
			`return 0;`
			`}`
Use query_parameters() in SQL select, update and delete statements to protect against sql injection attacks 2006-06-27 19:16:27 +00:00			`$hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);`
Make code more consistent by making it follow the appdb coding standards. Fix some spaces vs. tabs odd indenting. 2006-06-21 01:04:12 +00:00			`return mysql_num_rows($hResult);`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00
Initial revision 2004-03-15 16:22:00 +00:00			`/*`
			`* total votes for appId`
			`*/`
			`function vote_count_app_total($appId)`
			`{`
Use query_parameters() in SQL select, update and delete statements to protect against sql injection attacks 2006-06-27 19:16:27 +00:00			`$hResult = query_parameters("SELECT * FROM appVotes WHERE appId = '?'", $appId);`
Make code more consistent by making it follow the appdb coding standards. Fix some spaces vs. tabs odd indenting. 2006-06-21 01:04:12 +00:00			`return mysql_num_rows($hResult);`
Initial revision 2004-03-15 16:22:00 +00:00			`}`


- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`/**`
Initial revision 2004-03-15 16:22:00 +00:00			`* add a vote for appId`
			`*/`
			`function vote_add($appId, $slot, $userId = null)`
			`{`
			`if(!$userId)`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`{`
- OO version of user class - no more duplicated functions - improved performances (much less duplicated mysql queries) - less code and better error handling 2005-01-30 23:12:48 +00:00			`if($_SESSION['current']->isLoggedIn())`
			`$userId = $_SESSION['current']->iUserId;`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`else`
			`return;`
			`}`
Initial revision 2004-03-15 16:22:00 +00:00
Delete on slot base. Note appId+slot base. And allow only MAX_VOTES slots 2004-12-28 00:01:21 +00:00			`if($slot > MAX_VOTES)`
			`return;`

			`vote_remove($slot, $userId);`
Protect against sql injection attacks in sql INSERT statements 2006-06-24 04:20:32 +00:00
			`query_parameters("INSERT INTO appVotes (id, time, appId, userId, slot)`
			`VALUES (?, ?, '?', '?', '?')", "null", "null", $appId, $userId, $slot);`
Initial revision 2004-03-15 16:22:00 +00:00			`}`


- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`/**`
Delete on slot base. Note appId+slot base. And allow only MAX_VOTES slots 2004-12-28 00:01:21 +00:00			`* remove vote for a slot`
Initial revision 2004-03-15 16:22:00 +00:00			`*/`
Delete on slot base. Note appId+slot base. And allow only MAX_VOTES slots 2004-12-28 00:01:21 +00:00			`function vote_remove($slot, $userId = null)`
Initial revision 2004-03-15 16:22:00 +00:00			`{`
- access most globals by their $_XYZ['varname'] name - fix some code errors and typos (missing $ in front of variable names and so on) - fixed a lot of warnings that would have been thrown when error_reporting is set to show notices (if(isset($variable))) instead of if($variable) for example) 2004-12-10 01:07:45 +00:00
Initial revision 2004-03-15 16:22:00 +00:00			`if(!$userId)`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`{`
			`if($_SESSION['current']->isLoggedIn())`
			`$userId = $_SESSION['current']->iUserId;`
			`else`
			`return;`
			`}`

Use query_parameters() in SQL select, update and delete statements to protect against sql injection attacks 2006-06-27 19:16:27 +00:00			`$sQuery = "DELETE FROM appVotes WHERE userId = '?' AND slot = '?'";`
			`query_parameters($sQuery, $userId, $slot);`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00
Initial revision 2004-03-15 16:22:00 +00:00			`function vote_get_user_votes($userId = null)`
			`{`
			`if(!$userId)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
- OO version of user class - no more duplicated functions - improved performances (much less duplicated mysql queries) - less code and better error handling 2005-01-30 23:12:48 +00:00			`if($_SESSION['current']->isLoggedIn())`
			`$userId = $_SESSION['current']->iUserId;`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`if(!$userId)`
			`return array();`
			`}`
Use query_parameters() in SQL select, update and delete statements to protect against sql injection attacks 2006-06-27 19:16:27 +00:00			`$hResult = query_parameters("SELECT * FROM appVotes WHERE userId = '?'", $userId);`
Make code more consistent by making it follow the appdb coding standards. Fix some spaces vs. tabs odd indenting. 2006-06-21 01:04:12 +00:00			`if(!$hResult)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`return array();`
Initial revision 2004-03-15 16:22:00 +00:00
			`$obs = array();`
Make code more consistent by making it follow the appdb coding standards. Fix some spaces vs. tabs odd indenting. 2006-06-21 01:04:12 +00:00			`while($oRow = mysql_fetch_object($hResult))`
			`$obs[$oRow->slot] = $oRow;`
Initial revision 2004-03-15 16:22:00 +00:00			`return $obs;`
			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00
Initial revision 2004-03-15 16:22:00 +00:00			`function vote_menu()`
			`{`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00
			`$aClean = array(); //array of filtered user input`
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00
Initial revision 2004-03-15 16:22:00 +00:00			`$m = new htmlmenu("Votes","updatevote.php");`

			`$votes = vote_get_user_votes();`

Rewrite vote_menu() to use MAX_VOTES. Show the application name instead of the ID in the menu. 2004-12-27 23:59:30 +00:00			`for($i = 1;$i <= MAX_VOTES; $i++)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
Rewrite vote_menu() to use MAX_VOTES. Show the application name instead of the ID in the menu. 2004-12-27 23:59:30 +00:00			`if(isset($votes[$i]))`
			`{`
Clean up application and version classes. Move class related functions into the class as static member functions 2006-06-29 16:07:19 +00:00			`$sAppName = Application::lookup_name($votes[$i]->appId);`
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`$str = "<a href='appview.php?iAppId=".$votes[$i]->appId."'> $sAppName</a>";`
Rewrite vote_menu() to use MAX_VOTES. Show the application name instead of the ID in the menu. 2004-12-27 23:59:30 +00:00			`$m->add("<input type=radio name=slot value='$i'> ".$str);`
			`}`
			`else`
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`$m->add("<input type=radio name=iSlot value='$i'> No App Selected");`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
Initial revision 2004-03-15 16:22:00 +00:00
			`$m->addmisc(" ");`

Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`$m->add("<input type=submit name=sClear value=' Clear Vote ' class=votebutton>");`
			`$m->add("<input type=submit name=sVote value='Vote for App' class=votebutton>");`
Initial revision 2004-03-15 16:22:00 +00:00
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`$m->addmisc("<input type=hidden name=iAppId value={$aClean['iAppId']}>");`
Initial revision 2004-03-15 16:22:00 +00:00
make use of the new constants of the config file for db connection and base path 2004-12-23 01:12:03 +00:00			`$m->add("View Results", BASE."votestats.php");`
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`$m->add("Voting Help", BASE."help/?sTopic=voting");`
Initial revision 2004-03-15 16:22:00 +00:00
			`$m->done(1);`
			`}`


			`function vote_update($vars)`
			`{`
- OO version of user class - no more duplicated functions - improved performances (much less duplicated mysql queries) - less code and better error handling 2005-01-30 23:12:48 +00:00			`if(!$_SESSION['current']->isLoggedIn())`
Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_show_error_page_and_exit("You must be logged in to vote");`
Initial revision 2004-03-15 16:22:00 +00:00
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`if( !is_numeric($vars['iAppId']) OR !is_numeric($vars['iSlot']))`
Fix vote form and check on userinput (making more user friendly at the same time) 2004-12-27 05:16:33 +00:00			`{`
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`if(is_numeric($vars['iAppId']))`
Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_redirect_and_exit(apidb_fullurl("appview.php?iAppId=".$vars["iAppId"]));`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`else`
Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_redirect_and_exit(apidb_fullurl("index.php"));`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00
Fix vote form and check on userinput (making more user friendly at the same time) 2004-12-27 05:16:33 +00:00			`return;`
			`}`

Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`if($vars["sVote"])`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`{`
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`addmsg("Registered vote for App #".$vars["iAppId"], "green");`
			`vote_add($vars["iAppId"], $vars["slot"]);`
			`} else if($vars["sClear"])`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`{`
			`/* see if we have a vote in this slot, if we don't there is */`
			`/* little reason to remove it or even mention that we did anything */`
			`if(is_vote_in_slot($vars["slot"]))`
			`{`
Make votes work again 2005-02-26 16:36:52 +00:00			`vote_remove($vars["slot"]);`
Prefix all GPC variables according to our coding standard 2006-07-06 17:27:54 +00:00			`addmsg("Removed vote for App #".$vars["iAppId"], "green");`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`}`
			`}`

Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_redirect_and_exit(apidb_fullurl("appview.php?iAppId=".$vars["iAppId"]));`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`// tell us if there is a vote in a given slot so we don't`
			`// display incorrect information to the user or go`
			`// through the trouble of trying to remove a vote that doesn't exist`
			`function is_vote_in_slot($slot, $userId = null)`
			`{`
			`if(!$userId)`
			`{`
			`if($_SESSION['current']->isLoggedIn())`
			`$userId = $_SESSION['current']->iUserId;`
			`else`
			`return;`
			`}`

Use query_parameters() in SQL select, update and delete statements to protect against sql injection attacks 2006-06-27 19:16:27 +00:00			`$sQuery = "SELECT COUNT(*) as count from appVotes WHERE userId = '?' AND slot = '?'";`
			`if($hResult = query_parameters($sQuery, $userId, $slot))`
Clearing an empty vote would result in a blank screen, instead redirect the user to an appropriate page. Don't report that we removed votes for empty slots. Improve the message on the votestats page if there are no voting results. 2005-05-11 03:08:07 +00:00			`{`
			`$oRow = mysql_fetch_object($hResult);`
			`if($oRow->count != 0)`
			`return true;`
			`else`
			`return false;`
			`}`

			`return false;`
			`}`
Initial revision 2004-03-15 16:22:00 +00:00
			`?>`