qemudb/addcomment.php

<?php
include("path.php");
require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");

$aClean = array(); //array of filtered user input

$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['thread'] = makeSafe($_REQUEST['thread']);
$aClean['body'] = makeSafe($_REQUEST['body']);
$aClean['subject'] = makeSafe($_REQUEST['subject']);

/********************************/
/* code to submit a new comment */
/********************************/
    
/*
 * application environment
 */
// you must be logged in to submit comments
if(!$_SESSION['current']->isLoggedIn())
{
  apidb_header("Please login");
  echo "To submit a comment for an application you must be logged in. Please <a href=\"account.php?cmd=login\">login now</a> or create a <a href=\"account.php?cmd=new\">new account</a>.","\n";
  exit;
}

if( !is_numeric($aClean['versionId']) )
{
  errorpage('Internal Database Access Error');
  exit;
}

if(!is_numeric($aClean['thread']))
{
  $aClean['thread'] = 0;
}

############################
# ADDS COMMENT TO DATABASE #
############################
if(!empty($aClean['body']))
{
    $oComment = new Comment();
    $oComment->create($aClean['subject'], $aClean['body'], $aClean['thread'], $aClean['versionId']);
    redirect(apidb_fullurl("appview.php?versionId=".$oComment->iVersionId));
}

################################
# USER WANTS TO SUBMIT COMMENT #
################################
else
{
  apidb_header("Add Comment");

  $mesTitle = "<b>Post New Comment</b>";

  if($aClean['thread'] > 0)
  {
    $hResult = query_parameters("SELECT * FROM appComments WHERE commentId = '?'",
                            $aClean['thread']);
    $oRow = mysql_fetch_object($hResult);
    if($oRow)
    {
      $mesTitle = "<b>Replying To ...</b> $oRow->subject\n";
      $originator = $oRow->userId;
      echo html_frame_start($oRow->subject,500);
      echo htmlify_urls($oRow->body), "<br /><br />\n";
      echo html_frame_end();
    }
  }

  echo "<form method=\"post\" action=\"addcomment.php\">\n";

  echo html_frame_start($mesTitle,500,"",0);
    
  echo '<table width="100%" border=0 cellpadding=0 cellspacing=1>',"\n";
  echo "<tr class=\"color0\"><td align=right><b>From:</b>&nbsp;</td>\n";
  echo "	<td>&nbsp;".$_SESSION['current']->sRealname."</td></tr>\n";
  echo "<tr class=\"color0\"><td align=right><b>Subject:</b>&nbsp;</td>\n";
  echo "	<td>&nbsp;<input type=\"text\" size=\"35\" name=\"subject\" value=\"".$aClean['subject']."\" /> </td></tr>\n";
  echo "<tr class=\"color1\"><td colspan=2><textarea name=\"body\" cols=\"70\" rows=\"15\" wrap=\"virtual\">".$aClean['body']."</textarea></td></tr>\n";
  echo "<tr class=\"color1\"><td colspan=2 align=center>\n";
  echo "  <input type=\"submit\" value=\"Post Comment\" class=\"button\" />\n";
  echo "  <input type=\"reset\" value=\"Reset\" class=\"button\" />\n";
  echo "</td></tr>\n";
  echo "</table>\n";

  echo html_frame_end();

  echo "<input type=\"hidden\" name=\"thread\" value=\"".$aClean['thread']."\" />\n";
  echo "<input type=\"hidden\" name=\"appId\" value=\"".$aClean['appId']."\" />\n";
  echo "<input type=\"hidden\" name=\"versionId\" value=\"".$aClean['versionId']."\" />\n";
  if (!empty($aClean['thread']))
  {
    echo "<input type=\"hidden\" name=\"originator\" value=\"$originator\" />\n";
  }
  echo "</form>";
}

apidb_footer();
?>
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`<?php`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`include("path.php");`
			`require(BASE."include/incl.php");`
			`require(BASE."include/application.php");`
			`require(BASE."include/mail.php");`

			`$aClean = array(); //array of filtered user input`

			`$aClean['versionId'] = makeSafe($_REQUEST['versionId']);`
			`$aClean['thread'] = makeSafe($_REQUEST['thread']);`
			`$aClean['body'] = makeSafe($_REQUEST['body']);`
			`$aClean['subject'] = makeSafe($_REQUEST['subject']);`

Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`/********************************/`
			`/* code to submit a new comment */`
			`/********************************/`
Initial revision 2004-03-15 16:22:00 +00:00
- use mail_appdb() instead of mail() for better error handling and to avoid code duplication - use \r\n as line separator in mail (RFC compliant) 2005-01-30 00:57:34 +00:00			`/*`
			`* application environment`
			`*/`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`// you must be logged in to submit comments`
- OO version of user class - no more duplicated functions - improved performances (much less duplicated mysql queries) - less code and better error handling 2005-01-30 23:12:48 +00:00			`if(!$_SESSION['current']->isLoggedIn())`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`{`
			`apidb_header("Please login");`
			`echo "To submit a comment for an application you must be logged in. Please <a href=\"account.php?cmd=login\">login now</a> or create a <a href=\"account.php?cmd=new\">new account</a>.","\n";`
Security fixes 2005-01-15 05:59:21 +00:00			`exit;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if( !is_numeric($aClean['versionId']) )`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`{`
			`errorpage('Internal Database Access Error');`
			`exit;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if(!is_numeric($aClean['thread']))`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`{`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$aClean['thread'] = 0;`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`}`
Initial revision 2004-03-15 16:22:00 +00:00
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`############################`
			`# ADDS COMMENT TO DATABASE #`
			`############################`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if(!empty($aClean['body']))`
Initial revision 2004-03-15 16:22:00 +00:00			`{`
- new Comment class - improved performances (much less duplicated mysql queries) - less code and better error handling - informs the whole thread when posting new comment - fix various bugs 2005-02-02 03:01:29 +00:00			`$oComment = new Comment();`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$oComment->create($aClean['subject'], $aClean['body'], $aClean['thread'], $aClean['versionId']);`
- new Comment class - improved performances (much less duplicated mysql queries) - less code and better error handling - informs the whole thread when posting new comment - fix various bugs 2005-02-02 03:01:29 +00:00			`redirect(apidb_fullurl("appview.php?versionId=".$oComment->iVersionId));`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`################################`
			`# USER WANTS TO SUBMIT COMMENT #`
			`################################`
Security fixes 2005-01-15 05:59:21 +00:00			`else`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`{`
			`apidb_header("Add Comment");`
Initial revision 2004-03-15 16:22:00 +00:00
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`$mesTitle = "<b>Post New Comment</b>";`
Initial revision 2004-03-15 16:22:00 +00:00
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if($aClean['thread'] > 0)`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`{`
Use query_parameters() in SQL select, update and delete statements to protect against sql injection attacks 2006-06-27 19:16:27 +00:00			`$hResult = query_parameters("SELECT * FROM appComments WHERE commentId = '?'",`
			`$aClean['thread']);`
Make code more consistent by making it follow the appdb coding standards. Fix some spaces vs. tabs odd indenting. 2006-06-21 01:04:12 +00:00			`$oRow = mysql_fetch_object($hResult);`
			`if($oRow)`
send an email to the original poster if this is a reply. 2004-11-17 23:05:36 +00:00			`{`
Make code more consistent by making it follow the appdb coding standards. Fix some spaces vs. tabs odd indenting. 2006-06-21 01:04:12 +00:00			`$mesTitle = "<b>Replying To ...</b> $oRow->subject\n";`
			`$originator = $oRow->userId;`
			`echo html_frame_start($oRow->subject,500);`
			`echo htmlify_urls($oRow->body), "<br /><br />\n";`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`echo html_frame_end();`
send an email to the original poster if this is a reply. 2004-11-17 23:05:36 +00:00			`}`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`}`
Initial revision 2004-03-15 16:22:00 +00:00
Html attributes and values are lowercase to be forward compatible with xhtml 2006-06-27 16:54:22 +00:00			`echo "<form method=\"post\" action=\"addcomment.php\">\n";`
Initial revision 2004-03-15 16:22:00 +00:00
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`echo html_frame_start($mesTitle,500,"",0);`

			`echo '<table width="100%" border=0 cellpadding=0 cellspacing=1>',"\n";`
Clean up HTML and PHP, remove extranious checks for loggedin() 2004-12-29 20:21:31 +00:00			`echo "<tr class=\"color0\"><td align=right><b>From:</b> </td>\n";`
- fix notifications - improves notifications 2005-02-02 00:14:01 +00:00			`echo " <td> ".$_SESSION['current']->sRealname."</td></tr>\n";`
Clean up HTML and PHP, remove extranious checks for loggedin() 2004-12-29 20:21:31 +00:00			`echo "<tr class=\"color0\"><td align=right><b>Subject:</b> </td>\n";`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`echo " <td> <input type=\"text\" size=\"35\" name=\"subject\" value=\"".$aClean['subject']."\" /> </td></tr>\n";`
			`echo "<tr class=\"color1\"><td colspan=2><textarea name=\"body\" cols=\"70\" rows=\"15\" wrap=\"virtual\">".$aClean['body']."</textarea></td></tr>\n";`
Clean up HTML and PHP, remove extranious checks for loggedin() 2004-12-29 20:21:31 +00:00			`echo "<tr class=\"color1\"><td colspan=2 align=center>\n";`
Html attributes and values are lowercase to be forward compatible with xhtml 2006-06-27 16:54:22 +00:00			`echo " <input type=\"submit\" value=\"Post Comment\" class=\"button\" />\n";`
			`echo " <input type=\"reset\" value=\"Reset\" class=\"button\" />\n";`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`echo "</td></tr>\n";`
			`echo "</table>\n";`

			`echo html_frame_end();`

Html attributes and values are lowercase to be forward compatible with xhtml 2006-06-27 16:54:22 +00:00			`echo "<input type=\"hidden\" name=\"thread\" value=\"".$aClean['thread']."\" />\n";`
			`echo "<input type=\"hidden\" name=\"appId\" value=\"".$aClean['appId']."\" />\n";`
			`echo "<input type=\"hidden\" name=\"versionId\" value=\"".$aClean['versionId']."\" />\n";`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if (!empty($aClean['thread']))`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`{`
Html attributes and values are lowercase to be forward compatible with xhtml 2006-06-27 16:54:22 +00:00			`echo "<input type=\"hidden\" name=\"originator\" value=\"$originator\" />\n";`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00			`}`
			`echo "</form>";`
Initial revision 2004-03-15 16:22:00 +00:00			`}`
Authors: Jonathan Ernst <Jonathan@ernstfamily.ch>, Chris Morgan <cmorgan@alum.wpi.edu> - stop annoymous comments submitions - code cleanup (more php style than c style + better indentation + comments + replaced globally registered vars) 2004-12-11 04:07:40 +00:00
			`apidb_footer();`
Initial revision 2004-03-15 16:22:00 +00:00			`?>`