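<?php
/**
 *
 * @category        modules
 * @package         news
 * @author          WebsiteBaker Project
 * @copyright       Website Baker Org. e.V.
 * @link            http://websitebaker.org/
 * @license         http://www.gnu.org/licenses/gpl.html
 * @platform        WebsiteBaker 2.8.3
 * @requirements    PHP 5.3.6 and higher
 * @version         $Id: submit_comment.php 2 2017-07-02 15:14:29Z Manuela $
 * @filesource      $HeadURL: svn://isteam.dynxs.de/wb/2.10.x/branches/main/modules/news/submit_comment.php $
 * @lastmodified    $Date: 2017-07-02 17:14:29 +0200 (Sun, 02 Jul 2017) $
 *
 */
/*
 * Stores a visitor comment on a news post.
 *
 * Flow: bootstrap the frontend -> read page/post/section ids from the request
 * -> verify the form token (FTAN) -> optional Advanced Spam Protection (ASP)
 * and captcha checks -> INSERT the comment -> redirect back to the post page.
 * Every branch ends in a Location header followed by exit, so nothing further
 * down runs once a redirect has been sent.
 *
 * Relies on globals provided by the bootstrap: $wb, $database, $MESSAGE and
 * the WB_* / ENABLED_ASP / ASP_* / TABLE_PREFIX / SERVER_EMAIL constants.
 */
// Include config file
if ( !defined( 'WB_PATH' ) ){ require( dirname(dirname((__DIR__))).'/config.php' ); }
if ( !class_exists('wb')) { require(WB_PATH.'/framework/class.wb.php');  }
// Create new frontend object
if (!isset($wb) || !($wb instanceof wb)) { $wb = new wb(); }

    // Request vars come from the superglobal matching the HTTP method ($_GET or $_POST);
    // any other method yields an empty array so the lookups below stay silent.
    $requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
    $aRequestVars  = (isset(${$requestMethod}) ? ${$requestMethod} : array());

    // A request field is accepted as text only when it is a plain string; arrays
    // (from "name[]" fields) would break strip_tags()/header() further down.
    $fnStringVar = function (array $aVars, $sKey, $sDefault = '')
    {
        return (isset($aVars[$sKey]) && is_string($aVars[$sKey])) ? $aVars[$sKey] : $sDefault;
    };

    // Cast the ids to int right here: they are interpolated into SQL and into
    // redirect URLs below. (Previously only the isset() result was cast, so the
    // raw request string reached the `section_id` WHERE clause.)
    $page_id    = (isset($aRequestVars['page_id'])    ? intval($aRequestVars['page_id'])    : (isset($page_id)    ? intval($page_id)    : 0));
    $post_id    = (isset($aRequestVars['post_id'])    ? intval($aRequestVars['post_id'])    : (isset($post_id)    ? intval($post_id)    : 0));
    $section_id = (isset($aRequestVars['section_id']) ? intval($aRequestVars['section_id']) : (isset($section_id) ? intval($section_id) : 0));

    $_SESSION['message'] = null;
    // Form token check (anti-CSRF / replay protection provided by the framework)
    if (!$wb->checkFTAN())
    {
        $_SESSION['message'][] = $MESSAGE['GENERIC_SECURITY_ACCESS'];
        header("Location: ".WB_URL."/modules/news/comment.php?post_id=".$post_id."&section_id=".$section_id);
        exit;
    }

    $position       = $fnStringVar($aRequestVars, 'p');
    $comment        = $fnStringVar($aRequestVars, 'comment');
    // With ASP the real comment field is suffixed with the ISO-8601 week number;
    // the plain 'comment' field then serves as a honeypot (see the ASP check below).
    $sAspCommentKey = 'comment_'.date('W');
    $comment_date   = $fnStringVar($aRequestVars, $sAspCommentKey);
    $sRecallAddress = $fnStringVar($aRequestVars, 'redirect', WB_URL);
    // The return address is caller supplied: honour it only when it stays on this
    // site, otherwise fall back to the site root (prevents an open redirect).
    if ($sRecallAddress !== WB_URL && strpos($sRecallAddress, rtrim(WB_URL, '/').'/') !== 0)
    {
        $sRecallAddress = WB_URL;
    }
    $action = (isset($aRequestVars['cancel']) ? 1 : 0);

    // Store a comment only when all ids are known, the user did not cancel and
    // the comment field matching the ASP mode is non-empty.
    $bHasComment = (ENABLED_ASP ? ($comment_date !== '') : ($comment !== ''));
    if ( $page_id && $section_id && $post_id && !$action && $bHasComment )
    {
        $comment = (ENABLED_ASP ? $comment_date : $comment);
        $title   = $fnStringVar($aRequestVars, 'title');
        // strip markup first, then anything the CMS would expand (droplets):
        // do not allow code in user input!
        $comment = $wb->StripCodeFromText(strip_tags($comment));
        $title   = $wb->StripCodeFromText(strip_tags($title));

        // Captcha setting of this section
        $sql  = 'SELECT `use_captcha` FROM `'.TABLE_PREFIX.'mod_news_settings` '
              . 'WHERE `section_id` = '.intval($section_id);
        $use_captcha = $database->get_one( $sql );
        // NOTE(review): the ASP checks run only for sections that use a captcha;
        // this mirrors the existing flow - confirm it is intended.
        if( $use_captcha )
        {
            $t = time();
            // Advanced Spam Protection: reject submissions that look automated.
            if (ENABLED_ASP && (
                   (isset($_SESSION['session_started']) && $_SESSION['session_started'] + ASP_SESSION_MIN_AGE > $t) // session too young
                || (!isset($_SESSION['comes_from_view']))                                                           // user doesn't come from view.php
                || (!isset($_SESSION['comes_from_view_time']) || $_SESSION['comes_from_view_time'] > $t - ASP_VIEW_MIN_AGE) // user is too fast
                || (!isset($_SESSION['submitted_when']) || !isset($aRequestVars['submitted_when']))                  // faked form
                || ((string)$_SESSION['submitted_when'] !== (string)$aRequestVars['submitted_when'])                  // faked form
                || ($_SESSION['submitted_when'] > $t - ASP_INPUT_MIN_AGE && !isset($_SESSION['captcha_retry_news'])) // user too fast
                || ($_SESSION['submitted_when'] < $t - 43200)                                                       // form older than 12h
                || (!empty($aRequestVars['email']) || !empty($aRequestVars['url'])
                    || !empty($aRequestVars['homepage']) || !empty($aRequestVars['comment']))                        // honeypot fields
            ))
            {
                header("Location: ".$sRecallAddress."?p=".rawurlencode($position));
                exit;
            }
            if (ENABLED_ASP && isset($_SESSION['captcha_retry_news']))
            {
                unset($_SESSION['captcha_retry_news']);
            }

            // The captcha answer must be present and match the value kept in the
            // session; compared strictly as strings so numeric-looking answers
            // are not subject to loose-comparison surprises.
            $sCaptchaError = str_replace('{SERVER_EMAIL}', SERVER_EMAIL, $MESSAGE['MOD_FORM_INCORRECT_CAPTCHA']);
            $bCaptchaOk    = isset($_POST['captcha']) && is_string($_POST['captcha']) && $_POST['captcha'] !== ''
                          && isset($_SESSION['captcha'])
                          && (string)$_POST['captcha'] === (string)$_SESSION['captcha'];
            if (!$bCaptchaOk)
            {
                // keep the typed text so comment.php can re-fill the form
                $_SESSION['captcha_error'] = $sCaptchaError;
                $_SESSION['comment_title'] = $title;
                $_SESSION['comment_body']  = $comment;
                // '&' (not '&amp;') - this is an HTTP header, not HTML
                header("Location: ".WB_URL.'/modules/news/comment.php?post_id='.$post_id.'&section_id='.$section_id.'&p='.rawurlencode($position));
                exit;
            }
        }

        if (isset($_SESSION['captcha'])) { unset($_SESSION['captcha']); }
        if (ENABLED_ASP)
        {
            // one-shot tokens: a fresh visit of view.php is needed for the next submission
            unset($_SESSION['comes_from_view'], $_SESSION['comes_from_view_time'], $_SESSION['submitted_when']);
        }

        // Insert the comment into db
        $commented_when = time();
        $commented_by   = ($wb->is_authenticated() ? $wb->get_user_id() : 0);
        $sql  = 'INSERT INTO `'.TABLE_PREFIX.'mod_news_comments` SET '
              . '`section_id` = '.intval($section_id).', '
              . '`page_id` = '.intval($page_id).', '
              . '`post_id` = '.intval($post_id).', '
              . '`title` = \''.$database->escapeString($title).'\', '
              . '`comment` = \''.$database->escapeString($comment).'\', '
              . '`commented_when` = '.intval($commented_when).', '
              . '`commented_by` = '.intval($commented_by);
        $database->query( $sql );

        // Get page link and send the visitor back to the post
        $sql        = 'SELECT `link` FROM `'.TABLE_PREFIX.'mod_news_posts` WHERE `post_id` = '.intval($post_id);
        $query_page = $database->query( $sql );
        $page       = ($query_page ? $query_page->fetchRow( MYSQLI_ASSOC ) : false);
        if (!is_array($page) || !isset($page['link']))
        {
            // the post disappeared between form display and submit: return to the caller
            header('Location: '.$sRecallAddress);
            exit;
        }
        header('Location: '.$wb->page_link($page['link']).'?post_id='.$post_id);
        exit;
    }
    elseif ( $post_id && $section_id && !$action )
    {
        // nothing to store (e.g. empty comment): show the comment form again
        header("Location: ".WB_URL.'/modules/news/comment.php?post_id='.$post_id.'&section_id='.$section_id );
        exit;
    }
    else
    {
        // cancelled or incomplete request
        header("Location: ".$sRecallAddress);
        exit;
    }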