From 8b7842b116979e8d217c284c230daa5ad1291a73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rytis=20Slatkevi=C4=8Dius?=
Date: Mon, 7 May 2007 19:34:45 +0000
Subject: [PATCH] Fix #175 (quotes getting escaped twice)

svn path=/trunk/boinc/; revision=12599
---
 html/user/forum_pm.php | 479 +++++++++++++++++++++--------------------
 1 file changed, 240 insertions(+), 239 deletions(-)

diff --git a/html/user/forum_pm.php b/html/user/forum_pm.php
index 065aceb1d5..3b383ef607 100644
--- a/html/user/forum_pm.php
+++ b/html/user/forum_pm.php
@@ -1,239 +1,240 @@ -id." ORDER BY date DESC"); - if (mysql_num_rows($query) == 0) { - echo "You have no private messages."; - } else { - start_table(); - print "SubjectSenderDate\n"; - while ($row = mysql_fetch_object($query)) { - print "\n"; - $subject = "id."\">".$row->subject.""; - if ($row->opened) { - print "".$subject."\n"; - } else { - print "".$subject."\n"; - } - print "".user_links(get_user_from_id($row->senderid))."\n"; - print "".time_str($row->date)."\n"; - print "\n"; - } - end_table(); - } - -} elseif ($action == "read") { - $id = get_int("id"); - $message = mysql_query("SELECT * FROM private_messages WHERE id=".$id." AND userid=".$logged_in_user->id); - if (mysql_num_rows($message) == 0) { - error_page("No such message."); - } else { - $message = mysql_fetch_object($message); - page_head("Private messages : ".$message->subject); - pm_header(); - - $options = new output_options; - - start_table(); - echo "Subject".$message->subject.""; - echo "Sender".user_links(get_user_from_id($message->senderid)).""; - echo "Date".time_str($message->date).""; - echo "Message".output_transform($message->content, $options).""; - echo "\n"; - echo "Delete\n"; - echo " | Reply\n"; - echo " | Inbox\n"; - end_table(); - - if ($message->opened == 0) { - mysql_query("UPDATE private_messages SET opened=1 WHERE id=$id"); - } - } - -} elseif ($action == "new") { - pm_create_new(); -} elseif ($action == "delete") { - $id = get_int("id", true); - if ($id == null) { $id = post_int("id"); } - if (post_int("confirm", true) == 1) { - check_tokens($logged_in_user->authenticator); - mysql_query("DELETE FROM private_messages WHERE userid=".$logged_in_user->id." AND id=$id"); - header("Location: forum_pm.php"); - } else { - $message = mysql_query("SELECT * FROM private_messages WHERE userid=".$logged_in_user->id." 
AND id=$id"); - if (mysql_num_rows($message) == 1) { - $message = mysql_fetch_object($message); - $sender = lookup_user_id($message->senderid); - page_head("Private messages : Really delete?"); - pm_header(); - echo "
Are you sure you want to delete the message with subject \"".$message->subject."\" (sent by ".$sender->name." on ".time_str($message->date).")?
\n"; - echo "
\n"; - echo form_tokens($logged_in_user->authenticator); - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "
\n"; - echo "
\n"; - echo "\n"; - echo "\n"; - echo "
\n"; - } else { - error_page("No such message."); - } - } -} elseif ($action == "send") { - check_tokens($logged_in_user->authenticator); - - $to = post_str("to", true); - $subject = post_str("subject", true); - $content = post_str("content", true); - - if (($to == null) || ($subject == null) || ($content == null)) { - pm_create_new("You need to fill all fields to send a private message"); - } else { - akismet_check(new User($logged_in_user->id), $content); - $to = str_replace(", ", ",", $to); // Filter out spaces after separator - $users = explode(",", $to); - - $userlist = array(); - $userids = array(); // To prevent from spamming a single user by adding it multiple times - - foreach ($users as $username) { - $user = explode(" ", $username); - if (is_numeric($user[0])) { // user ID is gived - $userid = $user[0]; - $user = lookup_user_id($userid); - if ($user == null) { - pm_create_new("Could not find user with id $userid"); - } - } else { - $user = lookup_user_name($username); - if ($user == null) { - pm_create_new("Could not find user $username"); - } - } - $ignorelist = mysql_query("SELECT ignorelist FROM forum_preferences WHERE userid=".$user->id); - $ignorelist = mysql_fetch_object($ignorelist); - $ignorelist = $ignorelist->ignorelist; - $ignorelist = explode("|", $ignorelist); - if (in_array($logged_in_user->id, $ignorelist)) { - pm_create_new("User ".$user->name." (ID: ".$user->id.") is not accepting private messages from you."); - } - if ($userids[$user->id] == null) { - $userlist[] = $user; - $userids[$user->id] = true; - } - } - - foreach ($userlist as $user) { - pm_send($user, $subject, $content); - } - - Header("Location: forum_pm.php?action=inbox&sent=1"); - } -} - -page_tail(); - - -function pm_header() { - echo "
\n"; - echo " Inbox\n"; - echo " | Write\n"; - echo "
\n"; -} - -function pm_create_new($error = null) { - page_head("Private messages : Create new"); - pm_header(); - - global $logged_in_user; - $replyto = get_int("replyto", true); - $userid = get_int("userid", true); - - - if ($replyto) { - $message = mysql_query("SELECT * FROM private_messages WHERE userid=".$logged_in_user->id." AND id=$replyto"); - if ($message) { - $message = mysql_fetch_object($message); - $content = "[quote]".$message->content."[/quote]\n"; - $userid = $message->senderid; - $user = get_user_from_id($userid); - if ($user != null) { - $writeto = $userid." (".$user->name.")"; - } - $subject = $message->subject; - if (substr($subject, 0, 3) != "re:") { - $subject = "re: ".$subject; - } - } - } elseif ($userid) { - $user = get_user_from_id($userid); - if ($user != null) { - $writeto = $userid." (".$user->name.")"; - } - } else { - $writeto = post_str("to", true); - $subject = post_str("subject", true); - $content = post_str("content", true); - } - - if ($error != null) { - echo "
$error
\n"; - } - - echo "
\n"; - echo "\n"; - echo form_tokens($logged_in_user->authenticator); - start_table(); - echo "To
User IDs or unique usernames, separated with commas\n"; - echo "\n"; - echo "Subject\n"; - echo "Message
".html_info()."\n"; - echo "\n"; - echo "\n"; - end_table(); - - page_tail(); - exit(); -} - -function pm_send($to, $subject, $content) { - global $logged_in_user; - $userid = $to->id; - $senderid = $logged_in_user->id; - $sql_subject = mysql_escape_string($subject); - $sql_content = mysql_escape_string($content); - mysql_query("INSERT INTO private_messages (userid, senderid, date, subject, content) VALUES ($userid, $senderid, UNIX_TIMESTAMP(), '$sql_subject', '$sql_content')"); - if ($to->send_email == 1) { // Send email notification - $message = "Dear ".$to->name.",\n\n"; - $message .= "You have received a new private message at ".PROJECT." from ".$logged_in_user->name.", entitled \"".$subject."\".\n\n"; - $message .= "To read the original version, respond to, or delete this message, you must log in here:\n"; - $message .= URL_BASE."forum_pm.php\n\n"; - $message .= "Do not reply to this message. To disable email notification, go to\n"; - $message .= URL_BASE."prefs.php?subset=project\n"; - $message .= "and change email notification settings.\n"; - - send_email($to, "[".PROJECT."] Private message notification", $message); - } -} - -?> +id." ORDER BY date DESC"); + if (mysql_num_rows($query) == 0) { + echo "You have no private messages."; + } else { + start_table(); + print "SubjectSenderDate\n"; + while ($row = mysql_fetch_object($query)) { + print "\n"; + $subject = "id."\">".$row->subject.""; + if ($row->opened) { + print "".$subject."\n"; + } else { + print "".$subject."\n"; + } + print "".user_links(get_user_from_id($row->senderid))."\n"; + print "".time_str($row->date)."\n"; + print "\n"; + } + end_table(); + } + +} elseif ($action == "read") { + $id = get_int("id"); + $message = mysql_query("SELECT * FROM private_messages WHERE id=".$id." 
AND userid=".$logged_in_user->id); + if (mysql_num_rows($message) == 0) { + error_page("No such message."); + } else { + $message = mysql_fetch_object($message); + page_head("Private messages : ".$message->subject); + pm_header(); + + $options = new output_options; + + start_table(); + echo "Subject".$message->subject.""; + echo "Sender".user_links(get_user_from_id($message->senderid)).""; + echo "Date".time_str($message->date).""; + echo "Message".output_transform($message->content, $options).""; + echo "\n"; + echo "Delete\n"; + echo " | Reply\n"; + echo " | Inbox\n"; + end_table(); + + if ($message->opened == 0) { + mysql_query("UPDATE private_messages SET opened=1 WHERE id=$id"); + } + } + +} elseif ($action == "new") { + pm_create_new(); +} elseif ($action == "delete") { + $id = get_int("id", true); + if ($id == null) { $id = post_int("id"); } + if (post_int("confirm", true) == 1) { + check_tokens($logged_in_user->authenticator); + mysql_query("DELETE FROM private_messages WHERE userid=".$logged_in_user->id." AND id=$id"); + header("Location: forum_pm.php"); + } else { + $message = mysql_query("SELECT * FROM private_messages WHERE userid=".$logged_in_user->id." AND id=$id"); + if (mysql_num_rows($message) == 1) { + $message = mysql_fetch_object($message); + $sender = lookup_user_id($message->senderid); + page_head("Private messages : Really delete?"); + pm_header(); + echo "
Are you sure you want to delete the message with subject \"".$message->subject."\" (sent by ".$sender->name." on ".time_str($message->date).")?
\n"; + echo "\n"; + echo form_tokens($logged_in_user->authenticator); + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "
\n"; + echo "
\n"; + echo "\n"; + echo "\n"; + echo "
\n"; + } else { + error_page("No such message."); + } + } +} elseif ($action == "send") { + check_tokens($logged_in_user->authenticator); + + $to = stripslashes(post_str("to", true)); + $subject = stripslashes(post_str("subject", true)); + $content = stripslashes(post_str("content", true)); + + if (($to == null) || ($subject == null) || ($content == null)) { + pm_create_new("You need to fill all fields to send a private message"); + } else { + akismet_check(new User($logged_in_user->id), $content); + $to = str_replace(", ", ",", $to); // Filter out spaces after separator + $users = explode(",", $to); + + $userlist = array(); + $userids = array(); // To prevent from spamming a single user by adding it multiple times + + foreach ($users as $username) { + $user = explode(" ", $username); + if (is_numeric($user[0])) { // user ID is gived + $userid = $user[0]; + $user = lookup_user_id($userid); + if ($user == null) { + pm_create_new("Could not find user with id $userid"); + } + } else { + $user = lookup_user_name($username); + if ($user == null) { + pm_create_new("Could not find user $username"); + } + } + $ignorelist = mysql_query("SELECT ignorelist FROM forum_preferences WHERE userid=".$user->id); + $ignorelist = mysql_fetch_object($ignorelist); + $ignorelist = $ignorelist->ignorelist; + $ignorelist = explode("|", $ignorelist); + if (in_array($logged_in_user->id, $ignorelist)) { + pm_create_new("User ".$user->name." (ID: ".$user->id.") is not accepting private messages from you."); + } + if ($userids[$user->id] == null) { + $userlist[] = $user; + $userids[$user->id] = true; + } + } + + foreach ($userlist as $user) { + pm_send($user, $subject, $content); + } + + Header("Location: forum_pm.php?action=inbox&sent=1"); + } +} + +page_tail(); + + +function pm_header() { + echo "
\n"; + echo " Inbox\n"; + echo " | Write\n"; + echo "
\n"; +} + +function pm_create_new($error = null) { + page_head("Private messages : Create new"); + pm_header(); + + global $logged_in_user; + $replyto = get_int("replyto", true); + $userid = get_int("userid", true); + + if ($replyto) { + $message = mysql_query("SELECT * FROM private_messages WHERE userid=".$logged_in_user->id." AND id=$replyto"); + if ($message) { + $message = mysql_fetch_object($message); + $content = "[quote]".$message->content."[/quote]\n"; + $userid = $message->senderid; + $user = get_user_from_id($userid); + if ($user != null) { + $writeto = $userid." (".$user->name.")"; + } + $subject = $message->subject; + if (substr($subject, 0, 3) != "re:") { + $subject = "re: ".$subject; + } + } + } elseif ($userid) { + $user = get_user_from_id($userid); + if ($user != null) { + $writeto = $userid." (".$user->name.")"; + } + } else { + $writeto = post_str("to", true); + $subject = post_str("subject", true); + $content = post_str("content", true); + } + + $subject = htmlspecialchars($subject); + + if ($error != null) { + echo "
$error
\n"; + } + + echo "
\n"; + echo "\n"; + echo form_tokens($logged_in_user->authenticator); + start_table(); + echo "To
User IDs or unique usernames, separated with commas\n"; + echo "\n"; + echo "Subject\n"; + echo "Message
".html_info()."\n"; + echo "\n"; + echo "\n"; + end_table(); + + page_tail(); + exit(); +} + +function pm_send($to, $subject, $content) { + global $logged_in_user; + $userid = $to->id; + $senderid = $logged_in_user->id; + $sql_subject = mysql_real_escape_string($subject); + $sql_content = mysql_real_escape_string($content); + mysql_query("INSERT INTO private_messages (userid, senderid, date, subject, content) VALUES ($userid, $senderid, UNIX_TIMESTAMP(), '$sql_subject', '$sql_content')"); + if ($to->send_email == 1) { // Send email notification + $message = "Dear ".$to->name.",\n\n"; + $message .= "You have received a new private message at ".PROJECT." from ".$logged_in_user->name.", entitled \"".$subject."\".\n\n"; + $message .= "To read the original version, respond to, or delete this message, you must log in here:\n"; + $message .= URL_BASE."forum_pm.php\n\n"; + $message .= "Do not reply to this message. To disable email notification, go to\n"; + $message .= URL_BASE."prefs.php?subset=project\n"; + $message .= "and change email notification settings.\n"; + + send_email($to, "[".PROJECT."] Private message notification", $message); + } +} + +?>
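Review bot: The three `stripslashes()` calls added in the `send` branch run unconditionally, so on a host where `magic_quotes_gpc` is off they strip backslashes the user actually typed, and the fallback branch of `pm_create_new` that re-fills the form from `post_str("to"/"subject"/"content")` never strips them at all, so an error round-trip still shows the doubly-escaped quotes this commit set out to fix. Gate the stripping on the ini setting, e.g. `$to = get_magic_quotes_gpc() ? stripslashes(post_str("to", true)) : post_str("to", true);` and likewise for `subject` and `content`, or do that normalisation once in a small helper called from both branches. Separately, the new `htmlspecialchars($subject)` only protects the compose form: in the inbox listing, in the `read` view (`page_head("Private messages : ".$message->subject)` and the `Subject` cell) and in the delete confirmation, `$row->subject`, `$message->subject` and `$sender->name` are still echoed raw from the database, so a PM subject remains a stored-XSS vector against the recipient and should go through `htmlspecialchars()` at each output point. The quoted reply body is presumably neutralised by `output_transform`/BBCode rendering on display, but that cannot be confirmed from this file. This hunk replaces the whole file, so the `send` branch and `pm_create_new` are complete as shown.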