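<?php
// Handles a forum post submission for a logged-in member: post_type "a" starts a new
// thread, post_type "b" adds a reply to an existing thread (tid).
//
// NOTE: the ext/mysql functions used throughout (mysql_query, mysql_num_rows,
// mysql_real_escape_string, mysql_insert_id, mysql_error) were deprecated in PHP 5.5 and
// removed in PHP 7. This script therefore only runs on PHP 5.x and should be migrated to
// PDO or mysqli prepared statements, which would also remove the manual escaping below.
session_start();
include_once "/scripts/connect_to_mysql.php"; // Connect to the database (provides the ext/mysql link)

// Referer check. The Referer header is chosen by the client and is trivially omitted or
// forged, so this is not a CSRF defence; a per-session anti-CSRF token carried in the form
// and validated here is what would actually protect this endpoint. Kept as a light filter
// only, but made safe when the header is absent (the original read the key unconditionally).
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$ref = parse_url($referer);
$host = (is_array($ref) && isset($ref["host"])) ? $ref["host"] : '';
if ($host !== "localhost") {
    echo "This is some screwed up error even the web developer of this site doesnt understand :(";
    exit();
}

// Be sure the user session vars are all set. 'id' is read below, so it is checked too
// (the original only checked username/password and read id without an isset()).
if (!isset($_SESSION['id']) || !isset($_SESSION['username']) || !isset($_SESSION['password'])) {
    echo "Your session has timed out.";
    exit(); // This you will want to handle more smoothly
}

// Be sure all form variables are present to proceed
if (!isset($_POST['post_type']) || !isset($_POST['post_body']) || !isset($_POST['fsID']) || !isset($_POST['fsTitle']) || !isset($_POST['uid']) || !isset($_POST['upass'])) {
    echo "Important variables from the form are missing,reloading the page will help :D";
    exit();
}

// Filter all of the common variables.
// post_body is HTML-escaped at input time (as the original does) and then SQL-escaped;
// the stored value is therefore already safe to print, and stripslashes() below undoes
// only the SQL escaping for the echo in the reply branch.
$post_type = $_POST['post_type'];
$post_body = nl2br(htmlspecialchars($_POST['post_body']));
$post_body = mysql_real_escape_string($post_body);
// Whitelist filters: anything outside the class is dropped, so these values are safe to
// interpolate into SQL without further escaping.
$forum_section_id = preg_replace('#[^0-9]#', '', $_POST['fsID']);
$forum_section_title = preg_replace('#[^A-Za-z 0-9]#', '', $_POST['fsTitle']);
$member_id = preg_replace('#[^0-9]#', '', $_POST['uid']);
$post_author = preg_replace('#[^A-Za-z0-9]#', '', $_SESSION['username']);

// Be sure the posted variables match the user's session variables.
// Compare the raw posted password to the session value: the original compared an
// SQL-escaped copy against the unescaped session value, so any password containing a
// quote or backslash could never match. Both sides are cast to string so the id
// comparison is strict regardless of how the session stored it.
if ((string) $_SESSION['id'] !== $member_id || (string) $_SESSION['password'] !== (string) $_POST['upass']) {
    // The original echoed the posted and session ids here as debug output; that leaks
    // session data to the client and has been removed.
    echo "Your id and/or password is a mismatch ";
    exit();
}

// Check the database to be sure that the session identity exists.
// The original query interpolated $id, $username, $email and $password, none of which
// were defined in this script, so it could never match a row; it now uses the escaped
// session values. The session holds no email, so email is not part of the check.
// The password column is compared as stored; moving to password_hash()/password_verify()
// (PHP 5.5+) is the proper fix and requires a schema change.
$u_name = mysql_real_escape_string($_SESSION['username']);
$u_pass = mysql_real_escape_string($_SESSION['password']);
$sql = mysql_query("SELECT id FROM users WHERE id='$member_id' AND username='$u_name' AND password='$u_pass' LIMIT 1");
// mysql_num_rows() is never negative, so the original "< 0" test could not fire; "< 1"
// means "no matching row". A failed query is treated the same way (fail closed).
if ($sql === false || mysql_num_rows($sql) < 1) {
    echo "ERROR: You do not exist in the system ";
    exit();
}

// Check the database to be sure that this forum section exists (same "< 1" fix as above).
$sql = mysql_query("SELECT id FROM forum_sections WHERE id='$forum_section_id' AND title='$forum_section_title' LIMIT 1");
if ($sql === false || mysql_num_rows($sql) < 1) {
    echo "ERROR: That forum section deos not exist lol";
    exit();
}

// Prevent this member from posting more than 30 times in one day.
// Count today's posts (the scan is capped at 31 rows, which is enough to decide) and
// refuse once 30 already exist; the original used LIMIT 32 with "> 30", which let a
// 31st post through.
$sql = mysql_query("SELECT id FROM forum_posts WHERE post_author_id='$member_id' AND DATE(date_time) = DATE(NOW()) LIMIT 31");
if ($sql === false) {
    // Fail closed rather than skip the quota when the query errors.
    echo "ERROR: Could not verify your posting quota.";
    exit();
}
if (mysql_num_rows($sql) >= 30) {
    echo "ERROR: You can post only 30 times per day. Your maximum has been reached.";
    exit();
}

// Add this post to the database now. The query depends on the "post_type" value.
// Only if the post_type is "a" (new thread) ///////////////////////////////////////////////
if ($post_type === "a") {
    // post_title is not part of the required-fields check above, so default it.
    $raw_title = isset($_POST['post_title']) ? $_POST['post_title'] : '';
    // The original class was [^A-za-z0-9 ?!.,]: the A-z range also admits [ \ ] ^ _ and
    // the backtick. A-Za-z keeps letters only, which is what the filter intends.
    $post_title = preg_replace('#[^A-Za-z0-9 ?!.,]#', '', $raw_title);
    if ($post_title == "") { echo "The Topic Title is missing weenis"; exit(); }
    if (strlen($post_title) < 10) { echo "Your Topic Title is less than 10 characters"; exit(); }
    $sql = mysql_query("INSERT INTO forum_posts (post_author, post_author_id, date_time, type, section_title, section_id, thread_title, post_body)
        VALUES('$post_author','$member_id',now(),'a','$forum_section_title','$forum_section_id','$post_title','$post_body')");
    if ($sql === false) {
        // Log the driver error server-side instead of echoing mysql_error() to the client,
        // which exposed table and column names on failure.
        error_log("forum_posts insert (thread) failed: " . mysql_error());
        echo "ERROR: Your post could not be saved.";
        exit();
    }
    $this_id = mysql_insert_id();
    header("location: view_thread.php?id=" . $this_id);
    exit();
}

// Only if the post_type is "b" (reply to thread tid) ////////////////////////////////////
if ($post_type === "b") {
    // tid is not part of the required-fields check above, so default it before filtering.
    $this_id = isset($_POST['tid']) ? preg_replace('#[^0-9]#', '', $_POST['tid']) : '';
    if ($this_id == "") { echo "The thread ID is missing weenis"; exit(); }
    $sql = mysql_query("INSERT INTO forum_posts (post_author, post_author_id, otid, date_time, type, post_body) VALUES('$post_author','$member_id','$this_id',now(),'b','$post_body')");
    if ($sql === false) {
        // Same as above: keep the driver error out of the response.
        error_log("forum_posts insert (reply) failed: " . mysql_error());
        echo "ERROR: Your post could not be saved.";
        exit();
    }
    // Echo the saved body back to the caller; stripslashes() removes the SQL escaping only,
    // the HTML escaping applied above is intentionally kept.
    $post_body = stripslashes($post_body);
    echo $post_body;
    // YOU CAN CHOOSE TO EMAIL ALERT ALL OF THE PEOPLE THAT ARE PART OF THIS THREAD
    // AT THIS POINT. (JUST BE SURE YOU DO NOT EMAIL THE PERSON WHO JUST LEFT THE RESPONSE)
    exit();
}

// Any other post_type value is rejected explicitly (the original ended silently).
echo "ERROR: Unknown post type.";
exit();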