  1. <?php
  2. session_start();
  3.  
  4. include_once "/scripts/connect_to_mysql.php"; // Connect to the database
  5. // Check the HTTP_REFERER for light level security
  6. $ref = parse_url($_SERVER['HTTP_REFERER']);
  7. $host = $ref["host"];
  8. if ($host != "localhost") {
  9.         echo "This is some screwed up error even the web developer of this site doesnt understand :(";
  10.         exit();
  11. }
  12. // Be sure the user session vars are all set
  13. if(!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
  14.         echo "Your session has timed out.";
  15.         exit(); // This you will want to handle more smoothly
  16. }
  17. // Be sure all form variables are present to proceed
  18. if (!isset($_POST['post_type']) || !isset($_POST['post_body']) || !isset($_POST['fsID']) || !isset($_POST['fsTitle']) || !isset($_POST['uid']) || !isset($_POST['upass'])) {
  19.         echo "Important variables from the form are missing,reloading the page will help :D";
  20.         exit();
  21. }
  22. // Filter all of the common variables
  23. $post_type = $_POST['post_type'];
  24. $post_body = $_POST['post_body'];
  25. $post_body = nl2br(htmlspecialchars($post_body));
  26. $post_body = mysql_real_escape_string($post_body);
  27. $forum_section_id = preg_replace('#[^0-9]#i', '', $_POST['fsID']);
  28. $forum_section_title = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['fsTitle']);
  29. $member_id = preg_replace('#[^0-9]#i', '', $_POST['uid']);
  30. $post_author = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION['username']);
  31. $member_password = mysql_real_escape_string($_POST['upass']);
  32. // Be sure the posted variables match the user's session variables
  33. if ($_SESSION['id'] != $member_id || $_SESSION['password'] != $member_password) {
  34.  
  35.  
  36. echo $member_password;
  37. echo $_SESSION['password'];
  38. echo $_POST['upass'];
  39.  
  40.  
  41.         echo "Your id and/or password is a mismatch ";
  42.         exit();
  43. }
  44. // Check the database to be sure that their ID, password, and email session variables all match in the database
  45. $u_name = mysql_real_escape_string($_SESSION['username']);
  46. $u_pass = mysql_real_escape_string($_SESSION['password']);
  47. $sql = mysql_query("SELECT * FROM users WHERE id='$id' AND username='$username' AND email='$email' AND password='$password'");
  48. $numRows = mysql_num_rows($sql);
  49. if ($numRows < 0) {
  50.             echo "ERROR: You do not exist in the system ";
  51.             exit();
  52. }
  53. // Check the database to be sure that this forum section exists
  54. $sql = mysql_query("SELECT * FROM forum_sections WHERE id='$forum_section_id' AND title='$forum_section_title'");
  55. $numRows = mysql_num_rows($sql);
  56. if ($numRows < 0) {
  57.             echo "ERROR: That forum section deos not exist lol";
  58.             exit();
  59. }
  60. // Prevent this member from posting more than 30 times in one day
  61. $sql = mysql_query("SELECT id FROM forum_posts WHERE post_author_id='$member_id' AND DATE(date_time) = DATE(NOW()) LIMIT 32");
  62. $numRows = mysql_num_rows($sql);
  63. if ($numRows > 30) {
  64.         echo "ERROR: You can post only 30 times per day. Your maximum has been reached.";
  65.     exit();
  66. }
  67. // Add this post to the database now. The query depends on the "post_type" value
  68. // Only if the post_type is "a" ///////////////////////////////////////////////////////////////////////////////////
  69. if ($post_type == "a") {
  70.         $post_title = preg_replace('#[^A-za-z0-9 ?!.,]#i', '', $_POST['post_title']);  
  71.         if ($post_title == "") { echo "The Topic Title is missing weenis"; exit(); }
  72.         if (strlen($post_title) < 10) { echo "Your Topic Title is less than 10 characters"; exit(); }
  73.         $sql = mysql_query("INSERT INTO forum_posts (post_author, post_author_id, date_time, type, section_title, section_id, thread_title, post_body)
  74.     VALUES('$post_author','$member_id',now(),'a','$forum_section_title','$forum_section_id','$post_title','$post_body')") or die (mysql_error());
  75.         $this_id = mysql_insert_id();
  76.         //$sql = mysql_query("UPDATE forum_posts SET otid='$this_id' WHERE id='$this_id'");
  77.         header("location: view_thread.php?id=$this_id");
  78.     exit();
  79. }
  80. // Only if the post_type is "b" ////////////////////////////////////////////////////////////////////////////////////
  81. if ($post_type == "b") {
  82.         $this_id = preg_replace('#[^0-9]#i', '', $_POST['tid']);
  83.         if ($this_id == "") { echo "The thread ID is missing weenis"; exit(); }
  84.         $sql = mysql_query("INSERT INTO forum_posts (post_author, post_author_id, otid, date_time, type, post_body) VALUES('$post_author','$member_id','$this_id',now(),'b','$post_body')") or die (mysql_error());
  85.         $post_body = stripslashes($post_body);
  86.         echo $post_body;
  87.         // YOU CAN CHOOSE TO EMAIL ALERT ALL OF THE PEOPLE THAT ARE PART OF THIS THREAD
  88.         // AT THIS POINT. (JUST BE SURE YOU DO NOT EMAIL THE PERSON WHO JUST LEFT THE RESPONSE)
  89. }
  90. ?>