<?php$ajaxPage = true;if($_GET["key"] != $loguser["token"]) die("Nope!")

1. <?php
2. $ajaxPage = true;
3.  
4. if($_GET["key"] != $loguser["token"])
5. die("Nope!");
6.  
7. CheckPermission('user.voteposts');
8.  
9. $pid = (int)$pageParams["id"];
10.  
11. $post = Fetch(Query("SELECT * FROM {posts} WHERE id = {0}", $pid));
12. if(!$post)
13. die("Unknown post");
14. if($post["user"] == $loguserid)
15. die("Nope!");
16.  
17. $thread = Fetch(Query("SELECT * FROM {threads} WHERE id = {0}", $post["thread"]));
18. if(!$thread)
19. die("Unknown thread");
20.  
21. if (!HasPermission('forum.viewforum', $thread['forum']))
22. die('Nice try hacker kid, but no.');
23.  
24. $vote = Fetch(Query("SELECT * FROM {postplusones} WHERE post = {0} AND user = {1}", $pid, $loguserid));
25. if(!$vote) {
26. Query("UPDATE {posts} SET postplusones = postplusones+1 WHERE id = {0} LIMIT 1", $pid);
27. Query("UPDATE {users} SET postplusones = postplusones+1 WHERE id = {0} LIMIT 1", $post["user"]);
28. Query("UPDATE {users} SET postplusonesgiven = postplusonesgiven+1 WHERE id = {0} LIMIT 1", $loguserid);
29. Query("INSERT INTO {postplusones} (user, post) VALUES ({0}, {1})", $loguserid, $pid);
30. $post["postplusones"]++;
31. $starimg = 'https://i.imgur.com/gErHVso.png';
32. } else {
33. Query("UPDATE {posts} SET postplusones = postplusones-1 WHERE id = {0} LIMIT 1", $pid);
34. Query("UPDATE {users} SET postplusones = postplusones-1 WHERE id = {0} LIMIT 1", $post["user"]);
35. Query("UPDATE {users} SET postplusonesgiven = postplusonesgiven-1 WHERE id = {0} LIMIT 1", $loguserid);
36. Query("DELETE FROM {postplusones} WHERE user = {0} AND post = {1}", $loguserid, $pid);
37. $post["postplusones"]--;
38. $starimg = 'https://i.imgur.com/zMAbCLC.png';
39. }
40.  
41. $starurl = actionLink("plusone", $post["id"], "key=".$loguser["token"]);
42. $starurl = htmlspecialchars($starurl);
43.  
44. echo "<a href=\"\" onclick=\"$(this.parentElement).load('$starurl'); return false;\"><img src=\"$starimg\"></a>".$post["postplusones"];