  1. <?php
  2. session_start();
  3.  
  4. $username = $_SESSION['username'];
  5.  
  6. include_once "/scripts/connect_to_mysql.php"; // Connect to the database
  7. // Check the HTTP_REFERER for light level security
  8. $ref = parse_url($_SERVER['HTTP_REFERER']);
  9. $host = $ref["host"];
  10. if ($host != "localhost") {
  11. echo "This is some screwed up error even the web developer of this site doesnt understand :(";
  12. exit();
  13. }
  14. // Be sure the user session vars are all set
  15. if(!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
  16. echo "Your session has timed out.";
  17. exit(); // This you will want to handle more smoothly
  18. }
  19. // Be sure all form variables are present to proceed
  20. if (!isset($_POST['post_type']) || !isset($_POST['post_body']) || !isset($_POST['fsID']) || !isset($_POST['fsTitle']) || !isset($_POST['uid']) || !isset($_POST['upass'])) {
  21. echo "Important variables from the form are missing,reloading the page will help :D";
  22. exit();
  23. }
  24. // Filter all of the common variables
  25. $post_type = $_POST['post_type'];
  26. $post_body = $_POST['post_body'];
  27. $post_body = nl2br(htmlspecialchars($post_body));
  28. $post_body = mysql_real_escape_string($post_body);
  29. $forum_section_id = preg_replace('#[^0-9]#i', '', $_POST['fsID']);
  30. $forum_section_title = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['fsTitle']);
  31. $member_id = preg_replace('#[^0-9]#i', '', $_POST['username']);
  32. $post_author = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION['username']);
  33. $member_password = mysql_real_escape_string($_POST['password']);
  34. // Be sure the posted variables match the user's session variables
  35. if ($_SESSION['username'] != $username || $_SESSION['password'] != $password) {
  36. echo "Your username and/or password is a mismatch";
  37. exit();
  38. }
  39. // Check the database to be sure that their ID, password, and email session variables all match in the database
  40. $u_name = mysql_real_escape_string($_SESSION['username']);
  41. $u_pass = mysql_real_escape_string($_SESSION['password']);
  42. $sql = mysql_query("SELECT * FROM users WHERE id='$id' AND username='$username' AND email='$email' AND password='$password'");
  43. $numRows = mysql_num_rows($sql);
  44. if ($numRows < 0) {
  45. echo "ERROR: You do not exist in the system weenis";
  46. exit();
  47. }
  48. // Check the database to be sure that this forum section exists
  49. $sql = mysql_query("SELECT * FROM forum_sections WHERE id='$forum_section_id' AND title='$forum_section_title'");
  50. $numRows = mysql_num_rows($sql);
  51. if ($numRows < 0) {
  52. echo "ERROR: That forum section deos not exist lol";
  53. exit();
  54. }
  55. // Prevent this member from posting more than 30 times in one day
  56. $sql = mysql_query("SELECT id FROM forum_posts WHERE post_author_id='$member_id' AND DATE(date_time) = DATE(NOW()) LIMIT 32");
  57. $numRows = mysql_num_rows($sql);
  58. if ($numRows > 30) {
  59. echo "ERROR: You can post only 30 times per day. Your maximum has been reached.";
  60. exit();
  61. }
  62. // Add this post to the database now. The query depends on the "post_type" value
  63. // Only if the post_type is "a" ///////////////////////////////////////////////////////////////////////////////////
  64. if ($post_type == "a") {
  65. $post_title = preg_replace('#[^A-za-z0-9 ?!.,]#i', '', $_POST['post_title']);
  66. if ($post_title == "") { echo "The Topic Title is missing weenis"; exit(); }
  67. if (strlen($post_title) < 10) { echo "Your Topic Title is less than 10 characters"; exit(); }
  68. $sql = mysql_query("INSERT INTO forum_posts (post_author, post_author_id, date_time, type, section_title, section_id, thread_title, post_body)
  69. VALUES('$post_author','$member_id',now(),'a','$forum_section_title','$forum_section_id','$post_title','$post_body')") or die (mysql_error());
  70. $this_id = mysql_insert_id();
  71. //$sql = mysql_query("UPDATE forum_posts SET otid='$this_id' WHERE id='$this_id'");
  72. header("location: view_thread.php?id=$this_id");
  73. exit();
  74. }
  75. // Only if the post_type is "b" ////////////////////////////////////////////////////////////////////////////////////
  76. if ($post_type == "b") {
  77. $this_id = preg_replace('#[^0-9]#i', '', $_POST['tid']);
  78. if ($this_id == "") { echo "The thread ID is missing weenis"; exit(); }
  79. $sql = mysql_query("INSERT INTO forum_posts (post_author, post_author_id, otid, date_time, type, post_body) VALUES('$post_author','$member_id','$this_id',now(),'b','$post_body')") or die (mysql_error());
  80. $post_body = stripslashes($post_body);
  81. echo $post_body;
  82. // YOU CAN CHOOSE TO EMAIL ALERT ALL OF THE PEOPLE THAT ARE PART OF THIS THREAD
  83. // AT THIS POINT. (JUST BE SURE YOU DO NOT EMAIL THE PERSON WHO JUST LEFT THE RESPONSE)
  84. }
  85. ?>