-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaddcomment.php
43 lines (36 loc) · 1.35 KB
/
addcomment.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?php /**/ ?><?php
include('inc/constants.inc.php');
function removeEvilTags($source) {
//stolen from niv.elscorcho.org/addresponse.php
$allowedTags='<a><br><b><blockquote><em><h1><h2><h3><h4><i>' .
'<img><li><ol><p><strong><table>' .
'<tr><td><th><u><ul>';
$source = strip_tags($source, $allowedTags);
return preg_replace('/<(.*?)>/ie', "'<'.removeEvilAttributes('\\1').'>'", $source);
}
if($frm_comment && $frm_name && $frm_email) {
//DB connection
$db = mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PASSWD);
mysql_select_db(MYSQL_DB,$db);
//clean up $frm_name
$frm_name = htmlspecialchars($frm_name);
$frm_name = addslashes($frm_name);
//clean up $frm_email
$frm_email = htmlspecialchars($frm_email);
$frm_email = addslashes($frm_email);
// clean up $frm_comment
$frm_comment = removeEvilTags($frm_comment);
$frm_comment = str_replace("\r","<br />",$frm_comment);
$frm_comment = addslashes($frm_comment);
//insert into db
$sql = "insert into image_comments (image_ID,name,email,comment_date,comment_body)".
"VALUES ($image_id,'$frm_name','$frm_email',NOW(),'$frm_comment')";
mysql_query($sql);
if(mysql_errno()) {
print mysql_error();
exit;
}
}
// insert header that pushes me back to where i came from
header("Location: $HTTP_REFERER");
?>