<?php
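// Development setting: every notice and warning is written into the HTTP
// response. Keep it only while developing -- in production it discloses file
// paths, SQL text and the DSN to visitors (this file also prints PDO messages
// further down). For deployment prefer `ini_set('display_errors', 0);`
// together with `ini_set('log_errors', 1);`.
ini_set('display_errors', 1);
error_reporting(E_ALL);
// config.ini must provide at least `database`, the SQLite file path used by
// the PDO constructor below.
// NOTE(review): the path is relative to the script, so config.ini and the
// SQLite file itself may sit under the document root; if they do, they are
// downloadable over HTTP. Confirm they are outside it or denied by the server.
$config = parse_ini_file('config.ini');
if ($config === false || !isset($config['database']) || $config['database'] === '') {
    // parse_ini_file() returns false when the file is missing or unreadable;
    // without this guard the PDO constructor would be handed an empty path and
    // fail with a far less useful error (printed to the visitor, see above).
    print('Something went wrong with the site configuration. Please try again later.');
    exit();
}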
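/**
 * Check that $tag is exactly four ASCII letters or digits.
 *
 * Tags come straight from the POST body, so this is the gate every other
 * tag-handling function in this file relies on.
 *
 * @param mixed $tag  Raw request value. A normal submission sends a string;
 *                    a `tag[]=` parameter arrives as an array and is rejected.
 * @return bool
 */
function isValidTag($tag) {
    // Non-strings (arrays from tag[]=, null for a missing field) are invalid
    // outright; handing an array to preg_match() raises a TypeError on PHP 8.
    if (!is_string($tag)) {
        return false;
    }
    // \z anchors at the very end of the subject. The original pattern ended in
    // `$`, which also matches before a trailing "\n", so "ab12\n" passed.
    // [A-Za-z0-9] instead of [[:alnum:]] keeps the class locale-independent.
    return preg_match('/^[A-Za-z0-9]{4}\z/', $tag) === 1;
}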
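// Open the SQLite database named in config.ini. ERRMODE_EXCEPTION makes every
// later PDO failure throw, so code below must not rely on execute() returning
// false to detect errors.
try {
    $database = new PDO('sqlite:' . $config['database']);
    $database->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch (PDOException $e) {
    // Record the real cause server-side (the message includes the database
    // path); the visitor only ever sees the generic text below.
    error_log('submit.php: database connection failed: ' . $e->getMessage());
    print "Something went wrong with the database. If the problem persists, please contact us at <a href='mailto:[email protected]'>[email protected]</a>.";
    exit();
}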
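/**
 * Report whether a tag is present in the `tags` table.
 *
 * @param mixed $tag  Tag to look up. Callers validate it with isValidTag()
 *                    first; anything that fails that check is reported as
 *                    "not found" without touching the database.
 * @return bool  true when at least one row has exactly this tag.
 */
function tagExists($tag) {
    // An explicit guard instead of assert(): assert() is a no-op when
    // zend.assertions is -1 (the usual production value), so it cannot be
    // relied on to keep malformed input away from the query.
    if (!isValidTag($tag)) {
        return false;
    }
    global $database;
    $lookup = $database->prepare('SELECT COUNT(*) FROM tags WHERE tag = :tag');
    // bindValue(): the value is final, no need for a by-reference binding.
    $lookup->bindValue(':tag', $tag);
    // With PDO::ERRMODE_EXCEPTION (set where $database is created) a failing
    // execute() throws rather than returning false; the check below only
    // matters if that attribute is ever changed.
    if (!$lookup->execute()) {
        return false;
    }
    return intval($lookup->fetchColumn()) > 0;
}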
/**
 * Emit the "go back" link shown under every validation error message.
 *
 * The link steps back two history entries rather than one -- presumably the
 * form posts through an intermediate page, so a single step would not land
 * on the input form. Confirm against input.php before changing the offset.
 */
function printBackLink() {
    $backLink = "<br><a href='#' onclick='history.go(-2);'>go back</a>";
    echo $backLink;
}
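// Dispatch on which button submitted the form. Both branches end in a redirect
// to input.php, so nothing may be printed on a success path before header().
if (isset($_POST["skip"])) {
    // Visitor declined to suggest a slogan.
    header('Location: input.php');
    // Stop the script once the redirect header is sent: nothing below should
    // run for a skip, and code added after this chain later would otherwise
    // execute silently.
    exit();
}
elseif (isset($_POST["submit"])) {
    // ---- tag -----------------------------------------------------------------
    // A normal browser submission always carries a valid tag; a failure here
    // means the POST body was tampered with. The is_string() check rejects a
    // `tag[]=...` array, which preg_match() would refuse with a TypeError.
    $tag = isset($_POST['tag']) ? $_POST['tag'] : null;
    if (!is_string($tag) || !isValidTag($tag)) {
        print('The tag your browser supplied in the request is not in a valid format.');
        printBackLink();
        exit();
    }
    // ---- "captcha": the visitor re-types the tag into the check field --------
    // NOTE(review): the expected answer is present in the same form and there is
    // no CSRF or anti-automation token, so this only stops the most naive bots.
    // Reading the field through isset() avoids an undefined-index notice, which
    // display_errors (enabled at the top of the file) would print into the page.
    $check = isset($_POST['check']) ? $_POST['check'] : null;
    if ($tag !== $check) {
        print('You did not pass the captcha. Please go back and fill in the correct tag to prove you are not a computer.');
        printBackLink();
        exit();
    }
    // the tag is not present in the database, when we start handling removed tags this will have to change
    if (!tagExists($tag)) {
        print('The tag you are trying to post a comment on does not exist.');
        printBackLink();
        exit();
    }
    // ---- author ----------------------------------------------------------------
    // empty() keeps the original rule (a name of "0" is also rejected); the
    // is_string() check stops a `name[]=` array from reaching the INSERT.
    $author = isset($_POST['name']) ? $_POST['name'] : '';
    if (!is_string($author) || empty($author)) {
        print('You must supply your name.');
        printBackLink();
        exit();
    }
    // ---- e-mail (stored, and per the message below never displayed) ------------
    $email = isset($_POST['mail']) ? $_POST['mail'] : '';
    if (!is_string($email) || empty($email)) {
        print('You must supply your email address. Remark that it will not be posted.');
        printBackLink();
        exit();
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // The rejected value is reflected into the page, so it must be HTML
        // escaped; printed raw (as before) `mail=<script>...` is a reflected XSS.
        print('You must supply a correctly formatted email address. Your current input is '
            . htmlspecialchars($email, ENT_QUOTES, 'UTF-8'));
        printBackLink();
        exit();
    }
    // ---- optional website ------------------------------------------------------
    $rawSite = isset($_POST['site']) ? $_POST['site'] : '';
    // A tampered `site[]=` array is treated as "no site given".
    $site = is_string($rawSite) ? $rawSite : '';
    if (!empty($site)) {
        if (!filter_var($site, FILTER_VALIDATE_URL)) {
            // Most likely just missing the scheme: prepend http:// and retry.
            $site = 'http://' . $site;
        }
        // FILTER_VALIDATE_URL only checks syntax and accepts any scheme it can
        // parse. This value is presumably rendered as a link on the tag page,
        // so restrict it to http(s) instead of storing e.g. a javascript: or
        // data: URL. (Review: confirm how input.php renders `site`.)
        $scheme = strtolower((string) parse_url($site, PHP_URL_SCHEME));
        if (!filter_var($site, FILTER_VALIDATE_URL) || !in_array($scheme, array('http', 'https'), true)) {
            // Escaped for the same reason as the e-mail message above.
            print('You supplied a site but the format is wrong. Your current input is '
                . htmlspecialchars($rawSite, ENT_QUOTES, 'UTF-8'));
            printBackLink();
            exit();
        }
    }
    // $site keeps the http:// that may have been prepended. The original
    // re-read $_POST['site'] at this point and threw that normalisation away.
    // ---- slogan ----------------------------------------------------------------
    // The slogan is HTML-escaped *on input* and stored that way, so whatever
    // renders it must not escape it a second time.
    $rawSlogan = (isset($_POST['slogan']) && is_string($_POST['slogan'])) ? $_POST['slogan'] : '';
    $slogan = htmlspecialchars($rawSlogan, ENT_QUOTES, 'UTF-8');
    // Firefox turns runs of spaces into U+00A0 (no-break space) characters;
    // fold them back to plain spaces. "\xC2\xA0" is U+00A0 in UTF-8 -- the
    // original used the literal character, which is invisible in a diff.
    $slogan = str_replace("\xC2\xA0", ' ', $slogan);
    // ---- persist: the slogan row plus its "Suggested slogan" comment -----------
    // One transaction so either both rows land or neither does. bindValue-style
    // arrays are used because every value is final at this point.
    $comment = 'Suggested slogan: ' . $slogan;
    try {
        $database->beginTransaction();
        $insertSlogan = $database->prepare(
            'INSERT INTO slogans (tag, author, slogan, email, site) VALUES (:tag, :author, :slogan, :email, :site)'
        );
        $insertSlogan->execute(array(
            ':tag'    => $tag,
            ':author' => $author,
            ':slogan' => $slogan,
            // The original bound the undefined variable $mail here and in the
            // comment INSERT, so the e-mail column was always NULL.
            ':email'  => $email,
            ':site'   => $site,
        ));
        $insertComment = $database->prepare(
            'INSERT INTO comments (tag, author, comment, site, email) VALUES (:tag, :author, :comment, :site, :email)'
        );
        $insertComment->execute(array(
            ':tag'     => $tag,
            ':author'  => $author,
            ':comment' => $comment,
            ':site'    => $site,
            ':email'   => $email,
        ));
        $database->commit();
    }
    catch (PDOException $e) {
        if ($database->inTransaction()) {
            $database->rollBack();
        }
        // Keep the driver message server-side: it reveals the schema and the
        // database path. The original echoed it to the visitor and then went on
        // to the redirect as if the write had succeeded.
        error_log('submit.php: insert failed: ' . $e->getMessage());
        print("Something went wrong with your slogan.\n");
        printBackLink();
        exit();
    }
    // Hand the tag to input.php so it can display the result.
    session_start();
    $_SESSION["tag"] = $tag;
    header('Location: input.php');
    exit();
}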
?>