authorDries Buytaert <dries@buytaert.net>2001-05-15 18:38:57 +0000
committerDries Buytaert <dries@buytaert.net>2001-05-15 18:38:57 +0000
commit14ddbc473c3ccfc03773bd684cd41255cc951507 (patch)
tree3310c06c4323dfc5690d6e78236158b7bac2f428 /includes
parent1da587a9d9df433952981da62dda4f2b216799c7 (diff)
- Created 2 new functions:
+ path_uri(): returns the fully-qualified URI of your drupal site. + path_img(): returns the image directory or http://image-server.com/ in case you prefer to load-balance bandwidth usage. Replaced all occurrences of the variable "site_url" with path_uri() and removed "site_url" from "setting.module". - Drastically simplified the node_save() API, which should make the node-forms more secure. Updated "story.module", "book.module", "forum.module", "page.module" and "node.module" to reflect this change. This needs more testing so hit it, beat it, tease it. - Fixed an occasional glitch in the configuration file loading logic. - Made "queue.module" display an informative notice when an anonymous user tries accessing the moderation queue. - Updated the hard-coded information in drupal.module a bit.
Diffstat (limited to 'includes')
-rw-r--r--includes/common.inc17
-rw-r--r--includes/node.inc47
-rw-r--r--includes/setting.php3
3 files changed, 40 insertions, 27 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 49b55eb54..99f87a1f4 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -5,7 +5,8 @@ $na = "<I>na</I>";
function conf_init() {
global $HTTP_HOST, $REQUEST_URI;
$file = strtolower(strtr($HTTP_HOST ."". substr($REQUEST_URI, 0, strrpos($REQUEST_URI, "/")), "/:", ".."));
- return file_exists("includes/$file.php") ? $file : "setting";
+ while ($file && !file_exists("includes/$file.php")) $file = substr($file, 0, strrpos($file, "."));
+ return $file ? $file : "setting";
}
function error_handler($errno, $message, $filename, $line, $variables) {
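Review bot: The name tested by the new `while` loop in conf_init() is built from `$HTTP_HOST` and `$REQUEST_URI`, both supplied by the client, and the loop now accepts any shorter dot-separated prefix that happens to exist as `includes/<prefix>.php`. `strtr` maps only `/` and `:` to `.`, so every other byte in the Host header or path reaches `file_exists()` unchanged, and presumably reaches whatever later loads the returned name (that caller is not visible here). I would reject unexpected characters before the loop, for example `if (!preg_match('/^[a-z0-9.-]+\z/', $file)) return "setting";`, and add a comment stating that every `.php` file in `includes/` is a candidate configuration under this fallback.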
@@ -37,6 +38,20 @@ function throttle($type, $rate) {
}
}
+function path_uri() {
+ global $HTTP_HOST, $REQUEST_URI;
+ $REQUEST_URI = strstr("export/", $REQUEST_URI);
+ return "http://". $HTTP_HOST . substr($REQUEST_URI, 0, strrpos($REQUEST_URI, "/")) ."/";
+}
+
+function path_img() {
+ // use "http://your-image-server.com/ if you want to host images on a seperate server.
+ return "./images/";
+}
+
+function notice_account() {
+ return t("This page requires a valid user account. Please <A HREF=\"account.php\">create a user account</A> and <A HREF=\"account.php\">login</A> prior to accessing it.");
+}
function check_textfield($message) {
return strip_tags(str_replace("\"", "&quot;", stripslashes($message)));
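Review bot: In path_uri() the call `strstr("export/", $REQUEST_URI)` has haystack and needle reversed as written: it searches the literal `export/` for the request URI, so it will normally return false. The result is also assigned back to the global `$REQUEST_URI`, so every later reader of that global (conf_init() in the hunk above is one) sees the altered value. Whatever the intended `export/` handling is, it should work on a local copy, e.g. `$uri = $REQUEST_URI;`, and leave the global alone. Separately, the returned base URI embeds the client-supplied `$HTTP_HOST`, so anything that stores or mails links built from path_uri() follows whatever Host header the request carried; a configured site address would be the safer source for those uses.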
diff --git a/includes/node.inc b/includes/node.inc
index 7962087d6..138ef4a67 100644
--- a/includes/node.inc
+++ b/includes/node.inc
@@ -51,7 +51,7 @@ function node_get_comments($nid) {
return $comment->number ? $comment->number : 0;
}
-function node_save($node) {
+function node_save($node, $filter) {
global $user, $status;
$rows = array(nid, pid, lid, cid, tid, log, type, title, score, votes, author, status, comment, promote, moderate, timestamp);
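Review bot: The new required `$filter` parameter of node_save() has no documentation, and its shape is not obvious from the signature. Judging by the loop added further down, an entry with a numeric key names a field to copy from `$node`, while an entry with a string key forces that field to the given value. A header comment such as `// $filter: list of fields accepted from $node; "field" => value entries override the submitted value` would make the security contract explicit for module authors. The function body continues outside this hunk.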
@@ -63,11 +63,13 @@ function node_save($node) {
$u2 = array();
foreach ($node as $field=>$value) {
- if (in_array($field, $rows)) {
- array_push($u1, check_input($field) ." = '". check_input($value) ."'");
- }
- else {
- array_push($u2, check_input($field) ." = '". check_input($value) ."'");
+ if (in_array($field, $filter)) {
+ if (in_array($field, $rows)) {
+ array_push($u1, check_input($field) ." = '". check_input($value) ."'");
+ }
+ else {
+ array_push($u2, check_input($field) ." = '". check_input($value) ."'");
+ }
}
}
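Review bot: The allow-list test `in_array($field, $filter)` in the update loop compares the submitted field name against the values of `$filter` using loose comparison. For forced entries the field name is the key, not the value, and on the PHP versions this code targets a non-numeric string compares equal to an integer `0`, so a filter containing a `0` value would let any field name through. Whether callers pass such filters on the update path is not visible here. I would derive the list of permitted names once, taking the value for numeric keys and the key otherwise, and test `$field` against that list. The loop sits inside node_save(), which starts and ends outside this hunk.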
@@ -89,23 +91,20 @@ function node_save($node) {
// verify submission rate:
throttle("post node", variable_get(max_node_rate, 900));
- // setup default values:
- $node = array_merge(array(title => "?", author => $user->id, type => "?", pid => 0, cid => 0, tid => 0, log => "node created", status => (category_submission($node[cid]) ? $status[queued] : $status[posted]) , score => 0, votes => 0, comment => category_comment($node[cid]), promote => category_promote($node[cid]), moderate => topic_moderate($node[tid]), timestamp => time()), $node);
-
// prepare queries:
- $f1 = array();
- $v1 = array();
- $f2 = array();
- $v2 = array();
+ foreach ($filter as $field=>$value) {
+ $k = check_input(is_numeric($field) ? $value : $field);
+ $v = check_input(is_numeric($field) ? $node[$value] : $filter[$field]);
- foreach ($node as $field=>$value) {
- if (in_array($field, $rows)) {
- array_push($f1, check_input($field));
- array_push($v1, "'". check_input($value) ."'");
+ print "$k => $v ($field, $value)<BR>";
+
+ if (in_array($k, $rows)) {
+ $f1[] = $k;
+ $v1[] = "'$v'";
}
else {
- array_push($f2, check_input($field));
- array_push($v2, "'". check_input($value) ."'");
+ $f2[] = $k;
+ $v2[] = "'$v'";
}
}
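Review bot: The added line `print "$k => $v ($field, $value)<BR>";` is debug output left in the insert path; it writes field names and submitted values into the page without HTML escaping and should be removed before release. The same hunk drops the `$f1`/`$v1`/`$f2`/`$v2` initialisers, so when no field falls into one of the two groups the later `implode()` receives an undefined variable and the generated INSERT is malformed; keep `$f1 = $v1 = $f2 = $v2 = array();` ahead of the loop. Note also that `$k` goes through `check_input()` but is used as a column identifier, so the real protection is the `$filter` allow-list and not the escaping. node_save() starts and ends outside this hunk.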
@@ -115,14 +114,14 @@ function node_save($node) {
$v2 = implode(", ", $v2);
// insert data, try to roll-back when something goes wrong:
- $result = db_query("INSERT INTO node ($f1) VALUES ($v1)");
+ $result = db_query("INSERT INTO node ($f1) VALUES ($v1)", 1);
if ($result && $nid = db_insert_id()) {
- $result = db_query("INSERT INTO $node[type] ($f2, nid) VALUES ($v2, $nid)");
+ $result = db_query("INSERT INTO $filter[type] ($f2, nid) VALUES ($v2, $nid)", 1);
if ($result && $lid = db_insert_id()) {
- $result = db_query("UPDATE node SET lid = '$lid' WHERE nid = '$nid'");
+ $result = db_query("UPDATE node SET lid = '$lid' WHERE nid = '$nid'", 1);
if ($result) {
if (($node[pid]) && ($node[status] == $status[posted])) {
- db_query("UPDATE node SET status = '$status[expired]' WHERE nid = '$node[pid]'");
+ db_query("UPDATE node SET status = '$status[expired]' WHERE nid = '$node[pid]'", 1);
}
watchdog("special", "node: added '$node[title]'");
}
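Review bot: The statements in this hunk still read `$node[pid]`, `$node[status]` and `$node[title]` directly, although the field lists now come from `$filter` and the removed `array_merge` no longer fills defaults into `$node`. As a result `$node[status] == $status[posted]` compares a submitted (possibly unset) value and not the status that was actually inserted, and `$node[pid]` reaches `WHERE nid = '$node[pid]'` without `check_input()`. The table name `$filter[type]` is only defined when the caller passes `type` as a forced `key => value` entry, and it is interpolated as an identifier. I would resolve these once from the filtered data before the queries, e.g. `$pid = check_input($node[pid]);`, and check the type against the known node types. The meaning of the new second argument `1` to db_query() is not visible here (the next hunk adds it too); if it is a debug switch it should not ship.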
@@ -131,7 +130,7 @@ function node_save($node) {
}
}
else {
- db_query("DELETE FROM node WHERE nid = '$nid'");
+ db_query("DELETE FROM node WHERE nid = '$nid'", 1);
watchdog("warning", "node: added '$node[title]' - failed");
}
}
diff --git a/includes/setting.php b/includes/setting.php
index d4bc5240b..be4590b00 100644
--- a/includes/setting.php
+++ b/includes/setting.php
@@ -1,6 +1,5 @@
<?php
-
#
# Database settings:
#
@@ -58,6 +57,6 @@ $themes = array("UnConeD" => array(
$languages = array("en" => "English");
# This line prevents users from accessing your settings file:
-die();
+die("access denied");
?> \ No newline at end of file