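//
// Alternatively, the contents of this file may be used under the terms of
// either the GNU General Public License Version 2 or later (the "GPL"), or
// the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
// in which case the provisions of the GPL or the LGPL are applicable instead
// of those above. If you wish to allow use of your version of this file only
// under the terms of either the GPL or the LGPL, and not to allow others to
// use your version of this file under the terms of the MPL, indicate your
// decision by deleting the provisions above and replace them with the notice
// and other provisions required by the GPL or the LGPL. If you do not delete
// the provisions above, a recipient may use your version of this file under
// the terms of any one of the MPL, the GPL or the LGPL.
//
// ***** END LICENSE BLOCK *****

// Submit review/rating feedback: validate the posted item/version, store the
// comment in `feedback`, refresh the item's 30-day average in `main`, and
// redirect back to the item's comments page.
//
// POST fields read: id, vid, name, title, rating, comments, email, formkey, type.
// escape_string(), page_error(), $connection and $sitehostname are presumably
// provided by ../core/config.php (not visible here).
require "../core/config.php";

// Run $sql on the shared link; on failure report the MySQL error at $level
// (E_USER_ERROR halts the script, E_USER_NOTICE lets it continue).
// Returns the mysql result (false on failure).
function feedback_query($connection, $sql, $level = E_USER_ERROR)
{
    $result = mysql_query($sql, $connection);
    if ($result === false) {
        trigger_error("MySQL Error " . mysql_errno() . ": " . mysql_error(), $level);
    }
    return $result;
}

// Read a scalar POST field as a string; '' when absent or not a scalar.
// Avoids undefined-index notices and "Array" casts on unexpected input.
function feedback_post($key)
{
    if (!isset($_POST[$key]) || is_array($_POST[$key])) {
        return '';
    }
    return (string) $_POST[$key];
}

// Check that the ID/vID pair refers to an existing item version. Both values
// are only used (escaped) when the lookup succeeds.
$id  = '';
$vid = '';
$sql = "SELECT TM.ID, TV.vID FROM `main` TM INNER JOIN `version` TV ON TM.ID=TV.ID"
     . " WHERE TM.ID = '" . escape_string(feedback_post("id")) . "'"
     . " AND `vID`='" . escape_string(feedback_post("vid")) . "' LIMIT 1";
if (mysql_num_rows(feedback_query($connection, $sql)) > 0) {
    $id  = escape_string(feedback_post("id"));
    $vid = escape_string(feedback_post("vid"));
}

if ($id === '' || $vid === '') {
    // Previously the script continued and inserted a comment with an empty ID;
    // an unknown item is an input error like the blank-comment case below.
    page_error("3", "Invalid ID or version.");
    exit;
}

// Every posted string is escaped once, here, before it is interpolated into SQL.
$name     = escape_string(strip_tags(feedback_post("name")));
$title    = escape_string(strip_tags(feedback_post("title")));
$comments = nl2br(strip_tags(escape_string(feedback_post("comments"))));
$email    = escape_string(feedback_post("email"));
$formkey  = escape_string(feedback_post("formkey"));

if ($name === '') {
    $name = "Anonymous";
}
if ($title === '') {
    $title = "No Title";
}

// Accept the rating only when it is a number in the 0..5 range; normalise it to
// a float so the value written to SQL is always a plain number.
$rating = feedback_post("rating");
if (is_numeric($rating) && (float) $rating >= 0 && (float) $rating <= 5) {
    $rating = (float) $rating;
} else {
    $rating = null;
}

// As before, a rating of 0 is treated the same as no rating.
if (!$rating || $comments === '') {
    page_error("3", "Comment is Blank or Rating is Null.");
    exit;
}

// Describe which version of the item this comment is about.
$sql = "SELECT TV.Version, `OSName`, `AppName` FROM `version` TV"
     . " INNER JOIN `os` TOS ON TOS.OSID=TV.OSID"
     . " INNER JOIN `applications` TA ON TA.AppID=TV.AppID"
     . " WHERE TV.ID = '$id' AND TV.vID='$vid' LIMIT 1";
$row = mysql_fetch_array(feedback_query($connection, $sql));
$versiontagline = '';
if ($row) {
    $versiontagline = "version " . $row["Version"] . " for " . $row["AppName"];
    if ($row["OSName"] !== "ALL") {
        $versiontagline .= " on " . $row["OSName"];
    }
}
// These values come from the database, not the form, but they are interpolated
// into the INSERT below and so need escaping as well.
$versiontagline = escape_string($versiontagline);

// Behind a proxy the client address may arrive in X-Forwarded-For. That header is
// client-supplied, so it is only meaningful when a trusted proxy sets it; take
// the leftmost entry (the originating client) and escape it before it reaches SQL.
$remote_addr = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : '';
if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
    $forwarded   = explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]);
    $remote_addr = trim($forwarded[0]);
}
$remote_addr = escape_string($remote_addr);

// A formkey already seen since yesterday midnight means a duplicate submission;
// in that case nothing is stored and the redirect still reports success.
$since = date("Y-m-d H:i:s", mktime(0, 0, 0, date("m"), date("d") - 1, date("Y")));
$sql = "SELECT `CommentID` FROM `feedback` WHERE `formkey` = '$formkey' AND `CommentDate`>='$since'";
$already_posted = mysql_num_rows(feedback_query($connection, $sql)) > 0;

$action = '';
if (!$already_posted) {
    // Is this address inside a banned range?
    $sql = "SELECT `bID` FROM `feedback_ipbans` WHERE `beginip` <= '$remote_addr'"
         . " AND `endip` >='$remote_addr' LIMIT 1";
    if (mysql_num_rows(feedback_query($connection, $sql)) > 0) {
        // Banned: the redirect target reports this via the action parameter.
        $action = "ipbanned";
    } else {
        // Not banned and not a duplicate: store the comment.
        $sql = "INSERT INTO `feedback` (`ID`, `CommentName`, `CommentVote`, `CommentTitle`,"
             . " `CommentNote`, `CommentDate`, `commentip`, `email`, `formkey`, `VersionTagline`)"
             . " VALUES ('$id', '$name', '$rating', '$title', '$comments', NOW(NULL), '$remote_addr',"
             . " '$email', '$formkey', '$versiontagline');";
        feedback_query($connection, $sql, E_USER_NOTICE);

        // Recompute the item's rating from the votes of the last 30 days
        // (2.5 when there are none).
        $since = date("Y-m-d H:i:s", mktime(0, 0, 0, date("m"), date("d") - 30, date("Y")));
        $sql = "SELECT ID, CommentVote FROM `feedback` WHERE `ID` = '$id'"
             . " AND `CommentDate`>='$since' AND `CommentVote` IS NOT NULL";
        $sql_result = feedback_query($connection, $sql, E_USER_NOTICE);
        $votes = array();
        if ($sql_result) {
            while ($row = mysql_fetch_array($sql_result)) {
                $votes[] = (float) $row["CommentVote"];
            }
        }
        $average = count($votes) > 0 ? round(array_sum($votes) / count($votes), 1) : 2.5;

        $sql = "UPDATE `main` SET `Rating`='$average' WHERE `ID`='$id' LIMIT 1";
        feedback_query($connection, $sql, E_USER_NOTICE);
    }
}

if ($action === '') {
    $action = "successful";
}

// Map the posted type code to the section directory of the item's detail page.
$type = '';
$posted_type = feedback_post("type");
if ($posted_type === "E") {
    $type = "extensions";
} elseif ($posted_type === "T") {
    $type = "themes";
}

// URL-encode the query values so the redirect target is well-formed.
$return_path = "$type/moreinfo.php?id=" . urlencode($id) . "&vid=" . urlencode($vid)
             . "&page=comments&action=" . urlencode($action);
header("Location: http://$sitehostname/$return_path");
exit;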