<?php
include_once 'Thread.php';
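/**
 * Render a ">#<post id>" reference as an HTML blockquote of the referenced post.
 *
 * Used as the preg_replace_callback() callback in Post::display_content(), so
 * $matches is the PCRE match array. Only the full match ($matches[0]) is used;
 * the original loop returned on its first iteration, so this is equivalent.
 *
 * @param mysqli $dbc       open database connection
 * @param mixed  $thread_id unused; kept so existing call sites keep working
 * @param array  $matches   PCRE match array from preg_replace_callback()
 * @return string the blockquote HTML; an empty blockquote when the query fails,
 *                a red notice when the referenced post no longer exists, and
 *                '' when $matches is empty
 */
function add_quote($dbc, $thread_id, $matches) {
    if (empty($matches)) {
        return '';
    }
    // FILTER_SANITIZE_NUMBER_INT strips everything except digits and signs, so
    // ">#123" (and "&gt;#123", if the content was HTML-escaped first) yields 123.
    // The (int) cast is what makes the interpolation into the query safe.
    $id = (int) filter_var(reset($matches), FILTER_SANITIZE_NUMBER_INT);
    $sql = 'SELECT post_content, post_author, post_thread, user_name FROM posts LEFT JOIN users ON post_author = user_id WHERE post_id = ' . $id;
    $result = mysqli_query($dbc, $sql);
    if (!$result) {
        return '<blockquote></blockquote>';
    }
    $reply = mysqli_fetch_assoc($result);
    mysqli_free_result($result);
    if (empty($reply)) {
        return '<blockquote><span style="color:red;">This post has been deleted</span></blockquote>';
    }
    // user_name and post_content are user-supplied and are placed into HTML,
    // so they are escaped; the thread id only needs to be an integer.
    // user_name may be NULL because of the LEFT JOIN; (string) turns that into ''.
    $thread = (int) $reply['post_thread'];
    $author = htmlspecialchars((string) $reply['user_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $content = htmlspecialchars((string) $reply['post_content'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<blockquote><a href="/viewthread.php?id=' . $thread . '#p' . $id . '">Quote from ' . $author . '</a><br>' . $content . '</blockquote>';
}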
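/**
 * A single forum post loaded from the `posts` table, together with the
 * Thread it belongs to and the User who wrote it.
 */
class Post {
    /** @var int|null post_id; set by get_from_database() */
    public $id;
    /** @var string|null raw post_content as stored in the database (treated as plain text when rendered) */
    public $content;
    /** @var string|null post_date_created, as returned by the database */
    public $date_created;
    /** @var string|null post_date_edited; null when the post was never edited */
    public $date_edited;
    /** @var Thread|null thread this post belongs to */
    public $thread;
    /** @var User|null author of this post */
    public $author;

    /**
     * Load the post with the given id, including its Thread and User.
     *
     * @param mixed  $id  post_id; anything that is not numeric becomes 0 and matches nothing
     * @param mysqli $dbc open database connection
     * @return int 1 when the post was loaded, 0 when it does not exist or the query failed
     */
    public function get_from_database($id, $dbc) {
        // post_id is an integer column, so an (int) cast is all that is needed to
        // make the interpolation safe. mysqli_real_escape_string() only escapes
        // quote characters and therefore does not protect an unquoted numeric
        // literal, which is the injection the old TODO pointed at.
        $id = (int) $id;
        $sql = 'SELECT post_content, post_date_created, post_date_edited, post_thread, post_author FROM posts WHERE post_id = ' . $id;
        $result = mysqli_query($dbc, $sql);
        if (!$result) {
            // Driver error text belongs in the server log, not on the page; and
            // returning here avoids calling mysqli_num_rows()/fetch on `false`.
            error_log('Failed to get post: ' . mysqli_error($dbc));
            echo 'Failed to get post.';
            return 0;
        }
        // post_id is the key, so at most one row comes back.
        $row = mysqli_fetch_assoc($result);
        mysqli_free_result($result);
        if (!$row) {
            return 0;
        }
        $this->id = $id;
        $this->content = $row['post_content'];
        $this->date_created = $row['post_date_created'];
        $this->date_edited = $row['post_date_edited'];
        $this->thread = new Thread();
        $this->thread->get_from_database($row['post_thread'], $dbc);
        $this->author = new User();
        $this->author->get_by_id($row['post_author'], $dbc);
        return 1;
    }

    /**
     * Echo the post header (number, author, dates, owner-only edit/delete links)
     * followed by the rendered content: quote references, newlines, YouTube and
     * image URLs and plain URLs are turned into markup.
     *
     * The raw content is HTML-escaped before any of those transformations run,
     * so nothing the author typed is interpreted as HTML; every tag in the
     * output is produced by this method or by add_quote().
     *
     * @param mysqli $dbc open database connection (needed to resolve quoted posts)
     * @return void
     */
    public function display_content($dbc) {
        $id = self::escape($this->id);
        $author_id = self::escape($this->author->id);
        $author_name = self::escape($this->author->name);
        echo '<div class="header" id="p' . $id . '"><b>#' . $id . '</b>';
        echo ' Posted by <a href="viewuser.php?id=' . $author_id . '">' . $author_name . '</a>';
        echo ' on ' . self::format_date($this->date_created);
        if (!is_null($this->date_edited)) {
            echo ' <small>edited ' . self::format_date($this->date_edited) . '</small>';
        }
        // Strict comparison on the integer ids so "0" == "" style coercions cannot
        // make a visitor look like the author.
        // NOTE(review): edit/delete are plain GET links to a state-changing
        // endpoint; manage_post.php should require POST and a CSRF token on its
        // side — confirm it does.
        if (isset($_SESSION['signed_in'], $_SESSION['user_id']) && (int) $_SESSION['user_id'] === (int) $this->author->id) {
            echo '<span style="float:right;">';
            echo '[<a href="includes/manage_post.php?action=edit&id=' . $id . '">Edit</a>] ';
            echo '[<a href="includes/manage_post.php?action=delete&id=' . $id . '">Delete</a>]';
            echo '</span>';
        }
        echo '</div>';

        // Escape first; everything below only inserts markup of its own.
        $post_content = self::escape($this->content);
        // Quote references look like ">#123"; after escaping the ">" is "&gt;".
        // add_quote() ignores its second argument, which is passed for compatibility.
        $post_id = $this->id;
        $post_content = preg_replace_callback('/&gt;#\d+/', function ($matches) use ($post_id, $dbc) {
            return add_quote($dbc, $post_id, $matches);
        }, $post_content);
        // Replace newline characters with HTML <br> tags
        $post_content = nl2br($post_content);
        // Replace YouTube URLs with embedded YouTube videos.
        $post_content = preg_replace(
            "/\s*[a-zA-Z\/\/:\.]*youtu(be.com\/watch\?v=|.be\/)([a-zA-Z0-9\-_]+)([a-zA-Z0-9\/\*\-\_\?\&\;\%\=\.]*)/i",
            '<br><iframe class="youtube-embed" src="//www.youtube.com/embed/$2" allowfullscreen></iframe>', $post_content);
        // Replace Image URLs with embedded images. The negative lookahead skips
        // URLs that already sit inside a tag inserted above.
        $post_content = preg_replace('@\b(http(s)?://)([^\s]*?(?:\.[a-z\d?=/_-]+)+(?:\.jpg|\.png|\.gif))(?![^<]*?(?:</\w+>|/?>))@i', '<img class="image-embed" src="http$2://$3" alt="http$2://$3" />', $post_content);
        // Replace other URLs with links.
        $post_content = preg_replace('@\b(http(s)?://)([^\s]*?(?:\.[a-z\d?=/_-]+)+)(?![^<]*?(?:</\w+>|/?>))@i', '<a href="http$2://$3">$0</a>', $post_content);
        echo '<span class="post-content">' . $post_content . '</span>';
    }

    /**
     * HTML-escape a value for placement in element content or a quoted attribute.
     *
     * @param mixed $value anything that can be cast to string (null becomes '')
     * @return string
     */
    private static function escape($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /**
     * Format a database timestamp as "m/d/Y g:ia"; if strtotime() cannot parse
     * it, the escaped raw value is shown instead of calling date() with `false`.
     *
     * @param mixed $value timestamp string from the database
     * @return string
     */
    private static function format_date($value) {
        $timestamp = strtotime((string) $value);
        if ($timestamp === false) {
            return self::escape($value);
        }
        return date('m/d/Y g:ia', $timestamp);
    }
}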
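/**
 * Load every post in the `posts` table.
 *
 * @param mysqli $dbc open database connection
 * @return Post[] the loaded posts; empty when there are none or the query failed
 */
function get_all_posts($dbc) {
    $result = mysqli_query($dbc, 'SELECT post_id FROM posts');
    if (!$result) {
        // Log the driver detail, show only a generic message, and return early so
        // mysqli_num_rows()/fetch are never called on `false`.
        error_log('Failed to get posts: ' . mysqli_error($dbc));
        echo 'Failed to get posts.';
        return [];
    }
    $posts = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $post = new Post();
        // A post deleted between the two queries would come back empty and its
        // display_content() would fail on the missing author, so skip it.
        if ($post->get_from_database($row['post_id'], $dbc)) {
            $posts[] = $post;
        }
    }
    mysqli_free_result($result);
    return $posts;
}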