1 | <?php |
2 | /* This program is free software. It comes without any warranty, to | |
3 | * the extent permitted by applicable law. You can redistribute it | |
4 | * and/or modify it under the terms of the Do What The Fuck You Want | |
5 | * To Public License, Version 2, as published by Sam Hocevar. See | |
6 | * http://sam.zoy.org/wtfpl/COPYING for more details. */ | |
7 | ||
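/**
 * Send an internal mail from the logged-in user to one or more recipients.
 *
 * The sender comes from $_SESSION (user_id, user_name); the request comes from
 * $_POST: `mail_to` is a ';'-separated list of logins, `mail_text` the body.
 * For each resolved recipient two rows go into `mail` (the sender's copy and
 * the recipient's copy, linked through mail_duplicate_id) and the recipient's
 * unread counter in `users` is bumped.
 *
 * Failures are reported through the global $error (a message for the caller
 * to display — escape it for HTML at the point of output) and a false return;
 * success returns true.
 *
 * Fixes over the previous version: every value interpolated into SQL is now
 * escaped (mail_text, user_name and the ids were inserted raw), $error is bound
 * to the global once so the $htmlparse branch no longer writes a local,
 * unknown logins no longer produce a mail row with an empty mail_to, the
 * "does not exist" message no longer stringifies an array, and the one-vs-many
 * recipient branches (identical code, explode() always yields >= 1 element)
 * are merged.
 *
 * @return bool
 */
function send() {
    global $db, $error, $htmlparse;

    if (empty($_SESSION['user_id']) || empty($_SESSION['user_name'])) {
        $error="user_id or user_name empty. try again or fck.off if u'r hackin";
        return false;
    }

    // Escape applied at the SQL boundary to every interpolated value.
    // NOTE(review): mysql_escape_string ignores the connection charset and
    // was removed in PHP 7; the durable fix is the driver's parameter binding,
    // which $db does not visibly expose from here — confirm and switch.
    $esc = function ($value) {
        return mysql_escape_string((string) $value);
    };

    $user_id = $esc($_SESSION['user_id']);
    $user_name = $esc($_SESSION['user_name']);
    $mail_name = isset($_POST['mail_to']) ? $_POST['mail_to'] : '';
    $mail_text = isset($_POST['mail_text']) ? $_POST['mail_text'] : '';

    // Checked before any database work; this error takes priority over an
    // unknown recipient, as before.
    if (empty($mail_text)) {
        $error="Prilis kratka sprava. Syr vesela krava, student prava a ci dobra trava?";
        return false;
    }

    // Recipient logins: empty entries (e.g. a trailing ';') and duplicates are
    // dropped so nobody gets the same mail twice or an empty-login lookup runs.
    $mail_to = array_unique(array_filter(explode(';', $mail_name), 'strlen'));

    // Resolve each login to a user_id; logins without a record are skipped
    // (they used to yield a null id and an orphaned mail row).
    $mail_to_id = array();
    foreach ($mail_to as $login) {
        $q="select user_id from users where login='" . $esc($login) . "'";
        $result=$db->query($q);
        $result->next();
        $to=$result->getRecord();
        if (!empty($to['user_id'])) {
            $mail_to_id[] = $esc($to['user_id']);
        }
    }

    if (!$mail_to_id) {
        $error="user " . implode(';', $mail_to) . " does not exist";
        return false;
    }

    // processContent reports HTML problems through the global $htmlparse.
    $mail_text=nodes::processContent($mail_text);
    if ($htmlparse) {
        $error=$htmlparse;
        return false;
    }
    // Assumes processContent returns plain (not SQL-escaped) text — confirm.
    $mail_text = $esc($mail_text);

    foreach ($mail_to_id as $mail_to_id_send) {
        // Sender's copy first; its id links the recipient's copy below.
        $q="insert into mail set mail_user='$user_id',mail_read='no', mail_from='$user_id',mail_text='$mail_text',mail_to='$mail_to_id_send',mail_timestamp=NOW()";
        $db->query($q);
        $duplicate_id=$esc($db->getLastInsertId());
        $q="insert into mail set mail_duplicate_id='$duplicate_id', mail_read='no',mail_user='$mail_to_id_send',mail_from='$user_id',mail_text='$mail_text', mail_to='$mail_to_id_send',mail_timestamp=NOW()";
        $db->query($q);
        $db->query("update users set user_mail=user_mail+1, user_mail_name='$user_name' where user_id='$mail_to_id_send'");
    }
    return true;
}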
76 | ||
77 | ||
78 | ?> |