mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-10 18:54:08 +02:00
Code Issues Releases Wiki Activity

- view active topics

Browse Source 
- seperated search id (int) from search id (string) for security reasons


git-svn-id: file:///svn/phpbb/trunk@5161 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen
2005-06-13 17:51:55 +00:00
parent 2ca7293a68
commit 2e4ea58d28
5 changed files with 215 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

362
phpBB/search.php
View File

@@ -27,6 +27,7 @@ $user->setup('search');
// Define initial vars
$mode = request_var('mode', '');
$search_id = request_var('search_id', '');
$search_session_id = request_var('search_session_id', 0);
$start = request_var('start', 0);
$post_id = request_var('p', 0);
$view = request_var('view', '');
@@ -77,7 +78,7 @@ if ($config['search_interval'])
}
}
if ($search_keywords || $search_author || $search_id)
if ($search_keywords || $search_author || $search_id || $search_session_id)
{
$post_id_ary = $split_words = $old_split_words = $common_words = array();
@@ -156,6 +157,33 @@ if ($search_keywords || $search_author || $search_id)
switch ($search_id)
{
// Oh holy Bob, bring us some activity...
case 'active_topics':
$show_results = 'topics';
if (!$sort_days)
{
$sort_days = 1;
gen_sort_selects($limit_days, $sort_by_text, $sort_days, $sort_key, $sort_dir, $s_limit_days, $s_sort_key, $s_sort_dir, $u_sort_param);
}
$last_post_time = (time() - ($sort_days * 24 * 3600));
$sql = 'SELECT DISTINCT t.topic_id
FROM ' . POSTS_TABLE . ' p
LEFT JOIN ' . TOPICS_TABLE . " t ON (t.topic_approved = 1 AND p.topic_id = t.topic_id)
WHERE p.post_time > $last_post_time
$sql_forums
ORDER BY t.topic_last_post_time DESC";
$result = $db->sql_query_limit($sql, 1000);
while ($row = $db->sql_fetchrow($result))
{
$post_id_ary[] = $row['topic_id'];
}
$db->sql_freeresult($result);
break;
case 'egosearch':
break;
@@ -225,39 +253,40 @@ if ($search_keywords || $search_author || $search_id)
trigger_error($user->lang['NO_SEARCH_RESULTS']);
}
break;
default:
$search_id = (int) $search_id;
$sql = 'SELECT search_array
FROM ' . SEARCH_TABLE . "
WHERE search_id = $search_id
AND session_id = '" . $db->sql_escape($user->data['session_id']) . "'";
$result = $db->sql_query($sql);
if ($row = $db->sql_fetchrow($result))
{
$data = explode('#', $row['search_array']);
$split_words = unserialize(array_shift($data));
if ($search_keywords)
{
// If we're wanting to search on these results we store the existing split word array
$old_split_words = $split_words;
}
$stopped_words = unserialize(array_shift($data));
foreach ($store_vars as $var)
{
$$var = array_shift($data);
}
$sql_where = (($show_results == 'posts') ? 'p.post_id' : 't.topic_id') . ' IN (' . implode(', ', $data) . ')';
unset($data);
}
$db->sql_freeresult($result);
}
}
if ($search_session_id)
{
$sql = 'SELECT search_array
FROM ' . SEARCH_TABLE . "
WHERE search_id = $search_session_id
AND session_id = '" . $db->sql_escape($user->data['session_id']) . "'";
$result = $db->sql_query($sql);
if ($row = $db->sql_fetchrow($result))
{
$data = explode('#', $row['search_array']);
$split_words = unserialize(array_shift($data));
if ($search_keywords)
{
// If we're wanting to search on these results we store the existing split word array
$old_split_words = $split_words;
}
$stopped_words = unserialize(array_shift($data));
foreach ($store_vars as $var)
{
$$var = array_shift($data);
}
$sql_where = (($show_results == 'posts') ? 'p.post_id' : 't.topic_id') . ' IN (' . implode(', ', $data) . ')';
unset($data);
}
$db->sql_freeresult($result);
}
// TODO: hook in fulltext_phpbb/mysql
// Are we looking for words
if ($search_keywords)
@@ -541,8 +570,9 @@ if ($search_keywords || $search_author || $search_id)
$db->sql_freeresult($result);
}
$total_match_count = 0;
if ($post_id_ary)
if ($post_id_ary && sizeof($post_id_ary))
{
// Finish building query (for all combinations) and run it ...
$sql = 'SELECT session_id
@@ -580,10 +610,10 @@ if ($search_keywords || $search_author || $search_id)
unset($post_id_ary);
srand ((double) microtime() * 1000000);
$search_id = rand();
$search_session_id = rand();
$sql_ary = array(
'search_id' => $search_id,
'search_id' => $search_session_id,
'session_id' => $user->data['session_id'],
'search_time' => $current_time,
'search_array' => $data
@@ -622,13 +652,14 @@ if ($search_keywords || $search_author || $search_id)
'SEARCH_MATCHES' => $l_search_matches,
'SEARCH_WORDS' => $split_words,
'IGNORED_WORDS' => ($ignored_words) ? $ignored_words : '',
'PAGINATION' => generate_pagination("search.$phpEx$SID&search_id=$search_id&hilit=$hilit&$u_sort_param", $total_match_count, $per_page, $start),
'PAGINATION' => generate_pagination("search.$phpEx$SID&search_session_id=$search_session_id&search_id=$search_id&hilit=$hilit&$u_sort_param", $total_match_count, $per_page, $start),
'PAGE_NUMBER' => on_page($total_match_count, $per_page, $start),
'TOTAL_MATCHES' => $total_match_count,
'S_SELECT_SORT_DIR' => $s_sort_dir,
'S_SELECT_SORT_KEY' => $s_sort_key,
'S_SEARCH_ACTION' => "search.$phpEx$SID&search_id=$search_id",
'S_SELECT_SORT_DAYS' => $s_limit_days,
'S_SEARCH_ACTION' => "{$phpbb_root_path}search.$phpEx$SID&search_session_id=$search_session_id&search_id=$search_id",
'S_SHOW_TOPICS' => ($show_results == 'posts') ? false : true,
'REPORTED_IMG' => $user->img('icon_reported', 'TOPIC_REPORTED'),
@@ -644,145 +675,152 @@ if ($search_keywords || $search_author || $search_id)
// within an existing search result set
$sort_by_sql = array('a' => (($show_results == 'posts') ? 'u.username' : 't.topic_poster'), 't' => (($show_results == 'posts') ? 'p.post_time' : 't.topic_last_post_time'), 'f' => 'f.forum_id', 'i' => 't.topic_title', 's' => (($show_results == 'posts') ? 'pt.post_subject' : 't.topic_title'));
if ($show_results == 'posts')
if ($sql_where)
{
// Not joining this query to the one below at present ... may do in future
$sql = 'SELECT zebra_id, friend, foe
FROM ' . ZEBRA_TABLE . '
WHERE user_id = ' . $user->data['user_id'];
$result = $db->sql_query($sql);
$zebra = array();
while ($row = $db->sql_fetchrow($result))
if ($show_results == 'posts')
{
if ($row['friend'])
// Not joining this query to the one below at present ... may do in future
$sql = 'SELECT zebra_id, friend, foe
FROM ' . ZEBRA_TABLE . '
WHERE user_id = ' . $user->data['user_id'];
$result = $db->sql_query($sql);
$zebra = array();
while ($row = $db->sql_fetchrow($result))
{
$zebra['friend'][] = $row['zebra_id'];
$zebra[($row['friend']) ? 'friend' : 'foe'][] = $row['zebra_id'];
}
else
{
$zebra['foe'][] = $row['zebra_id'];
}
}
$db->sql_freeresult($result);
$db->sql_freeresult($result);
$sql = 'SELECT p.*, f.forum_id, f.forum_name, t.*, u.username, u.user_sig, u.user_sig_bbcode_uid
FROM ' . FORUMS_TABLE . ' f, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . ' u, ' . POSTS_TABLE . " p
WHERE $sql_where
AND f.forum_id = p.forum_id
AND p.topic_id = t.topic_id
AND p.poster_id = u.user_id";
}
else
{
$sql = 'SELECT t.*, f.forum_id, f.forum_name
FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f
WHERE $sql_where
AND f.forum_id = t.forum_id";
}
$sql .= ' ORDER BY ' . $sort_by_sql[$sort_key] . ' ' . (($sort_dir == 'd') ? 'DESC' : 'ASC') . " LIMIT $start, $per_page";
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
{
$forum_id = $row['forum_id'];
$topic_id = $row['topic_id'];
$view_topic_url = "viewtopic.$phpEx$SID&f=$forum_id&t=$topic_id&hilit=$u_hilit";
if ($show_results == 'topics')
{
$replies = ($auth->acl_get('m_approve', $forum_id)) ? $row['topic_replies_real'] : $row['topic_replies'];
$folder_img = $folder_alt = $topic_type = '';
topic_status($row, $replies, time(), time(), $folder_img, $folder_alt, $topic_type);
$tpl_ary = array(
'TOPIC_AUTHOR' => topic_topic_author($row),
'FIRST_POST_TIME' => $user->format_date($row['topic_time']),
'LAST_POST_TIME' => $user->format_date($row['topic_last_post_time']),
'LAST_VIEW_TIME' => $user->format_date($row['topic_last_view_time']),
'LAST_POST_AUTHOR' => ($row['topic_last_poster_name'] != '') ? $row['topic_last_poster_name'] : $user->lang['GUEST'],
'PAGINATION' => topic_generate_pagination($replies, $view_topic_url),
'REPLIES' => $replies,
'VIEWS' => $row['topic_views'],
'TOPIC_TYPE' => $topic_type,
'LAST_POST_IMG' => $user->img('icon_post_latest', 'VIEW_LATEST_POST'),
'TOPIC_FOLDER_IMG' => $user->img($folder_img, $folder_alt),
'TOPIC_ICON_IMG' => (!empty($icons[$row['icon_id']])) ? $icons[$row['icon_id']]['img'] : '',
'TOPIC_ICON_IMG_WIDTH' => (!empty($icons[$row['icon_id']])) ? $icons[$row['icon_id']]['width'] : '',
'TOPIC_ICON_IMG_HEIGHT' => (!empty($icons[$row['icon_id']])) ? $icons[$row['icon_id']]['height'] : '',
'ATTACH_ICON_IMG' => ($auth->acl_gets('f_download', 'u_download', $forum_id) && $row['topic_attachment']) ? $user->img('icon_attach', $user->lang['TOTAL_ATTACHMENTS']) : '',
'S_TOPIC_TYPE' => $row['topic_type'],
'S_USER_POSTED' => (!empty($row['mark_type'])) ? true : false,
'S_TOPIC_REPORTED' => (!empty($row['topic_reported']) && $auth->acl_gets('m_', $forum_id)) ? true : false,
'S_TOPIC_UNAPPROVED' => (!$row['topic_approved'] && $auth->acl_gets('m_approve', $forum_id)) ? true : false,
'U_LAST_POST' => $view_topic_url . '&p=' . $row['topic_last_post_id'] . '#' . $row['topic_last_post_id'],
'U_LAST_POST_AUTHOR'=> ($row['topic_last_poster_id'] != ANONYMOUS && $row['topic_last_poster_id']) ? "memberlist.$phpEx$SID&mode=viewprofile&u={$row['topic_last_poster_id']}" : '',
'U_MCP_REPORT' => "mcp.$phpEx?sid={$user->session_id}&mode=reports&t=$topic_id",
'U_MCP_QUEUE' => "mcp.$phpEx?sid={$user->session_id}&i=queue&mode=approve_details&t=$topic_id"
);
$sql = 'SELECT p.*, f.forum_id, f.forum_name, t.*, u.username, u.user_sig, u.user_sig_bbcode_uid
FROM ' . FORUMS_TABLE . ' f, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . ' u, ' . POSTS_TABLE . " p
WHERE $sql_where
AND f.forum_id = p.forum_id
AND p.topic_id = t.topic_id
AND p.poster_id = u.user_id";
}
else
{
if ((isset($zebra['foe']) && in_array($row['poster_id'], $zebra['foe'])) && (!$view || $view != 'show' || $post_id != $row['post_id']))
{
$template->assign_block_vars('searchresults', array(
'S_IGNORE_POST' => true,
'L_IGNORE_POST' => sprintf($user->lang['POST_BY_FOE'], $row['username'], "<a href=\"search.$phpEx$SID&amp;search_id=$search_id&amp;$u_sort_param&amp;p=" . $row['post_id'] . '&amp;view=show#' . $row['post_id'] . '">', '</a>'))
);
continue;
}
if ($row['enable_html'])
{
$row['post_text'] = preg_replace('#(<!\-\- h \-\-><)([\/]?.*?)(><!\-\- h \-\->)#is', "&lt;\\2&gt;", $row['post_text']);
}
$row['post_text'] = censor_text($row['post_text']);
decode_message($row['post_text'], $row['bbcode_uid']);
if ($return_chars)
{
$row['post_text'] = (strlen($row['post_text']) < $return_chars + 3) ? $row['post_text'] : substr($row['post_text'], 0, $return_chars) . '...';
}
// This was shamelessly 'borrowed' from volker at multiartstudio dot de
// via php.net's annotated manual
$row['post_text'] = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $hilit . ")\b#i', '<span class=\"posthilit\">\\\\1</span>', '\\0')", '>' . $row['post_text'] . '<'), 1, -1));
$row['post_text'] = smiley_text($row['post_text']);
$tpl_ary = array(
'POSTER_NAME' => ($row['poster_id'] == ANONYMOUS) ? ((!empty($row['post_username'])) ? $row['post_username'] : $user->lang['GUEST']) : $row['username'],
'POST_SUBJECT' => censor_text($row['post_subject']),
'POST_DATE' => (!empty($row['post_time'])) ? $user->format_date($row['post_time']) : '',
'MESSAGE' => (!empty($row['post_text'])) ? str_replace("\n", '<br />', $row['post_text']) : ''
);
$sql = 'SELECT t.*, f.forum_id, f.forum_name
FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f
WHERE $sql_where
AND f.forum_id = t.forum_id";
}
$sql .= ' ORDER BY ' . $sort_by_sql[$sort_key] . ' ' . (($sort_dir == 'd') ? 'DESC' : 'ASC') . " LIMIT $start, $per_page";
$result = $db->sql_query($sql);
$template->assign_block_vars('searchresults', array_merge($tpl_ary, array(
'FORUM_ID' => $forum_id,
'TOPIC_ID' => $topic_id,
'POST_ID' => ($show_results == 'posts') ? $row['post_id'] : false,
while ($row = $db->sql_fetchrow($result))
{
$forum_id = $row['forum_id'];
$topic_id = $row['topic_id'];
'FORUM_TITLE' => $row['forum_name'],
'TOPIC_TITLE' => censor_text($row['topic_title']),
$view_topic_url = "viewtopic.$phpEx$SID&amp;f=$forum_id&amp;t=$topic_id&amp;hilit=$u_hilit";
'U_VIEW_TOPIC' => $view_topic_url,
'U_VIEW_FORUM' => "viewforum.$phpEx$SID&amp;f=$forum_id",
'U_VIEW_POST' => (!empty($row['post_id'])) ? "viewtopic.$phpEx$SID&amp;f=$forum_id&amp;t=" . $row['topic_id'] . '&amp;p=' . $row['post_id'] . '&amp;hilit=' . $u_hilit . '#' . $row['post_id'] : '')
));
if ($show_results == 'topics')
{
$replies = ($auth->acl_get('m_approve', $forum_id)) ? $row['topic_replies_real'] : $row['topic_replies'];
$folder_img = $folder_alt = $topic_type = '';
topic_status($row, $replies, time(), time(), $folder_img, $folder_alt, $topic_type);
$tpl_ary = array(
'TOPIC_AUTHOR' => topic_topic_author($row),
'FIRST_POST_TIME' => $user->format_date($row['topic_time']),
'LAST_POST_TIME' => $user->format_date($row['topic_last_post_time']),
'LAST_VIEW_TIME' => $user->format_date($row['topic_last_view_time']),
'LAST_POST_AUTHOR' => ($row['topic_last_poster_name'] != '') ? $row['topic_last_poster_name'] : $user->lang['GUEST'],
'PAGINATION' => topic_generate_pagination($replies, $view_topic_url),
'REPLIES' => $replies,
'VIEWS' => $row['topic_views'],
'TOPIC_TYPE' => $topic_type,
'LAST_POST_IMG' => $user->img('icon_post_latest', 'VIEW_LATEST_POST'),
'TOPIC_FOLDER_IMG' => $user->img($folder_img, $folder_alt),
'TOPIC_ICON_IMG' => (!empty($icons[$row['icon_id']])) ? $icons[$row['icon_id']]['img'] : '',
'TOPIC_ICON_IMG_WIDTH' => (!empty($icons[$row['icon_id']])) ? $icons[$row['icon_id']]['width'] : '',
'TOPIC_ICON_IMG_HEIGHT' => (!empty($icons[$row['icon_id']])) ? $icons[$row['icon_id']]['height'] : '',
'ATTACH_ICON_IMG' => ($auth->acl_gets('f_download', 'u_download', $forum_id) && $row['topic_attachment']) ? $user->img('icon_attach', $user->lang['TOTAL_ATTACHMENTS']) : '',
'S_TOPIC_TYPE' => $row['topic_type'],
'S_USER_POSTED' => (!empty($row['mark_type'])) ? true : false,
'S_TOPIC_REPORTED' => (!empty($row['topic_reported']) && $auth->acl_gets('m_', $forum_id)) ? true : false,
'S_TOPIC_UNAPPROVED' => (!$row['topic_approved'] && $auth->acl_gets('m_approve', $forum_id)) ? true : false,
'U_LAST_POST' => $view_topic_url . '&amp;p=' . $row['topic_last_post_id'] . '#' . $row['topic_last_post_id'],
'U_LAST_POST_AUTHOR'=> ($row['topic_last_poster_id'] != ANONYMOUS && $row['topic_last_poster_id']) ? "memberlist.$phpEx$SID&amp;mode=viewprofile&amp;u={$row['topic_last_poster_id']}" : '',
'U_MCP_REPORT' => "mcp.$phpEx?sid={$user->session_id}&amp;mode=reports&amp;t=$topic_id",
'U_MCP_QUEUE' => "mcp.$phpEx?sid={$user->session_id}&amp;i=queue&amp;mode=approve_details&amp;t=$topic_id"
);
}
else
{
if ((isset($zebra['foe']) && in_array($row['poster_id'], $zebra['foe'])) && (!$view || $view != 'show' || $post_id != $row['post_id']))
{
$template->assign_block_vars('searchresults', array(
'S_IGNORE_POST' => true,
'L_IGNORE_POST' => sprintf($user->lang['POST_BY_FOE'], $row['username'], "<a href=\"search.$phpEx$SID&amp;search_session_id=$search_session_id&amp;$u_sort_param&amp;p=" . $row['post_id'] . '&amp;view=show#' . $row['post_id'] . '">', '</a>'))
);
continue;
}
if ($row['enable_html'])
{
$row['post_text'] = preg_replace('#(<!\-\- h \-\-><)([\/]?.*?)(><!\-\- h \-\->)#is', "&lt;\\2&gt;", $row['post_text']);
}
$row['post_text'] = censor_text($row['post_text']);
decode_message($row['post_text'], $row['bbcode_uid']);
if ($return_chars)
{
$row['post_text'] = (strlen($row['post_text']) < $return_chars + 3) ? $row['post_text'] : substr($row['post_text'], 0, $return_chars) . '...';
}
if ($hilit)
{
// This was shamelessly 'borrowed' from volker at multiartstudio dot de
// via php.net's annotated manual
$row['post_text'] = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . str_replace('\\', '\\\\', $hilit) . ")\b#i', '<span class=\"posthilit\">\\\\1</span>', '\\0')", '>' . $row['post_text'] . '<'), 1, -1));
}
$row['post_text'] = smiley_text($row['post_text']);
// Replace naughty words such as farty pants
$row['post_subject'] = censor_text($row['post_subject']);
$row['post_text'] = str_replace("\n", '<br />', censor_text($row['post_text']));
$tpl_ary = array(
'POSTER_NAME' => ($row['poster_id'] == ANONYMOUS) ? ((!empty($row['post_username'])) ? $row['post_username'] : $user->lang['GUEST']) : $row['username'],
'POST_SUBJECT' => censor_text($row['post_subject']),
'POST_DATE' => (!empty($row['post_time'])) ? $user->format_date($row['post_time']) : '',
'MESSAGE' => $row['post_text']
);
}
$template->assign_block_vars('searchresults', array_merge($tpl_ary, array(
'FORUM_ID' => $forum_id,
'TOPIC_ID' => $topic_id,
'POST_ID' => ($show_results == 'posts') ? $row['post_id'] : false,
'FORUM_TITLE' => $row['forum_name'],
'TOPIC_TITLE' => censor_text($row['topic_title']),
'U_VIEW_TOPIC' => $view_topic_url,
'U_VIEW_FORUM' => "viewforum.$phpEx$SID&amp;f=$forum_id",
'U_VIEW_POST' => (!empty($row['post_id'])) ? "viewtopic.$phpEx$SID&amp;f=$forum_id&amp;t=" . $row['topic_id'] . '&amp;p=' . $row['post_id'] . '&amp;hilit=' . $u_hilit . '#' . $row['post_id'] : '')
));
}
$db->sql_freeresult($result);
}
else
{
$template->assign_vars(array(
'S_NO_SEARCH_RESULTS' => true)
);
}
$db->sql_freeresult($result);
page_header($user->lang['SEARCH']);