From 84bd320514c83fc7a478e398182ffd320907fa55 Mon Sep 17 00:00:00 2001
From: Jeff Teunissen
Date: Sun, 18 Mar 2007 09:27:20 +0000
Subject: [PATCH] Added a confirmation panel to the "delete news" page, made everything a little safer.
---
 news_add.php | 3 +-
 news_del.php | 117 +++++++++++++++++++++++++++++---------------------
 news_edit.php | 13 +++---
 plan_add.php | 6 +--
 plan_edit.php | 9 ++--
 5 files changed, 82 insertions(+), 66 deletions(-)
diff --git a/news_add.php b/news_add.php
index 8ece112..d7c86f5 100644
--- a/news_add.php
+++ b/news_add.php
@@ -3,14 +3,13 @@ $need = 'auth';
 require "parts/preamble.php"; // Load most of document
- $newsText = $_REQUEST['newsText'];
+ $newsText = addSlashes ($_REQUEST['newsText']);
 $mode = $_REQUEST['mode'];
 $user = $userInfo['u_displayname'];
 if ($newsText && $mode == "Post") {
 need ('sql');
- $newsText = addSlashes ($newsText);
 $query = 'INSERT into news_main (n_date, n_user, n_news) VALUES (' ."NOW(), '$user', '$newsText')";
diff --git a/news_del.php b/news_del.php
index b0cf082..8035509 100644
--- a/news_del.php
+++ b/news_del.php
@@ -1,12 +1,12 @@ You don\'t have access to this page. Bug an admin to delete a news post.
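Review bot: `$newsText = addSlashes ($_REQUEST['newsText']);` on the added line is not a reliable escape for the value interpolated into the INSERT a few lines below: addslashes() knows nothing about the connection's character set or SQL mode, so moving it earlier does not make the query safe. The old side of news_del.php shows the mysql extension in use, so the string should go through `mysql_real_escape_string()` on the open connection (or a prepared statement), and numeric keys should be cast rather than quoted, e.g. `$newsID = (int) $_REQUEST['newsID'];`. The same pattern is introduced in news_del.php @@ -18,67, news_edit.php @@ -65,13, plan_add.php @@ -7,13 and plan_edit.php @@ -67,14. news_del.php's listing also applies stripSlashes() to values read back from the table, which suggests request data may already arrive escaped (magic_quotes_gpc); applying addSlashes() unconditionally on top would store doubled backslashes, so check `get_magic_quotes_gpc()` before escaping. `$user` from `$userInfo['u_displayname']` is interpolated into the same INSERT without any escaping, though that line is unchanged by this hunk.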

'); + if (!$userInfo['u_admin']) // no access from non-admin yet + bailout ("

You don't have access to this page (yet?). Bug an admin to delete a news post.

"); - need ('sql'); + need ('boxes news sql'); function convertToHTML ($string) { @@ -18,67 +18,88 @@ function convertFromHTML ($string) { $table = get_html_translation_table (HTML_ENTITIES); + return strtr ($string, $table); } - function newsEntry ($array) + function newsEntrySummary ($it) { - need ('date'); + need ("date"); return '' - .' ' . $array[n_id] . '' - .' ' . dateFromSQLDateTime ($array[n_date]) . '' - .' ' . $array[n_user] . '' - .' ' . substr (convertFromHTML (stripSlashes ($array[n_news])), 0, 50) . '…' + .' ' . $it['n_id'] . '' + .' ' . dateFromSQLDateTime ($it['n_date']) . '' + .' ' . $it['n_user'] . '' + .' ' . substr (convertFromHTML (stripSlashes ($it['n_news'])), 0, 50) . '…' .''; } - $newsID = $_REQUEST['newsID']; + function newsEntryConfirmation ($a) + { + need ("date"); - if ($conn = mysql_pconnect (sqlHost, sqlRWUser, sqlRWPass)) { - if ($newsID) { + $id = $a['n_id']; + + newsBoxOpen (); + newsBoxTitle ("Confirmation: Delete #$id?", thisURL . "?newsID=$id&confirm=yes"); + printNewsArray ($a); + newsBoxClose (); + } + + $newsID = addSlashes ($_REQUEST['newsID']); + $confirm = $_REQUEST['confirm']; + + if ($newsID) { + if ($confirm) { $query = "DELETE FROM news_main WHERE n_id='$newsID'"; - if ($result = mysql_db_query (sqlDB, $query, $conn)) { - if ($numRows = mysql_affected_rows ($conn)) { - echo "

News entry $newsID has been deleted successfully."; - } else { - echo '

There was an error in your input. If you don\'t know what it is, I\'m not going to tell you.'; - } - } - } - ?> -

-

Delete News

- - - - - - - - Bad mojo, man. I couldn't talk to the SQL server. It said '$sqlError'.

"; + } elseif ($rows === false) { + echo "

Something bad happened, and MySQL said '$sqlError'. Bug an admin.

"; + } elseif (!$rows) { + echo "

News entry $newsID didn't exist."; } else { - echo '

No matching news entries.

'; + echo "

News entry $newsID has been deleted."; } } else { - echo '

Somebody screwed up, and MySQL said "' . mysql_error() . '". Bug a project admin or somethin\' eh?

'; + $query = 'SELECT n_id, n_date, n_user, n_news FROM news_main' + ." WHERE n_id='$newsID'"; + $entries = sqlReadQuery ($query); + if ($entries === null) { + echo "

Bad mojo, man. I couldn't talk to the SQL server. It said '$sqlError'.

"; + } elseif ($entries === false) { + echo "

Something bad happened, and MySQL said '$sqlError'. Bug an admin.

"; + } elseif (count ($entries) == 1) { + newsEntryConfirmation ($entries[0]); + } else { + echo "

This shouldn't even be possible, but there's more than one news entry with ID '$newsID'!

"; + } } - ?> -
IDDateUserText
-
- Couldn\'t connect to the SQL server with the password you gave. ("You suck, butthead.")

';
+ newsBoxOpen ("All News Postings");
+
+ $query = 'SELECT n_id, n_date, n_user, n_news FROM news_main' .' ORDER BY n_date DESC';
+
+ $entries = sqlReadQuery ($query);
+ if ($entries && is_array ($entries) && count ($entries)) {
+ tableHeader ("100%");
+ ?>
+ ID + Date + User + Text + No news available.";
+ }
+ newsBoxClose ();
 } ?>
\ No newline at end of file
diff --git a/news_edit.php b/news_edit.php
index eca543a..aef72b8 100644
--- a/news_edit.php
+++ b/news_edit.php
@@ -1,10 +1,10 @@ You don\'t have access to this page (yet?). Bug an admin to delete a news post.
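Review bot: The confirmation panel built in `newsEntryConfirmation` drives the deletion through a plain GET link (`thisURL . "?newsID=$id&confirm=yes"`, consumed by `$confirm = $_REQUEST['confirm']`), so the `if ($confirm)` DELETE branch runs on any request carrying those two parameters, including one a browser is led to fetch from another page; a state-changing action should be a POST form carrying a per-session token, and the branch should verify `$_SERVER['REQUEST_METHOD'] === 'POST'` and that token before issuing the DELETE. `$newsID` is also echoed unescaped into the page in the "didn't exist" and "more than one news entry" messages, and addslashes() does nothing for HTML context; `$newsID = (int) $_REQUEST['newsID'];` makes both the SQL literal and the echoed text safe. `$sqlError` is shown to the visitor in four branches; it should be logged server-side and replaced with a generic message. `newsEntrySummary` still emits `$it['n_user']` without `htmlspecialchars()`, and since n_user is written from request data in news_edit.php this is a stored-markup path worth closing in the same change.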

'); + if (!$userInfo['u_admin']) // no access from non-admin yet + bailout ("

You don't have access to this page (yet?). Bug an admin to delete a news post.

");
 need ('sql');
@@ -65,13 +65,12 @@ need ('boxes sql table');
- $newsID = $_GET['newsID'];
- $newsText = $_POST['newsText'];
- $newsUser = $_POST['newsUser'];
+ $newsID = addSlashes ($_REQUEST['newsID']);
+ $newsText = addSlashes ($_REQUEST['newsText']);
+ $newsUser = addSlashes ($_REQUEST['newsUser']);
 if ($newsID) {
 if ($newsUser && $newsText) {
- $newsText = addSlashes ($newsText);
 $query = 'UPDATE news_main SET' ." n_user='$newsUser', n_news='$newsText'" ." WHERE n_id='$newsID'";
diff --git a/plan_add.php b/plan_add.php
index d88a942..9105f2b 100644
--- a/plan_add.php
+++ b/plan_add.php
@@ -7,13 +7,11 @@ // set up local vars
 $mode = $_REQUEST['mode'];
- $planSubj = $_REQUEST['planSubj'];
- $planText = $_REQUEST['planText'];
+ $planSubj = addSlashes ($_REQUEST['planSubj']);
+ $planText = addSlashes ($_REQUEST['planText']);
 $user = $userInfo['u_displayname'];
 if ($planText && $planSubj && $mode == "Post") {
- $planSubj = addSlashes ($planSubj);
- $planText = addSlashes ($planText);
 $query = 'INSERT INTO plans (p_date, p_user, p_title, p_plan) VALUES (' ."NOW(), '$user', '$planSubj', '$planText')";
diff --git a/plan_edit.php b/plan_edit.php
index 5698c56..2bc6d89 100644
--- a/plan_edit.php
+++ b/plan_edit.php
@@ -67,14 +67,13 @@ need ('boxes sql table');
- $planID = $_GET['planID'];
- $planSubj = $_POST['planSubj'];
- $planText = $_POST['planText'];
- $planUser = $_POST['planUser'];
+ $planID = addSlashes ($_REQUEST['planID']);
+ $planSubj = addSlashes ($_REQUEST['planSubj']);
+ $planText = addSlashes ($_REQUEST['planText']);
+ $planUser = addSlashes ($_REQUEST['planUser']);
 if ($planID) {
 if ($planSubj && $planText && $planUser) {
- $planText = addSlashes ($planText);
 $query = 'UPDATE plans SET' ." p_user='$planUser', p_title='$planSubj', p_plan='$planText'" ." WHERE p_id='$planID'";
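Review bot: The reworded bailout message on the added line still says `Bug an admin to delete a news post.`, but this is the edit page; the text looks copied from news_del.php and should read `Bug an admin to edit a news post.` or similar. Apart from that the hunk only swaps the quoting style of the message.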
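Review bot: Replacing `$_POST['newsText']` and `$_POST['newsUser']` with `$_REQUEST` lets the UPDATE a few lines down be triggered from a GET query string, which widens the cross-site request surface of this admin-only page; the previous POST-only reads were the safer choice, so keep `$_POST` for the mutation fields (or require `$_SERVER['REQUEST_METHOD'] === 'POST'` before entering the `if ($newsUser && $newsText)` branch) and add a per-session token to the edit form. The same switch is made in plan_edit.php @@ -67,14 for planSubj, planText and planUser. The enclosing `if ($newsID)` block continues past the end of the hunk.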