Added a confirmation panel to the "delete news" page, made everything a little

safer.
This commit is contained in:
Jeff Teunissen 2007-03-18 09:27:20 +00:00
parent a0a47c2b2c
commit 84bd320514
5 changed files with 82 additions and 66 deletions

View file

@ -3,14 +3,13 @@
$need = 'auth'; $need = 'auth';
require "parts/preamble.php"; // Load most of document require "parts/preamble.php"; // Load most of document
$newsText = $_REQUEST['newsText']; $newsText = addSlashes ($_REQUEST['newsText']);
$mode = $_REQUEST['mode']; $mode = $_REQUEST['mode'];
$user = $userInfo['u_displayname']; $user = $userInfo['u_displayname'];
if ($newsText && $mode == "Post") { if ($newsText && $mode == "Post") {
need ('sql'); need ('sql');
$newsText = addSlashes ($newsText);
$query = 'INSERT into news_main (n_date, n_user, n_news) VALUES (' $query = 'INSERT into news_main (n_date, n_user, n_news) VALUES ('
."NOW(), '$user', '$newsText')"; ."NOW(), '$user', '$newsText')";

View file

@ -1,12 +1,12 @@
<? // Preamble <? // Preamble
$pageName = "Delete News"; $pageName = "Delete News";
$need = 'auth'; $need = 'auth';
require "parts/preamble.php"; // Load most of document require 'parts/preamble.php'; // Load most of document
if (!$userInfo['u_admin']) // no access from non-admin if (!$userInfo['u_admin']) // no access from non-admin yet
bailout ('<P>You don\'t have access to this page. Bug an admin to delete a news post.</P>'); bailout ("<P>You don't have access to this page (yet?). Bug an admin to delete a news post.</P>");
need ('sql'); need ('boxes news sql');
function convertToHTML ($string) function convertToHTML ($string)
{ {
@ -18,67 +18,88 @@
function convertFromHTML ($string) function convertFromHTML ($string)
{ {
$table = get_html_translation_table (HTML_ENTITIES); $table = get_html_translation_table (HTML_ENTITIES);
return strtr ($string, $table); return strtr ($string, $table);
} }
function newsEntry ($array) function newsEntrySummary ($it)
{ {
need ('date'); need ("date");
return return
'<TR>' '<TR>'
.' <TD><A href="news_del.php?newsID=' . $array[n_id] . '">' . $array[n_id] . '</A></TD>' .' <TD><A href="' . thisURL . '?newsID=' . $it['n_id'] . '">' . $it['n_id'] . '</A></TD>'
.' <TD>' . dateFromSQLDateTime ($array[n_date]) . '</TD>' .' <TD>' . dateFromSQLDateTime ($it['n_date']) . '</TD>'
.' <TD>' . $array[n_user] . '</TD>' .' <TD>' . $it['n_user'] . '</TD>'
.' <TD>' . substr (convertFromHTML (stripSlashes ($array[n_news])), 0, 50) . '&#8230;</TD>' .' <TD>' . substr (convertFromHTML (stripSlashes ($it['n_news'])), 0, 50) . '&#8230;</TD>'
.'</TR>'; .'</TR>';
} }
$newsID = $_REQUEST['newsID']; function newsEntryConfirmation ($a)
{
need ("date");
$id = $a['n_id'];
newsBoxOpen ();
newsBoxTitle ("Confirmation: Delete #$id?", thisURL . "?newsID=$id&confirm=yes");
printNewsArray ($a);
newsBoxClose ();
}
$newsID = addSlashes ($_REQUEST['newsID']);
$confirm = $_REQUEST['confirm'];
if ($conn = mysql_pconnect (sqlHost, sqlRWUser, sqlRWPass)) {
if ($newsID) { if ($newsID) {
if ($confirm) {
$query = "DELETE FROM news_main WHERE n_id='$newsID'"; $query = "DELETE FROM news_main WHERE n_id='$newsID'";
if ($result = mysql_db_query (sqlDB, $query, $conn)) {
if ($numRows = mysql_affected_rows ($conn)) {
echo "<P>News entry $newsID has been deleted successfully.";
} else {
echo '<P>There was an error in your input. If you don\'t know what it is, I\'m not going to tell you.';
}
}
}
?> $rows = sqlWriteQuery ($query);
<DIV class="newsBox"> if ($rows === null) {
<DIV class="newsTitle"><H2>Delete News</H2></DIV> echo "<P>Bad mojo, man. I couldn't talk to the SQL server. It said '$sqlError'.</P>";
<TABLE width="100%"> } elseif ($rows === false) {
<? echo "<P>Something bad happened, and MySQL said '$sqlError'. Bug an admin.</P>";
} elseif (!$rows) {
echo "<P>News entry $newsID didn't exist.";
} else {
echo "<P>News entry $newsID has been deleted.";
}
} else {
$query = 'SELECT n_id, n_date, n_user, n_news FROM news_main'
." WHERE n_id='$newsID'";
$entries = sqlReadQuery ($query);
if ($entries === null) {
echo "<P>Bad mojo, man. I couldn't talk to the SQL server. It said '$sqlError'.</P>";
} elseif ($entries === false) {
echo "<P>Something bad happened, and MySQL said '$sqlError'. Bug an admin.</P>";
} elseif (count ($entries) == 1) {
newsEntryConfirmation ($entries[0]);
} else {
echo "<P>This shouldn't even be possible, but there's more than one news entry with ID '$newsID'!</P>";
}
}
} else {
newsBoxOpen ("All News Postings");
$query = 'SELECT n_id, n_date, n_user, n_news FROM news_main' $query = 'SELECT n_id, n_date, n_user, n_news FROM news_main'
.' ORDER BY n_date DESC'; .' ORDER BY n_date DESC';
if ($result = mysql_db_query (sqlDB, $query, $conn)) {
if ($numRows = mysql_num_rows ($result)) {?> $entries = sqlReadQuery ($query);
<TR> if ($entries && is_array ($entries) && count ($entries)) {
tableHeader ("100%");
?><TR>
<TH align="left">ID</TH> <TH align="left">ID</TH>
<TH align="left">Date</TH> <TH align="left">Date</TH>
<TH align="left">User</TH> <TH align="left">User</TH>
<TH align="left">Text</TH> <TH align="left">Text</TH>
</TR><? </TR><?
for ($i = 0; $i < count ($entries); $i++) {
for ($i = 0; $i < $numRows; $i++) { echo newsEntrySummary ($entries[$i]);
$news[$i] = mysql_fetch_assoc ($result);
echo newsEntry ($news[$i]);
} }
tableFooter ();
} else { } else {
echo '<P>No matching news entries.</P>'; echo "<P>No news available.";
} }
} else { newsBoxClose ();
echo '<P>Somebody screwed up, and MySQL said "' . mysql_error() . '". Bug a project admin or somethin\' eh?</P>';
}
?>
</TABLE>
</DIV>
<?
} else {
echo '<P>Couldn\'t connect to the SQL server with the password you gave. <STRONG>(&quot;You suck, butthead.&quot;)</STRONG></P>';
} }
?> ?>

View file

@ -1,10 +1,10 @@
<? // Preamble <? // Preamble
$pageName = "Edit News"; $pageName = "Edit News";
$need = 'auth'; $need = 'auth';
require "parts/preamble.php"; // Load most of document require 'parts/preamble.php'; // Load most of document
if (!$userInfo['u_admin']) // no access from non-admin if (!$userInfo['u_admin']) // no access from non-admin yet
bailout ('<P>You don\'t have access to this page (yet?). Bug an admin to delete a news post.</P>'); bailout ("<P>You don't have access to this page (yet?). Bug an admin to delete a news post.</P>");
need ('sql'); need ('sql');
@ -65,13 +65,12 @@
need ('boxes sql table'); need ('boxes sql table');
$newsID = $_GET['newsID']; $newsID = addSlashes ($_REQUEST['newsID']);
$newsText = $_POST['newsText']; $newsText = addSlashes ($_REQUEST['newsText']);
$newsUser = $_POST['newsUser']; $newsUser = addSlashes ($_REQUEST['newsUser']);
if ($newsID) { if ($newsID) {
if ($newsUser && $newsText) { if ($newsUser && $newsText) {
$newsText = addSlashes ($newsText);
$query = 'UPDATE news_main SET' $query = 'UPDATE news_main SET'
." n_user='$newsUser', n_news='$newsText'" ." n_user='$newsUser', n_news='$newsText'"
." WHERE n_id='$newsID'"; ." WHERE n_id='$newsID'";

View file

@ -7,13 +7,11 @@
// set up local vars // set up local vars
$mode = $_REQUEST['mode']; $mode = $_REQUEST['mode'];
$planSubj = $_REQUEST['planSubj']; $planSubj = addSlashes ($_REQUEST['planSubj']);
$planText = $_REQUEST['planText']; $planText = addSlashes ($_REQUEST['planText']);
$user = $userInfo['u_displayname']; $user = $userInfo['u_displayname'];
if ($planText && $planSubj && $mode == "Post") { if ($planText && $planSubj && $mode == "Post") {
$planSubj = addSlashes ($planSubj);
$planText = addSlashes ($planText);
$query = 'INSERT INTO plans (p_date, p_user, p_title, p_plan) VALUES (' $query = 'INSERT INTO plans (p_date, p_user, p_title, p_plan) VALUES ('
."NOW(), '$user', '$planSubj', '$planText')"; ."NOW(), '$user', '$planSubj', '$planText')";

View file

@ -67,14 +67,13 @@
need ('boxes sql table'); need ('boxes sql table');
$planID = $_GET['planID']; $planID = addSlashes ($_REQUEST['planID']);
$planSubj = $_POST['planSubj']; $planSubj = addSlashes ($_REQUEST['planSubj']);
$planText = $_POST['planText']; $planText = addSlashes ($_REQUEST['planText']);
$planUser = $_POST['planUser']; $planUser = addSlashes ($_REQUEST['planUser']);
if ($planID) { if ($planID) {
if ($planSubj && $planText && $planUser) { if ($planSubj && $planText && $planUser) {
$planText = addSlashes ($planText);
$query = 'UPDATE plans SET' $query = 'UPDATE plans SET'
." p_user='$planUser', p_title='$planSubj', p_plan='$planText'" ." p_user='$planUser', p_title='$planSubj', p_plan='$planText'"
." WHERE p_id='$planID'"; ." WHERE p_id='$planID'";