Added a confirmation panel to the "delete news" page, made everything a little

safer.

news_add.php

@@ -3,14 +3,13 @@
 	$need = 'auth';
 	require "parts/preamble.php";	// Load most of document
 
-	$newsText = $_REQUEST['newsText'];
+	$newsText = addSlashes ($_REQUEST['newsText']);
 	$mode = $_REQUEST['mode'];
 	$user = $userInfo['u_displayname'];
 
 	if ($newsText && $mode == "Post") {
 		need ('sql');
 
-		$newsText = addSlashes ($newsText);
 		$query = 'INSERT into news_main (n_date, n_user, n_news) VALUES ('
 				."NOW(), '$user', '$newsText')";
 

news_del.php

@@ -1,12 +1,12 @@
 <?	// Preamble
 	$pageName = "Delete News";
 	$need = 'auth';
-	require "parts/preamble.php";		// Load most of document
+	require 'parts/preamble.php';	// Load most of document
 
-	if (!$userInfo['u_admin'])	// no access from non-admin
+	if (!$userInfo['u_admin'])	// no access from non-admin yet
-		bailout ('<P>You don\'t have access to this page. Bug an admin to delete a news post.</P>');
+		bailout ("<P>You don't have access to this page (yet?). Bug an admin to delete a news post.</P>");
 
-	need ('sql');
+	need ('boxes news sql');
 
 	function convertToHTML ($string)
 	{
@@ -18,67 +18,88 @@
 	function convertFromHTML ($string)
 	{
 		$table = get_html_translation_table (HTML_ENTITIES);
+
 		return strtr ($string, $table);
 	}
 
-	function newsEntry ($array)
+	function newsEntrySummary ($it)
 	{
-		need ('date');
+		need ("date");
 
 		return
 			'<TR>'
-			.'	<TD><A href="news_del.php?newsID=' . $array[n_id] . '">' . $array[n_id] . '</A></TD>'
+			.'	<TD><A href="' . thisURL . '?newsID=' . $it['n_id'] . '">' . $it['n_id'] . '</A></TD>'
-			.'	<TD>' . dateFromSQLDateTime ($array[n_date]) . '</TD>'
+			.'	<TD>' . dateFromSQLDateTime ($it['n_date']) . '</TD>'
-			.'	<TD>' . $array[n_user] . '</TD>'
+			.'	<TD>' . $it['n_user'] . '</TD>'
-			.'	<TD>' . substr (convertFromHTML (stripSlashes ($array[n_news])), 0, 50) . '&#8230;</TD>'
+			.'	<TD>' . substr (convertFromHTML (stripSlashes ($it['n_news'])), 0, 50) . '&#8230;</TD>'
 			.'</TR>';
 	}
 
-	$newsID = $_REQUEST['newsID'];
+	function newsEntryConfirmation ($a)
+	{
+		need ("date");
 
-	if ($conn = mysql_pconnect (sqlHost, sqlRWUser, sqlRWPass)) {
+		$id = $a['n_id'];
-		if ($newsID) {
+
+		newsBoxOpen ();
+		newsBoxTitle ("Confirmation: Delete #$id?", thisURL . "?newsID=$id&confirm=yes");
+		printNewsArray ($a);
+		newsBoxClose ();
+	}
+
+	$newsID = addSlashes ($_REQUEST['newsID']);
+	$confirm = $_REQUEST['confirm'];
+
+	if ($newsID) {
+		if ($confirm) {
 			$query = "DELETE FROM news_main WHERE n_id='$newsID'";
-			if ($result = mysql_db_query (sqlDB, $query, $conn)) {
-				if ($numRows = mysql_affected_rows ($conn)) {
-					echo "<P>News entry $newsID has been deleted successfully.";
-				} else {
-					echo '<P>There was an error in your input. If you don\'t know what it is, I\'m not going to tell you.';
-				}
-			}
-		}
 
-		?>
+			$rows = sqlWriteQuery ($query);
-		<DIV class="newsBox">
+			if ($rows === null) {
-			<DIV class="newsTitle"><H2>Delete News</H2></DIV>
+				echo "<P>Bad mojo, man. I couldn't talk to the SQL server. It said '$sqlError'.</P>";
-			<TABLE width="100%">
+			} elseif ($rows === false) {
-		<?
+				echo "<P>Something bad happened, and MySQL said '$sqlError'. Bug an admin.</P>";
-		$query = 'SELECT n_id, n_date, n_user, n_news FROM news_main'
+			} elseif (!$rows) {
-				.' ORDER BY n_date DESC';
+				echo "<P>News entry $newsID didn't exist.";
-		if ($result = mysql_db_query (sqlDB, $query, $conn)) {
-			if ($numRows = mysql_num_rows ($result)) {?>
-				<TR>
-					<TH align="left">ID</TH>
-					<TH align="left">Date</TH>
-					<TH align="left">User</TH>
-					<TH align="left">Text</TH>
-				</TR><?
-
-				for ($i = 0; $i < $numRows; $i++) {
-					$news[$i] = mysql_fetch_assoc ($result);
-					echo newsEntry ($news[$i]);
-				}
 			} else {
-				echo '<P>No matching news entries.</P>';
+				echo "<P>News entry $newsID has been deleted.";
 			}
 		} else {
-			echo '<P>Somebody screwed up, and MySQL said "' . mysql_error() . '". Bug a project admin or somethin\' eh?</P>';
+			$query = 'SELECT n_id, n_date, n_user, n_news FROM news_main'
+					." WHERE n_id='$newsID'";
+			$entries = sqlReadQuery ($query);
+			if ($entries === null) {
+				echo "<P>Bad mojo, man. I couldn't talk to the SQL server. It said '$sqlError'.</P>";
+			} elseif ($entries === false) {
+				echo "<P>Something bad happened, and MySQL said '$sqlError'. Bug an admin.</P>";
+			} elseif (count ($entries) == 1) {
+				newsEntryConfirmation ($entries[0]);
+			} else {
+				echo "<P>This shouldn't even be possible, but there's more than one news entry with ID '$newsID'!</P>";
+			}
 		}
-		?>
-			</TABLE>
-		</DIV>
-		<?
 	} else {
-		echo '<P>Couldn\'t connect to the SQL server with the password you gave. <STRONG>(&quot;You suck, butthead.&quot;)</STRONG></P>';
+		newsBoxOpen ("All News Postings");
+
+		$query = 'SELECT n_id, n_date, n_user, n_news FROM news_main'
+				.' ORDER BY n_date DESC';
+
+		$entries = sqlReadQuery ($query);
+		if ($entries && is_array ($entries) && count ($entries)) {
+			tableHeader ("100%");
+			?><TR>
+				<TH align="left">ID</TH>
+				<TH align="left">Date</TH>
+				<TH align="left">User</TH>
+				<TH align="left">Text</TH>
+			</TR><?
+			for ($i = 0; $i < count ($entries); $i++) {
+				echo newsEntrySummary ($entries[$i]);
+			}
+			tableFooter ();
+		} else {
+			echo "<P>No news available.";
+		}
+		newsBoxClose ();
 	}
 ?>

news_edit.php

@@ -1,10 +1,10 @@
 <?	// Preamble
 	$pageName = "Edit News";
 	$need = 'auth';
-	require "parts/preamble.php";	// Load most of document
+	require 'parts/preamble.php';	// Load most of document
 
-	if (!$userInfo['u_admin'])	// no access from non-admin
+	if (!$userInfo['u_admin'])	// no access from non-admin yet
-		bailout ('<P>You don\'t have access to this page (yet?). Bug an admin to delete a news post.</P>');
+		bailout ("<P>You don't have access to this page (yet?). Bug an admin to delete a news post.</P>");
 
 	need ('sql');
 
@@ -65,13 +65,12 @@
 
 	need ('boxes sql table');
 
-	$newsID = $_GET['newsID'];
+	$newsID = addSlashes ($_REQUEST['newsID']);
-	$newsText = $_POST['newsText'];
+	$newsText = addSlashes ($_REQUEST['newsText']);
-	$newsUser = $_POST['newsUser'];
+	$newsUser = addSlashes ($_REQUEST['newsUser']);
 
 	if ($newsID) {
 		if ($newsUser && $newsText) {
-			$newsText = addSlashes ($newsText);
 			$query = 'UPDATE news_main SET'
 					." n_user='$newsUser', n_news='$newsText'"
 					." WHERE n_id='$newsID'";

plan_add.php

@@ -7,13 +7,11 @@
 
 	// set up local vars
 	$mode = $_REQUEST['mode'];
-	$planSubj = $_REQUEST['planSubj'];
+	$planSubj = addSlashes ($_REQUEST['planSubj']);
-	$planText = $_REQUEST['planText'];
+	$planText = addSlashes ($_REQUEST['planText']);
 	$user = $userInfo['u_displayname'];
 
 	if ($planText && $planSubj && $mode == "Post") {
-		$planSubj = addSlashes ($planSubj);
-		$planText = addSlashes ($planText);
 		$query = 'INSERT INTO plans (p_date, p_user, p_title, p_plan) VALUES ('
 				."NOW(), '$user', '$planSubj', '$planText')";
 

plan_edit.php

@@ -67,14 +67,13 @@
 
 	need ('boxes sql table');
 
-	$planID = $_GET['planID'];
+	$planID = addSlashes ($_REQUEST['planID']);
-	$planSubj = $_POST['planSubj'];
+	$planSubj = addSlashes ($_REQUEST['planSubj']);
-	$planText = $_POST['planText'];
+	$planText = addSlashes ($_REQUEST['planText']);
-	$planUser = $_POST['planUser'];
+	$planUser = addSlashes ($_REQUEST['planUser']);
 
 	if ($planID) {
 		if ($planSubj && $planText && $planUser) {
-			$planText = addSlashes ($planText);
 			$query = 'UPDATE plans SET'
 					." p_user='$planUser', p_title='$planSubj', p_plan='$planText'"
 					." WHERE p_id='$planID'";