You could try taking the Reviews module from the latest RavenNuke distribution and see if that works better. I do recall having to change quite a bit of code in there to get it to work properly as well as to produce XHTML compliant output. I don't recall if it was Reviews, but I remember having to change a couple of modules to use nukeW properly as well as the check_html() function. Some modules were doing some squirrelly things.
This lets normal users use the input tag, but FCKeditor still adds the image code wrong: it should not be an input element, just a simple img.
That looks like the correct image button, though I don't recognize the skin.
Did you upgrade or change the configuration for FCKeditor? I'm not sure how to make it use input tags instead of images, but it doesn't do that by default.
The skin is Office 2003. Here are the index.php of my Reviews module and my fckconfig.js:
<?php
/************************************************************************/
/* PHP-NUKE: Web Portal System */
/* =========================== */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* ===================== */
/* Base on Reviews Addon */
/* Copyright (c) 2000 by Jeff Lambert (jeffx@ican.net) */
/* http://www.qchc.com */
/* More scripts on http://www.jeffx.qchc.com */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
/* Additional security & Abstraction layer conversion */
/* 2003 chatserv */
/* http://www.nukefixes.com -- http://www.nukeresources.com */
/************************************************************************/
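// Direct-access guard: the module is only valid when loaded through PHP-Nuke's modules.php.
// (eregi() no longer exists in PHP 7+; preg_match() is the drop-in equivalent.)
if (!preg_match('/modules\.php/i', $_SERVER['SCRIPT_NAME'])) {
    die ("You can't access this file directly...");
}
// A literal "%25" in the query string is a double-encoded "%", a common way of slipping past
// input filters. Bounce to the front page AND stop: without the die() the rest of the
// module (including the database work) still ran for the rejected request.
if (stristr($_SERVER['QUERY_STRING'], '%25')) {
    header('Location: index.php');
    die();
}
require_once('mainfile.php');
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
$advanced_editor = 1;
// Request parameters arrive as plain globals (mainfile.php's register_globals-style extraction).
// Default every one the dispatcher hands to a function, so no branch reads an undefined variable.
$rop = isset($rop) ? $rop : '';
$page = isset($page) ? $page : '';
$field = isset($field) ? $field : '';
$order = isset($order) ? $order : '';
$date = isset($date) ? $date : '';
$hits = isset($hits) ? $hits : '';
$id = isset($id) ? $id : '';
$xanonpost = isset($xanonpost) ? $xanonpost : '';
$title = isset($title) ? $title : '';
$text = isset($text) ? $text : '';
$reviewer = isset($reviewer) ? $reviewer : '';
$email = isset($email) ? $email : '';
$score = isset($score) ? $score : '';
$cover = isset($cover) ? $cover : '';
$url = isset($url) ? $url : '';
$url_title = isset($url_title) ? $url_title : '';
$rlanguage = isset($rlanguage) ? $rlanguage : '';
$id_del = isset($id_del) ? $id_del : '';
$cid = isset($cid) ? $cid : '';
$uname = isset($uname) ? $uname : '';
$comments = isset($comments) ? $comments : '';
// A single alphanumeric character in rop means "list the reviews starting with this letter".
if (is_string($rop) && strlen($rop) == 1 && ctype_alnum($rop)) {
    // $order is spliced into ORDER BY, so it is reduced to the two SQL keywords or nothing - montego
    $order = strtoupper($order);
    if ($order != '' && $order != 'DESC' && $order != 'ASC') $order = '';
    reviews($rop, $field, $order);
} else {
    // Everything else is an operation name; unknown (or empty) names show the index page.
    switch ($rop) {
        case 'showcontent':
            showcontent($id, $page);
            break;
        case 'write_review':
            write_review();
            break;
        case 'preview_review':
            preview_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage);
            break;
        case 'send_review':
            send_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage);
            break;
        case 'del_review':
            del_review($id_del);
            break;
        case 'mod_review':
            mod_review($id);
            break;
        case 'postcomment':
            postcomment($id, $title);
            break;
        case 'savecomment':
            savecomment($xanonpost, $uname, $id, $score, $comments);
            break;
        case 'del_comment':
            del_comment($cid, $id);
            break;
        default:
            reviews_index();
            break;
    }
}
die();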
/**
 * Echoes a numeric score followed by its star-rating graphic.
 *
 * A score of exactly 10 renders five "star" images. Any other score renders one
 * "blue" image per two points, and an odd score adds a single "bluehalf" image for
 * the remaining point. Nothing is returned; the markup is written straight to the page.
 *
 * @param int|string $score the stored score (callers pass it through intval())
 * @return void
 */
function display_score($score) {
    $blue = '<img src="images/blue.gif" alt="" />';
    $half = '<img src="images/bluehalf.gif" alt="" />';
    $star = '<img src="images/star.gif" alt="" />';
    $out = $score . ' ';
    if ($score == 10) {
        $out .= str_repeat($star, 5);
    } else {
        $isOdd = ($score % 2) != 0;
        // an odd score gives up its half point before being halved into a whole-image count
        $fullCount = $isOdd ? ($score - 1) / 2 : $score / 2;
        $n = 0;
        while ($n < $fullCount) {
            $out .= $blue;
            $n++;
        }
        if ($isOdd) {
            $out .= $half;
        }
    }
    echo $out;
}
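/**
 * Renders the "write a review" form; only registered users get it.
 *
 * Pre-fills the reviewer's name and e-mail from the users table (looked up by $cookie[0]),
 * offers a language drop-down when the site is multilingual (one entry per
 * language/lang-<code>.php file), and lets admins add a cover image and a page break.
 * The form posts to rop=preview_review. Guests only see a "log in first" message.
 * Output is echoed between header.php and footer.php.
 *
 * @return void
 */
function write_review() {
    global $language, $admin, $sitename, $user, $cookie, $prefix, $user_prefix, $currentlang, $multilingual, $db, $module_name;
    include_once('header.php');
    echo "<center><font class=\"title\">"._RWELCOME."</font></center><br /><br />";
    if (is_user($user)) {
        echo '
<table width="95%" align="center" cellpadding="3" cellspacing="3"><tr><td>
<center><a href="reviews.html"><b><u>*חזרה לעמוד הראשי של סיפורי טייסים*</u></b></a></center><br><br><i>' . _ENTERINFO . '</i><br /><br />
<form method="post" action="modules.php?name=' . $module_name . '">
<b>' . _PRODUCTTITLE . ':</b><br />
<input type="text" name="title" size="50" maxlength="150" /><br />';
        if ($multilingual == 1) {
            echo '<br /><b>' . _LANGUAGE . ': </b>'
                . '<select name="rlanguage">';
            // Collect the language codes from the language/lang-<code>.php file names.
            $languages = array();
            $handle = opendir('language');
            if ($handle !== false) {
                // readdir() returns false at the end of the listing; testing the result for
                // truth instead would stop the loop early on an entry literally named "0".
                while (($file = readdir($handle)) !== false) {
                    if (preg_match('/^lang\-(.+)\.php/', $file, $matches)) {
                        $languages[] = $matches[1];
                    }
                }
                closedir($handle);
            }
            foreach ($languages as $langFound) {
                if (!empty($langFound)) {
                    echo '<option value="' . $langFound . '" ';
                    if ($langFound == strtolower($currentlang)) echo 'selected="selected"';
                    echo '>' . $langFound . '</option>' . "\n";
                }
            }
            echo '</select><br /><br />';
        } else {
            echo '<input type="hidden" name="rlanguage" value="' . $language . '" /><br /><br />';
        }
        echo '<b>' . _REVIEW . ':</b><br />';
        // WYSIWYG replacement for the old plain <textarea name="text">.
        wysiwyg_textarea('text', '', 'NukeUser', 60, 18);
        echo '<br />';
        if (is_admin($admin)) {
            echo '<font class="content">' . _PAGEBREAK . '</font><br />';
        }
        echo '
<b>' . _YOURNAME . ':</b><br />';
        // We are already inside is_user(), so the name/e-mail can be pre-filled from the users
        // table; the fields only stay empty when the row is missing.
        $rname = '';
        $email = '';
        $result = $db->sql_query('SELECT username, user_email FROM ' . $user_prefix . '_users WHERE user_id = \'' . intval($cookie[0]) . '\'');
        $row = $db->sql_fetchrow($result);
        if ($row) {
            $rname = check_html($row[0], 'nohtml'); // montego:0000763 - check_html already strips slashes if GPC is on
            $email = check_html($row[1], 'nohtml'); // montego:0000763 - same as above
        }
        echo '<input type="text" name="reviewer" size="41" maxlength="40" value="' . $rname . '" /><br />
<i>' . _FULLNAMEREQ . '</i><br /><br />
<b>' . _REMAIL . ':</b><br />
<input type="text" name="email" size="40" maxlength="80" value="' . $email . '" /><br />
';
        if (is_admin($admin)) {
            echo '<b>' . _RIMAGEFILE . ':</b><br />
<input type="text" name="cover" size="40" maxlength="100" /><br />
<i>' . _RIMAGEFILEREQ . '</i><br /><br />
';
        } else {
            echo '<input type="hidden" name="cover" value="" /><br />';
        }
        echo '<i>' . _CHECKINFO . '</i><br /><br />
<center><input type="hidden" name="rop" value="preview_review" />
<input type="submit" value="' . _PREVIEW . '" /> <input type="button" onclick="history.go(-1)" value="' . _CANCEL . '" /></form></center></td></tr></table>
';
    } else {
        echo "<center><font color=\"red\"><b>חובה להתחבר על מנת לשלוח סיפור. אם אינך משתמש רשום באפשרותך להרשם בחינם <a href=\"account-new_user.html\">כאן.</a></b></font><br><br>";
        echo "<center><a href=\"reviews.html\"><b><u>*חזרה לעמוד הראשי של סיפורי טייסים*</u></b></a></center><br>";
    }
    include_once('footer.php');
}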
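/**
 * Shows the submitted review back to the author for confirmation.
 *
 * Every field is first run through check_html()/intval(), then validated: title, text,
 * reviewer and e-mail are required, the e-mail must look like an address, url and
 * url_title must be given together, and an edit ($id != 0) may not carry negative hits.
 * On success the review is rendered as it will appear and re-posted as hidden fields to
 * rop=send_review; on failure the problems are listed with a "go back" hint.
 * Nothing is returned; output is echoed between header.php and footer.php.
 *
 * @param string $date      YYYY-MM-DD; an empty or malformed value is replaced by today
 * @param string $title
 * @param string $text      review body, HTML kept as far as check_html($text, '') allows
 * @param string $reviewer
 * @param string $email
 * @param mixed  $score     cast to int
 * @param string $cover     cover image file name under images/reviews/
 * @param string $url       related link; "http://" is prepended when the scheme is missing
 * @param string $url_title
 * @param mixed  $hits      cast to int, only meaningful when editing
 * @param mixed  $id        0 for a new review, otherwise the id being edited
 * @param string $rlanguage language code of the review
 * @return void
 */
function preview_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $multilingual, $module_name;
    /*
     * montego:0000763 - the following code had stripslashes. RavenNuke check_html() function
     * already checks for magic quotes being on and does a strip if needed. Therefore,
     * these are unnecessary and potentially even problematic (strips user entered backslashes).
     * Additional note, though, at this writing, check_html will also strip out anything after a < or >.
     * Unfortunately, something for another day... a newer kses is out in July, 2007 which might be
     * worth looking into more.
     */
    $title = check_html($title, 'nohtml');
    $text = check_html($text, '');
    $reviewer = check_html($reviewer, 'nohtml');
    $url_title = check_html($url_title, 'nohtml');
    $email = check_html($email, 'nohtml');
    $score = intval($score);
    $cover = check_html($cover, 'nohtml');
    $url = check_html($url, 'nohtml');
    $rlanguage = check_html($rlanguage, 'nohtml');
    $hits = intval($hits);
    $id = intval($id);
    // The date is echoed into a hidden field and later spliced into SQL by send_review(), so
    // anything that is not a plain YYYY-MM-DD is replaced by today's date (the old code only
    // substituted an empty value and passed everything else through untouched).
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', (string) $date)) {
        $date = date('Y-m-d');
    }
    include_once('header.php');
    echo '<table width="95%" align="center" cellpadding="3" cellspacing="3"><tr><td><form method="post" action="modules.php?name=' . $module_name . '">';
    $error = 0;
    if (empty($title)) {
        $error = 1;
        echo _INVALIDTITLE . '<br />';
    }
    if (empty($text)) {
        $error = 1;
        echo _INVALIDTEXT . '<br />';
    }
    if (($hits < 0) && ($id != 0)) {
        $error = 1;
        echo _INVALIDHITS . '<br />';
    }
    if (empty($reviewer) || empty($email)) {
        $error = 1;
        echo _CHECKNAME . '<br />';
    } elseif (!preg_match('/^[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\.[a-z]{2,}$/i', $email)) {
        // Same shape check as the old eregi() (removed in PHP 7), now as PCRE. The top-level
        // domain used to be limited to 2-3 letters, which rejected valid addresses like .info.
        $error = 1;
        echo _INVALIDEMAIL . '<br />';
    }
    if (($url_title != '' && $url == '') || ($url_title == '' && $url != '')) {
        $error = 1;
        echo _INVALIDLINK . '<br />';
    } elseif ($url != '' && !preg_match('#^https?:/+#i', $url)) {
        // If the user omitted the scheme, prepend it.
        // NOTE(review): urlencode() here also encodes "/" and "?" of the rest of the link;
        // kept as-is because send_review() stores exactly what this form re-posts.
        $url = 'http://' . urlencode($url);
    }
    if ($error == 1) {
        echo '<br />' . _GOBACK;
    } else {
        $year2 = intval(substr($date, 0, 4));
        $month = intval(substr($date, 5, 2));
        $day = intval(substr($date, 8, 2));
        $fdate = date('F jS Y', mktime(0, 0, 0, $month, $day, $year2));
        echo '<p class="title"><i>' . $title . '</i></p><div>';
        if (!empty($cover)) echo '<img src="images/reviews/' . urlencode($cover) . '" border="1" alt="" />';
        echo $text;
        echo '</div><p><b>' . _ADDED . '</b> ' . $fdate . '<br />';
        if ($multilingual == 1) {
            echo '<b>' . _LANGUAGE . '</b> ' . htmlspecialchars($rlanguage) . '<br />';
        }
        echo '<b>' . _REVIEWER . '</b> <a href="mailto:' . $email . '">' . $reviewer . '</a><br />';
        // the href gets the same escaping as the hidden "url" field below; the browser decodes it back
        if (!empty($url)) echo '<br /><b>' . _RELATEDLINK . ':</b> <a href="' . htmlspecialchars($url) . '" target="_blank">' . $url_title . '</a>';
        if ($id != 0) {
            echo '<br /><b>' . _REVIEWID . ':</b> ' . $id . '<br />';
            echo '<b>' . _HITS . ':</b> ' . $hits . '<br />';
        }
        echo '</p>';
        echo '<p><i><b>' . _LOOKSRIGHT . '</b></i></p>';
        /*
         * montego:0000763 - htmlspecialchars ensures the values round-trip through the hidden fields
         * exactly as entered in the form and keeps the markup XHTML compliant. $date is now shape-checked
         * above, and $rlanguage gets the same escaping as the other text fields.
         */
        echo '<input type="hidden" name="id" value="' . $id . '" />
<input type="hidden" name="hits" value="' . $hits . '" />
<input type="hidden" name="rop" value="send_review" />
<input type="hidden" name="date" value="' . $date . '" />
<input type="hidden" name="title" value="' . htmlspecialchars($title) . '" />
<input type="hidden" name="text" value="' . htmlspecialchars($text) . '" />
<input type="hidden" name="reviewer" value="' . htmlspecialchars($reviewer) . '" />
<input type="hidden" name="email" value="' . $email . '" />
<input type="hidden" name="score" value="' . $score . '" />
<input type="hidden" name="url" value="' . htmlspecialchars($url) . '" />
<input type="hidden" name="url_title" value="' . htmlspecialchars($url_title) . '" />
<input type="hidden" name="cover" value="' . htmlspecialchars($cover) . '" />
';
        echo '<input type="hidden" name="rlanguage" value="' . htmlspecialchars($rlanguage) . '" />';
        echo '<input type="submit" value="' . _YES . '" /> <input type="button" onclick="history.go(-1)" value="' . _NO . '" />';
        $word = ($id != 0) ? _RMODIFIED : _RADDED;
        if (is_admin($admin)) echo '<p><b>' . _NOTE . '</b> ' . _ADMINLOGGED . ' ' . $word . '</p>';
    }
    echo '</td></tr></table></form>';
    include_once('footer.php');
}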
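/**
 * Stores a confirmed review (posted back from preview_review()).
 *
 * Admins write straight into <prefix>_reviews (INSERT for a new review, UPDATE when $id != 0);
 * everyone else lands in <prefix>_reviews_add for moderation. Text fields are run through
 * check_html() and addslashes() because they are spliced into SQL strings; $date and
 * $rlanguage now get the same treatment instead of being concatenated in raw.
 * Nothing is returned; a thank-you message is echoed between header.php and footer.php.
 *
 * @param string $date      YYYY-MM-DD; anything else is replaced by today's date
 * @param string $title
 * @param string $text      review body, HTML kept as far as check_html($text, '') allows
 * @param string $reviewer
 * @param string $email
 * @param mixed  $score     cast to int and clamped to 0..10
 * @param string $cover
 * @param string $url
 * @param string $url_title
 * @param mixed  $hits      cast to int; only written on UPDATE
 * @param mixed  $id        0 for a new review, otherwise the id being edited
 * @param string $rlanguage language code of the review
 * @return void
 */
function send_review($date, $title, $text, $reviewer, $email, $score, $cover, $url, $url_title, $hits, $id, $rlanguage) {
    global $admin, $EditedMessage, $prefix, $db, $module_name;
    include_once('header.php');
    /*
     * montego:0000763 - if the captcha in front of this form is ever "broken" by a hacker/spammer, it will be
     * possible to add reviews via this function alone, therefore the input is sanitized here exactly as in
     * preview_review() and never trusted just because it "already went through the preview".
     */
    /*
     * montego:0000763 - the following code had stripslashes. RavenNuke check_html() function
     * already checks for magic quotes being on and does a strip if needed. Therefore,
     * these are unnecessary. In addition, these values are being used in SQL updates
     * therefore, they really should be addslashes(). FixQuotes was removed as well as it is
     * a very poor-man's escape tool.
     *
     * Unfortunately, because check_html() will leave any "&" signs in its entity form of "&amp;"
     * I am not sure what to do with this... I will have to do an entity decode coming out of the db.
     */
    $id = intval($id);
    $title = addslashes(check_html($title, 'nohtml'));
    $text = addslashes(check_html($text, ''));
    $reviewer = check_html($reviewer, 'nohtml'); // montego:0000763 - this one is different as its used within the page
    $url_title = addslashes(check_html($url_title, 'nohtml'));
    $email = addslashes(check_html($email, 'nohtml'));
    $score = intval($score);
    $cover = addslashes(check_html($cover, 'nohtml'));
    $url = addslashes(check_html($url, 'nohtml'));
    $rlanguage = addslashes(check_html($rlanguage, 'nohtml'));
    $hits = intval($hits);
    // The date goes into the SQL string as a literal, so only a plain YYYY-MM-DD is accepted.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', (string) $date)) {
        $date = date('Y-m-d');
    }
    // The two old ereg_replace() "pagebreak" blocks were dropped: one replaced the marker with
    // itself, the other appended a stray ";" to every <!--pagebreak--> that reached the database.
    echo '<br /><center>' . _RTHANKS;
    if ($id != 0) echo ' ' . _MODIFICATION;
    else echo ', ' . $reviewer;
    echo '!<br />';
    if ($score < 0 || $score > 10) {
        $score = 0;
    }
    $reviewer = addslashes($reviewer); // montego:0000763 - now going to be used in a SQL string so need to escape it
    if (is_admin($admin) && $id == 0) {
        $db->sql_query('INSERT INTO ' . $prefix . '_reviews VALUES ' . '(NULL, \'' . $date . '\', \'' . $title . '\', \'' . $text . '\', \'' . $reviewer . '\', \'' . $email . '\', \'' . $score . '\', \'' . $cover . '\', \'' . $url . '\', \'' . $url_title . '\', \'1\', \'' . $rlanguage . '\')');
        echo _ISAVAILABLE;
    } elseif (is_admin($admin)) {
        $db->sql_query('UPDATE ' . $prefix . '_reviews SET ' . 'date=\'' . $date . '\', title=\'' . $title . '\', text=\'' . $text . '\', reviewer=\'' . $reviewer . '\', email=\'' . $email . '\', score=\'' . $score . '\', cover=\'' . $cover . '\', url=\'' . $url . '\', url_title=\'' . $url_title . '\', hits=\'' . $hits . '\', rlanguage=\'' . $rlanguage . '\' where id = \'' . $id . '\'');
        echo _ISAVAILABLE;
    } else {
        // non-admins never write to the live table; their submission waits in _reviews_add
        $db->sql_query('INSERT INTO ' . $prefix . '_reviews_add VALUES ' . '(NULL, \'' . $date . '\', \'' . $title . '\', \'' . $text . '\', \'' . $reviewer . '\', \'' . $email . '\', \'' . $score . '\', \'' . $url . '\', \'' . $url_title . '\', \'' . $rlanguage . '\')');
        echo _EDITORWILLLOOK;
    }
    echo '<br /><br />[ <a href="modules.php?name=' . $module_name . '">' . _RBACK . '</a> ]<br /></center>';
    include_once('footer.php');
}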
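/**
 * Renders the module's front page: intro text, the ten most popular and ten most recent
 * reviews side by side, a table of every story, and the total count.
 *
 * All database access goes through the $db abstraction layer; the "all stories" table used
 * to call mysql_query()/mysql_fetch_row() directly, bypassing it (those functions are also
 * gone in PHP 7+). The top-10 loop now stops when both result sets are exhausted instead of
 * printing empty "id=0" links. Output is echoed between header.php and footer.php.
 *
 * @return void
 */
function reviews_index() {
    global $bgcolor3, $bgcolor2, $prefix, $multilingual, $currentlang, $db, $module_name;
    include ('header.php');
    // $currentlang is site configuration, but it is spliced into SQL, so escape it anyway.
    $querylang = ($multilingual == 1) ? "WHERE rlanguage='" . addslashes($currentlang) . "'" : "";
    OpenTable();
    echo "<table border=\"0\" width=\"95%\" CELLPADDING=\"2\" CELLSPACING=\"4\" align=\"center\">
<tr><td><tr><td colspan=\"2\"><center><font class=\"title\">"._RWELCOME."</font></center>";
    $result = $db->sql_query("select title, description from ".$prefix."_reviews_main");
    $main = $db->sql_fetchrow($result);
    $title = $main ? stripslashes(check_html($main[0], "nohtml")) : '';
    $description = $main ? stripslashes($main[1]) : '';
    echo "<b>$title</b><br><br>$description";
    echo "</td></tr></table>";
    echo "<table border=\"0\" width=\"95%\" CELLPADDING=\"2\" CELLSPACING=\"4\" align=\"center\"><tr><td><a href=\"reviews-new.html\"><img src=\"modules/Reviews/images/writestoy.jpg\" border=\"0\"></a><br><br></td><td align=\"left\"><img src=\"modules/Reviews/images/ss583a.jpg\" border=\"1\"> <img src=\"modules/Reviews/images/454469d5.jpg\" border=\"1\"> <img src=\"modules/Reviews/images/fs92008-03-2513-46-28-70.png\" border=\"1\"> <img src=\"modules/Reviews/images/ScreenShot_1192.jpg\" border=\"1\"><br><br></td></tr></table><table border=\"0\" width=\"95%\" CELLPADDING=\"2\" CELLSPACING=\"4\" align=\"center\"><tr><td width=\"50%\" bgcolor=\"#e1e1e1\"><b><center>"._10MOSTPOP."</center></b></td>";
    echo "<td width=\"50%\" bgcolor=\"#e1e1e1\"><b><center>"._10MOSTREC."</center></b></td></tr>";
    $result_pop = $db->sql_query("SELECT id, title, hits from ".$prefix."_reviews $querylang order by hits DESC limit 10");
    $result_rec = $db->sql_query("SELECT id, title, date, hits from ".$prefix."_reviews $querylang order by date DESC limit 10");
    // One table row per rank: popular on the left, recent on the right. A side whose result set
    // ran out leaves an empty cell; when both are empty the list ends.
    for ($y = 1; $y <= 10; $y++) {
        $popRow = $db->sql_fetchrow($result_pop);
        $recRow = $db->sql_fetchrow($result_rec);
        if (!$popRow && !$recRow) {
            break;
        }
        echo "<tr><td width=\"50%\" bgcolor=\"#eaedf4\">";
        if ($popRow) {
            $id = intval($popRow['id']);
            $title = stripslashes(check_html($popRow['title'], "nohtml"));
            echo "$y) <a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">$title</a>";
        }
        echo "</td><td width=\"50%\" bgcolor=\"#f8f9fa\">";
        if ($recRow) {
            $id = intval($recRow['id']);
            $title = stripslashes(check_html($recRow['title'], "nohtml"));
            echo "$y) <a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">$title</a>";
        }
        echo "</td></tr>";
    }
    echo "<tr><td colspan=\"2\"><br></td></tr>";
    // only the row count is needed here, so fetch a single column instead of every field
    $result2 = $db->sql_query("SELECT id FROM ".$prefix."_reviews $querylang");
    $numresults = $db->sql_numrows($result2);
    echo "</td></tr></table>";
    // Original (Hebrew) note: once this list gets too long, move the code below to a page of its own.
    $result = $db->sql_query("SELECT id, title, date, hits, reviewer FROM ".$prefix."_reviews $querylang order by date");
    echo "<center><u><h3>כל סיפורי הטייסים:</h3></u>";
    echo "<table width=\"95%\" cellpadding=\"2\" cellspacing=\"1\" align=\"center\" style=\"border:1 solid $bgcolor2\">"
        ."<tr height=\"25\">"
        ."<td align=\"center\" bgcolor=\"#e1e1e1\"><b>שם הסיפור</b></td>"
        ."<td align=\"center\" bgcolor=\"#e1e1e1\"><b>כותב</b></td>"
        ."<td align=\"center\" bgcolor=\"#e1e1e1\"><b>נקרא</b></td>"
        ."</tr>";
    // same per-field treatment as the top-10 lists above, so title and reviewer are not echoed raw
    while ($row = $db->sql_fetchrow($result)) {
        $id = intval($row['id']);
        $title = stripslashes(check_html($row['title'], "nohtml"));
        $reviewer = stripslashes(check_html($row['reviewer'], "nohtml"));
        $hits = intval($row['hits']);
        echo "<tr height=\"20\"><td align=\"center\" bgcolor=\"#eaedf4\"><a href=\"reviews-$id.html\"><font color=\"blue\"><b>$title</b></font></a></td><td align=\"center\" bgcolor=\"#f8f9fa\">$reviewer</td><td align=\"center\" bgcolor=\"#eaedf4\">$hits</td></tr>";
    }
    echo "</table><br><br>";
    echo "<table CELLPADDING=\"2\" CELLSPACING=\"4\" align=\"center\" border=\"1\" bordercolor=\"#e1e1e1\"><tr><td bgcolor=\"#f8f9fa\"><center><b>"._THEREARE." $numresults "._REVIEWSINDB."</b></center></td></tr></td></tr></table>";
    CloseTable();
    include ("footer.php");
}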
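/**
 * Lists every review whose title starts with $letter, sortable by title/reviewer/score/hits.
 *
 * $field is matched against a whitelist (anything unknown sorts by title) and $order is
 * reduced to ASC, DESC or nothing before either is spliced into ORDER BY; $letter is cut to
 * one alphanumeric character. The dispatcher already guarantees these, the checks here keep
 * the function safe on its own. Output is echoed between header.php and footer.php.
 *
 * @param string $letter first character of the titles to list
 * @param string $field  'reviewer', 'score', 'hits' or anything else for title
 * @param string $order  'ASC', 'DESC' (any case) or '' for the database default
 * @return void
 */
function reviews($letter, $field, $order) {
    global $bgcolor4, $sitename, $prefix, $multilingual, $currentlang, $db, $module_name;
    include_once('header.php');
    $letter = substr($letter, 0, 1);
    if (!ctype_alnum($letter)) {
        $letter = '';
    }
    $order = strtoupper($order);
    if (!in_array($order, array('ASC', 'DESC'), true)) {
        $order = '';
    }
    // the four near-identical queries of the old switch collapse into one with a whitelisted column name
    $sortField = in_array($field, array('reviewer', 'score', 'hits'), true) ? $field : 'title';
    $querylang = ($multilingual == 1) ? 'AND rlanguage=\'' . addslashes($currentlang) . '\'' : '';
    OpenTable();
    echo '<center><b>' . $sitename . ' ' . _REVIEWS . '</b><br />';
    echo '<i>' . _REVIEWSLETTER . ' ' . $letter . '</i><br /><br /></center>';
    $result = $db->sql_query('SELECT id, title, hits, reviewer, score, email FROM ' . $prefix . '_reviews WHERE UPPER(title) LIKE \'' . $letter . '%\' ' . $querylang . ' ORDER by ' . $sortField . ' ' . $order);
    $numresults = $db->sql_numrows($result);
    if ($numresults == 0) {
        echo '<center><i><b>' . _NOREVIEWS . ' ' . $letter . '</b></i><br /><br /></center>';
    } elseif ($numresults > 0) {
        echo '<table border="0" width="100%" cellpadding="2" cellspacing="4">
<tr>
<td width="50%" bgcolor="' . $bgcolor4 . '" align="left">
<a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=title&order=asc" title="' . _SORTASC . '"><img src="images/up.gif" border="0" width="15" height="9" alt="' . _SORTASC . '" /></a><b> ' . _PRODUCTTITLE . ' </b><a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=title&order=DESC" title="' . _SORTDESC . '"><img src="images/down.gif" border="0" width="15" height="9" alt="' . _SORTDESC . '" /></a>
</td>
<td width="18%" bgcolor="' . $bgcolor4 . '" align="center">
<a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=reviewer&order=asc" title="' . _SORTASC . '"><img src="images/up.gif" border="0" width="15" height="9" alt="' . _SORTASC . '" /></a><b> ' . _REVIEWER . ' </b><a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=reviewer&order=desc" title="' . _SORTDESC . '"><img src="images/down.gif" border="0" width="15" height="9" alt="' . _SORTDESC . '" /></a>
</td>
<td width="18%" bgcolor="' . $bgcolor4 . '" align="center">
<a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=score&order=asc" title="' . _SORTASC . '"><img src="images/up.gif" border="0" width="15" height="9" alt="' . _SORTASC . '" /></a><b> ' . _SCORE . ' </b><a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=score&order=DESC" title="' . _SORTDESC . '"><img src="images/down.gif" border="0" width="15" height="9" alt="' . _SORTDESC . '" /></a>
</td>
<td width="14%" bgcolor="' . $bgcolor4 . '" align="center">
<a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=hits&order=asc" title="' . _SORTASC . '"><img src="images/up.gif" border="0" width="15" height="9" alt="' . _SORTASC . '" /></a><b> ' . _HITS . ' </b><a href="modules.php?name=' . $module_name . '&rop=' . $letter . '&field=hits&order=DESC" title="' . _SORTDESC . '"><img src="images/down.gif" border="0" width="15" height="9" alt="' . _SORTDESC . '" /></a>
</td>
</tr>';
        /*
         * montego:0000763 - check_html was already done prior to adding to the DB and will end up stripping slashes again!
         * check_html() is really not necessary coming out of the DB. If SQL injection is possible from another poorly coded
         * module, then there will be much bigger problems than doing no checks here!
         */
        while ($myrow = $db->sql_fetchrow($result)) {
            $title = $myrow['title'];
            $id = intval($myrow['id']);
            $reviewer = $myrow['reviewer'];
            $email = $myrow['email'];
            $score = intval($myrow['score']);
            $hits = intval($myrow['hits']);
            echo '<tr>
<td width="50%" bgcolor="' . $bgcolor4 . '"><a href="modules.php?name=' . $module_name . '&rop=showcontent&id=' . $id . '">' . $title . '</a></td>
<td width="18%" bgcolor="' . $bgcolor4 . '">';
            if (!empty($reviewer)) echo '<center>' . $reviewer . '</center>';
            echo '</td><td width="18%" bgcolor="' . $bgcolor4 . '" align="center">';
            display_score($score);
            echo '</td><td width="14%" bgcolor="' . $bgcolor4 . '" align="center">' . $hits . '</td>
</tr>';
        }
        echo '</table>';
        echo '<br />' . $numresults . ' ' . _TOTALREVIEWS . '<br /><br />';
    }
    echo '<center>[ <a href="modules.php?name=' . $module_name . '">' . _RETURN2MAIN . '</a> ]</center>';
    CloseTable();
    include_once('footer.php');
}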
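/**
 * Renders the "post a comment" form for a review; guests only see a "log in first" message.
 *
 * The form carries the reviewer's nickname ($cookie[1]) and the review id as hidden fields
 * and posts to rop=savecomment. Attribute values are now quoted and escaped, and $id is cast
 * to int; the old markup wrote the nickname and id into unquoted attributes. The form element
 * is only opened for logged-in users, so guests no longer get an unclosed <form>.
 *
 * @param mixed  $id    the review being commented on (cast to int)
 * @param string $title accepted for interface compatibility; it is not rendered
 * @return void
 */
function postcomment($id, $title) {
    global $user, $cookie, $AllowableHTML, $anonymous, $module_name;
    cookiedecode($user);
    $id = intval($id);
    OpenTable();
    if (!is_user($user)) {
        echo "<center><font color=\"red\"><b>חובה להתחבר על מנת להגיב ולדרג. אם אינך משתמש רשום באפשרותך להרשם בחינם <a href=\"account-new_user.html\">כאן.</a></b></font><br><br></center>";
    } else {
        $uname = htmlspecialchars($cookie[1]);
        echo "<form action=\"modules.php?name=$module_name\" method=\"post\">";
        echo "<center><font class=\"title\"><b>"._YOURNICK."</font> $uname</b><br>";
        echo "
<input type=\"hidden\" name=\"uname\" value=\"$uname\">
<input type=\"hidden\" name=\"id\" value=\"$id\">
<font class=\"title\">"._YOURCOMMENT."</font><br>
<textarea name=\"comments\" rows=\"1\" cols=\"100\"></textarea><br>";
        echo "
<input type=\"hidden\" name=\"rop\" value=\"savecomment\">
<input type=\"submit\" value=\"שלח תגובה\">
</form></center>
";
    }
    CloseTable();
}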
/*
* FCKeditor - The text editor for internet
* Copyright (C) 2003-2006 Frederico Caldeira Knabben
*
* Licensed under the terms of the GNU Lesser General Public License:
* http://www.opensource.org/licenses/lgpl-license.php
*
* For further information visit:
* http://www.fckeditor.net/
*
* "Support Open Source software. What about a donation today?"
*
* File Name: fckconfig.js
* Editor configuration settings.
*
* Follow this link for more information:
* http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Configurations_Settings
*
* File Authors:
* Frederico Caldeira Knabben (fredck@fckeditor.net)
*/