<% @ Language=VBScript %> <% Option Explicit %> <% '**************************************************************************************** '** Copyright Notice '** '** Web Wiz Guide - Web Wiz Forums '** http://www.webwizforums.com '** '** Copyright 2001-2006 Bruce Corkhill All Rights Reserved. '** '** This program is free software; you can modify (at your own risk) any part of it '** under the terms of the License that accompanies this software and use it both '** privately and commercially. '** '** All copyright notices must remain in tacked in the scripts and the '** outputted HTML. '** '** You may use parts of this program in your own private work, but you may NOT '** redistribute, repackage, or sell the whole or any part of this program even '** if it is modified or reverse engineered in whole or in part without express '** permission from the author. '** '** You may not pass the whole or any part of this application off as your own work. '** '** All links to Web Wiz Guide and powered by logo's must remain unchanged and in place '** and must remain visible when the pages are viewed unless permission is first granted '** by the copyright holder. '** '** This program is distributed in the hope that it will be useful, '** but WITHOUT ANY WARRANTY; without even the implied warranty of '** MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR ANY OTHER '** WARRANTIES WHETHER EXPRESSED OR IMPLIED. '** '** You should have received a copy of the License along with this program; '** if not, write to:- Web Wiz Guide, PO Box 4982, Bournemouth, BH8 8XP, United Kingdom. '** '** '** No official support is available for this program but you may post support questions at: - '** http://www.webwizguide.info/forum '** '** Support questions are NOT answered by e-mail ever! 
'**
'** For correspondence or non support questions contact: -
'**
'** or at: -
'**
'** Web Wiz Guide, Unit 10E, Dawkins Road Industrial Estate, Poole, Dorset, UK, BH15 4JD
'**
'****************************************************************************************

'Buffer the output: every path through this page ends in a Response.Redirect
Response.Buffer = True

'Page variables (Option Explicit is on, so everything used below is declared here)

'Values read from the edit form
Dim strMode             'Page mode; the page compares it with "edit", "editTopic", "editPoll" (and "poll")
Dim intForumID          'Forum ID number
Dim lngTopicID          'Topic ID number
Dim lngMessageID        'ID of the post (thread row) being edited
Dim strSubject          'Topic subject
Dim strMessage          'Message body
Dim blnEmailNotify      'True if the user wants e-mail notification for this topic
Dim blnSignature        'True if the signature is to be shown on the post
Dim intPriority         'Topic priority
Dim strGuestName        'Display name supplied by the guest account
Dim strTopicIcon        'Topic icon path
Dim dtmEventDate        'Calendar event date
Dim strFileUploads      'Semicolon separated list of uploaded file names

'Poll editing
Dim lngPollID, strPollQuestion, blnMultipleVotes, blnPollReply
Dim saryPollChoice()    'Dynamic array of poll choices (index 0 unused)
Dim intPollChoice       'Poll choice loop counter

'Page state and helpers
Dim blnForumLocked, blnTopicLocked
Dim lngStartThreadID    'Thread ID of the first post in the topic (not referenced elsewhere on this page)
Dim intReturnPageNum    'Page number of the topic to return to
Dim strReturnCode       'Error code when the post is rejected; empty means valid
Dim strBadWord, strBadWordReplace
Dim saryFileUploads     'Array of uploaded file names after splitting strFileUploads
Dim objFSO              'Scripting.FileSystemObject instance
Dim intLoop             'Generic loop counter
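'Initalise variables
lngPollID = 0
blnForumLocked = False
blnTopicLocked = False

'******************************************
'*** Access checks                      ***
'******************************************

'Anyone not logged in (user ID 0), inactive or banned goes back to the main forum page.
'(Response.Redirect ends the script, so nothing below runs for them.)
If lngLoggedInUserID = 0 OR blnActiveMember = False OR blnBanned Then
    Call closeDatabase()
    Response.Redirect("default.asp" & strQsSID1)
End If

'Banned IP addresses are sent to the error page
If bannedIP() Then
    Call closeDatabase()
    Response.Redirect("insufficient_permission.asp?M=IP" & strQsSID2)
End If

'******************************************
'*** Read in form details               ***
'******************************************

'Text fields are length-limited; the IDs are cast so a non-numeric value raises a type error
'instead of reaching the SQL built below.
strMode = Trim(Mid(Request.Form("mode"), 1, 10))
intForumID = CInt(Request.Form("FID"))
lngTopicID = CLng(Request.Form("TID"))
strSubject = Trim(Mid(Request.Form("subject"), 1, 50))
strMessage = Request.Form("Message")
lngMessageID = CLng(Request.Form("PID"))
blnEmailNotify = CBool(Request.Form("email"))
blnSignature = CBool(Request.Form("signature"))
intPriority = CInt(Request.Form("priority"))
strFileUploads = Trim(Mid(Request.Form("uploads"), 1, 255))
strTopicIcon = Request.Form("icon")

'The guest account (user ID 2) supplies its own display name
If lngLoggedInUserID = 2 Then strGuestName = Trim(Mid(Request.Form("Gname"), 1, 20))

'Calendar event date, only when all three parts were supplied
If Request.Form("eventDay") <> 0 AND Request.Form("eventMonth") <> 0 AND Request.Form("eventYear") <> 0 Then
    dtmEventDate = internationalDateTime(DateSerial(Request.Form("eventYear"), Request.Form("eventMonth"), Request.Form("eventDay")))
End If

'******************************************
'*** Get permissions                    ***
'******************************************

'Forum password/lock, topic lock/poll/first post and the permission row for this user.
'The ORDER BY puts a per-author row ahead of the group row so the most specific one is read.
'Only numeric values (cast above, or from the session) are concatenated into this statement.
'(Forum.Password is selected twice; harmless, kept as in the original.)
strSQL = " " & _
"SELECT" & strDBTop1 & " " & strDbTable & "Forum.Password, " & strDbTable & "Forum.Forum_code, " & strDbTable & "Forum.Locked AS ForumLocked, " & strDbTable & "Forum.Password, " & strDbTable & "Topic.Locked AS TopicLocked, " & strDbTable & "Topic.Poll_ID, " & strDbTable & "Topic.Start_Thread_ID, " & strDbTable & "Permissions.* " & _
"FROM " & strDbTable & "Forum" & strDBNoLock & ", " & strDbTable & "Topic" & strDBNoLock & ", " & strDbTable & "Permissions" & strDBNoLock & " " & _
"WHERE " & strDbTable & "Forum.Forum_ID=" & strDbTable & "Topic.Forum_ID " & _
"AND " & strDbTable & "Forum.Forum_ID=" & strDbTable & "Permissions.Forum_ID " & _
"AND " & strDbTable & "Topic.Topic_ID = " & lngTopicID & " " & _
"AND (" & strDbTable & "Permissions.Author_ID=" & lngLoggedInUserID & " OR " & strDbTable & "Permissions.Group_ID=" & intGroupID & ") " & _
"ORDER BY " & strDbTable & "Permissions.Author_ID DESC" & strDBLimit1 & ";"

rsCommon.Open strSQL, adoCon

If NOT rsCommon.EOF Then

    'The forum ID comes from the topic row, not from the form
    intForumID = CInt(rsCommon("Forum_ID"))

    'Only the first post of a topic carries the subject and poll; any other post is a plain message edit
    If lngMessageID <> CLng(rsCommon("Start_Thread_ID")) Then strMode = "edit"

    If strMode = "editPoll" Then lngPollID = CLng(rsCommon("Poll_ID"))

    'Admins are not subject to forum or topic locks
    If blnAdmin = False Then blnTopicLocked = CBool(rsCommon("TopicLocked"))
    If blnAdmin = False Then blnForumLocked = CBool(rsCommon("ForumLocked"))

    'Forum permissions for this user
    blnRead = CBool(rsCommon("View_Forum"))
    blnEdit = CBool(rsCommon("Edit_posts"))
    blnPriority = CBool(rsCommon("Priority_posts"))
    blnPollCreate = CBool(rsCommon("Poll_create"))
    blnModerator = CBool(rsCommon("Moderate"))
    blnAttachments = CBool(rsCommon("Attachments"))
    blnImageUpload = CBool(rsCommon("Image_upload"))
    blnEvents = CBool(rsCommon("Calendar_event"))

    'Admins and moderators always have edit rights
    If blnAdmin OR blnModerator Then blnEdit = true

    'NOTE(review): the intent is "not an admin or moderator", but this condition is also true for an
    'admin who is not a moderator (and the reverse); confirm whether
    '`blnAdmin = False AND blnModerator = False` was meant.
    If (blnAdmin = false OR blnModerator = false) AND blnPriority = false Then intPriority = 0

    'No read or edit rights: kick the user
    If blnRead = False OR blnEdit = False Then
        rsCommon.Close
        Call closeDatabase()
        Response.Redirect("insufficient_permission.asp" & strQsSID1)
    End If

    'Password-protected forum: the forum code must be present in the cookie or the session
    If rsCommon("Password") <> "" AND (Request.Cookies(strCookieName)("Forum" & intForumID) <> rsCommon("Forum_code") AND getSessionItem("Forum" & intForumID) <> rsCommon("Forum_code")) Then
        rsCommon.Close
        Call closeDatabase()
        Response.Redirect("forum_password_form.asp?FID=" & intForumID & strQsSID2)
    End If

    'Admin and moderator posts are never held for checking
    If blnAdmin OR blnModerator Then blnCheckFirst = false

Else
    'No topic or no permission row for this user. The original fell through here with the
    'permission flags untouched, so the forum checks above were never applied; treat it as no access.
    rsCommon.Close
    Call closeDatabase()
    Response.Redirect("insufficient_permission.asp" & strQsSID1)
End If

rsCommon.Close

'*****************************************************
'*** Redirect if the forum or topic is locked     ***
'*****************************************************
If blnForumLocked OR blnTopicLocked Then
    Call closeDatabase()
    If blnForumLocked Then
        Response.Redirect("not_posted.asp?mode=FLocked" & strQsSID2)
    Else
        Response.Redirect("not_posted.asp?mode=TClosed" & strQsSID2)
    End If
End If

'******************************************
'*** File and Image Upload              ***
'******************************************

'Move uploaded files out of the temp directory and fix up the links inside the post.
'This runs before the content filters so the file names in the message are not altered first.
If strFileUploads <> "" AND (blnAttachments OR blnImageUpload) Then

    'Strip wildcard and path-separator characters before the list is split and handed to the FSO,
    'so a submitted name cannot make MoveFile/FileExists act on anything but a single file in temp.
    '(The original ran these Replace calls on saryFileUploads, which was still empty here and is
    'overwritten by the Split below, so the stripping never took effect.)
    strFileUploads = Replace(strFileUploads, "*", "", 1, -1, 1)
    strFileUploads = Replace(strFileUploads, "?", "", 1, -1, 1)
    strFileUploads = Replace(strFileUploads, "/", "", 1, -1, 1)
    strFileUploads = Replace(strFileUploads, "\", "", 1, -1, 1)

    saryFileUploads = Split(strFileUploads, ";")

    'Rebuilt below from the files that actually exist, so only real files reach the database
    strFileUploads = ""

    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")

    For intLoop = 0 to UBound(saryFileUploads)
        If objFSO.FileExists(Server.MapPath(strUploadFilePath & "\temp\" & saryFileUploads(intLoop))) Then
            'Move the file out of temp (MoveFile raises an error if the destination already exists)
            objFSO.MoveFile Server.MapPath(strUploadFilePath & "\temp\" & saryFileUploads(intLoop)), Server.MapPath(strUploadFilePath & "\" & saryFileUploads(intLoop))
            'Point the link in the post at the new location
            strMessage = Replace(strMessage, strUploadFilePath & "/temp/" & saryFileUploads(intLoop), strUploadFilePath & "/" & saryFileUploads(intLoop), 1, -1, 1)
            strFileUploads = strFileUploads & saryFileUploads(intLoop) & ";"
        End If
    Next

    Set objFSO = Nothing
End If

'******************************************
'*** Get return page details            ***
'******************************************

'No page number means a new post, so return to page 1
If Request.Form("PN") = "" Then
    intReturnPageNum = 1
Else
    intReturnPageNum = CInt(Request.Form("PN"))
End If

'If the post's position in the topic falls on the next page, return there instead
If Request.Form("ThreadPos") <> "" Then
    If CInt(Request.Form("ThreadPos")) > (intThreadsPerPage * intReturnPageNum) Then
        intReturnPageNum = intReturnPageNum + 1
    End If
End If

'********************************************
'*** Clean up and check in form details  ***
'********************************************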
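'A subject is required whenever the topic details are saved. editPoll falls through into
'editTopic further down and writes the subject, so it is checked here as well; "poll" is
'kept so the original behaviour is unchanged.
If strSubject = "" AND (strMode = "editTopic" OR strMode = "editPoll" OR strMode = "poll") Then strReturnCode = "noSubject"

'Reject an empty message (the same return code is reused for this).
'NOTE(review): the markup inside the literals below was lost when this page was extracted (a
'VBScript string cannot span lines); restore the exact literals from the original source.
If Trim(strMessage) = "" OR Trim(strMessage) = "

 

" OR Trim(strMessage) = "
" OR Trim(strMessage) = "
" & vbCrLf Then strReturnCode = "noSubject"

'Format the post for the editor that produced it
If Request.Form("browser") = "RTE" Then
    strMessage = WYSIWYGFormatPost(strMessage)
Else
    strMessage = FormatPost(strMessage)
End If

If Request.Form("forumCodes") Then strMessage = FormatForumCodes(strMessage)

'Strip malicious HTML from the message and all tags from the subject
strMessage = checkHTML(strMessage)
strSubject = removeAllTags(strSubject)
'strSubject = formatInput(strSubject) 'This is manily for XSS and is now done when displayed in the forum for improved searching

'Guest name is cleaned for SQL and for display
If lngLoggedInUserID = 2 Then
    strGuestName = formatSQLInput(strGuestName)
    strGuestName = formatInput(strGuestName)
End If

If blnTopicIcon Then
    'The placeholder icon means "none", so store an empty field rather than its path
    If strTopicIcon = strImagePath & "topic_icon.gif" Then strTopicIcon = ""
    strTopicIcon = formatInput(strTopicIcon)
    strTopicIcon = removeAllTags(strTopicIcon)
End If

'********************************************
'*** Read in poll details (if Poll)      ***
'********************************************
If strMode = "editPoll" AND lngPollID > 0 Then

    strPollQuestion = Trim(Mid(Request.Form("pollQuestion"), 1, 70))
    blnMultipleVotes = CBool(Request.Form("multiVote"))
    blnPollReply = CBool(Request.Form("pollReply"))

    If strPollQuestion = "" Then strReturnCode = "noPoll"
    strPollQuestion = removeAllTags(strPollQuestion)

    'Size the choices array once instead of ReDim Preserve on every iteration (index 0 is unused)
    ReDim saryPollChoice(intMaxPollChoices)

    For intPollChoice = 1 To intMaxPollChoices
        saryPollChoice(intPollChoice) = Trim(Mid(Request.Form("choice" & intPollChoice), 1, 60))
        'NOTE(review): the original comment says choices 1 and 2 are required, but only choice 1 is checked
        If intPollChoice < 2 AND saryPollChoice(intPollChoice) = "" Then strReturnCode = "noPoll"
        saryPollChoice(intPollChoice) = removeAllTags(saryPollChoice(intPollChoice))
    Next
End If

'******************************************
'*** Filter Bad Words                   ***
'******************************************
strSQL = "SELECT " & strDbTable & "Smut.* " & _
"FROM " & strDbTable & "Smut " & strDBNoLock & ";"

rsCommon.Open strSQL, adoCon

Do While NOT rsCommon.EOF

    strBadWord = rsCommon("Smut")
    strBadWordReplace = rsCommon("Word_replace")

    'Case-insensitive replace (last argument 1 = text compare)
    strSubject = Replace(strSubject, strBadWord, strBadWordReplace, 1, -1, 1)
    strMessage = Replace(strMessage, strBadWord, strBadWordReplace, 1, -1, 1)

    'Poll text goes through the filter too. The guard mirrors the one that read the poll in above:
    'the original tested strMode = "poll", which that read-in never uses, so a real poll edit (mode
    '"editPoll") skipped the filter and a submitted mode of "poll" reached UBound on an array that
    'had never been dimensioned.
    If strMode = "editPoll" AND lngPollID > 0 Then
        strPollQuestion = Replace(strPollQuestion, strBadWord, strBadWordReplace, 1, -1, 1)
        For intPollChoice = 1 To UBound(saryPollChoice)
            saryPollChoice(intPollChoice) = Replace(saryPollChoice(intPollChoice), strBadWord, strBadWordReplace, 1, -1, 1)
        Next
    End If

    rsCommon.MoveNext
Loop

rsCommon.Close

'**********************************************
'*** If input problems send to error page  ***
'**********************************************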
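'A non-empty return code means one of the checks above rejected the post
If strReturnCode <> "" Then
    Call closeDatabase()
    Response.Redirect "not_posted.asp?mode=" & strReturnCode
End If

'******************************************
'*** Edit Post Update                   ***
'******************************************

'Append the editor's name and the edit time to the message when configured to.
'NOTE(review): the markup around the name and date was lost when this page was extracted (the
'empty "" literals); restore it from the original source.
If blnShowEditUser Then
    strMessage = strMessage & "" & strLoggedInUsername & "" & internationalDateTime(Now()) & ""
End If

'Fetch the post being edited (lngMessageID was cast with CLng when read from the form)
strSQL = "SELECT " & strDbTable & "Thread.Thread_ID, " & strDbTable & "Thread.Author_ID, " & strDbTable & "Thread.Message, " & strDbTable & "Thread.Show_signature, " & strDbTable & "Thread.IP_addr, " & strDbTable & "Thread.Hide, " & strDbTable & "Thread.File_uploads " & _
"FROM " & strDbTable & "Thread" & strRowLock & " " & _
"WHERE " & strDbTable & "Thread.Thread_ID=" & lngMessageID & ";"

'Dynamic cursor, optimistic locking: the row is locked only while Update runs
rsCommon.CursorType = 2
rsCommon.LockType = 3

'(A leftover Response.Write(strSQL) debug statement was removed here: it wrote the SQL text,
'including the table prefix and post ID, into the response body.)

rsCommon.Open strSQL, adoCon

'No such post: treat as no permission instead of failing on the field read below.
'(VBScript does not short-circuit, so this cannot be folded into the If that follows.)
If rsCommon.EOF Then
    rsCommon.Close
    Call closeDatabase()
    Response.Redirect("insufficient_permission.asp" & strQsSID1)
End If

'Only a moderator, an admin, or the post's own author may update it.
'NOTE(review): the forum permissions above were looked up by lngTopicID, but the post is selected
'by lngMessageID alone and nothing ties the two together; restricting this query to the topic
'would close that gap.
If (blnAdmin OR blnModerator) OR (CLng(rsCommon("Author_ID")) = lngLoggedInUserID) Then

    'A normal user's post keeps its hidden/check-first state.
    'NOTE(review): as written this also runs for an admin who is not a moderator (and the reverse),
    'which contradicts the earlier "If blnAdmin OR blnModerator Then blnCheckFirst = false";
    'confirm whether AND was intended.
    If blnAdmin = false OR blnModerator = false Then blnCheckFirst = CBool(rsCommon("Hide"))

    rsCommon.Fields("Message") = strMessage
    rsCommon.Fields("Show_signature") = CBool(blnSignature)

    'Admin edits keep the original poster's IP address
    If blnAdmin = False Then rsCommon.Fields("IP_addr") = getIP()

    'New uploads are appended to the existing list
    If strFileUploads <> "" AND (blnAttachments OR blnImageUpload) Then
        rsCommon.Fields("File_uploads") = rsCommon("File_uploads") & strFileUploads
    End If

    rsCommon.Update
    rsCommon.Close

Else
    'Not allowed to edit this post: kick the user
    rsCommon.Close
    Call closeDatabase()
    Response.Redirect("insufficient_permission.asp" & strQsSID1)
End If

'********************************************
'*** Edit Poll                           ***
'********************************************
If strMode = "editPoll" AND lngPollID > 0 Then

    'Update the poll question and settings
    strSQL = "SELECT " & strDbTable & "Poll.* " & _
    "FROM " & strDbTable & "Poll" & strRowLock & " " & _
    "WHERE " & strDbTable & "Poll.Poll_ID=" & lngPollID & ";"

    With rsCommon
        .CursorType = 2
        .LockType = 3
        .Open strSQL, adoCon
        .Fields("Poll_question") = strPollQuestion
        .Fields("Multiple_votes") = blnMultipleVotes
        .Fields("Reply") = blnPollReply
        .Update
        .Close
    End With

    'Update the poll choices: existing rows are overwritten in order with the submitted choices
    strSQL = "SELECT " & strDbTable & "PollChoice.Poll_ID, " & strDbTable & "PollChoice.Choice " & _
    "FROM " & strDbTable & "PollChoice" & strRowLock & " " & _
    "WHERE " & strDbTable & "PollChoice.Poll_ID=" & lngPollID & ";"

    With rsCommon
        .CursorType = 2
        .LockType = 3
        .Open strSQL, adoCon

        intPollChoice = 0

        Do While NOT .EOF
            'Advance through the submitted choices; once they run out the last one is reused
            If intPollChoice < UBound(saryPollChoice) Then intPollChoice = intPollChoice + 1
            .Fields("Choice") = saryPollChoice(intPollChoice)
            'Updated per row, as in the original, to avoid cursor errors
            .Update
            .MoveNext
        Loop

        .Close
    End With

    'Fall through into the topic update so an edited subject is saved as well
    strMode = "editTopic"
End If

'******************************************
'*** Edit Topic Update                  ***
'******************************************
If strMode = "editTopic" Then

    strSQL = "SELECT " & strDbTable & "Topic.Subject, " & strDbTable & "Topic.Icon, " & strDbTable & "Topic.Priority, " & strDbTable & "Topic.Event_date " & _
    "FROM " & strDbTable & "Topic" & strRowLock & " " & _
    "WHERE " & strDbTable & "Topic.Topic_ID=" & lngTopicID & ";"

    With rsCommon
        .CursorType = 2
        .LockType = 3
        .Open strSQL, adoCon
        .Fields("Subject") = strSubject
        If blnTopicIcon Then .Fields("Icon") = strTopicIcon
        .Fields("Priority") = intPriority
        'Event date is saved only when the calendar is on and the user has the event permission
        If blnCalendar AND blnEvents Then .Fields("Event_date") = dtmEventDate
        .Update
        .Close
    End With
End If

'**********************************************************
'*** Update Email Notify                                ***
'**********************************************************
If blnEmail = True Then

    strSQL = "SELECT " & strDbTable & "EmailNotify.* " & _
    "FROM " & strDbTable & "EmailNotify" & strRowLock & " " & _
    "WHERE " & strDbTable & "EmailNotify.Author_ID=" & lngLoggedInUserID & " " & _
    "AND " & strDbTable & "EmailNotify.Topic_ID=" & lngTopicID & ";"

    With rsCommon
        .CursorType = 2
        .LockType = 3
        .Open strSQL, adoCon

        If blnEmailNotify = False AND NOT .EOF Then
            'Notification no longer wanted: remove the entry
            .Delete
        ElseIf blnEmailNotify = True AND .EOF Then
            'Notification wanted and not yet registered: add it
            .AddNew
            .Fields("Author_ID") = lngLoggedInUserID
            .Fields("Topic_ID") = lngTopicID
            .Update
        End If

        .Close
    End With
End If

'******************************************
'*** Clean up objects                   ***
'******************************************
Call closeDatabase()

'Return to the topic; MF=Y tells the page the post is held for checking first
If blnCheckFirst Then
    Response.Redirect("forum_posts.asp?TID=" & lngTopicID & "&PN=" & intReturnPageNum & "&MF=Y" & strQsSID2)
Else
    Response.Redirect("forum_posts.asp?TID=" & lngTopicID & "&PN=" & intReturnPageNum & strQsSID2)
End If
%>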