<% @ Language=VBScript %> <% Option Explicit %> <% '**************************************************************************************** '** Copyright Notice '** '** Web Wiz Forums(TM) '** http://www.webwizforums.com '** '** Copyright (C)2001-2008 Web Wiz(TM). All Rights Reserved. '** '** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS UNDER LICENSE FROM 'WEB WIZ'. '** '** IF YOU DO NOT AGREE TO THE LICENSE AGREEMENT THEN 'WEB WIZ' IS UNWILLING TO LICENSE '** THE SOFTWARE TO YOU, AND YOU SHOULD DESTROY ALL COPIES YOU HOLD OF 'WEB WIZ' SOFTWARE '** AND DERIVATIVE WORKS IMMEDIATELY. '** '** If you have not received a copy of the license with this work then a copy of the latest '** license contract can be found at:- '** '** http://www.webwizguide.com/license '** '** For more information about this software and for licensing information please contact '** 'Web Wiz' at the address and website below:- '** '** Web Wiz, Unit 10E, Dawkins Road Industrial Estate, Poole, Dorset, BH15 4JD, England '** http://www.webwizguide.com '** '** Removal or modification of this copyright notice will violate the license contract. '** '**************************************************************************************** '*************************** SOFTWARE AND CODE MODIFICATIONS **************************** '** '** MODIFICATION OF THE FREE EDITIONS OF THIS SOFTWARE IS A VIOLATION OF THE LICENSE '** AGREEMENT AND IS STRICTLY PROHIBITED '** '** If you wish to modify any part of this software a license must be purchased '** '**************************************************************************************** 'Set the response buffer to true as we maybe redirecting Response.Buffer = True 'If in demo mode redirect If blnDemoMode Then Call closeDatabase() Response.Redirect("insufficient_permission.asp?M=DEMO" & strQsSID3) End If 'Dimension variables Dim blnEmailNotify 'Set to true if the users want to be notified by e-mail of a post Dim strMessage 'Holds the Users Message Dim lngMessageID 'Holds the message ID number Dim strMode 'Holds the mode of the page so we know whether we are editing, updating, or new topic Dim lngTopicID 'Holds the topic ID number Dim strSubject 'Holds the subject Dim blnSignature 'Holds wether a signature is to be shown or not Dim intPriority 'Holds the priority of tipics Dim intReturnPageNum 'Holds the page number to return to Dim strReturnCode 'Holds the code if the post is not valid and we need to return to forum without posting Dim strPollQuestion 'Holds the poll question Dim blnMultipleVotes 'Set to true if multiple votes are allowed Dim blnPollReply 'Set to true if users can't reply to a poll Dim saryPollChoice() 'Array to hold the poll choices Dim intPollChoice 'Holds the poll choices loop counter Dim strBadWord 'Holds the bad words Dim strBadWordReplace 'Holds the rplacment word for the bad word Dim lngPollID 'Holds the poll ID number Dim blnForumLocked 'Set to true if the forum is locked Dim blnTopicLocked 'Set to true if the topic is locked Dim strGuestName 'Holds the name of the guest if it is a guest posting Dim lngStartThreadID 'Holds the thread ID of the first post in the topic to use for security checking Dim saryFileUploads 'Holds the names of the files uploaded Dim objFSO 'Holds the file system object Dim intLoop 'Loop counter Dim strTopicIcon 'Holds the topic icon for the message Dim dtmEventDate 'Holds the Calendar event date Dim dtmEventDateEnd 'Holds the Calendar event date 'Initalise variables lngPollID = 0 blnForumLocked = False blnTopicLocked = False 'If the user has not logged in then redirect them to the main forum page If lngLoggedInUserID = 0 OR blnActiveMember = False OR blnBanned Then 'Clean up Call closeDatabase() 'Redirect Response.Redirect("default.asp" & strQsSID1) End If '****************************************** '*** Check IP address *** '****************************************** 'If the user is user is using a banned IP redirect to an error page If bannedIP() Then 'Clean up Call closeDatabase() 'Redirect Response.Redirect("insufficient_permission.asp?M=IP" & strQsSID3) End If '****************************************** '*** Read in form details *** '****************************************** 'Read in user deatils from the post message form strMode = Trim(Mid(Request.Form("mode"), 1, 10)) intForumID = CInt(Request.Form("FID")) lngTopicID = CLng(Request.Form("TID")) strSubject = Trim(Mid(Request.Form("subject"), 1, 50)) strMessage = Request.Form("Message") lngMessageID = CLng(Request.Form("PID")) blnEmailNotify = CBool(Request.Form("email")) blnSignature = CBool(Request.Form("signature")) intPriority = CInt(Request.Form("priority")) strTopicIcon = Request.Form("icon") 'If the user is in a guest then get there name If lngLoggedInUserID = 2 Then strGuestName = Trim(Mid(Request.Form("Gname"), 1, 20)) 'Read in Calendar event date If Request.Form("eventDay") <> 0 AND Request.Form("eventMonth") <> 0 AND Request.Form("eventYear") <> 0 Then dtmEventDate = internationalDateTime(DateSerial(Request.Form("eventYear"), Request.Form("eventMonth"), Request.Form("eventDay"))) End If 'Read in event end date If Request.Form("eventDayEnd") <> 0 AND Request.Form("eventMonthEnd") <> 0 AND Request.Form("eventYearEnd") <> 0 Then dtmEventDateEnd = internationalDateTime(DateSerial(Request.Form("eventYearEnd"), Request.Form("eventMonthEnd"), Request.Form("eventDayEnd"))) 'If the end date is before the start date don't add it to the database If dtmEventDate => dtmEventDateEnd OR dtmEventDate = "" Then dtmEventDateEnd = null End If '****************************************** '*** Get permissions ***** '****************************************** 'Get the forum permissions from the topic being posted in and also check if the topic is locked and who posted the topic strSQL = " " & _ "SELECT" & strDBTop1 & " " & strDbTable & "Forum.Password, " & strDbTable & "Forum.Forum_code, " & strDbTable & "Forum.Locked AS ForumLocked, " & strDbTable & "Forum.Password, " & strDbTable & "Topic.Locked AS TopicLocked, " & strDbTable & "Topic.Poll_ID, " & strDbTable & "Topic.Start_Thread_ID, " & strDbTable & "Permissions.* " & _ "FROM " & strDbTable & "Forum" & strDBNoLock & ", " & strDbTable & "Topic" & strDBNoLock & ", " & strDbTable & "Permissions" & strDBNoLock & " " & _ "WHERE " & strDbTable & "Forum.Forum_ID=" & strDbTable & "Topic.Forum_ID " & _ "AND " & strDbTable & "Forum.Forum_ID = " & strDbTable & "Permissions.Forum_ID " & _ "AND " & strDbTable & "Topic.Topic_ID = " & lngTopicID & " " & _ "AND (" & strDbTable & "Permissions.Author_ID=" & lngLoggedInUserID & " OR " & strDbTable & "Permissions.Group_ID = " & intGroupID & ") " & _ "ORDER BY " & strDbTable & "Permissions.Author_ID DESC" & strDBLimit1 & ";" 'Query the database rsCommon.Open strSQL, adoCon 'Check the forum permissions If NOT rsCommon.EOF Then 'Get forum ID intForumID = CInt(rsCommon("Forum_ID")) 'If this isn't the first post in the topic then it is just a plain edit and NOT a poll or topic subject edit!! If lngMessageID <> CLng(rsCommon("Start_Thread_ID")) Then strMode = "edit" 'Get the POLL ID if there is a poll to be edited If strMode = "editPoll" Then lngPollID = CLng(rsCommon("Poll_ID")) 'See if the topic is locked if this is not the admin If blnAdmin = False Then blnTopicLocked = CBool(rsCommon("TopicLocked")) 'See if the forum is locked if this is not the admin If blnAdmin = False Then blnForumLocked = CBool(rsCommon("ForumLocked")) 'Read in the forum permissions blnRead = CBool(rsCommon("View_Forum")) blnEdit = CBool(rsCommon("Edit_posts")) blnPriority = CBool(rsCommon("Priority_posts")) blnPollCreate = CBool(rsCommon("Poll_create")) blnModerator = CBool(rsCommon("Moderate")) blnEvents = CBool(rsCommon("Calendar_event")) 'If this is a modertor then make sure they have edit rights If blnAdmin OR blnModerator Then blnEdit = true 'If this in not an admin or moderator set the priority to 0 If (blnAdmin = false OR blnModerator = false) AND blnPriority = false Then intPriority = 0 'If the user has no read or edit rights then kick them If blnRead = False OR blnEdit = False Then 'Reset Server Objects rsCommon.Close Call closeDatabase() 'Redirect to a page asking for the user to enter the forum password Response.Redirect("insufficient_permission.asp" & strQsSID1) End If 'If the forum requires a password and a logged in forum code is not found on the users machine then send them to a login page If rsCommon("Password") <> "" AND (getCookie("fID", "Forum" & intForumID) <> rsCommon("Forum_code") AND getSessionItem("Forum" & intForumID) <> rsCommon("Forum_code")) Then 'Reset Server Objects rsCommon.Close Call closeDatabase() 'Redirect to a page asking for the user to enter the forum password Response.Redirect("forum_password_form.asp?FID=" & intForumID & strQsSID3) End If 'If this is the admin or moderator then set the post to be displayed If blnAdmin OR blnModerator Then blnCheckFirst = false End If 'Clean up rsCommon.Close '***************************************************** '*** Redirect if the forum or topic is locked **** '***************************************************** 'If the forum or topic is locked then don't let the user post a message If blnForumLocked OR blnTopicLocked Then 'Clean up Call closeDatabase() 'Redirect to error page If blnForumLocked Then Response.Redirect("not_posted.asp?mode=FLocked" & strQsSID3) Else Response.Redirect("not_posted.asp?mode=TClosed" & strQsSID3) End If End If '****************************************** '*** Get return page details ***** '****************************************** 'If there is no number must be a new post If Request.Form("PN") = "" Then intReturnPageNum = 1 Else intReturnPageNum = CInt(Request.Form("PN")) End If 'calcultae which page the tread is posted on If Request.Form("ThreadPos") <> "" Then 'If the position in the topic is on next page add 1 to the return page number If CInt(Request.Form("ThreadPos")) > (intThreadsPerPage * intReturnPageNum) Then intReturnPageNum = intReturnPageNum + 1 End If End If '******************************************** '*** Clean up and check in form details *** '******************************************** 'If there is no subject or message then don't post the message as won't be able to link to it If strSubject = "" AND (strMode = "editTopic" OR strMode = "poll") Then strReturnCode = "noSubject" If Trim(strMessage) = "" OR Trim(strMessage) = "

 

" OR Trim(strMessage) = "
" OR Trim(strMessage) = "
" & vbCrLf Then strReturnCode = "noSubject" 'Place format posts posted with the WYSIWYG Editor (RTE) If Request.Form("browser") = "RTE" Then 'Call the function to format WYSIWYG posts strMessage = WYSIWYGFormatPost(strMessage) 'Else standrd editor is used so convert forum codes Else 'Call the function to format posts strMessage = FormatPost(strMessage) End If 'If the user wants forum codes enabled then format the post using them If Request.Form("forumCodes") Then strMessage = FormatForumCodes(strMessage) 'Check the message for malicious HTML code strMessage = HTMLsafe(strMessage) 'Get rid of scripting tags in the subject strSubject = removeAllTags(strSubject) 'strSubject = formatInput(strSubject) 'This is manily for XSS and is now done when displayed in the forum for improved searching 'If the user is in a guest then clean up their username to remove malicious code If lngLoggedInUserID = 2 Then strGuestName = formatSQLInput(strGuestName) strGuestName = formatInput(strGuestName) End If 'If topic icons then clean up any input If blnTopicIcon Then 'If the topic icon is not selected don't fill the db with crap and leave field empty If strTopicIcon = strImagePath & "blank_smiley.gif" Then strTopicIcon = "" 'Clean up user input strTopicIcon = formatInput(strTopicIcon) strTopicIcon = removeAllTags(strTopicIcon) End If '******************************************** '*** Read in poll details (if Poll) *** '******************************************** 'If this is a poll then read in the poll details If strMode = "editPoll" AND lngPollID > 0 Then 'Read in poll question and multiple votes strPollQuestion = Trim(Mid(Request.Form("pollQuestion"), 1, 70)) blnMultipleVotes = CBool(Request.Form("multiVote")) blnPollReply = CBool(Request.Form("pollReply")) 'If there is no poll question then there initilise the error variable If strPollQuestion = "" Then strReturnCode = "noPoll" 'Clean up poll question strPollQuestion = removeAllTags(strPollQuestion) 'Loop through and read in the poll question For intPollChoice = 1 To intMaxPollChoices 'ReDimension the array for the correct number of choices 'ReDimensioning arrays is bad for performance but usful in this for what I need it for ReDim Preserve saryPollChoice(intPollChoice) 'Read in the poll choice saryPollChoice(intPollChoice) = Trim(Mid(Request.Form("choice" & intPollChoice), 1, 60)) 'If there is nothing in position 1 and 2 set a return error code If intPollChoice < 2 AND saryPollChoice(intPollChoice) = "" Then strReturnCode = "noPoll" 'Clean up input saryPollChoice(intPollChoice) = removeAllTags(saryPollChoice(intPollChoice)) Next End If '****************************************** '*** Filter Bad Words ***** '****************************************** 'Initalise the SQL string with a query to read in all the words from the smut table strSQL = "SELECT " & strDbTable & "Smut.* " & _ "FROM " & strDbTable & "Smut " & strDBNoLock & ";" 'Open the recordset rsCommon.Open strSQL, adoCon 'Loop through all the words to check for Do While NOT rsCommon.EOF 'Put the bad word into a string for imporoved perfoamnce strBadWord = rsCommon("Smut") strBadWordReplace = rsCommon("Word_replace") 'Replace the swear words with the words in the database the swear words strSubject = Replace(strSubject, strBadWord, strBadWordReplace, 1, -1, 1) strMessage = Replace(strMessage, strBadWord, strBadWordReplace, 1, -1, 1) 'If this is a poll run the poll choices through the bad word filter as well If strMode = "poll" Then 'Clean up the poll question strPollQuestion = Replace(strPollQuestion, strBadWord, strBadWordReplace, 1, -1, 1) 'Loop though and check all the strings in the Poll array For intPollChoice = 1 To UBound(saryPollChoice) saryPollChoice(intPollChoice) = Replace(saryPollChoice(intPollChoice), strBadWord, strBadWordReplace, 1, -1, 1) Next End If 'Move to the next word in the recordset rsCommon.MoveNext Loop 'Reset server varaible rsCommon.Close '********************************************** '*** If input problems send to error page *** '********************************************** 'If there is a return code then this post is not valid so redirect to error page If strReturnCode <> "" Then 'Clean up Call closeDatabase() 'Redirect to error page Response.Redirect("not_posted.asp?mode=" & strReturnCode & strQsSID3) End If '****************************************** '*** Edit Post Update *** '****************************************** 'If we are to show who edit the post and time then contantinet it to the end of the message If blnShowEditUser Then strMessage = strMessage & "" & strLoggedInUsername & "" & internationalDateTime(Now()) & "" End If 'Initalise the strSQL variable with an SQL statement to query the database get the message details strSQL = "SELECT " & strDbTable & "Thread.Thread_ID, " & strDbTable & "Thread.Author_ID, " & strDbTable & "Thread.Message, " & strDbTable & "Thread.Show_signature, " & strDbTable & "Thread.IP_addr, " & strDbTable & "Thread.Hide " & _ "FROM " & strDbTable & "Thread" & strRowLock & " " & _ "WHERE " & strDbTable & "Thread.Thread_ID = " & lngMessageID & ";" 'Set the cursor type property of the record set to Dynamic so we can navigate through the record set rsCommon.CursorType = 2 'Set the Lock Type for the records so that the record set is only locked when it is updated rsCommon.LockType = 3 'Open the author table rsCommon.Open strSQL, adoCon 'Only update the post if this is a moderator, forum admin, or the person who posted If (blnAdmin OR blnModerator) OR (CLng(rsCommon("Author_ID")) = lngLoggedInUserID) Then 'If this is a normal user let 'em know their post needs to be checked first before it is displayed (if hidden) If blnAdmin = false OR blnModerator = false Then blnCheckFirst = CBool(rsCommon("Hide")) 'Enter the updated post into the recordset rsCommon.Fields("Message") = strMessage rsCommon.Fields("Show_signature") = CBool(blnSignature) 'Only update the IP address if this is not the admin If blnAdmin = False Then rsCommon.Fields("IP_addr") = getIP() 'Update the database rsCommon.Update 'Close rs rsCommon.Close 'Else the user does not have permission to edit this post/topic/poll, so kick 'em Else 'Reset Server Objects rsCommon.Close Call closeDatabase() 'Redirect to a page asking for the user to enter the forum password Response.Redirect("insufficient_permission.asp" & strQsSID1) End If '******************************************** '*** Edit Poll *** '******************************************** 'If this is a poll then save the poll to the database If strMode = "editPoll" AND lngPollID > 0 Then '******************************************** '*** Update poll question *** '******************************************** 'Initalise the SQL string with a query to get the poll last poll details to get the poll ID number in next (use nolock as this is a new insert so a dirty read is OK) strSQL = "SELECT " & strDbTable & "Poll.* " & _ "FROM " & strDbTable & "Poll" & strRowLock & " " & _ "WHERE " & strDbTable & "Poll.Poll_ID=" & lngPollID & ";" With rsCommon 'Set the cursor type property of the record set to Dynamic so we can navigate through the record set .CursorType = 2 'Set the Lock Type for the records so that the record set is only locked when it is updated .LockType = 3 'Open the poll table .Open strSQL, adoCon 'Update recordset .Fields("Poll_question") = strPollQuestion .Fields("Multiple_votes") = blnMultipleVotes .Fields("Reply") = blnPollReply 'Update the database with the new poll question .Update 'Clean up .Close End With '******************************************** '*** Update poll choices *** '******************************************** 'Initalise the SQL string with a query to get the choice strSQL = "SELECT " & strDbTable & "PollChoice.Poll_ID, " & strDbTable & "PollChoice.Choice " & _ "FROM " & strDbTable & "PollChoice" & strRowLock & " " & _ "WHERE " & strDbTable & "PollChoice.Poll_ID=" & lngPollID & ";" With rsCommon 'Set the cursor type property of the record set to Dynamic so we can navigate through the record set .CursorType = 2 'Set the Lock Type for the records so that the record set is only locked when it is updated .LockType = 3 'Open the author table .Open strSQL, adoCon intPollChoice = 0 'Add the new poll choices to recordset Do While NOT .EOF 'Move to next poll choice If intPollChoice < UBound(saryPollChoice) Then intPollChoice = intPollChoice + 1 'Update recordset .Fields("Choice") = saryPollChoice(intPollChoice) 'Update the database with the poll choices (bad place to do it but this prevents errors) .Update 'Move to next record .MoveNext Loop 'Clean up .Close End With 'Change the mode to editTopic to save any updated topic subject strMode = "editTopic" End If '****************************************** '*** Edit Topic Update *** '****************************************** 'If the post is the first in the thread then update the topic details If strMode = "editTopic" Then 'Initalise the SQL string with a query to get the Topic details strSQL = "SELECT " & strDbTable & "Topic.Subject, " & strDbTable & "Topic.Icon, " & strDbTable & "Topic.Priority, " & strDbTable & "Topic.Event_date, " & strDbTable & "Topic.Event_date_end " & _ "FROM " & strDbTable & "Topic" & strRowLock & " " & _ "WHERE " & strDbTable & "Topic.Topic_ID=" & lngTopicID & ";" With rsCommon 'Set the cursor type property of the record set to Dynamic so we can navigate through the record set .CursorType = 2 'Set the Lock Type for the records so that the record set is only locked when it is updated .LockType = 3 'Open the author table .Open strSQL, adoCon 'Update the recorset .Fields("Subject") = strSubject If blnTopicIcon Then .Fields("Icon") = strTopicIcon .Fields("Priority") = intPriority 'If Calendar events allowed save If blnCalendar AND blnEvents Then .Fields("Event_date") = dtmEventDate If blnCalendar AND blnEvents Then .Fields("Event_date_end") = dtmEventDateEnd 'Update the database with the new topic details .Update 'Clean up .Close End With End If '********************************************************** '*** Update Email Notify if this is a reply *** '********************************************************** 'Delete or Save email notification for the user, if email notify is enabled If blnEmail = True Then 'Initalise the SQL string with a query to get the email notify details strSQL = "SELECT " & strDbTable & "EmailNotify.* " & _ "FROM " & strDbTable & "EmailNotify" & strRowLock & " " & _ "WHERE " & strDbTable & "EmailNotify.Author_ID=" & lngLoggedInUserID & " " & _ "AND " & strDbTable & "EmailNotify.Topic_ID=" & lngTopicID & ";" With rsCommon 'Set the cursor type property of the record set to Dynamic so we can navigate through the record set .CursorType = 2 'Set the Lock Type for the records so that the record set is only locked when it is updated .LockType = 3 'Query the database .Open strSQL, adoCon 'If the user no-longer wants email notification for this topic then remove the entry form the db If blnEmailNotify = False AND NOT .EOF Then 'Delete the db entry .Delete 'Else if this is a new post and the user wants to be notified add the new entry to the database ElseIf blnEmailNotify = True AND .EOF Then 'Add new rs .AddNew 'Create new entry .Fields("Author_ID") = lngLoggedInUserID .Fields("Topic_ID") = lngTopicID 'Upade db with new rs .Update End If 'Clean up .Close End With End If '****************************************** '*** Clean up objects *** '****************************************** 'Reset Server Objects Call closeDatabase() 'Redirect If blnCheckFirst Then 'Redirect to a page letting the user know their post is check first Response.Redirect("forum_posts.asp?TID=" & lngTopicID & "&PN=" & intReturnPageNum & "&MF=Y" & strQsSID3) Else 'Return to the page showing the posts Response.Redirect("forum_posts.asp?TID=" & lngTopicID & "&PN=" & intReturnPageNum & strQsSID3) End If %>