'; # $UpdateAttrs are the attributes we allow in output tags SDV($UpdateAttrs, array('name', 'value', 'id', 'class', 'rows', 'cols', 'size', 'maxlength', 'action', 'method', 'accesskey', 'checked', 'disabled', 'readonly', 'enctype', 'tabindex', 'onKeyDown')); # Set up formatting for text, submit, hidden, radio, etc. types foreach(array('text', 'submit', 'hidden', 'password', 'radio', 'checkbox', 'reset', 'file') as $t) SDV($UpdateTags[$t][':html'], ""); # (:update form:) SDVA($UpdateTags['form'], array( ':args' => array('action', 'method', 'table', 'fields', 'required', 'where', 'tabindex'), ':html' => "
", 'action' => ($EnablePathInfo ? $ScriptUrl.'/'.$pagename : $ScriptUrl.'?n='.$pagename), 'method' => 'post')); # (:update end:) SDV($UpdateTags['end'][':html'], '
'); # (:update textarea:) SDVA($UpdateTags['textarea'], array( ':html' => "")); # (:update select:) SDVA($UpdateTags['select'], array( ':args' => array('name', 'size', 'multiple', 'value', 'label', 'from', 'where', 'order', 'tabindex'), ':html' => "\n")); Markup('update', 'fulltext', '/\\(:update\\s+(\\w+)(.*?):\\)/ei', "UpdateMarkup(\$pagename, '$1', PSS('$2'))"); if (!function_exists('quote_smart')) { function quote_smart($value) { //such a useful function -- wish I remembered who wrote it if (get_magic_quotes_gpc()) {$value = stripslashes($value);} if (!is_numeric($value)) {$value = "'" . mysql_real_escape_string($value) . "'";} return $value; } } //define username depending on whether we're using UserAuth or AuthUser $UpdateUsername = (defined('USER_AUTH_VERSION') ? $_SESSION['username'] : $_SESSION['authid'][0]); SDVA($SQdata,$_REQUEST); function UpdateMarkup($pagename, $type, $args) { global $UpdateTags, $UpdateAttrs, $InputValues, $FmtV, $UpdateFields, $UpdateUserID, $UpdateUsername, $Author, $UpdateDependencies, $UpdateTabIndex, $SQdata; //this preprocessing is the same as in the InputMarkup function; only the names have been changed if (!@$UpdateTags[$type]) return "(:update $type $args:)"; $opt = array_merge($UpdateTags[$type], ParseArgs($args)); $args = @$opt[':args']; if (!$args) $args = array('name', 'value'); while (count(@$opt['']) > 0 && count($args) > 0) $opt[array_shift($args)] = array_shift($opt['']); if ($type == 'form') { //$out .= print_r($_POST,true); // Connect to Database $dblink = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die("Could not connect : " . mysql_error()); mysql_select_db(DB_NAME,$dblink) or die("Could not select database: ".mysql_error()); if (count($_POST)>0) { // Check for required fields $missing=0; foreach (explode(',',$opt['required']) as $req) { if (($req > '') and ($_POST[$req]=='')) $missing++; } if ($missing==0) { // process form $success = 0; $timestamp = date('Y-m-d H:i:s'); foreach (explode(',',$opt['where']) as $req) { if (!$_POST[$req]) $missing++; } if ($missing==0) { //we've got all the information we need unset ($where); unset ($dependencies); foreach (explode(',',$opt['where']) as $wherefield) { $where[] = $wherefield." = ".quote_smart($_POST[$wherefield]); //prepare to delete dependent entries, if necessary foreach (explode(',',$UpdateDependencies[$opt['table'].".$wherefield"]) as $dep) { list($deptable,$depfield) = explode('.',$dep); $dependencies[] = "DELETE FROM $deptable WHERE $depfield = ".quote_smart($_POST[$wherefield]); } } if ($_POST[$opt['delete']]) { //delete an existing entry $query = "DELETE FROM ".$opt['table']." WHERE ".implode(' AND ',$where); //$out.= "

$query

"; if (mysql_query($query)) { foreach ($dependencies as $dep) mysql_query($dep); $success = 1; $out.= "

Successfully deleted this record and its dependencies.

"; } else { $out.= "

Unable to delete this record.

$query

" . mysql_error()."

"; } } else { // update an existing entry $query = "UPDATE ".$opt['table']." SET "; foreach (explode(',',$opt['fields']) as $field) { if ((strpos(",".$opt['null'].",",",".$field.",") !== false) AND ($_POST[$field]=='')) { $query .= "`$field` = NULL, "; } else { $query .= "`$field` = ".quote_smart($_POST[$field]).", "; } } if ($opt['timestamp']>'') $query .= $opt['timestamp']." = '$timestamp'"; $query = rtrim($query, ', ')." WHERE ".implode(' AND ',$where); //$out.= "

$query

"; if (mysql_query($query)) { $success = 1; $out.= "

Successfully made your changes.

"; } else { $out.= "

Unable to make your changes.

$query

" . mysql_error()."

"; } } } else { // insert new entry $queryA = "INSERT INTO ".$opt['table']." ("; $queryB = ") VALUES ("; foreach (explode(',',$opt['fields']) as $field) { //is the field listed as having a default? If not, include it. if ((strpos(",".$opt['default'].",",",".$field.",") === false) OR ($_POST[$field])) { $queryA .= "`$field`,"; //if this is the UserID field and no value is given, use the UserID $queryB .= quote_smart(((in_array($UpdateUserID,explode(',',$opt['where'])) and ($field==$UpdateUserID) and (!$_POST[$field])) ? $UpdateUsername : $_POST[$field])).","; } } if ($opt['timestamp']>'') { $queryA .= $opt['timestamp']; $queryB .= "'$timestamp'"; } $query = rtrim($queryA, ',').rtrim($queryB, ',').")"; if (mysql_query($query)) { $success=1; $out.= "

Successfully added this information to the database.

"; $wherevalue = mysql_insert_id(); } else { $out.= "

Unable to add this information to the database.

$query

" . mysql_error()."

"; } } } else { //missing values $out .= "

Please fill in all required fields.

\n"; $UpdateFields = array(); $UpdateFields += $_POST; } } //endif $_POST if (($success == 1) and (isset($opt['redirect']))) { //redirect to specified page Redirect($opt['redirect']); } else { // Get existing info from database, if any unset ($where); foreach (explode(',',$opt['where']) as $wherefield) { if ($wherefield == $UpdateUserID) { // It's not "any kind of query," Sark. It's a *User* query. $where[] = $UpdateUserID." = ".quote_smart($UpdateUsername); } else { $where[] = $wherefield." = ".quote_smart($_REQUEST[$wherefield] ? $_REQUEST[$wherefield] : $wherevalue); SDV($SQdata[$wherefield],($_REQUEST[$wherefield] ? $_REQUEST[$wherefield] : $wherevalue)); } } if ((isset($opt['table'])) and (isset($opt['fields'])) and (isset($where))) { $query = "SELECT " . $opt['fields'] . " FROM " . $opt['table'] . " WHERE " . implode(" AND ",$where); //$out.="$query"; $UpdateFields = @mysql_fetch_assoc(mysql_query($query)); SDVA($UpdateFields,$_POST); if (defined($UpdateFields)) SDVA($SQdata,$UpdateFields); } } mysql_close(); //end of $type = 'form' //a little bit of magic to create drop-down menus from a query! } elseif (($type=='select') and (isset($opt['from']))) { //if value and/or label are not provided, fill them in with what we do know SDV($opt['value'],$opt['name']); SDV($opt['label'],$opt['value']); // Connect to Database $dblink = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die("Could not connect : " . mysql_error()); mysql_select_db(DB_NAME,$dblink) or die("Could not select database: ".mysql_error()); $selectq = "SELECT ". $opt['value'] .", ". $opt['label'] ." FROM ". $opt['from'] ." WHERE ". ($opt['where'] ? html_entity_decode($opt['where']) : 1) . ($opt['order'] ? " ORDER BY ".$opt['order'] : ""); $selectd = mysql_query($selectq); unset($FmtV['$UpdateSelectOptions']); if (isset($opt['null'])) $FmtV['$UpdateSelectOptions'] = "\n"; while ($option = mysql_fetch_row($selectd)) { $FmtV['$UpdateSelectOptions'] .= "\n"; } //don't display database info in HTML source unset($opt['value']); mysql_close(); } // endif $type // if given a parameter with no value, set the value to the name of the parameter // for example, "checked" should become "checked='checked'" to be valid HTML foreach ((array)@$opt[''] as $a) if (!isset($opt[$a])) $opt[$a] = $a; //insert $SQdata info into field, if value given is a parameter name in `backquotes` if (strrpos('`',$opt['value'])!==false) { $opt['value'] = $SQdata[str_replace("`","",$opt['value'])]; } if (($type=='text') or ($type=='hidden') or ($type=='password')) { // insert database info into field if (isset($UpdateFields[$opt['name']])) $opt['value'] = $UpdateFields[$opt['name']]; // insert $_GET info into field, if any if (isset($_GET[$opt['name']])) $opt['value'] = $_GET[$opt['name']]; } // another bit of magic to allow values in textareas if ($type=='textarea') $FmtV['$UpdateTextarea'] = $UpdateFields[$opt['name']]? $UpdateFields[$opt['name']]: ""; // auto-input user ID into text or hidden fields when no other value given if ((($type=='text') or ($type=='hidden')) and ($opt['name']==$UpdateUserID)) SDV($opt['value'],$UpdateUsername); //content masking with optional Javascript unset($opt['onKeyDown']); if ($opt['mask']>'') $opt['onKeyDown']='javascript:return dFilter (event.keyCode, this, "'.$opt['mask'].'");'; //automatic tabindex if ($opt['tabindex']>0) { $UpdateTabIndex = $opt['tabindex']+1; } elseif ($opt['tabindex']===0) { $UpdateTabIndex = 0; } elseif (($UpdateTabIndex > 0) and ($type!='form') and ($type != 'end') and ($type != 'hidden')) { $opt['tabindex'] = $UpdateTabIndex++; } //not sure what this little loophole is for, but it's in forms.php, so I copied it if (!isset($opt['value']) && isset($InputValues[@$opt['name']])) $opt['value'] = $InputValues[$opt['name']]; //put quotes around values for HTML compliance $attr = array(); foreach ($UpdateAttrs as $a) { if (!isset($opt[$a])) continue; $attr[] = "$a='".str_replace("'", ''', $opt[$a])."'"; } //set radio and checkboxes to match database info if ((($type=='radio') or ($type=='checkbox')) and ($opt['value'] == $UpdateFields[$opt['name']])) $attr[] = "checked='checked'"; //exit code copied bodily from forms.php $FmtV['$UpdateFormArgs'] = implode(' ', $attr); $out .= FmtPageName($opt[':html'], $pagename); return preg_replace('/<(\\w+\\s)(.*)$/es',"'<$1'.Keep(PSS('$2'))", $out); }