From 74db7a24d9c2230b104979f4e4981c57ff73de71 Mon Sep 17 00:00:00 2001
From: Starla Insigna
Date: Sat, 11 Dec 2010 14:05:05 -0500
Subject: Made Four Island 2 a little more sane
I spent the last few hours sanitizing the database and fixing huge bugs in the code. Among the changes made were:
- "Theoretically related posts" have been removed due to the lack of FULLTEXT index support in InnoDB tables
- Removed tons of stripslashes() calls that were used to remove slashes from records before I realized (while doing all of this work) that magic_quotes_gpc was on for some reason. I mean, like, come on!
- Replaced all non-library uses of htmlentities() with htmlspecialchars(), which basically does the same thing except it doesn't mangle Unicode.
- Completely eradicated polls.
Note that this does mean that all database backups prior to December 11th 2010 are now incompatible with Four Island.
---
 pages/archive.php | 2 +-
 pages/blog.php | 16 +++++++---------
 pages/post.php | 4 ++--
 pages/quotes.php | 4 ++--
 pages/viewPost.php | 2 +-
 5 files changed, 13 insertions(+), 15 deletions(-)
(limited to 'pages')
diff --git a/pages/archive.php b/pages/archive.php
index 024d3b5..73d0162 100755
--- a/pages/archive.php
+++ b/pages/archive.php
@@ -87,7 +87,7 @@ while ($getposts3[$i] = mysql_fetch_array($getposts2)) $template->adds_ref_sub($curID, 'SMALL',array( 'DATE' => date('m-d-Y',strtotime($getposts3[$i]['pubDate'])), 'CODED' => $getposts3[$i]['slug'],
- 'TITLE' => doAprilFoolsDay(htmlentities(stripslashes($getposts3[$i]['title']))));
+ 'TITLE' => doAprilFoolsDay(htmlspecialchars($getposts3[$i]['title']))));
 $i++; } if ($i==0)
diff --git a/pages/blog.php b/pages/blog.php
index e7163ce..72e96bf 100755
--- a/pages/blog.php
+++ b/pages/blog.php
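Review bot: The new `htmlspecialchars($getposts3[$i]['title'])` call relies on the function's defaults, which encode only `&`, `<`, `>` and `"` (ENT_COMPAT) under the interpreter's default charset and leave `'` untouched, so the escaping is only safe if the template never places TITLE inside a single-quoted attribute, which is not visible here. Passing the flags and charset explicitly, `htmlspecialchars($getposts3[$i]['title'], ENT_QUOTES, 'UTF-8')`, makes the output context-safe and pins the UTF-8 handling the commit message is aiming for instead of depending on php.ini. The same applies to every htmlspecialchars() call introduced in blog.php (@@ -46, -54, -63, -72, -171) and quotes.php (@@ -70, -236). The enclosing while loop starts before the hunk.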
@@ -46,7 +46,7 @@ if (isset($_GET['post'])) { updatePop($getpost3['id'],'views');
- $title = stripslashes(htmlentities($getpost3['title'])) . ' - Blog Archive';
+ $title = htmlspecialchars($getpost3['title']) . ' - Blog Archive';
 $getback = "SELECT * FROM updates WHERE id < " . $getpost3['id'] . " ORDER BY id DESC LIMIT 0,1"; $getback2 = mysql_query($getback);
@@ -54,7 +54,7 @@ if (isset($_GET['post'])) if (isset($getback3['title'])) { $template->adds_block('BACK', array( 'CODED' => $getback3['slug'],
- 'TITLE' => doAprilFoolsDay(htmlentities(stripslashes($getback3['title']))));
+ 'TITLE' => doAprilFoolsDay(htmlspecialchars($getback3['title']))));
 } $getnext = "SELECT * FROM updates WHERE id > " . $getpost3['id'] . " ORDER BY id ASC LIMIT 0,1";
@@ -63,7 +63,7 @@ if (isset($_GET['post'])) if (isset($getnext3['title'])) { $template->adds_block('NEXT', array( 'CODED' => $getnext3['slug'],
- 'TITLE' => doAprilFoolsDay(htmlentities(stripslashes($getnext3['title']))));
+ 'TITLE' => doAprilFoolsDay(htmlspecialchars($getnext3['title']))));
 } $template->add_ref(0, 'POST', array( 'ID' => $getpost3['id'],
@@ -72,10 +72,10 @@ if (isset($_GET['post'])) 'MONTH' => date('M',strtotime($getpost3['pubDate'])), 'DAY' => date('d',strtotime($getpost3['pubDate'])), 'CODED' => $getpost3['slug'],
- 'TITLE' => doAprilFoolsDay(htmlentities(stripslashes($getpost3['title']))),
+ 'TITLE' => doAprilFoolsDay(htmlspecialchars($getpost3['title'])),
 'AUTHOR' => $getpost3['author'], 'RATING' => $getpost3['rating'],
- 'TEXT' => parseText(stripslashes($getpost3['text']))));
+ 'TEXT' => parseText($getpost3['text'])));
 $tags = getTags($getpost3['id']); foreach ($tags as $tag)
@@ -121,8 +121,6 @@ if (isset($_GET['post'])) $page_id = 'updates-' . $getpost3['id']; include('includes/comments.php');
-
- displayRelated($getpost3['title'], $getpost3['id']);
 } else { generateError('404'); }
@@ -171,12 +169,12 @@ if (isset($_GET['post'])) 'MONTH' => date('M',strtotime($getpost3['pubDate'])), 'DAY' => date('d',strtotime($getpost3['pubDate'])), 'CODED' => $getpost3['slug'],
- 'TITLE' => doAprilFoolsDay(htmlentities(stripslashes($getpost3['title']))),
+ 'TITLE' => doAprilFoolsDay(htmlspecialchars($getpost3['title'])),
 'AUTHOR' => $getpost3['author'], 'PLURALCOMMENT' => (isset($plural) ? $plural : ''), 'COMMENTS' => $comText, 'RATING' => $getpost3['rating'],
- 'TEXT' => parseText(stripslashes($getpost3['text']))));
+ 'TEXT' => parseText($getpost3['text'])));
 $tags = getTags($getpost3['id']); foreach ($tags as $tag)
diff --git a/pages/post.php b/pages/post.php
index 3f728c8..a5435c9 100755
--- a/pages/post.php
+++ b/pages/post.php
@@ -68,7 +68,7 @@ if (!isset($_POST['id'])) $template = new FITemplate('new-comment'); $template->add('ID', $cid); $template->add('CODEDEMAIL', md5(strtolower($getanon3['email'])));
- $template->add('TEXT', stripslashes($_POST['comment']));
+ $template->add('TEXT', $_POST['comment']);
 $template->add('USERNAME', $getanon3['username']); $template->add('DATE', date("F jS Y \a\\t g:i:s a")); $template->display();
@@ -108,7 +108,7 @@ if (!isset($_POST['id'])) $template = new FITemplate('new-comment'); $template->add('ID', $cid); $template->add('CODEDEMAIL', md5(strtolower($getuser3['user_email'])));
- $template->add('TEXT', stripslashes($_POST['comment']));
+ $template->add('TEXT', $_POST['comment']);
 $template->add('USERNAME', getSessionUsername()); $template->add('DATE', date("F jS Y \a\\t g:i:s a")); $template->display();
diff --git a/pages/quotes.php b/pages/quotes.php
index 3b00878..f47dbd3 100755
--- a/pages/quotes.php
+++ b/pages/quotes.php
@@ -70,7 +70,7 @@ if (isset($_GET['id']) && !(is_numeric($_GET['id']))) $template = new FITemplate('quotes/add'); if (isset($_GET['submit'])) {
- $template->adds_block('SUBMITTED',array('QUOTE' => str_replace("\n","
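Review bot: `$template->add('TEXT', $_POST['comment']);` in post.php @@ -68 now hands the raw request value to the 'new-comment' template with no escaping at all, whereas the same commit wraps `$_POST['rash_quote']` in htmlspecialchars() before passing it to a template in quotes.php; unless FITemplate escapes on output, which is not visible here, markup in a freshly posted comment is rendered as-is in the response. The identical line is changed again at @@ -108, so both should get the same treatment, e.g. `$template->add('TEXT', htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8'));` or whatever includes/comments.php applies when it re-displays the stored copy. Dropping stripslashes() on request data is only correct when magic_quotes_gpc is off; the commit message says it was found to be on, but not that it has been turned off, so a one-line comment such as `// raw $_POST values: requires magic_quotes_gpc=Off` near the top of the file would record that deployment assumption. The enclosing if (!isset($_POST['id'])) block begins outside the hunk.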
",htmlspecialchars(stripslashes($_POST['rash_quote']))))); + $template->adds_block('SUBMITTED',array('QUOTE' => str_replace("\n","
",htmlspecialchars($_POST['rash_quote'])))); if (!isLoggedIn()) { $insquote = "INSERT INTO rash_queue (quote) VALUES(\"" . mysql_real_escape_string(htmlspecialchars($_POST['rash_quote'])) . "\")"; @@ -236,7 +236,7 @@ function quote_generation($query, $origin, $page = 1, $quote_limit = 50, $page_l $template->add_ref($curID,'QUOTES',array( 'NUMBER' => $getquotes3[$i]['id'], 'RATING' => $getquotes3[$i]['rating'], 'DATE' => ($getquotes3[$i]['date'] != 0 ? date('F jS Y \a\\t g:i:s a', $getquotes3[$i]['date']) : ''), - 'QUOTE' => doAprilFoolsDay(str_replace("\n","
",htmlspecialchars(stripslashes($getquotes3[$i]['quote'])))), + 'QUOTE' => doAprilFoolsDay(str_replace("\n","
",htmlspecialchars($getquotes3[$i]['quote']))), 'COMMENTS' => $comments)); if (($gettrack3['ip'] != $_SERVER['REMOTE_ADDR']) || (array_search($getquotes3[$i]['id'],$trackArr) === FALSE)) diff --git a/pages/viewPost.php b/pages/viewPost.php index 0d84df7..fa371cf 100755 --- a/pages/viewPost.php +++ b/pages/viewPost.php @@ -44,7 +44,7 @@ if (!isAdmin()) 'TITLE' => $getpost3['title'], 'AUTHOR' => $getpost3['author'], 'RATING' => $getpost3['rating'], - 'TEXT' => parseText(stripslashes($getpost3['text'])))); + 'TEXT' => parseText($getpost3['text']))); $tags = getTags($getpost3['id']); foreach ($tags as $tag) -- cgit 1.4.1