diff --git a/src/system/common.func.php b/src/system/common.func.php index 108a5485..5bc0972c 100755 --- a/src/system/common.func.php +++ b/src/system/common.func.php @@ -669,6 +669,7 @@ function AddFilter($channelid, $type=1, $fieldsnamef=array(), $defaulttid=0, $to */ function HideEmail($email) { + if (empty($email)) return "空"; $em = explode("@",$email); $name = implode('@', array_slice($em, 0, count($em)-1)); $len = floor(strlen($name)/2); diff --git a/src/user/album_add.php b/src/user/album_add.php index 45f94147..9781db5e 100755 --- a/src/user/album_add.php +++ b/src/user/album_add.php @@ -125,7 +125,8 @@ else if ($dopost == 'save') { $description = HtmlReplace($description, -1); $mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生 //保存到主表 - $inQuery = "INSERT INTO `#@__archives` (id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank','0','$money','$title','$shorttitle','$color','$writer','$source','','$pubdate','$senddate','$mid','$description','$keywords','$mtypesid'); "; + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; + $inQuery = "INSERT INTO `#@__archives` (id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank','0','$money','$title','$shorttitle','$color','$writer','$source','$litpic','$pubdate','$senddate','$mid','$description','$keywords','$mtypesid'); "; if (!$dsql->ExecuteNoneQuery($inQuery)) { $gerr = $dsql->GetError(); $dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID' "); diff --git a/src/user/album_edit.php b/src/user/album_edit.php index 345777a8..a09ea9a6 100755 --- a/src/user/album_edit.php +++ b/src/user/album_edit.php 
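Review bot: In the album_add.php hunk `$litpic` is now written into `#@__archives` from what appears to be a request-supplied value, and the only processing visible is `HtmlReplace($litpic, 1)`, which by its name is an HTML filter rather than SQL escaping or a path check. Nothing here confirms the value refers to a file this member uploaded, so any URL could be stored as the thumbnail. Consider accepting only an empty string or a path under the member's own upload directory, e.g. `if ($litpic !== '' && strpos($litpic, $cfg_mediasurl.'/userup/'.$mid.'/') !== 0) $litpic = '';` (assuming `$cfg_mediasurl` and `$mid` are in scope here as they are elsewhere in this commit). The same line is added in album_edit.php, archives_add.php, archives_edit.php, archives_sg_add.php, archives_sg_edit.php, article_add.php, article_edit.php, soft_add.php and soft_edit.php. If SQL safety relies on request variables being escaped globally before these scripts run, a one-line comment saying so next to the query would help the next reader.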
@@ -114,8 +114,8 @@ else if ($dopost == 'save') { } $description = HtmlReplace($description, -1); //更新数据库的SQL语句 - //更新数据库的SQL语句 - $upQuery = "UPDATE `#@__archives` SET ismake='$ismake',arcrank='$arcrank',typeid='$typeid',title='$title',description='$description',keywords='$keywords',mtype='$mtypesid',flag='$flag' WHERE id='$aid' AND mid='$mid'; "; + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; + $upQuery = "UPDATE `#@__archives` SET ismake='$ismake',arcrank='$arcrank',typeid='$typeid',title='$title',description='$description',keywords='$keywords',mtype='$mtypesid',flag='$flag',litpic='$litpic' WHERE id='$aid' AND mid='$mid'; "; if (!$dsql->ExecuteNoneQuery($upQuery)) { ShowMsg("数据保存到数据库主表`#@__archives`时出错,请联系管理员".$dsql->GetError(), "-1"); exit(); diff --git a/src/user/api.php b/src/user/api.php index 02578bc4..222cffcc 100755 --- a/src/user/api.php +++ b/src/user/api.php @@ -58,7 +58,7 @@ if ($action === 'is_need_check_code') { "email" => $row['email'], ), )); -} else if($action === 'upload_face'){ +} else if($action === 'upload'){ if (!$cfg_ml->IsLogin()) { if ($format === 'json') { echo json_encode(array( @@ -72,6 +72,7 @@ if ($action === 'is_need_check_code') { exit; } $target_dir = "uploads/"; //上传目录 + $type = isset($type)? $type : ''; $allowedTypes = array('image/png', 'image/jpg', 'image/jpeg'); $uploadedFile = $_FILES['file']['tmp_name']; 
@@ -85,18 +86,46 @@ if ($action === 'is_need_check_code') { )); exit; } - if (!is_dir($cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}")) { MkdirAll($cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}", $cfg_dir_purview); CloseFtp(); } - $target_file = $cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}/newface.png"; //上传文件名 - $target_url = $cfg_mediasurl.'/userup'."/{$cfg_ml->M_ID}/newface.png"; + if ($type === "face") { + $target_file = $cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}/newface.png"; //上传文件名 + $target_url = $cfg_mediasurl.'/userup'."/{$cfg_ml->M_ID}/newface.png"; + } else { + $nowtme = time(); + $rnd = $nowtme.'-'.mt_rand(1000,9999); + $target_file = $cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}/".$rnd.'.png'; + $fsize = filesize($_FILES["file"]["tmp_name"]); + $target_url = $cfg_mediasurl.'/userup'."/{$cfg_ml->M_ID}/".$rnd.".png"; + $row = $dsql->GetOne("SELECT aid,title,url FROM `#@__uploads` WHERE url LIKE '$target_url' AND mid='".$cfg_ml->M_ID."'; "); + $uptime = time(); + if(is_array($row)) + { + $query = "UPDATE `#@__uploads` SET mediatype=1, + width='{$imgSize[0]}',height='{$imgSize[1]}',filesize='{$fsize}',uptime='$uptime' + WHERE aid='{$row['aid']}'; "; + $dsql->ExecuteNoneQuery($query); + } + else + { + $inquery = "INSERT INTO `#@__uploads`(url,mediatype,width,height,playtime,filesize,uptime,mid) + VALUES ('$target_url','1','".$imgSize[0]."','".$imgSize[1]."','0','".$fsize."','$uptime','".$cfg_ml->M_ID."'); "; + $dsql->ExecuteNoneQuery($inquery); + } + } + if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) { require_once DEDEINC."/libraries/imageresize.class.php"; try{ $image = new ImageResize($target_file); - $image->crop(150, 150); + if ($type === "face") { + $image->crop(150, 150); + } else { + $image->resize($cfg_ddimg_width, $cfg_ddimg_height); + } + $image->save($target_file); echo json_encode(array( "code" => 0, diff --git a/src/user/archives_add.php b/src/user/archives_add.php index 609bb00e..f56c2bed 100755 
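Review bot: In the non-face branch of the api.php upload hunk the `#@__uploads` row is written before `move_uploaded_file()` runs and before `ImageResize` has decoded the file, so a failed move or an undecodable upload leaves a database row pointing at nothing or at an unprocessed file. I would move the SELECT/UPDATE/INSERT block into the success path after `$image->save($target_file)` and delete `$target_file` when `ImageResize` throws; the `catch` is outside this hunk. The name `$nowtme.'-'.mt_rand(1000,9999)` can repeat within one second; `$rnd = $nowtme.'-'.bin2hex(random_bytes(8));` avoids that where PHP 7 is available. `$type` is used unchecked, so every value other than `"face"` takes the general branch. The `$allowedTypes` comparison and `$imgSize` are set outside the hunk, so please confirm the type check is based on the file contents rather than the client-supplied MIME type.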
--- a/src/user/archives_add.php +++ b/src/user/archives_add.php @@ -14,6 +14,7 @@ require_once(DEDEINC."/userlogin.class.php"); require_once(DEDEINC."/customfields.func.php"); require_once(DEDEMEMBER."/inc/inc_catalog_options.php"); require_once(DEDEMEMBER."/inc/inc_archives_functions.php"); +CheckRank(0, 0); $channelid = isset($channelid) && is_numeric($channelid) ? $channelid : 1; $typeid = isset($typeid) && is_numeric($typeid) ? $typeid : 0; $mtypesid = isset($mtypesid) && is_numeric($mtypesid) ? $mtypesid : 0; @@ -95,6 +96,7 @@ else if ($dopost == 'save') { exit(); } //保存到主表 + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; $inQuery = "INSERT INTO `#@__archives` (id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank','0','$money','$title','$shorttitle','$color','$writer','$source','$litpic','$pubdate','$senddate','$mid','$description','$keywords','$mtypesid'); "; if (!$dsql->ExecuteNoneQuery($inQuery)) { $gerr = $dsql->GetError(); diff --git a/src/user/archives_do.php b/src/user/archives_do.php index 0bf15b90..0957b36e 100755 --- a/src/user/archives_do.php +++ b/src/user/archives_do.php @@ -37,6 +37,7 @@ function addArchives() 添加投稿 ------------------*/ else if ($dopost == "addArc") { + CheckRank(0, 0); if ($channelid == 1) { $addcon = 'article_add.php?channelid='.$channelid; } else if ($channelid == 2) { diff --git a/src/user/archives_edit.php b/src/user/archives_edit.php index f39d87ea..df0a31dc 100755 --- a/src/user/archives_edit.php +++ b/src/user/archives_edit.php 
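Review bot: In archives_do.php `CheckRank(0, 0)` is added only inside the `addArc` branch, while the other scripts in this commit call it once at the top of the file. The `if`/`else if` chain on `$dopost` starts and continues outside this hunk, so I cannot see whether the remaining actions are covered. If they need the same check, hoist the call above the chain; otherwise add a comment such as `// other $dopost branches perform their own rank check` to record why it is per-branch.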
@@ -14,6 +14,7 @@ require_once(DEDEINC."/dedetag.class.php"); require_once(DEDEINC."/customfields.func.php"); require_once(DEDEMEMBER."/inc/inc_catalog_options.php"); require_once(DEDEMEMBER."/inc/inc_archives_functions.php"); +CheckRank(0, 0); $channelid = isset($channelid) && is_numeric($channelid) ? $channelid : 1; $aid = isset($aid) && is_numeric($aid) ? $aid : 0; $mtypesid = isset($mtypesid) && is_numeric($mtypesid) ? $mtypesid : 0; @@ -82,6 +83,7 @@ else if ($dopost == 'save') { //处理图片文档的自定义属性 if ($litpic != '') $flag = 'p'; //更新数据库的SQL语句 + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; $upQuery = "UPDATE `#@__archives` SET ismake='$ismake',arcrank='$arcrank',typeid='$typeid',title='$title',litpic='$litpic',description='$description',keywords='$keywords',mtype='$mtypesid',flag='$flag' WHERE id='$aid' And mid='$mid'; "; if (!$dsql->ExecuteNoneQuery($upQuery)) { ShowMsg("数据保存到数据库主表`#@__archives`时出错,请联系管理员".$dsql->GetError(), "-1"); diff --git a/src/user/archives_sg_add.php b/src/user/archives_sg_add.php index d3a2a6dc..77113793 100755 --- a/src/user/archives_sg_add.php +++ b/src/user/archives_sg_add.php @@ -14,6 +14,7 @@ require_once(DEDEINC."/userlogin.class.php"); require_once(DEDEINC."/customfields.func.php"); require_once(dirname(__FILE__)."/inc/inc_catalog_options.php"); require_once(dirname(__FILE__)."/inc/inc_archives_functions.php"); +CheckRank(0, 0); $channelid = isset($channelid) && is_numeric($channelid) ? $channelid : 1; $typeid = isset($typeid) && is_numeric($typeid) ? $typeid : 0; $mtypesid = isset($mtypesid) && is_numeric($mtypesid) ? $mtypesid : 0; 
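Review bot: In the second hunk of archives_edit.php the context line `if ($litpic != '') $flag = 'p';` reads `$litpic` before the added `isset($litpic)` guard. The guard therefore comes too late to prevent an undefined-variable notice, and `$flag` is derived from the unfiltered value. Move the added line above that check, so that `$litpic = isset($litpic)? HtmlReplace($litpic, 1) : '';` runs first and `if ($litpic != '') $flag = 'p';` follows it. The enclosing `save` branch starts outside the hunk.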
@@ -146,7 +147,8 @@ else if ($dopost == 'save') { ShowMsg("没找到当前模型{$channelid}主表信息,无法完成操作", "javascript:;"); exit(); } else { - $inquery = "INSERT INTO `{$addtable}` (aid,typeid,arcrank,mid,channel,title,senddate,litpic,userip{$inadd_f}) VALUES ('$arcID','$typeid','$arcrank','$mid','$channelid','$title','$senddate','','$userip'{$inadd_v})"; + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; + $inquery = "INSERT INTO `{$addtable}` (aid,typeid,arcrank,mid,channel,title,senddate,litpic,userip{$inadd_f}) VALUES ('$arcID','$typeid','$arcrank','$mid','$channelid','$title','$senddate','$litpic','$userip'{$inadd_v})"; if (!$dsql->ExecuteNoneQuery($inquery)) { $gerr = $dsql->GetError(); $dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'"); diff --git a/src/user/archives_sg_edit.php b/src/user/archives_sg_edit.php index ece4dd0e..15ec1a9e 100755 --- a/src/user/archives_sg_edit.php +++ b/src/user/archives_sg_edit.php @@ -14,6 +14,7 @@ require_once(DEDEINC."/dedetag.class.php"); require_once(DEDEINC."/customfields.func.php"); require_once(DEDEMEMBER."/inc/inc_catalog_options.php"); require_once(DEDEMEMBER."/inc/inc_archives_functions.php"); +CheckRank(0, 0); $channelid = isset($channelid) && is_numeric($channelid) ? $channelid : 1; $aid = isset($aid) && is_numeric($aid) ? $aid : 0; $mtypesid = isset($mtypesid) && is_numeric($mtypesid) ? $mtypesid : 0; @@ -106,7 +107,8 @@ else if ($dopost == 'save') { } } if ($addtable != '') { - $upQuery = "UPDATE `$addtable` SET `title`='$title',`typeid`='$typeid',`arcrank`='$arcrank',userip='$userip'{$inadd_f} WHERE aid='$aid' "; + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; + $upQuery = "UPDATE `$addtable` SET `title`='$title',`typeid`='$typeid',`arcrank`='$arcrank',litpic='$litpic',userip='$userip'{$inadd_f} WHERE aid='$aid' "; if (!$dsql->ExecuteNoneQuery($upQuery)) { ShowMsg("数据保存到数据库附加表时出错,请联系管理员", "javascript:;"); exit(); 
diff --git a/src/user/article_add.php b/src/user/article_add.php index c89c7301..7699c680 100755 --- a/src/user/article_add.php +++ b/src/user/article_add.php @@ -14,6 +14,7 @@ require_once(DEDEINC."/userlogin.class.php"); require_once(DEDEINC."/customfields.func.php"); require_once(DEDEMEMBER."/inc/inc_catalog_options.php"); require_once(DEDEMEMBER."/inc/inc_archives_functions.php"); +CheckRank(0, 0); $channelid = isset($channelid) && is_numeric($channelid) ? $channelid : 1; $typeid = isset($typeid) && is_numeric($typeid) ? $typeid : 0; $mtypesid = isset($mtypesid) && is_numeric($mtypesid) ? $mtypesid : 0; @@ -76,6 +77,8 @@ else if ($dopost == 'save') { } $body = AnalyseHtmlBody($body, $description); $body = HtmlReplace($body, -1); + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; + //生成文档id $arcID = GetIndexKey($arcrank, $typeid, $sortrank, $channelid, $senddate, $mid); if (empty($arcID)) { @@ -84,7 +87,7 @@ else if ($dopost == 'save') { } //保存到主表 $inQuery = "INSERT INTO `#@__archives` (id,typeid,sortrank,flag,ismake,channel,arcrank,click,`money`,title,shorttitle,color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) - VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank','0','$money','$title','$shorttitle','$color','$writer','$source','','$pubdate','$senddate','$mid','$description','$keywords','$mtypesid'); "; + VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank','0','$money','$title','$shorttitle','$color','$writer','$source','$litpic','$pubdate','$senddate','$mid','$description','$keywords','$mtypesid'); "; if (!$dsql->ExecuteNoneQuery($inQuery)) { $gerr = $dsql->GetError(); $dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID' "); diff --git a/src/user/article_edit.php b/src/user/article_edit.php index 1f00c7c1..9391baee 100755 --- a/src/user/article_edit.php +++ b/src/user/article_edit.php 
@@ -14,6 +14,7 @@ require_once(DEDEINC."/dedetag.class.php"); require_once(DEDEINC."/customfields.func.php"); require_once(DEDEMEMBER."/inc/inc_catalog_options.php"); require_once(DEDEMEMBER."/inc/inc_archives_functions.php"); +CheckRank(0, 0); $channelid = isset($channelid) && is_numeric($channelid) ? $channelid : 1; $aid = isset($aid) && is_numeric($aid) ? $aid : 0; $mtypesid = isset($mtypesid) && is_numeric($mtypesid) ? $mtypesid : 0; @@ -77,8 +78,9 @@ else if ($dopost == 'save') { } $body = AnalyseHtmlBody($body, $description); $body = HtmlReplace($body, -1); + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; //更新数据库的SQL语句 - $upQuery = "UPDATE `#@__archives` SET ismake='$ismake',arcrank='$arcrank',typeid='$typeid',title='$title',description='$description',mtype='$mtypesid',keywords='$keywords',flag='$flag' WHERE id='$aid' AND mid='$mid'; "; + $upQuery = "UPDATE `#@__archives` SET ismake='$ismake',arcrank='$arcrank',typeid='$typeid',title='$title',description='$description',mtype='$mtypesid',keywords='$keywords',flag='$flag',litpic='$litpic' WHERE id='$aid' AND mid='$mid'; "; if (!$dsql->ExecuteNoneQuery($upQuery)) { ShowMsg("数据保存到数据库主表`#@__archives`时出错,请联系管理员".$dsql->GetError(), "-1"); exit(); diff --git a/src/user/check_card.php b/src/user/check_card.php index e7b6c495..3d4b9e13 100755 --- a/src/user/check_card.php +++ b/src/user/check_card.php @@ -7,6 +7,7 @@ * @link https://www.dedebiz.com */ require_once(dirname(__FILE__)."/config.php"); +CheckRank(0, 0); $svali = GetCkVdValue(); if (strtolower($vdcode) != $svali || $svali == "") { ShowMsg("验证码不正确", "-1"); diff --git a/src/user/config.php b/src/user/config.php index f117334d..e1734a23 100755 --- a/src/user/config.php +++ b/src/user/config.php @@ -253,4 +253,9 @@ function GetSafequestion($selid=0,$formname='safequestion') return $safequestions_form; } $enabledChannels = MemberLogin::GetEnabledChannels(); + +function UserInclude($file) +{ + return DEDEMEMBER.'/'.$file; +} ?> \ No newline at end of file 
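Review bot: In config.php the new `UserInclude()` concatenates `$file` onto `DEDEMEMBER` with no normalisation and no docblock, so its safety depends entirely on callers passing fixed names. The template call sites are not readable on this page. If the result is fed to an include, document the contract with `/** Returns the absolute path of a file under the member directory; $file must be a literal relative path, never request data. */` and consider refusing traversal, e.g. `if (strpos($file, '..') !== false) { exit('Request Error'); }`.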
diff --git a/src/user/edit_baseinfo.php b/src/user/edit_baseinfo.php index 07611c82..0f17ba05 100755 --- a/src/user/edit_baseinfo.php +++ b/src/user/edit_baseinfo.php @@ -60,8 +60,9 @@ if ($dopost == 'save') { //修改头像 $target_file = $cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}/newface.png"; if (!empty($newface) && file_exists($target_file)) { - rename($target_file, $cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}/face.png"); - $target_url = $cfg_mediasurl.'/userup'."/{$cfg_ml->M_ID}/face.png"; + $rnd = mt_rand(10000, 99999); + rename($target_file, $cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}/face{$rnd}.png"); + $target_url = $cfg_mediasurl.'/userup'."/{$cfg_ml->M_ID}/face{$rnd}.png"; $addupquery = ",face='{$target_url}'"; @unlink($target_file); } diff --git a/src/user/soft_add.php b/src/user/soft_add.php index c24e43ae..52bb4ed4 100755 --- a/src/user/soft_add.php +++ b/src/user/soft_add.php @@ -105,6 +105,8 @@ else if ($dopost == 'save') { $flag = 'p'; } $body = HtmlReplace($body, -1); + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; + //保存到主表 $inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,color,writer,source,litpic,pubdate,senddate,mid,description,keywords) VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank','0','$money','$title','$shorttitle','$color','$writer','$source','$litpic','$pubdate','$senddate','$mid','$description','$keywords'); "; if (!$dsql->ExecuteNoneQuery($inQuery)) { diff --git a/src/user/soft_edit.php b/src/user/soft_edit.php index 7782ebcc..272cdedf 100755 --- a/src/user/soft_edit.php +++ b/src/user/soft_edit.php 
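Review bot: In edit_baseinfo.php each avatar change now creates a new `face{$rnd}.png` and nothing removes the previous one, so old avatars stay on disk and reachable by URL indefinitely; before this change the fixed name `face.png` was simply overwritten. Remove earlier files before the rename, e.g. `foreach (glob($cfg_basedir.$cfg_user_dir."/{$cfg_ml->M_ID}/face*.png") ?: array() as $old) { @unlink($old); }`, which does not match `newface.png`. Also set `$addupquery` only when `rename()` returns true, since its result is currently ignored and a failed rename would store a URL for a file that does not exist. The enclosing `save` block continues outside the hunk.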
@@ -129,6 +129,7 @@ else if ($dopost == 'save') { } } //修改主文档表 + $litpic = isset($litpic)? HtmlReplace($litpic, 1) : ''; $upQuery = "UPDATE `#@__archives` SET ismake='$ismake',arcrank='$arcrank',typeid='$typeid',title='$title',litpic='$litpic',description='$description',keywords='$keywords',flag='$flag' WHERE id='$aid' AND mid='$mid'; "; if (!$dsql->ExecuteNoneQuery($upQuery)) { ShowMsg("数据保存到数据库主表`#@__archives`时出错,请联系管理员", "-1"); diff --git a/src/user/templets/album_add.htm b/src/user/templets/album_add.htm index abadd8c9..9e9c6ddc 100755 --- a/src/user/templets/album_add.htm +++ b/src/user/templets/album_add.htm @@ -26,7 +26,8 @@
- + +
@@ -38,8 +39,9 @@
- - 上传缩略图 + + 上传缩略图 +
@@ -125,5 +127,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/album_edit.htm b/src/user/templets/album_edit.htm index cf3b32ea..70daf586 100755 --- a/src/user/templets/album_edit.htm +++ b/src/user/templets/album_edit.htm @@ -31,6 +31,7 @@ +
@@ -42,8 +43,9 @@
- - 修改缩略图 + + 修改缩略图 +
@@ -122,5 +124,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/archives_add.htm b/src/user/templets/archives_add.htm index cd02c3c5..1f98420b 100755 --- a/src/user/templets/archives_add.htm +++ b/src/user/templets/archives_add.htm @@ -26,6 +26,7 @@ +
@@ -37,8 +38,9 @@
- - 上传缩略图 + + 上传缩略图 +
@@ -72,5 +74,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/archives_edit.htm b/src/user/templets/archives_edit.htm index ad6417ae..9061c1ec 100755 --- a/src/user/templets/archives_edit.htm +++ b/src/user/templets/archives_edit.htm @@ -26,6 +26,7 @@ +
@@ -37,8 +38,9 @@
- - 修改缩略图 + + 修改缩略图 +
@@ -71,5 +73,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/archives_sg_add.htm b/src/user/templets/archives_sg_add.htm index 656be9e8..f1d45b26 100755 --- a/src/user/templets/archives_sg_add.htm +++ b/src/user/templets/archives_sg_add.htm @@ -26,6 +26,7 @@ +
@@ -37,8 +38,9 @@
- - 上传缩略图 + + 上传缩略图 +
@@ -72,5 +74,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/archives_sg_edit.htm b/src/user/templets/archives_sg_edit.htm index d60fd213..309866bc 100755 --- a/src/user/templets/archives_sg_edit.htm +++ b/src/user/templets/archives_sg_edit.htm @@ -26,6 +26,7 @@ +
@@ -37,8 +38,9 @@
- - 修改缩略图 + + 修改缩略图 +
@@ -71,5 +73,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/article_add.htm b/src/user/templets/article_add.htm index ecc50ba2..00fb5139 100755 --- a/src/user/templets/article_add.htm +++ b/src/user/templets/article_add.htm @@ -26,6 +26,7 @@ +
@@ -37,8 +38,9 @@
- - 上传缩略图 + + 上传缩略图 +
@@ -76,5 +78,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/article_edit.htm b/src/user/templets/article_edit.htm index e7b28e38..608816ac 100755 --- a/src/user/templets/article_edit.htm +++ b/src/user/templets/article_edit.htm @@ -30,6 +30,7 @@ +
@@ -41,8 +42,9 @@
- - 修改缩略图 + + 修改缩略图 +
@@ -79,5 +81,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/edit_baseinfo.htm b/src/user/templets/edit_baseinfo.htm index 220b79f4..3196db6e 100755 --- a/src/user/templets/edit_baseinfo.htm +++ b/src/user/templets/edit_baseinfo.htm @@ -147,7 +147,7 @@ var fileData = $('#iptNewface')[0].files[0]; formData.append('file', fileData); $.ajax({ - url: '/user/api.php?action=upload_face', + url: '/user/api.php?action=upload&type=face', type: 'POST', data: formData, processData: false, diff --git a/src/user/templets/soft_add.htm b/src/user/templets/soft_add.htm index 9be18632..40410892 100755 --- a/src/user/templets/soft_add.htm +++ b/src/user/templets/soft_add.htm @@ -43,6 +43,7 @@ +
@@ -54,8 +55,9 @@
- - 上传缩略图 + + 上传缩略图 +
@@ -190,5 +192,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/soft_edit.htm b/src/user/templets/soft_edit.htm index 2e9c1035..b5b9acae 100755 --- a/src/user/templets/soft_edit.htm +++ b/src/user/templets/soft_edit.htm @@ -45,7 +45,8 @@ - + +
@@ -57,8 +58,9 @@
- - 修改缩略图 + + 修改缩略图 +
@@ -196,5 +198,6 @@
+ \ No newline at end of file diff --git a/src/user/templets/widget_litpic.htm b/src/user/templets/widget_litpic.htm new file mode 100644 index 00000000..01af5607 --- /dev/null +++ b/src/user/templets/widget_litpic.htm @@ -0,0 +1,28 @@ + \ No newline at end of file