PageRenderTime 44ms CodeModel.GetById 15ms RepoModel.GetById 0ms app.codeStats 0ms

/staffbox.php

https://github.com/delete66/sikevux-s-tracker
PHP | 385 lines | 278 code | 85 blank | 22 comment | 47 complexity | 81ee184ad2ac056f5edf92f0223e787d MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. <?php

    2. 

  2. require_once("include/bittorrent.php");

    3. 

  3. require_once("include/user_functions.php");

    4. 

  4. require_once("include/bbcode_functions.php");

    5. 

  5. dbconn(false);

    6. 

  6. maxcoder();

    7. 

  7. if(!logged_in())

    8. 

  8. {

    9. 

  9. header("HTTP/1.0 404 Not Found");

    10. 

  10. // moddifed logginorreturn by retro//Remember to change the following line to match your server

    11. 

  11. print("<html><h1>Not Found</h1><p>The requested URL /{$_SERVER['PHP_SELF']} was not found on this server.</p><hr /><address>Apache/1.1.11 (xxxxx) Server at ".$_SERVER['SERVER_NAME']." Port 80</address></body></html>\n");

    12. 

  12. die();

    13. 

  13. }

    14. 

  14. if (get_user_class() < UC_MODERATOR)

    15. 

  15. hacker_dork("Staff Messages - Nosey Cunt !");

    16. 

  16. 

    17. 

  17. $action = $HTTP_GET_VARS["action"];

    18. 

  18. 

    19. 

  19. ///////////////////////////

    20. 

  20. // SHOW PM'S //

    21. 

  21. /////////////////////////

    22. 

  22. 

    23. 

  23. if (!$action) {

    24. 

  24. 

    25. 

  25. if (get_user_class() < UC_MODERATOR)

    26. 

  26. stderr("Error", "Permission denied.");

    27. 

  27. 

    28. 

  28. stdhead("Staff PM's");

    29. 

  29. 

    30. 

  30. $res = mysql_query("SELECT count(id) FROM staffmessages") or die(mysql_error());

    31. 

  31. $row = mysql_fetch_array($res);

    32. 

  32. 

    33. 

  33. $url = " .$_SERVER[PHP_SELF]?";

    34. 

  34. $count = $row[0];

    35. 

  35. $perpage = 20;

    36. 

  36. list($pagertop, $pagerbottom, $limit) = pager($perpage, $count, $url);

    37. 

  37. 

    38. 

  38. print("<h1 align=center>Staff PM's</h1>");

    39. 

  39. 

    40. 

  40. if ($count == 0) {

    41. 

  41. print("<h2>No messages yet!</h2>");

    42. 

  42. }

    43. 

  43. else {

    44. 

  44. 

    45. 

  45. echo $pagertop;

    46. 

  46. 

    47. 

  47. begin_main_frame();

    48. 

  48. 

    49. 

  49. print("<table width=765 border=1 cellspacing=0 cellpadding=5 align=center>\n");

    50. 

  50. print("

    51. 

  51. <tr>

    52. 

  52. <td class=colhead align=left>Subject</td>

    53. 

  53. <td class=colhead align=left>Sender</td>

    54. 

  54. <td class=colhead align=left>Added</td>

    55. 

  55. <td class=colhead align=left>Answered</td>

    56. 

  56. <td class=colhead align=center>Set Answered</td>

    57. 

  57. <td class=colhead align=left>Del</td>

    58. 

  58. </tr>

    59. 

  59. ");

    60. 

  60. print("<form method=post action=?action=takecontactanswered>");

    61. 

  61. 

    62. 

  62. $res = mysql_query("SELECT staffmessages.id, staffmessages.added, staffmessages.subject, staffmessages.answered, staffmessages.answeredby, staffmessages.sender, staffmessages.answer, users.username FROM staffmessages INNER JOIN users on staffmessages.sender = users.id ORDER BY id desc $limit");

    63. 

  63. 

    64. 

  64. while ($arr = mysql_fetch_assoc($res))

    65. 

  65. {

    66. 

  66. if ($arr[answered])

    67. 

  67. {

    68. 

  68. $res3 = mysql_query("SELECT username FROM users WHERE id=$arr[answeredby]");

    69. 

  69. $arr3 = mysql_fetch_assoc($res3);

    70. 

  70. $answered = "<font color=green><b>Yes - <a href=userdetails.php?id=$arr[answeredby]><b>$arr3[username]</b></a> (<a href=staffbox.php?action=viewanswer&pmid=$arr[id]>View Answer</a>)</b></font>";

    71. 

  71. }

    72. 

  72. else

    73. 

  73. $answered = "<font color=red><b>No</b></font>";

    74. 

  74. 

    75. 

  75. $pmid = $arr["id"];

    76. 

  76. 

    77. 

  77. print("<tr>

    78. 

  78. <td><a href=/staffbox.php?action=viewpm&pmid=$pmid><b>$arr[subject]</b></td>

    79. 

  79. <td><a href=userdetails.php?id=$arr[sender]><b>$arr[username]</b></a></td>

    80. 

  80. <td>$arr[added]</td><td align=left>$answered</td>

    81. 

  81. <td><input type=\"checkbox\" name=\"setanswered[]\" value=\"" . $arr[id] . "\" /></td>

    82. 

  82. <td><a href=/staffbox.php?action=deletestaffmessage&id=$arr[id]>Del</a></td>

    83. 

  83. </tr>\n

    84. 

  84. ");

    85. 

  85. }

    86. 

  86. 

    87. 

  87. print("</table>\n");

    88. 

  88. 

    89. 

  89. print("<p align=right><input type=submit value=Confirm></p>");

    90. 

  90. print("</form>");

    91. 

  91. 

    92. 

  92. echo $pagerbottom;

    93. 

  93. 

    94. 

  94. end_main_frame();

    95. 

  95. }

    96. 

  96. stdfoot();

    97. 

  97. }

    98. 

  98. 

    99. 

  99. //////////////////////////

    100. 

  100. // VIEW PM'S //

    101. 

  101. //////////////////////////

    102. 

  102. 

    103. 

  103. if ($action == "viewpm")

    104. 

  104. {

    105. 

  105. 

    106. 

  106. if (get_user_class() < UC_MODERATOR)

    107. 

  107. stderr("Error", "Permission denied.");

    108. 

  108. 

    109. 

  109. $pmid = 0 + $_GET["pmid"];

    110. 

  110. 

    111. 

  111. $ress4 = mysql_query("SELECT id, subject, sender, added, msg, answeredby, answered FROM staffmessages WHERE id=$pmid");

    112. 

  112. $arr4 = mysql_fetch_assoc($ress4);

    113. 

  113. 

    114. 

  114. $answeredby = $arr4["answeredby"];

    115. 

  115. 

    116. 

  116. $rast = mysql_query("SELECT username FROM users WHERE id=$answeredby");

    117. 

  117. $arr5 = mysql_fetch_assoc($rast);

    118. 

  118. 

    119. 

  119. $senderr = "" . $arr4["sender"] . "";

    120. 

  120. 

    121. 

  121. if (is_valid_id($arr4["sender"]))

    122. 

  122. {

    123. 

  123. $res2 = mysql_query("SELECT username FROM users WHERE id=" . $arr4["sender"]) or sqlerr();

    124. 

  124. $arr2 = mysql_fetch_assoc($res2);

    125. 

  125. $sender = "<a href='userdetails.php?id=$senderr'>" . ($arr2["username"] ? $arr2["username"]:"[Deleted]") . "</a>";

    126. 

  126. }

    127. 

  127. else

    128. 

  128. $sender = "System";

    129. 

  129. 

    130. 

  130. $subject = $arr4["subject"];

    131. 

  131. 

    132. 

  132. if ($arr4["answered"] == '0') {

    133. 

  133. $answered = "<font color=red><b>No</b></font>";

    134. 

  134. }

    135. 

  135. else {

    136. 

  136. $answered = "<font color=blue><b>Yes</b></font> by <a href=userdetails.php?id=$answeredby>$arr5[username]</a> (<a href=staffbox.php?action=viewanswer&pmid=$pmid>Show Answer</a>)";

    137. 

  137. }

    138. 

  138. 

    139. 

  139. if ($arr4["answered"] == '0') {

    140. 

  140. $setanswered = "[<a href=/staffbox.php?action=setanswered&id=$arr4[id]>Mark Answered</a>]";

    141. 

  141. }

    142. 

  142. else {

    143. 

  143. $setanswered = "";

    144. 

  144. }

    145. 

  145. 

    146. 

  146. $iidee = $arr4["id"];

    147. 

  147. 

    148. 

  148. 

    149. 

  149. stdhead("Staff PM's");

    150. 

  150. print("<table class=bottom width=730 border=0 cellspacing=0 cellpadding=10><tr><td class=embedded width=700>\n");

    151. 

  151. print("<h1 align=center>Messages to staff</h1>\n");

    152. 

  152. 

    153. 

  153. $elapsed = get_elapsed_time(sql_timestamp_to_unix_timestamp($arr4["added"]));

    154. 

  154. 

    155. 

  155. print("<table width=750 border=1 cellspacing=0 cellpadding=10 style='margin-bottom: 10px'><tr><td class=text>\n");

    156. 

  156. print("From <b>$sender</b> at\n" . $arr4["added"] . " ($elapsed ago) GMT\n");

    157. 

  157. print("<br><br style='margin-bottom: -10px'><div align=left><b>Subject: <font color=darkred>$subject</b></font>

    158. 

  158. &nbsp;&nbsp;<br><b>Answered:</b> $answered&nbsp;&nbsp;$setanswered</div>

    159. 

  159. <br><table class=main width=730 border=1 cellspacing=0 cellpadding=10><tr><td class=staffpms>\n");

    160. 

  160. print(format_comment($arr4["msg"]));

    161. 

  161. print("</td></tr></table>\n");

    162. 

  162. print("<table width=730 border=0><tr><td class=embedded>\n");

    163. 

  163. print(($arr4["sender"] ? "<a href=/staffbox.php?action=answermessage&receiver=" . $arr4["sender"] . "&answeringto=$iidee><b>Reply</b></a>" : "<font class=gray><b>Reply</b></font>") .

    164. 

  164. " | <a href=/staffbox.php?action=deletestaffmessage&id=" . $arr4["id"] . "><b>Delete</b></a></td>");

    165. 

  165. 

    166. 

  166. print("</table></table>\n");

    167. 

  167. print("</table>\n");

    168. 

  168. stdfoot();

    169. 

  169. }

    170. 

  170. 

    171. 

  171. //////////////////////////

    172. 

  172. // VIEW ANSWERS //

    173. 

  173. //////////////////////////

    174. 

  174. 

    175. 

  175. if ($action == "viewanswer")

    176. 

  176. {

    177. 

  177. 

    178. 

  178. if (get_user_class() < UC_MODERATOR)

    179. 

  179. stderr("Error", "Permission denied.");

    180. 

  180. 

    181. 

  181. $pmid = 0 + $_GET["pmid"];

    182. 

  182. 

    183. 

  183. $ress4 = mysql_query("SELECT id, subject, sender, added, msg, answeredby, answered, answer FROM staffmessages WHERE id=$pmid");

    184. 

  184. $arr4 = mysql_fetch_assoc($ress4);

    185. 

  185. 

    186. 

  186. $answeredby = $arr4["answeredby"];

    187. 

  187. 

    188. 

  188. $rast = mysql_query("SELECT username FROM users WHERE id=$answeredby");

    189. 

  189. $arr5 = mysql_fetch_assoc($rast);

    190. 

  190. 

    191. 

  191. if (is_valid_id($arr4["sender"]))

    192. 

  192. {

    193. 

  193. $res2 = mysql_query("SELECT username FROM users WHERE id=" . $arr4["sender"]) or sqlerr();

    194. 

  194. $arr2 = mysql_fetch_assoc($res2);

    195. 

  195. $sender = "<a href=userdetails.php?id=" . $arr4["sender"] . ">" . ($arr2["username"]?$arr2["username"]:"[Deleted]") . "</a>";

    196. 

  196. }

    197. 

  197. else

    198. 

  198. $sender = "System";

    199. 

  199. 

    200. 

  200. if ($arr4['subject'] == "") {

    201. 

  201. $subject = "No subject";

    202. 

  202. }

    203. 

  203. 

    204. 

  204. else {

    205. 

  205. $subject = "<a style='color: darkred' href=staffbox.php?action=viewpm&pmid=$pmid>$arr4[subject]</a>";

    206. 

  206. }

    207. 

  207. 

    208. 

  208. 

    209. 

  209. $iidee = $arr4["id"];

    210. 

  210. 

    211. 

  211. if ($arr4[answer] == "") {

    212. 

  212. 

    213. 

  213. $answer = "This message has not been answered yet!";

    214. 

  214. }

    215. 

  215. 

    216. 

  216. else {

    217. 

  217. 

    218. 

  218. $answer = $arr4["answer"];

    219. 

  219. }

    220. 

  220. 

    221. 

  221. stdhead("Staff PM's");

    222. 

  222. 

    223. 

  223. print("<table class=bottom width=730 border=0 cellspacing=0 cellpadding=10><tr><td class=embedded width=700>\n");

    224. 

  224. print("<h1 align=center>Viewing Answer</h1>\n");

    225. 

  225. 

    226. 

  226. $elapsed = get_elapsed_time(sql_timestamp_to_unix_timestamp($arr4["added"]));

    227. 

  227. 

    228. 

  228. print("<table width=750 border=1 cellspacing=0 cellpadding=10 style='margin-bottom: 10px'><tr><td class=text>\n");

    229. 

  229. print("<b><a href=userdetails.php?id=$answeredby>$arr5[username]</a></b> answered this message sent by $sender");

    230. 

  230. print("<br><br style='margin-bottom: -10px'><div align=left><b>Subject: $subject</b>

    231. 

  231. &nbsp;&nbsp;<br><b>Answer:</b></div>

    232. 

  232. <br><table class=main width=730 border=1 cellspacing=0 cellpadding=10><tr><td class=staffpms>\n");

    233. 

  233. print(format_comment($answer));

    234. 

  234. 

    235. 

  235. print("</td></tr></table>\n");

    236. 

  236. print("</table>\n");

    237. 

  237. print("</table>\n");

    238. 

  238. 

    239. 

  239. stdfoot();

    240. 

  240. }

    241. 

  241. 

    242. 

  242. 

    243. 

  243. //////////////////////////

    244. 

  244. // ANSWER MESSAGE //

    245. 

  245. //////////////////////////

    246. 

  246. 

    247. 

  247. if ($action == "answermessage") {

    248. 

  248. 

    249. 

  249. if (get_user_class() < UC_MODERATOR)

    250. 

  250. stderr("Error", "Permission denied");

    251. 

  251. 

    252. 

  252. $answeringto = $_GET["answeringto"];

    253. 

  253. $receiver = 0 + $_GET["receiver"];

    254. 

  254. 

    255. 

  255. if (!is_valid_id($receiver))

    256. 

  256. die;

    257. 

  257. 

    258. 

  258. $res = mysql_query("SELECT * FROM users WHERE id=$receiver") or die(mysql_error());

    259. 

  259. $user = mysql_fetch_assoc($res);

    260. 

  260. 

    261. 

  261. if (!$user)

    262. 

  262. stderr("Error", "No user with that ID.");

    263. 

  263. 

    264. 

  264. $res2 = mysql_query("SELECT * FROM staffmessages WHERE id=$answeringto") or die(mysql_error());

    265. 

  265. $array = mysql_fetch_assoc($res2);

    266. 

  266. 

    267. 

  267. stdhead("Answer to Staff PM", false);

    268. 

  268. ?>

    269. 

  269. <table class=main width=450 border=0 cellspacing=0 cellpadding=0><tr><td class=embedded>

    270. 

  270. <div align=center>

    271. 

  271. <h2>Answering to <a href=/staffbox.php?action=viewpm&pmid=<?=$array['id']?>><i><?=$array["subject"]?></i></a> sent by <i><?=$user["username"]?></i></h2>

    272. 

  272. 

    273. 

  273. <form method=post name=message action=?action=takeanswer>

    274. 

  274. <? if ($_GET["returnto"] || $_SERVER["HTTP_REFERER"]) { ?>

    275. 

  275. <? } ?>

    276. 

  276. <table class=message cellspacing=0 cellpadding=5>

    277. 

  277. <tr><td colspan=2>

    278. 

  278. <?

    279. 

  279. textbbcode("message","msg","$body");

    280. 

  280. ?></td></tr>

    281. 

  281. <tr>

    282. 

  282. <tr><td<?=$replyto?" colspan=2":""?> align=center><input type=submit value="Send it!" class=btn></td></tr>

    283. 

  283. </table>

    284. 

  284. <input type=hidden name=receiver value=<?=$receiver?>>

    285. 

  285. <input type=hidden name=answeringto value=<?=$answeringto?>>

    286. 

  286. </form>

    287. 

  287. </div></td></tr></table>

    288. 

  288. 

    289. 

  289. <?

    290. 

  290. stdfoot();

    291. 

  291. }

    292. 

  292. 

    293. 

  293. //////////////////////////

    294. 

  294. // TAKE ANSWER //

    295. 

  295. //////////////////////////

    296. 

  296. 

    297. 

  297. 

    298. 

  298. if ($action == "takeanswer") {

    299. 

  299. 

    300. 

  300. 

    301. 

  301. if ($HTTP_SERVER_VARS["REQUEST_METHOD"] != "POST")

    302. 

  302. stderr("Error", "Method");

    303. 

  303. 

    304. 

  304. if (get_user_class() < UC_MODERATOR)

    305. 

  305. stderr("Error", "Permission denied");

    306. 

  306. 

    307. 

  307. $receiver = 0 + $_POST["receiver"];

    308. 

  308. $answeringto = $_POST["answeringto"];

    309. 

  309. 

    310. 

  310. if (!is_valid_id($receiver))

    311. 

  311. stderr("Error","Invalid ID");

    312. 

  312. 

    313. 

  313. $userid = $CURUSER["id"];

    314. 

  314. 

    315. 

  315. $msg = trim($_POST["msg"]);

    316. 

  316. 

    317. 

  317. $message = sqlesc($msg);

    318. 

  318. 

    319. 

  319. $added = "'" . get_date_time() . "'";

    320. 

  320. 

    321. 

  321. if (!$msg)

    322. 

  322. stderr("Error","Please enter something!");

    323. 

  323. 

    324. 

  324. mysql_query("INSERT INTO messages (poster, sender, receiver, added, msg) VALUES($userid, $userid, $receiver, $added, $message)") or sqlerr(__FILE__, __LINE__);

    325. 

  325. 

    326. 

  326. mysql_query("UPDATE staffmessages SET answer=$message WHERE id=$answeringto") or sqlerr(__FILE__, __LINE__);

    327. 

  327. 

    328. 

  328. mysql_query("UPDATE staffmessages SET answered='1', answeredby='$userid' WHERE id=$answeringto") or sqlerr(__FILE__, __LINE__);

    329. 

  329. 

    330. 

  330. header("Location: staffbox.php?action=viewpm&pmid=$answeringto");

    331. 

  331. die;

    332. 

  332. }

    333. 

  333. //////////////////////////

    334. 

  334. // DELETE STAFF MESSAGE //

    335. 

  335. //////////////////////////

    336. 

  336. 

    337. 

  337. if ($action == "deletestaffmessage") {

    338. 

  338. 

    339. 

  339. $id = 0 + $_GET["id"];

    340. 

  340. 

    341. 

  341. if (!is_numeric($id) || $id < 1 || floor($id) != $id)

    342. 

  342. die;

    343. 

  343. 

    344. 

  344. if (get_user_class() < UC_MODERATOR)

    345. 

  345. stderr("Error", "Permission denied.");

    346. 

  346. 

    347. 

  347. mysql_query("DELETE FROM staffmessages WHERE id=" . sqlesc($id)) or die();

    348. 

  348. 

    349. 

  349. header("Location: $BASEURL/staffbox.php");

    350. 

  350. }

    351. 

  351. 

    352. 

  352. //////////////////////////

    353. 

  353. // MARK AS ANSWERED //

    354. 

  354. //////////////////////////

    355. 

  355. 

    356. 

  356. if ($action == "setanswered") {

    357. 

  357. 

    358. 

  358. if (get_user_class() < UC_MODERATOR)

    359. 

  359. stderr("Error", "Permission denied.");

    360. 

  360. 

    361. 

  361. $id = 0 + $_GET["id"];

    362. 

  362. 

    363. 

  363. mysql_query ("UPDATE staffmessages SET answered=1, answeredby = $CURUSER[id] WHERE id = $id") or sqlerr();

    364. 

  364. 

    365. 

  365. header("Refresh: 0; url=staffbox.php?action=viewpm&pmid=$id");

    366. 

  366. }

    367. 

  367. 

    368. 

  368. //////////////////////////

    369. 

  369. // MARK AS ANSWERED #2 //

    370. 

  370. //////////////////////////

    371. 

  371. 

    372. 

  372. if ($action == "takecontactanswered") {

    373. 

  373. 

    374. 

  374. if (get_user_class() < UC_MODERATOR)

    375. 

  375. stderr("Error", "Permission denied.");

    376. 

  376. 

    377. 

  377. $res = mysql_query ("SELECT id FROM staffmessages WHERE answered=0 AND id IN (" . implode(", ", $_POST[setanswered]) . ")");

    378. 

  378. 

    379. 

  379. while ($arr = mysql_fetch_assoc($res))

    380. 

  380. mysql_query ("UPDATE staffmessages SET answered=1, answeredby = $CURUSER[id] WHERE id = $arr[id]") or sqlerr();

    381. 

  381. 

    382. 

  382. header("Refresh: 0; url=staffbox.php");

    383. 

  383. }

    384. 

  384. 

    385. 

  385. ?>
    386.