barbass: перевл на PDO. добавил проверку всех данных на стороне сервера + try/catch

b24b90d3 · Владислав Большаков · 52bb0536 · b24b90d3 · b24b90d3 · b24b90d3
Commit b24b90d3 authored Apr 27, 2012 by Владислав Большаков
Hide whitespace changes
Inline Side-by-side

Showing with 113 additions and 55 deletions

configuration.php configuration.php +0 -2

etersoft_typos.js etersoft_typos.js +7 -4

server.php server.php +106 -49

No files found.
--- a/configuration.php
+++ b/configuration.php
@@ -18,5 +18,3 @@ $mosConfig_smtpuser = '';
 $mosConfig_smtppass = '';
 $mosConfig_smtphost = 'localhost';

-
-?>
--- a/etersoft_typos.js
+++ b/etersoft_typos.js
@@ -41,7 +41,7 @@ function e_typos_close()  {
 function e_typos_post_data()  {
 	var this_url = window.location.href; //Текущая страница
 	var select_text = String(window.getSelection()).trim(); //Выделенный текст
-	var user_email = document.getElementById("e_typos_email").value.trim();
+	var user_email = document.getElementById("e_typos_email").value.trim().substr(0, 50);
 		if  (user_email == '')  {
 			user_email = "";
 		}  else  {
@@ -63,7 +63,7 @@ function e_typos_post_data()  {
 		e_typos_error("red", "Выделенный текст слишком длинный");
 	}  else  {
 		//Ajax-запрос
-		ajax_query("http://barbass.sandbox.eterhost.ru/typos/server.php"+"?url="+this_url+"&email="+user_email+"&comment="+user_comment+"&error_text="+select_text);	
+		ajax_query("http://barbass.pubsandbox.eterhost.ru/typos/server.php"+"?url="+this_url+"&email="+user_email+"&comment="+user_comment+"&error_text="+select_text);	
 	}
 	
 }
@@ -102,16 +102,19 @@ function ajax_query(url)  {
 			case '10siteerror': 
 				e_typos_error("red", "Данный сайт не поддерживается");
 				break;
-			case '10servererror': 
+			case '10emailerror': 
 				e_typos_error("red", "Сервер не смог отправить письмо");
 				break;
 			case '10win': 
 				e_typos_error("green", "Спасибо за ваше внимание");
-				window.setTimeout('e_typos_close()', 2500);
+				window.setTimeout('e_typos_close()', 2000);
 				break;
 			case '10inserterror': 
 				e_typos_error("red", "Ошибка добавления данных");
 				break;
+			case '10servererror': 
+				e_typos_error("red", "На сервере произошла ошибка");
+				break;
 			default:
 				e_typos_error("red", "На сервере произошла ошибка");
 				break;

--- a/server.php
+++ b/server.php
@@ -3,15 +3,26 @@
 *	@author: barbass@etersoft.ru
 * 	date: 2012-04-24
 */
+	header('Access-Control-Allow-Origin: *');
 	
-	defined( '_ACCESS' );
+	$db_name = 'barbass_typos';
+	$db_host = 'localhost';
+	$db_user = 'barbass';
+	$db_pass = 'fKrfQRhrQ9CeCY5F';
+	/*defined( '_ACCESS' );
 	define('_VALID_MOS',1);
 	require_once('configuration.php');
 	require_once('minimambo.php');
-	require_once('database.php');
-	header('Access-Control-Allow-Origin: *');
+	require_once('database.php');*/
+	//$database  = new database($config_db_host,$config_db_user,$config_db_pass,$config_db_name,'');

-$database  = new database($config_db_host,$config_db_user,$config_db_pass,$config_db_name,'');
+try  {
+	$DBH = new PDO("mysql:host=$db_host;dbname=$db_name", $db_user, $db_pass);
+}  catch  (PDOException $e)  {
+	$ajax_mess = "10servererror";
+	echo ($ajax_mess);
+	exit;
+}

 ////////////////////////////////////////////////////////////////////////
 //Проверка данных
@@ -30,20 +41,32 @@ if  (check_header() === 0 || get_ip() === 0)  {
 	if  (!isset($_REQUEST['email']))  {
 		$email = '';
 	}  else  {
-		$email = trim(htmlspecialchars(mysql_real_escape_string(substr($_REQUEST['email'],0,100))));
+		$email = trim(htmlspecialchars(substr($_REQUEST['email'], 0, 50)));
+		if  ($email != '')  {
+			if  (!preg_match("/^([a-z0-9_-]+\.)*[a-z0-9_-]+@[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z]{2,4}$/", $email))  {
+				$ajax_mess = "10dataerror";
+				echo ($ajax_mess);
+				exit;
+			}
+		}
 	}
 	if  (!isset($_REQUEST['comment']))  {
 		$comment = '';
 	}  else  {
-		$comment = trim(htmlspecialchars(mysql_real_escape_string(substr($_REQUEST['comment'],0,100))));
+		$comment = trim(htmlspecialchars(substr($_REQUEST['comment'], 0, 50)));
 	}
 	
-	$url = trim(htmlspecialchars(mysql_real_escape_string(substr($_REQUEST['url'],0,100))));
-	$error_text = trim(htmlspecialchars(mysql_real_escape_string(substr($_REQUEST['error_text'],0,100))));
-	
+	$url = trim(htmlspecialchars(substr($_REQUEST['url'], 0, 300)));
+	$error_text = trim(htmlspecialchars(substr($_REQUEST['error_text'], 0, 30)));

-$mas_url = parse_url($url);
-	if  ($url == '' || $error_text == '')  {
+	if  ($url == '' || $error_text == '' || strlen($error_text) < 5)  {
+		$ajax_mess = "10dataerror";
+		echo ($ajax_mess);
+		exit;
+	}
+
+	$mas_url = parse_url($url);
+	if  (!isset($mas_url['host']))  {
 		$ajax_mess = "10dataerror";
 		echo ($ajax_mess);
 		exit;
@@ -55,52 +78,85 @@ $mas_url = parse_url($url);

 ////////////////////////////////////////////////////////////////////////
 //Достаем номер сайта ?нужно ли? и емайлы пользователей
-$query_emails = "SELECT DISTINCT s.id AS site, u.email AS email
-			FROM sites AS s
-			JOIN users AS u
-			JOIN responsible AS r ON r.id_site = s.id
-			WHERE site = '".$mas_url["host"]."' AND r.status = '1' ";
-
-	$database->setQuery($query_emails);
-    $email_users = $database->loadAssocList();
-    
-if  (count($email_users)  != 0)  {
-	$query_insert = "INSERT INTO messages (id, id_site, link, error_text, email, comment, datetime, status) VALUES('NULL','".$email_users[0]['site']."','".$url."','".$error_text."','".$email."','".$comment."',DATE_FORMAT(NOW(), '%Y-%m-%d %H:%i:%s'),0)";
-	$database->setQuery($query_insert);
-	$res=$database->query();
-	if  (isset($res))  {
-		if  ($url == '')  		{$url = 'Пользователь не оставил email';}
-		if  ($comment == '')  	{$comment = 'Пользователь не оставил комментарий';}
-		
-		$message_email = "<p>Сайт: ".$mas_url["host"]."</p>";
-		$message_email .= "<p>Ссылка: <a href=$url>нажмите</a>"." (".$url.")"."</p>";
-		$message_email .= "<p>Текст с опечаткой: ".$error_text."</p>";
-		$message_email .= "<p>email пользователя: ".$email."</p>";
-		$message_email .= "<p>Комментарий: ".$comment."</p>";
-		
-		$subject = '=?utf-8?B?'.base64_encode("Сообщение об опечатке").'?=';
-		//$subject = mb_decode_mimeheader("Сообщение об опечатке");
-	/*FIXED !!!!!!!!*/	$to = $email; //to_email($email_users);
-		$from_email = "typos@etersoft.ru";
-		$from_name = '=?utf-8?B?'.base64_encode("Служба опечаток Etersoft").'?=';
-
-		$result = sendmail($subject, $message_email, $to, $from_email, $from_name, 'html');
-		if  ($result == 0)  {
-			$ajax_mess = "10servererror";
-			echo ($ajax_mess);
-		}  else  {
-			$ajax_mess = "10win";
-			echo ($ajax_mess);
+try  {
+	$query_emails =  "SELECT r.id_site AS site, u.email AS email
+						FROM users AS u, responsible AS r
+						WHERE u.id  IN (
+									SELECT r.id
+									FROM responsible AS r
+									JOIN sites AS s
+									WHERE s.site = ?
+									AND r.id_site = s.id
+									AND r.status = '1')
+						AND r.id_user=u.id";
+	$STH = $DBH->prepare($query_emails);
+	$STH->execute(array($mas_url["host"]));
+	if  ($STH->rowCount() != 0)  {
+		$i = 0;
+		while  ($row = $STH->fetch(PDO::FETCH_ASSOC))  {
+			$email_users[$i]['site'] = $row['site'];
+			$email_users[$i]['email'] = $row['email'];
+			$i++;
 		}
 	}  else  {
+		$email_users = 0;
+	}
+}  catch  (PDOException $e)  {
+	$ajax_mess = "10servererror";
+	echo  ($ajax_mess);
+	exit;
+}   
+if  (count($email_users) != 0)  {
+	try  {
+		$data = array('NULL', $email_users[0]['site'], $url, $error_text, $email, $comment, 0);
+		$STH = $DBH->prepare("INSERT INTO messages (id, id_site, link, error_text, email, comment, datetime, status) VALUES (?, ?, ?, ?, ?, ?, DATE_FORMAT(NOW(), '%Y-%m-%d %H:%i:%s'), ?)");
+		$STH->execute($data);
+	}  catch  (PDOException $e)  {
 		$ajax_mess = "10inserterror";
 		echo ($ajax_mess);
+		exit;
+	}
+	
+	if  ($email == '')  {
+		$email = 'Пользователь не оставил e-mail';
+	}
+	if  ($comment == '')  {
+		$comment = 'Пользователь не оставил комментарий';
+	}
+	
+	$message_email = "<p>Сайт: ".$mas_url["host"]."</p>";
+	$message_email .= "<p>Ссылка: <a href=$url>нажмите</a>"." (".$url.")"."</p>";
+	$message_email .= "<p>Текст с опечаткой: ".$error_text."</p>";
+	$message_email .= "<p>e-mail пользователя: ".$email."</p>";
+	$message_email .= "<p>Комментарий: ".$comment."</p>";
+		
+	$subject = '=?utf-8?B?'.base64_encode("Сообщение об опечатке").'?=';
+
+	/*FIXED !!!!!!!!*/	
+	$to = /*$email; //*/to_email($email_users);
+	/*FIXED какая почта?*/
+	$from_email = "typos@etersoft.ru";
+	$from_name = '=?utf-8?B?'.base64_encode("Служба опечаток Etersoft").'?=';
+
+	$result = sendmail($subject, $message_email, $to, $from_email, $from_name, 'html');
+	if  ($result == 0)  {
+		$ajax_mess = "10emailerror";
+		echo ($ajax_mess);
+		exit;
+	}  else  {
+		$ajax_mess = "10win";
+		echo ($ajax_mess);
+		exit;
 	}
 }  else  {
 	$ajax_mess = "10siteerror";
 	echo ($ajax_mess);
+	exit;
 }

+////////////////////////////////////////////////////////////////////////
+//Вспомогательные функции\\
+
 //Отправка email-ов
 function sendmail($subject,$body, $to, $from_email, $from_name, $type = 'plain')  {
 	$headers = "X-PHP-Script: ".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]." for ".$_SERVER['SERVER_ADDR']."\r\n";
@@ -113,7 +169,7 @@ function sendmail($subject,$body, $to, $from_email, $from_name, $type = 'plain')
 	$headers .= "X-Mailer: Automatic PHP Script\r\n";
 	$headers .= "From:".$from_name."<".$from_email.">\r\n";

-	if  (mail($to,$subject,$body,$headers))  {
+	if  (mail($to, $subject, $body, $headers))  {
 		return 1;
 	}  else  {
 		return 0;
@@ -133,6 +189,7 @@ function to_email($data)  {
 	return $to;
 }

+//Проверяем хэдеры на "человечость"
 function check_header()  {
 	if  ( ($_SERVER['HTTP_ACCEPT'] == '')  ||
 			($_SERVER['HTTP_ACCEPT_ENCODING'] == '') ||    
@@ -142,9 +199,9 @@ function check_header()  {
 	}  else  {
 		return 1;
 	}
-	
 }

+//Проверяем ip
 function get_ip()  {
 	if (!empty($_SERVER['HTTP_CLIENT_IP']))  {
        $ip = $_SERVER['HTTP_CLIENT_IP'];