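<?php
# GPLv3 - http://www.gnu.org/copyleft/gpl.html
# By Melissa Draper melissa@meldraweb.com
#
# index.php - vote submission page.
#   GET  : render the ballot (one <select> per row of `questions`, an optional
#          favourite picker and an email field).
#   POST : record the voter, store the ballot as rows in `prevote` keyed by a
#          fresh confirmation token, and email that token to the voter. The
#          ballot only counts once token.php is visited (not in this file).
#
# NOTE(review): $con (mysql link) and $conf (poll settings) are not defined in
# this file, and includes/rfc3696.php is the only include visible here, so a
# bootstrap/config file is presumably loaded before this page (auto_prepend or
# similar). Every mysql_* call below relies on that default link - confirm.
#
# Hardening in this revision (page behaviour otherwise unchanged):
#  - every value placed in SQL is escaped or cast. Previously only the email
#    was escaped; $_POST['fave'] and $_POST['voteN'] went into INSERT
#    statements verbatim (SQL injection).
#  - a per-question vote is stored as exactly 0 or 1 and the favourite must be
#    the id of a question that was just listed, so a hand-crafted POST can no
#    longer stuff "+1000" into prevote_value or point at an arbitrary id.
#    Choosing "None" used to insert the literal string 'None' as a question_id;
#    it is now skipped.
#  - the confirmation token comes from a CSPRNG where one is available;
#    md5(microtime() . rand()) was guessable, and guessing a token is exactly
#    what confirms a vote.
#  - the connection charset is set before mysql_real_escape_string() runs
#    (SET NAMES alone does not make the escaping charset-aware) and is set
#    for the GET branch too, so the page is served consistently as UTF-8.
#  - the email is HTML-escaped before being echoed back (reflected XSS) and
#    DB-sourced filenames/author names are escaped where they land in markup.
#  - a trailing SELECT loop over `votes` that produced nothing was removed.
# Still open, deliberately not changed here: the form carries no CSRF token
# (the emailed confirmation is the only cross-site protection); the duplicate
# check is check-then-insert, so a UNIQUE index on voter.email is the real
# guard; die(mysql_error()) echoes DB internals to the browser - log instead;
# and "has already voted" confirms which addresses took part.

#pull in other includes
include_once('includes/rfc3696.php');

# Make the connection charset known to both the server and the client library
# before any query or escaping happens. mysql_set_charset() is what informs
# mysql_real_escape_string(); the SET statements are kept for servers/PHP
# builds where it is unavailable.
if (function_exists('mysql_set_charset')) {
    mysql_set_charset('utf8');
}
mysql_query("SET CHARACTER SET utf8");
mysql_query("SET NAMES utf8");

if ( ! empty($_POST) ) {

    #insert votes

    #make a record of the voter so we can prevent recidivist voting
    #get the ip address (server-supplied, but it goes into SQL, so escape it too)
    $host = mysql_real_escape_string(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '');

    #and email so we can try prevent fraud
    # $email_raw is the value as typed (for mail() and for display, escaped);
    # $email is the SQL-escaped form and is only ever used inside queries.
    $email_raw = (isset($_POST['email']) && is_string($_POST['email'])) ? $_POST['email'] : '';
    $email = mysql_real_escape_string($email_raw); //no SQL injection here thanks

    # Has this address already voted? Two concurrent POSTs can both pass this
    # check - see the header note about a UNIQUE index on voter.email.
    $result = mysql_query("SELECT 1 FROM voter WHERE email = '$email' LIMIT 1")
        or die('Could not select question data: '  . mysql_error());

    if ( mysql_num_rows($result) > 0 ) {
        # Echo the typed value, HTML-escaped - the SQL-escaped copy belongs in queries only.
        echo "The address '" . htmlspecialchars($email_raw, ENT_QUOTES, 'UTF-8') . "' has already voted.";
        die();
    }

    # RFC 3696 syntax check, plus an explicit CR/LF rejection so the address
    # can never smuggle extra headers into mail() below.
    if ( is_rfc3696_valid_email_address($email_raw) && ! preg_match('/[\r\n]/', $email_raw) ) {

        #insert voter details
        mysql_query("INSERT INTO voter (iphost, email)
        VALUES ('$host', '$email')") or die('Could not insert voter info: ' . mysql_error());

        $result = mysql_query("SELECT * FROM questions")
            or die('Could not select data: '  . mysql_error());

        # Confirmation token: 32 hex characters (same shape as the old md5()
        # token, so the prevote_token column still fits) from the best RNG
        # available. Being pure hex it is safe to interpolate into SQL/URLs.
        $token = null;
        if (function_exists('random_bytes')) {                          // PHP 7+
            $token = bin2hex(random_bytes(16));
        } elseif (function_exists('openssl_random_pseudo_bytes')) {     // PHP 5 + openssl
            $strong = false;
            $bytes = openssl_random_pseudo_bytes(16, $strong);
            if ($bytes !== false && $strong) {
                $token = bin2hex($bytes);
            }
        }
        if ($token === null) {
            // Fallback only: not cryptographically strong, but not plain rand() either.
            $token = md5(uniqid(mt_rand(), true) . microtime(true));
        }

        $to = $email_raw;
        $subject = "Your World Play Day 2010 Photo Competition Vote";
        $message = "Hello!\n\nYour voting token is: " . $token . "\n\nYou *must* visit:\n\nhttp://".$conf['poll_site']."/token.php?token=" . $token . "\n\nto complete your vote.\n\nThanks!";
        $from = "no-reply@elkbuntu.net";
        $headers = "From: $from";
        mail($to,$subject,$message,$headers);

        # One prevote row per question. The form offers exactly "1" (+1) or
        # "0" (+0); anything else - missing, junk, an array - is stored as 0.
        # The ids seen here are also what the favourite below is checked against.
        $i = 1;
        $question_ids = array();
        while ( $row = mysql_fetch_array($result) ) {

            $field = 'vote' . $i;
            $vote_value = (isset($_POST[$field]) && $_POST[$field] === '1') ? 1 : 0;
            $question_id = (int) $row['question_id'];
            $question_ids[] = $question_id;

            mysql_query("INSERT INTO prevote (question_id, prevote_value, prevote_token)
                VALUES ('$question_id', '$vote_value', '$token')") or die('Could not insert vote answers: ' . mysql_error());

            $i++;

        }

        # Optional favourite: must be a positive integer naming one of the
        # questions just listed. "None" (empty value) is simply skipped.
        $fave_id = 0;
        if ( isset($_POST['fave']) && is_string($_POST['fave']) && ctype_digit($_POST['fave']) ) {
            $fave_id = (int) $_POST['fave'];
        }
        if ( $fave_id > 0 && in_array($fave_id, $question_ids, true) ) {
            mysql_query("INSERT INTO prevote (question_id, prevote_value, prevote_token)
                VALUES ('$fave_id', '1', '$token')") or die('Could not insert vote answers: ' . mysql_error());
        }

        #announce the success
        echo "Thanks for voting. Your confirmation token will appear in the inbox of the email you gave us.<br/>You <b>MUST</b> follow the instructions to make your vote count!";

    } else {

        echo "Unsatisfactory email offering. Vote failed!";

    }

} else {

    $result = mysql_query("SELECT * FROM questions")
        or die('Could not select question data: '  . mysql_error());

    $voteitems = null;
    $i = 1;

    # value="" so that "None" posts an empty string rather than the literal
    # word "None" (which the POST branch used to store as a question_id).
    $fave = '(optional) My absolute favourite is: <select name="fave"><option value="">None</option>';

    while ( $row = mysql_fetch_array($result) ) {

        # Author names come from the DB and are placed in element bodies - escape.
        $author = htmlspecialchars($row['question_author'], ENT_QUOTES, 'UTF-8');

        # NOTE(review): file_exists() is evaluated relative to the working
        # directory while the links point under pics/ - presumably question_text
        # holds a name that resolves in both places; confirm. Whatever it holds
        # came from the DB, so it is escaped before landing inside an attribute.
        if (file_exists($row['question_text'])) {
            $file = htmlspecialchars($row['question_text'], ENT_QUOTES, 'UTF-8');
            $content = '<a href="pics/full/' . $file . '"><img src="pics/thumbs/' . $file . '"></a>';
        } else {
            # NOTE(review): emitted unescaped, as before - only acceptable if
            # whoever populates `questions` is trusted to write markup.
            $content = $row['question_text'];
        }

        $voteitems .= '<div class="item"><div class="itemtitle">Photo #' . $i . ':</div><div class="itemauthor">' . $author . '</div><div class="itembody">' . $content . '</div><div class="itemvote"><select name="vote' . $i . '"><option value="0">Please choose:</option><option value="1">I like this photo (+1)</option><option value="0">I do not like this photo (+0)</option></select></div></div><br/>';
        $fave .= '<option value="' . (int) $row['question_id'] . '">' . $author . '</option>';
        $i++;

    }

    $fave .= '</select><br/><br/>';

    # NOTE(review): no CSRF token on this form; a third-party page can submit
    # it on a visitor's behalf (the emailed confirmation then limits the damage).
    $voteaudit = 'Please sign with your email address:
            <input type="text" name="email" /><br/>
            <span style="font-style:italic; color:#666;">We hate spam and love privacy; this is for vote authorisation and private auditing purposes only.</span><br/>
            <input type="submit" value="Submit" />';

}

#close off mysql connection
mysql_close($con);

?>

<html>
    <head>
        <title><?php echo $conf['poll_name']; ?></title>
        <link rel="stylesheet" type="text/css" href="style.css" />
    </head>
    <body>
        <?php echo $conf['poll_intro']; ?>

        <form name="input" action="index.php" method="post">

            <?php if ( ! empty($voteitems) ) { echo $voteitems; } ?>

            <?php if ( ! empty($fave) && $conf['fave_status'] == 'active') { echo $fave; } ?>

            <?php if ( ! empty($voteaudit) ) { echo $voteaudit; } ?>

        </form>
    </body>
</html>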