opt(); session_start(); if (!isset($_SESSION["userid"])) { header("Location: " . getFullPath("login.php")); exit; } else { $userid = $_SESSION["userid"]; } // for security, let's make sure that if an itemid was passed in, it belongs // to $userid. all operations on this page should only be performed by // the item's owner. if (isset($_REQUEST["itemid"]) && $_REQUEST["itemid"] != "") { try { $stmt = $smarty->dbh()->prepare("SELECT * FROM {$opt["table_prefix"]}items WHERE userid = ? AND itemid = ?"); $stmt->bindParam(1, $userid, PDO::PARAM_INT); $stmt->bindValue(2, (int) $_REQUEST["itemid"], PDO::PARAM_INT); $stmt->execute(); if (!$stmt->fetch()) { die("Nice try! (That's not your item.)"); } } catch (PDOException $e) { die("sql exception: " . $e->getMessage()); } } $action = ""; if (!empty($_REQUEST["action"])) { $action = $_REQUEST["action"]; if ($action == "insert" || $action == "update") { /* validate the data. */ $description = trim($_REQUEST["description"]); $price = str_replace(",","",trim($_REQUEST["price"])); $source = trim($_REQUEST["source"]); $url = trim($_REQUEST["url"]); $category = trim($_REQUEST["category"]); $ranking = $_REQUEST["ranking"]; $comment = $_REQUEST["comment"]; $quantity = (int) $_REQUEST["quantity"]; $haserror = false; if ($description == "") { $haserror = true; $description_error = "A description is required."; } if ($price == "" || !preg_match("/^\d*(\.\d{2})?$/i",$price)) { $haserror = true; $price_error = "Price format is not valid.
Price is required and must be a number, either accurate or approximate.
Do not enter the currency symbol."; } if ($source == "") { $haserror = true; $source_error = "A source is required (i.e., where it can be purchased)."; } if ($url != "" && !preg_match("/^http(s)?:\/\/([^\/]+)/i",$url)) { $haserror = true; $url_error = "A well-formed URL is required in the format http://www.somesite.net/somedir/somefile.html."; } if ($ranking == "") { $haserror = true; $ranking_error = "A ranking is required."; } if ($quantity == "" || (int) $quantity < 1) { $haserror = true; $quantity_error = "A positive quantity is required."; } } if (isset($haserror) && !$haserror && isset($_REQUEST["image"])) { if ($_REQUEST["image"] == "remove" || $_REQUEST["image"] == "replace") { deleteImageForItem((int) $_REQUEST["itemid"], $smarty->dbh(), $smarty->opt()); } if ($_REQUEST["image"] == "upload" || $_REQUEST["image"] == "replace") { /* TODO: verify that it's an image using $_FILES["imagefile"]["type"] */ // what's the extension? $parts = pathinfo($_FILES["imagefile"]["name"]); $uploaded_file_ext = $parts['extension']; // what is full path to store images? get it from the currently executing script. $parts = pathinfo($_SERVER["SCRIPT_FILENAME"]); $upload_dir = $parts['dirname']; // generate a temporary file in the configured directory. $temp_name = tempnam($upload_dir . "/" . $opt["image_subdir"],""); // unlink it, we really want an extension on that. unlink($temp_name); // here's the name we really want to use. full path is included. $image_filename = $temp_name . "." . $uploaded_file_ext; // move the PHP temporary file to that filename. move_uploaded_file($_FILES["imagefile"]["tmp_name"],$image_filename); // the name we're going to record in the DB is the filename without the path. $image_base_filename = basename($image_filename); } } if ($action == "delete") { try { /* find out if this item is bought or reserved. */ $stmt = $smarty->dbh()->prepare("SELECT a.userid, a.quantity, a.bought, i.description FROM {$opt["table_prefix"]}allocs a LEFT OUTER JOIN {$opt["table_prefix"]}items i ON i.itemid = a.itemid WHERE a.itemid = ?"); $stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT); $stmt->execute(); $description = ""; // need this outside of the while block. while ($row = $stmt->fetch()) { $buyerid = $row["userid"]; $quantity = $row["quantity"]; $bought = $row["bought"]; $description = $row["description"]; // need this for descriptions. if ($buyerid != null) { sendMessage($userid, $buyerid, "$description that you " . (($bought == 1) ? "bought" : "reserved") . " $quantity of for {$_SESSION["fullname"]} has been deleted. Check your reservation/purchase to ensure it's still needed.", $smarty->dbh(), $smarty->opt()); } } deleteImageForItem((int) $_REQUEST["itemid"], $smarty->dbh(), $smarty->opt()); $stmt = $smarty->dbh()->prepare("DELETE FROM {$opt["table_prefix"]}items WHERE itemid = ?"); $stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT); $stmt->execute(); // TODO: are we leaking allocs records here? stampUser($userid, $smarty->dbh(), $smarty->opt()); processSubscriptions($userid, $action, $description, $smarty->dbh(), $smarty->opt()); header("Location: " . getFullPath("index.php?message=Item+deleted.")); exit; } catch (PDOException $e) { die("sql exception: " . $e->getMessage()); } } else if ($action == "edit") { $stmt = $smarty->dbh()->prepare("SELECT description, price, source, category, url, ranking, comment, quantity, image_filename FROM {$opt["table_prefix"]}items WHERE itemid = ?"); $stmt->bindValue(1, (int) $_REQUEST["itemid"], PDO::PARAM_INT); $stmt->execute(); if ($row = $stmt->fetch()) { $description = $row["description"]; $price = number_format($row["price"],2,".",","); $source = $row["source"]; $url = $row["url"]; $category = $row["category"]; $ranking = $row["ranking"]; $comment = $row["comment"]; $quantity = (int) $row["quantity"]; $image_filename = $row["image_filename"]; } } else if ($action == "add") { $description = ""; $price = 0.00; $source = ""; $url = ""; $category = NULL; $ranking = NULL; $comment = ""; $quantity = 1; $image_filename = ""; } else if ($action == "insert") { if (!$haserror) { $stmt = $smarty->dbh()->prepare("INSERT INTO {$opt["table_prefix"]}items(userid,description,price,source,category,url,ranking,comment,quantity" . ($image_base_filename != "" ? ",image_filename" : "") . ") " . "VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?" . ($image_base_filename != "" ? ", ?)" : ")")); $stmt->bindParam(1, $userid, PDO::PARAM_INT); $stmt->bindParam(2, $description, PDO::PARAM_STR); $stmt->bindParam(3, $price); $stmt->bindParam(4, $source, PDO::PARAM_STR); $stmt->bindParam(5, $category, PDO::PARAM_INT); $stmt->bindParam(6, $url, PDO::PARAM_STR); $stmt->bindParam(7, $ranking, PDO::PARAM_INT); $stmt->bindParam(8, $comment, PDO::PARAM_STR); $stmt->bindParam(9, $quantity, PDO::PARAM_INT); if ($image_base_filename != "") { $stmt->bindParam(10, $image_base_filename, PDO::PARAM_STR); } $stmt->execute(); stampUser($userid, $smarty->dbh(), $smarty->opt()); processSubscriptions($userid, $action, $description, $smarty->dbh(), $smarty->opt()); header("Location: " . getFullPath("index.php")); exit; } } else if ($action == "update") { if (!$haserror) { // TODO: if the quantity is updated, send a message to everyone who has an allocation for it. $stmt = $smarty->dbh()->prepare("UPDATE {$opt["table_prefix"]}items SET " . "description = ?, " . "price = ?, " . "source = ?, " . "category = ?, " . "url = ?, " . "ranking = ?, " . "comment = ?, " . "quantity = ? " . ($image_base_filename != "" ? ", image_filename = ? " : "") . "WHERE itemid = ?"); $stmt->bindParam(1, $description, PDO::PARAM_STR); $stmt->bindParam(2, $price); $stmt->bindParam(3, $source, PDO::PARAM_STR); $stmt->bindParam(4, $category, PDO::PARAM_INT); $stmt->bindParam(5, $url, PDO::PARAM_STR); $stmt->bindParam(6, $ranking, PDO::PARAM_INT); $stmt->bindParam(7, $comment, PDO::PARAM_STR); $stmt->bindParam(8, $quantity, PDO::PARAM_INT); if ($image_base_filename != "") { $stmt->bindParam(9, $image_base_filename, PDO::PARAM_STR); $stmt->bindValue(10, (int) $_REQUEST["itemid"], PDO::PARAM_INT); } else { $stmt->bindValue(9, (int) $_REQUEST["itemid"], PDO::PARAM_INT); } $stmt->execute(); stampUser($userid, $smarty->dbh(), $smarty->opt()); processSubscriptions($userid, $action, $description, $smarty->dbh(), $smarty->opt()); header("Location: " . getFullPath("index.php")); exit; } } else { echo "Unknown verb."; exit; } } $stmt = $smarty->dbh()->prepare("SELECT categoryid, category FROM {$opt["table_prefix"]}categories ORDER BY category"); $stmt->execute(); $categories = array(); while ($row = $stmt->fetch()) { $categories[] = $row; } $stmt = $smarty->dbh()->prepare("SELECT ranking, title FROM {$opt["table_prefix"]}ranks ORDER BY rankorder"); $stmt->execute(); $ranks = array(); while ($row = $stmt->fetch()) { $ranks[] = $row; } $smarty->assign('userid', $userid); $smarty->assign('action', $action); $smarty->assign('haserror', isset($haserror) ? $haserror : false); if (isset($_REQUEST['itemid'])) { $smarty->assign('itemid', (int) $_REQUEST['itemid']); } $smarty->assign('description', $description); if (isset($descripton_error)) { $smarty->assign('description_error', $description_error); } $smarty->assign('category', $category); if (isset($category_error)) { $smarty->assign('category_error', $category_error); } $smarty->assign('price', $price); if (isset($price_error)) { $smarty->assign('price_error', $price_error); } $smarty->assign('source', $source); if (isset($source_error)) { $smarty->assign('source_error', $source_error); } $smarty->assign('ranking', $ranking); if (isset($ranking_error)) { $smarty->assign('ranking_error', $ranking_error); } $smarty->assign('quantity', $quantity); if (isset($quantity_error)) { $smarty->assign('quantity_error', $quantity_error); } $smarty->assign('url', $url); if (isset($url_error)) { $smarty->assign('url_error', $url_error); } $smarty->assign('image_filename', $image_filename); $smarty->assign('comment', $comment); $smarty->assign('categories', $categories); $smarty->assign('ranks', $ranks); $smarty->display('item.tpl'); ?>