// Automatically get $tpath to avoid possible security holes
// $tpath = this script's own directory: realpath(__FILE__) cut just after the last
// DIRECTORY_SEPARATOR. The include path below is therefore never built from request data.
$tpath = realpath(__FILE__);
$tpath = substr($tpath,0,strrpos($tpath,DIRECTORY_SEPARATOR)+1);
// Check if the file exists on local server and include it
// cn_config.php is expected to provide $set, $lang, $link, $now and the $t_* table names
// used throughout this file; none of them are assigned here.
if(file_exists($tpath . "cn_config.php")) {
require_once($tpath . "cn_config.php");
} else {
die("Unable to include required configuration file. Please check to ensure 'cn_config.php' file has been uploaded.");
}
// Set limits for multiple pages
// NOTE(review): $pg is never read from $_GET/$_REQUEST in this file; it must be set by the
// including script (or by register_globals). It is interpolated into the LIMIT clauses
// below without an integer cast, so the caller is responsible for validating it.
if(!isset($pg)) { $pg = 1; }
// Number of news items to display per page
$pgset = $set['newslimit'];
$lims = ($pg-1)*$pgset; // zero-based offset of the first row on page $pg
// If article id is set [v1.01]
if(isset($_REQUEST['a'])) {
// Comment posting [v1.12]
// $_POST['post'] is read without isset(): a plain GET of an article raises a notice
// here and falls through to the single-article view branch further down.
if($_POST['post'] == "comment") {
// Is the posted name a registered (reserved) username? The name is SQL-escaped via cn_dbEscape.
$q['userchk'] = mysql_query("SELECT * FROM $t_user WHERE user = '" . cn_dbEscape( $_POST['name'] ) . "' LIMIT 1", $link) or E("Unable to check reserved usernames:
" . mysql_error());
$usernum = mysql_num_rows($q['userchk']);
// Anonymous path: no password supplied, or the name is not reserved.
// $usernum is an int; the "0"/"1" comparisons rely on loose ==.
if(!isset($_POST['passw']) || $usernum == "0") {
if($usernum == "1") {
// Reserved name posted without a password. The HTML that prompted for the password
// followed this '?>' in the original file; it is not present in this listing, so
// nothing is inserted on this path.
?>
} else {
// Post comment
if(empty($_POST['name']) || empty($_POST['email']) || empty($_POST['comment'])) {
print( $lang['errorNewsRequiredFields'] );
} else {
// Strip HTML tags [v1.13]
// Only name and comment are passed through cn_htmltrans (tag stripping, per the comment
// above); email and website are stored exactly as posted.
$_POST['name'] = cn_htmltrans($_POST['name'],'text');
$_POST['comment'] = cn_htmltrans($_POST['comment'],'text');
// SECURITY: $_POST[a], $_POST[email], $_POST[website] and $_SERVER[REMOTE_ADDR] are
// interpolated into the INSERT with no cn_dbEscape() at all, and cn_htmltrans is not shown
// to SQL-escape name/comment either. Every value should go through cn_dbEscape (or a
// prepared statement) and 'a' should be cast to int, as is done for the name lookup above.
// Also: `$q[ins_com]` uses a bare (undefined) constant as the key, unlike `$q['userchk']`.
$q[ins_com] = mysql_query("INSERT INTO $t_coms (id, news_id, name, email, website, comment, date, ip) VALUES ('', '$_POST[a]', '$_POST[name]', '$_POST[email]', '$_POST[website]', '$_POST[comment]', '$now', '$_SERVER[REMOTE_ADDR]')", $link) or E( $lang['errorNewsCommentInsert'] . "
" . mysql_error());
// Confirmation plus a "back" link. The anchor markup around $_POST['a'] is incomplete in
// this listing (the HTML was stripped), which is why the line below is not valid PHP as shown.
print "
" . $lang['msgNewsCommentAdded'] . "
[ $_POST['a'])) . "\">" . $lang['lblNewsBack'] . " ]
";
}
}
} else {
// Password supplied for a reserved name: authenticate by looking up the (name, passw) pair.
// Both values are SQL-escaped. NOTE(review): the posted password is compared verbatim
// against the `pass` column inside the query, so whether passwords are stored hashed is
// not visible from this file — confirm in the user-management code.
$q['userchk'] = mysql_query("SELECT * FROM $t_user WHERE user = '" . cn_dbEscape( $_POST['name'] ) . "' AND pass='" . cn_dbEscape( $_POST['passw'] ) . "' LIMIT 1", $link) or E( $lang['errorUserInfoCheck'] . "
" . mysql_error());
// Exactly one matching row is the authentication gate.
if(mysql_num_rows($q['userchk']) == "1") {
// Post comment with protected username
$_POST['name'] = cn_htmltrans($_POST['name'],'text');
$_POST['comment'] = cn_htmltrans($_POST['comment'],'text');
// SECURITY: same unescaped interpolation of $_POST[a] and $_POST[email] as the anonymous
// INSERT above (this variant does not store a website column).
$q[ins_com] = mysql_query("INSERT INTO $t_coms (id, news_id, name, email, comment, date, ip) VALUES ('', '$_POST[a]', '$_POST[name]', '$_POST[email]', '$_POST[comment]', '$now', '$_SERVER[REMOTE_ADDR]')", $link) or E( $lang['errorNewsCommentInsert'] . "
" . mysql_error());
// Confirmation plus back link; the anchor markup is incomplete in this listing, and the
// label here is hard-coded rather than taken from $lang['lblNewsBack'] as above.
print "
" . $lang['msgNewsCommentAdded'] . "
[ $_POST['a'])) . "\"><< Go Back ]
";
} else {
// Name is reserved and the password did not match (or name/password pair not found).
print "
" . $lang['errorNewsCommentPassword'] . "
[ << Go Back ]
";
}
}
} else {
// View a single article.
// SECURITY: $_REQUEST[a] is interpolated into the WHERE clause unescaped (no cn_dbEscape,
// no int cast), unlike the search term in the branch below.
$q['info'] = mysql_query("SELECT * FROM $t_news WHERE id = '$_REQUEST[a]' LIMIT 1", $link) or E( $lang['errorNewsSelect'] . "
" . mysql_error());
$newsnum = mysql_num_rows($q['info']);
}
// If search is performed [v1.12]
} elseif(isset($_REQUEST['s'])) {
// cn_dbEscape handles quoting of the term, but LIKE wildcards (% and _) inside it are not
// escaped, so a visitor can widen the match. $lims/$pgset come from $pg and
// $set['newslimit'] (top of file) and are interpolated as-is.
$q['info'] = mysql_query("SELECT * FROM $t_news WHERE content LIKE '%" . cn_dbEscape( $_REQUEST['s'] ) . "%' ORDER BY date DESC LIMIT $lims, $pgset", $link) or E( $lang['errorNewsSearch'] . "
" . mysql_error());
// Here $newsnum is the number of rows on this page, not the total number of matches.
$newsnum = mysql_num_rows($q['info']);
// Retrieve all news items
} else {
$extra = "";
// $c is an optional category filter presumably set by the including script; when present it
// overrides $_REQUEST['c']. $_REQUEST['c'] is then read without isset() (notice when absent).
if(!empty($c)) { $_REQUEST['c'] = "$c"; }
// SECURITY: $_REQUEST[c] goes into the WHERE clause unescaped.
if($_REQUEST['c'] != "") { $extra = "WHERE cat = '$_REQUEST[c]'"; }
// All categories, for the category selector shown when more than one exists and
// $set['catbox'] is "on".
$q['cats'] = mysql_query("SELECT * FROM $t_cats ORDER BY name ASC", $link) or E( $lang['errorCategorySelect'] . "
" . mysql_error());
$catnum = mysql_num_rows($q['cats']);
// One page of (optionally category-filtered) news rows, plus the total row count for paging.
$q['info'] = mysql_query("SELECT * FROM $t_news $extra ORDER BY date DESC LIMIT $lims, $pgset", $link) or E( $lang['errorNewsSelect'] . "
" . mysql_error());
$q['countn'] = mysql_query("SELECT COUNT(id) as newscount FROM $t_news $extra", $link) or E( $lang['errorNewsSelect'] . "
" . mysql_error());
// In this branch $newsnum is the total count, not the rows on the current page.
$newsnum = mysql_result($q['countn'],'newscount');
// The category-box markup that followed this '?>' in the original is not present in this listing.
if($catnum > "1" && $set['catbox'] == "on") { ?>
}
}
// Nothing to show (loose == against the string "0").
if($newsnum == "0") {
print "
" . $lang['errorNewsNone'] . "
";
}
// $q['info'] is only set by the view, search and list branches, so the comment-posting
// paths above skip everything from here to the end of this block.
if(isset($q['info'])) { // $q[info] check
// Retrieve array of images from database [v1.14]
// Builds $imgarr[image id] => thumbname (or filename when there is no thumbnail).
// If the table is empty $imgarr is never assigned; the is_array() guard below handles that.
$q['images'] = mysql_query("SELECT id, filename, thumbname FROM $t_img", $link) or E( $lang['errorImagesSelect'] . "
" . mysql_error());
while($img = mysql_fetch_array($q['images'])) {
if(empty($img['thumbname'])) {
$imgarr[$img['id']] = $img['filename'];
} else {
$imgarr[$img['id']] = $img['thumbname'];
}
}
// Begin output of news items
// Each row is rendered by substituting {cat}, {news}, {source}, {author}, {subject}, {date}
// and {comments} placeholders in a fresh copy of the $set['output'] template.
while ($r = mysql_fetch_array($q['info'], MYSQL_ASSOC)) {
$auid = $r['author']; // assigned but not used anywhere in the visible code
$output = $set['output'];
// The subject was originally wrapped in link markup; with the HTML stripped from this
// listing only the leading newline of that wrapper remains.
$r['subject'] = "
$r[subject]";
// Server UTC offset in hours (date("Z") is seconds).
$serv_tzone = (date("Z")/3600);
// Format date to current timezone, using format setting specified
$r['date'] = date("$set[dateform]", cn_zonechange("$serv_tzone", "$set[timezone]", "$r[date]"));
// Print category name for current news item [v1.13]
$catname = cn_getinfo($r['cat'],"name",$t_cats);
$output = str_replace("{cat}", "$catname", $output);
// Add line breaks to both content areas only [v1.13 fix]
// The replacement presumably carried a <br /> tag in the original; in this listing only
// the surrounding newlines survive.
$content = str_replace("\n", "
\n", $r['content']);
$content2 = str_replace("\n", "
\n", $r['content2']);
// Replace image tags with proper images [v1.14]
// {img:ID} and {img:ID|left|center|right} placeholders become cn_showImage() markup in both
// content areas; a bare {img:ID} is treated as left-aligned.
if(is_array($imgarr)) {
foreach($imgarr as $imgid => $filename) {
$content = str_replace("{img:$imgid}","" . cn_showImage($filename,"left") . "", $content);
$content = str_replace("{img:$imgid|left}","" . cn_showImage($filename,"left") . "", $content);
$content = str_replace("{img:$imgid|center}","" . cn_showImage($filename,"center") . "", $content);
$content = str_replace("{img:$imgid|right}","" . cn_showImage($filename,"right") . "", $content);
$content2 = str_replace("{img:$imgid}","" . cn_showImage($filename,"left") . "", $content2);
$content2 = str_replace("{img:$imgid|left}","" . cn_showImage($filename,"left") . "", $content2);
$content2 = str_replace("{img:$imgid|center}","" . cn_showImage($filename,"center") . "", $content2);
$content2 = str_replace("{img:$imgid|right}","" . cn_showImage($filename,"right") . "", $content2);
}
}
// Highlight searched item in returned news if search is performed and searches are allowed [v1.12]
// NOTE(review): the raw $_REQUEST['s'] is handed to cn_highlight and so is reflected into
// the page; whether cn_highlight HTML-escapes it is not visible from this file — confirm.
// Only $content is highlighted; $content2 is not.
if(isset($_REQUEST['s'])) {
$content = cn_highlight(stripslashes($content), $_REQUEST['s']); // case-insensitive or partial word search
// The next two lines were one commented-out statement before the HTML was stripped from
// this listing; as shown, only the first of them is actually a comment.
//$output = str_replace("$_REQUEST[s]", "
$s", $output); // exact word search
}
// Summarize story option [v1.12]
// Full article view shows both content areas; the list view shows the summary plus a
// "read more" label (its link markup is not present here); otherwise just the content.
if($r['sumstory'] == "on" && isset($_REQUEST['a'])) {
$output = str_replace("{news}", "$content
$content2", $output);
} elseif($r['sumstory'] == "on") {
$output = str_replace("{news}", "$content
" . $lang['lblNewsReadMore'] . "", $output);
} else {
$output = str_replace("{news}", "$content", $output);
}
// Use Keywords and word filter if filter is turned "on" [v1.12]
// Runs on the whole assembled $output (template included), once per keyword, per news row.
if($set['words'] == "on") {
$q['words'] = mysql_query("SELECT * FROM $t_words ORDER BY word ASC", $link) or E( $lang['errorKeywordsSelect'] . "
" . mysql_error());
while ($w = mysql_fetch_array($q['words'], MYSQL_ASSOC)) {
// The link/picture markup is missing from this listing. For any other type
// $w['replaced'] is never set, so the word is replaced with an empty string.
if($w['type'] == "link") {
$w['replaced'] = "
$w[word]";
} elseif($w['type'] == "picture") {
$w['replaced'] = "
";
}
$output = str_replace($w['word'], $w['replaced'], $output);
}
}
// Build user-defined source link [v1.12]
// {source} is blank unless both a source name and URL exist; $set['source'] is an optional
// template using {sname}/{surl}, otherwise a default link (markup stripped here) is used.
if(empty($r['source']) || empty($r['sourceurl'])) {
$output = str_replace("{source}", "", $output);
} else {
if(empty($set['source'])) {
$setsource = "
$r[source]";
$output = str_replace("{source}", "$setsource", $output);
} else {
$setsource = str_replace("{sname}", $r['source'], $set['source']);
$setsource = str_replace("{surl}", $r['sourceurl'], $setsource);
$output = str_replace("{source}", $setsource, $output);
}
}
// Build user-defined author link [v1.12]
// Same pattern with {aemail}/{aname}; cn_getinfo($r['author']) with no field argument is
// assumed to return the author's display name (not visible here).
if(empty($set['author'])) {
$setauthor = "
" . cn_getinfo($r['author']) . "";
$output = str_replace("{author}", "$setauthor", $output);
} else {
$setauthor = str_replace("{aemail}", "" . cn_getinfo($r['author'], "email") . "", $set['author']);
$setauthor = str_replace("{aname}", "" . cn_getinfo($r['author']) . "", $setauthor);
$output = str_replace("{author}", $setauthor, $output);
}
$output = str_replace("{subject}", $r['subject'], $output);
$output = str_replace("{date}", $r['date'], $output);
// Transform news output to HTML code
// Applied to the whole assembled row, i.e. stored content, template and the highlighted
// search term alike; presumably the inverse of the 'text' mode used on comment input.
$output = cn_htmltrans($output,'html');
// View/Post Comments Link [v1.12]
// List view: count comments per row and build the link (anchor markup incomplete in this
// listing). Article view: a "return" link. Otherwise the placeholder is removed.
if($set['comments'] == "on" && !isset($_REQUEST['a'])) {
// $r[id] comes from the database row, not from the request.
$q['comsn'] = mysql_query("SELECT COUNT(id) as comscount FROM $t_coms WHERE news_id = '$r[id]'", $link) or E( $lang['errorNewsCommentSelect'] . "
" . mysql_error());
// `comscount` is a bare constant here (should be the string 'comscount', as on the
// newscount lookup above); PHP raises a notice and falls back to the name as a string.
$comsnum = mysql_result($q['comsn'],comscount);
if(empty($set['coms_text'])) {
$output = str_replace("{comments}", "
$r['id'])) . "\">" .$lang['lblNewsPostComments'] . " ($comsnum)", $output);
} else {
$setcoms_text = str_replace("{cnum}", "$comsnum", $set['coms_text']);
$output = str_replace("{comments}", "
$r['id'])) . "\">$setcoms_text", $output);
}
} elseif(isset($_REQUEST['a'])) {
$output = str_replace("{comments}", "
[ '')) . "\">" . $lang['lblNewsReturn'] . " ]", $output);
} else {
$output = str_replace("{comments}", "", $output);
}
// Output formatted news
echo $output;
} // End While (output of news items)
// If single article is viewed, and comments are turned "on", list comments [v1.12]
if(isset($_REQUEST['a']) && $set['comments'] == "on") {
// SECURITY: $_REQUEST[a] interpolated unescaped, as in the article SELECT above.
$q['coms'] = mysql_query("SELECT * FROM $t_coms WHERE news_id = '$_REQUEST[a]' ORDER BY date ASC", $link) or E( $lang['errorNewsCommentSelect'] . "
" . mysql_error());
$comsnum = mysql_num_rows($q['coms']);
if($comsnum != "0") {
// Comment-list heading markup followed this '?>' in the original; '()' below is what is
// left of it in this listing.
?>
()
// $c is reused here as the comment row, shadowing the category filter variable read at the
// top of the list branch (that value has already been consumed by then).
while ($c = mysql_fetch_array($q['coms'], MYSQL_ASSOC)) {
// SECURITY: name/comment were tag-stripped on input, but email and website were stored
// exactly as posted (see the INSERT statements above) and are echoed here without
// htmlspecialchars(); anything a visitor put in those fields is rendered as-is on the
// article page. Escape every field at output time regardless of what input did.
echo "
\n
" . $lang['lblNewsCommentName'] . ": $c[name]
\n
" . $lang['lblNewsCommentEmail'] . ": $c[email]
\n";
if( !empty( $c['website'] ) ) {
echo " " . $lang['lblNewsCommentWebsite'] . ": $c[website]
\n";
}
// nl2br() first, then stripslashes() on the result.
echo "
" . $lang['lblNewsCommentText'] . ": " . stripslashes(nl2br($c['comment'])) . "
\n
\n
";
}
}
// The comment form markup that followed this '?>' is not present in this listing.
?>
}
// The paging links that followed this '?>' (list/search view only) are not present in this listing.
if(!isset($_REQUEST['a'])) {
?>
}
} // End $q[info] check
/*
###################################
PLEASE DO NOT REMOVE THE LINK BELOW
A lot of effort went into the creation of this script, and I give it away for free without
asking for any money in return. The least you can do is link back to www.czaries.net to
give me credit for making the script.
Please either:
a) Leave this link intact where it is
b) Remove the link and link to www.czaries.net somewhere else on your website
c) Pay $35 for full rights to remove the link and all mention of my authorship of the script
[ Paypal email: czaries@czaries.net ]. Please type in the URL of your website
in the 'comments' field if you choose this route.
Note: If you are re-selling CzarNews (like installing it on a client's website and charging for
it), please pay the $35 (option c) and remove the copyrights for a professional look.
I do appreciate that you have chosen to use my news script.
Vance Lucas aka "Czaries"
http://www.czaries.net
###################################
*/
?>