--- fenglin/bbs/section_setting_service.php 2025/04/08 11:23:00 1.3 +++ fenglin/bbs/section_setting_service.php 2025/04/23 05:13:56 1.5 @@ -1,4 +1,4 @@ - "sname", + "errMsg" => "不符合格式要求", + )); + } + + if ($title == "" || preg_match("/[[:space:]]/", $title) || + htmlspecialchars(split_line($title, "", 20, 1), ENT_QUOTES | ENT_HTML401, 'UTF-8') != $title) + { + $result_set["return"]["code"] = -1; + array_push($result_set["return"]["errorFields"], array( + "id" => "title", + "errMsg" => "不符合格式要求", + )); + } + $r_comment = check_badwords(split_line($comment, "", 80, 3), "****"); if ($comment != $r_comment) { 
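Review bot: The whitespace check `preg_match("/[[:space:]]/", $title)` in the new title validation has no `u` modifier, so `[[:space:]]` only matches ASCII whitespace and a title padded with U+3000 (ideographic space) or U+00A0 (no-break space) passes, while the neighbouring `htmlspecialchars(...) != $title` comparison does not catch whitespace either; for a UTF-8 BBS use `preg_match("/[\s\p{Z}]/u", $title)`. Note also that `preg_match` returns `false` on a PCRE error and `false ||` then silently accepts the title, so comparing with `=== 1` would be stricter. The hunk opens in the middle of the preceding validation block (the `"sname"` entry), so whether sname receives the same checks cannot be judged from here.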
@@ -63,13 +89,181 @@
 }
 // Secure SQL statement
+ $title = mysqli_real_escape_string($db_conn, $title);
 $comment = mysqli_real_escape_string($db_conn, $comment);
 $announcement = mysqli_real_escape_string($db_conn, $announcement);
- $sql = "UPDATE section_config SET comment = '$comment',
- announcement = '$announcement', ex_update = $ex_update,
- set_UID = " . $_SESSION["BBS_uid"] . ", set_dt = NOW(), set_ip='" .
- client_addr() ."' WHERE SID = $sid AND enable";
+ // Begin transaction
+ $rs = mysqli_query($db_conn, "SET autocommit=0");
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Mysqli error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+
+ $rs = mysqli_query($db_conn, "BEGIN");
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Mysqli error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+
+ // Query section
+ $sql = "SELECT CID FROM section_config WHERE SID = $sid FOR UPDATE";
+
+ $rs = mysqli_query($db_conn, $sql);
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Query section error: " . 
mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+
+ if ($row = mysqli_fetch_array($rs))
+ {
+ $cid = $row["CID"];
+ }
+ else
+ {
+ $result_set["return"]["code"] = -1;
+ array_push($result_set["return"]["errorFields"], array(
+ "id" => "prompt",
+ "errMsg" => "版块不存在",
+ ));
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+ mysqli_free_result($rs);
+
+ if ($_SESSION["BBS_priv"]->checklevel(P_ADMIN_M))
+ {
+ // Set sort order of sections in the same section class
+ $sql = "SELECT SID, enable, sort_order FROM section_config WHERE CID = $cid
+ ORDER BY sort_order FOR UPDATE";
+
+ $rs = mysqli_query($db_conn, $sql);
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Query section list error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+
+ $i = 1;
+ $sid_disabled_list = "-1";
+ $real_sort_order = 0;
+ while ($row = mysqli_fetch_array($rs))
+ {
+ if ($sort_order == $i)
+ {
+ $real_sort_order = $i;
+ $i++;
+
+ if ($row["SID"] == $sid)
+ {
+ if ($row["sort_order"] == $sort_order)
+ {
+ $real_sort_order = -1;
+ }
+ continue;
+ }
+ }
+
+ if (!$row["enable"])
+ {
+ if ($row["sort_order"] != 0)
+ {
+ $sid_disabled_list .= (", " . $row["SID"]);
+ }
+ continue;
+ }
+
+ if ($row["SID"] != $sid)
+ {
+ if ($row["sort_order"] != $i)
+ {
+ // Set sort_order for section with updated value
+ $sql = "UPDATE section_config SET sort_order = $i WHERE SID = " . $row["SID"];
+
+ $ret = mysqli_query($db_conn, $sql);
+ if ($ret == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Update section error: " . 
mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+ }
+ $i++;
+ }
+ }
+ mysqli_free_result($rs);
+
+ if ($real_sort_order == 0)
+ {
+ $real_sort_order = $i;
+ }
+
+ if ($real_sort_order > 0)
+ {
+ $sql = "UPDATE section_config SET sort_order = $real_sort_order WHERE SID = $sid";
+
+ $rs = mysqli_query($db_conn, $sql);
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Update section error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+ }
+
+ // Enforce sort_order of disabled sections to 0
+ if ($sid_disabled_list != "-1")
+ {
+ $sql = "UPDATE section_config SET sort_order = 0 WHERE SID IN ($sid_disabled_list)";
+
+ $rs = mysqli_query($db_conn, $sql);
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Update section error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
+ }
+ }
+ }
+
+ if ($_SESSION["BBS_priv"]->checklevel(P_ADMIN_M))
+ {
+ $sql = "UPDATE section_config SET sname = '$sname', title = '$title',
+ exp_get = $exp_get, recommend = $recommend, read_user_level = $read_user_level,
+ write_user_level = $write_user_level, comment = '$comment',
+ announcement = '$announcement', ex_update = $ex_update,
+ set_UID = " . $_SESSION["BBS_uid"] . ", set_dt = NOW(), set_ip='" .
+ client_addr() ."' WHERE SID = $sid";
+ }
+ else
+ {
+ $sql = "UPDATE section_config SET comment = '$comment',
+ announcement = '$announcement', ex_update = $ex_update,
+ set_UID = " . $_SESSION["BBS_uid"] . ", set_dt = NOW(), set_ip='" .
+ client_addr() ."' WHERE SID = $sid";
+ }
 $rs = mysqli_query($db_conn, $sql);
 if ($rs == false)
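Review bot: The non-admin UPDATE in the `else` branch at the end of the hunk drops the `AND enable` predicate that the removed query carried, so a caller who only passes the earlier (out-of-hunk) permission check can now write comment/announcement/ex_update into a disabled section; unless that is intended, keep it: `client_addr() ."' WHERE SID = $sid AND enable";` (the `SELECT CID ... FOR UPDATE` above could also fetch `enable` and reject up front). In the admin UPDATE `$sname` is interpolated into `sname = '$sname'` but, unlike `$title`, `$comment` and `$announcement`, it is never passed through `mysqli_real_escape_string` in this hunk — if the sname format check earlier in the file does not already restrict it to a safe character set, add `$sname = mysqli_real_escape_string($db_conn, $sname);` beside the new `$title` line. `$sid`, `$cid`, `$sort_order` and the numeric level fields are interpolated bare, which is only safe if they are cast to int before this point, which is not visible here. Every failure path exits with the raw `mysqli_error()` text in the JSON response and without an explicit `ROLLBACK`; the open transaction is discarded when the connection closes, but an explicit rollback before `exit` documents the intent and the driver error is better logged than returned to the client.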
@@ -79,6 +273,17 @@
 mysqli_close($db_conn);
 exit(json_encode($result_set));
+ }
+
+ // Commit transaction
+ $rs = mysqli_query($db_conn, "COMMIT");
+ if ($rs == false)
+ {
+ $result_set["return"]["code"] = -2;
+ $result_set["return"]["message"] = "Mysqli error: " . mysqli_error($db_conn);
+
+ mysqli_close($db_conn);
+ exit(json_encode($result_set));
 }
 mysqli_close($db_conn);