122 lines
2.9 KiB
PHP
122 lines
2.9 KiB
PHP
|
<?php
|
||
|
|
include("header.php");
|
||
|
|
|
||
|
|
//check if user has sufficient privileges to write articles, and kill the process if not.
|
||
|
|
if(!$_SESSION["is_admin"])
|
||
|
|
{
|
||
|
|
include("header.php");
|
||
|
|
echo "<article><h1>nedostatecna opravneni</h1></article>";
|
||
|
|
include("footer.php");
|
||
|
|
die;
|
||
|
|
}
|
||
|
|
|
||
|
|
$viewingId=htmlspecialchars($_GET["id"]);
|
||
|
|
header_remove();
|
||
|
|
$prefillName="";
|
||
|
|
$prefillContent="";
|
||
|
|
|
||
|
|
if(! $viewingId == NULL)
|
||
|
|
{
|
||
|
|
// Prepare a select statement
|
||
|
|
$sql = "SELECT name, content FROM news WHERE id = ?";
|
||
|
|
|
||
|
|
if($stmt = mysqli_prepare($link, $sql))
|
||
|
|
{
|
||
|
|
// Bind variables to the prepared statement as parameters
|
||
|
|
mysqli_stmt_bind_param($stmt, "s", $param_id);
|
||
|
|
|
||
|
|
// Set parameters
|
||
|
|
$param_id = $viewingId;
|
||
|
|
|
||
|
|
// Attempt to execute the prepared statement
|
||
|
|
if(mysqli_stmt_execute($stmt))
|
||
|
|
{
|
||
|
|
// Store result
|
||
|
|
mysqli_stmt_store_result($stmt);
|
||
|
|
|
||
|
|
// Check if entry exists, if yes then display
|
||
|
|
if(mysqli_stmt_num_rows($stmt) == 1)
|
||
|
|
{
|
||
|
|
// Bind result variables
|
||
|
|
mysqli_stmt_bind_result($stmt, $sqlPrefillName, $sqlPrefillContent);
|
||
|
|
|
||
|
|
if(mysqli_stmt_fetch($stmt))
|
||
|
|
{
|
||
|
|
$prefillName = $sqlPrefillName;
|
||
|
|
$prefillContent = $sqlPrefillContent;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
// Article doesn't exist, display 404
|
||
|
|
http_response_code(404);
|
||
|
|
header("location: /404.php");
|
||
|
|
die();
|
||
|
|
}
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
printf("Error: %s.\n", mysqli_stmt_error($stmt));
|
||
|
|
}
|
||
|
|
|
||
|
|
// Close statement
|
||
|
|
mysqli_stmt_close($stmt);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
// Processing form data when form is submitted
|
||
|
|
if($_SERVER["REQUEST_METHOD"] == "POST")
|
||
|
|
{
|
||
|
|
// Prepare an insert statement
|
||
|
|
if(! $_POST["viewingId"] == NULL)
|
||
|
|
{
|
||
|
|
$sql = "UPDATE news SET poster_id=?, name=?, content=? WHERE id = ".$_POST["viewingId"];
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
$sql = "INSERT INTO news (poster_id, name, content) VALUES (?, ?, ?)";
|
||
|
|
}
|
||
|
|
|
||
|
|
if($stmt = mysqli_prepare($link, $sql))
|
||
|
|
{
|
||
|
|
// Bind variables to the prepared statement as parameters
|
||
|
|
mysqli_stmt_bind_param($stmt, "sss", $param_poster, $param_name, $param_content);
|
||
|
|
|
||
|
|
// Set parameters
|
||
|
|
$param_poster = uuid_to_bin($_SESSION["userid"]);
|
||
|
|
$param_name = $_POST["name"];
|
||
|
|
$param_content = $_POST["content"];
|
||
|
|
|
||
|
|
// Attempt to execute the prepared statement
|
||
|
|
if(mysqli_stmt_execute($stmt))
|
||
|
|
{
|
||
|
|
// Redirect to login page
|
||
|
|
header("location: /index.php");
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
// Close statement
|
||
|
|
mysqli_stmt_close($stmt);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
?>
|
||
|
|
|
||
|
|
<article>
|
||
|
|
<h1>
|
||
|
|
NAPSAT ČLÁNEK
|
||
|
|
</h1>
|
||
|
|
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
|
||
|
|
<div class="centeredContainer">
|
||
|
|
<input type="text" name="name" style="font-weight: bold; width: 150%" placeholder="Název" value="<?php echo $prefillName; ?>"/>
|
||
|
|
</div>
|
||
|
|
<div class="centeredContainer">
|
||
|
|
<textarea name="content" style="height: 400px; width:100%; resize: none;" placeholder="Obsah"><?php echo $prefillContent; ?></textarea>
|
||
|
|
</div>
|
||
|
|
<input type="hidden" name="viewingId" value="<?php echo $viewingId; ?>"/>
|
||
|
|
<input type="submit" class="btn btn-primary" value="Odeslat"/>
|
||
|
|
</form>
|
||
|
|
</article>
|
||
|
|
|
||
|
|
<?php include("footer.php"); ?>
|