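<?php
/**
 * News model: CRUD over the `news` table through the global mysqli connection.
 *
 * Depends on the global $Database (a mysqli instance, judging by the
 * prepare()/bind_param() calls) and on the project's Template class for
 * user-facing alerts. Neither is defined in this file.
 */
class News
{
    /** @var mysqli|null copied from the global scope in the constructor */
    private $Database;

    /** Table this model reads and writes. */
    private $db_table = 'news';

    /**
     * Columns a caller may sort by in get(). ORDER BY cannot be bound as a
     * prepared-statement parameter, so the clause is validated against this
     * list instead of being concatenated into the SQL as received.
     */
    private static $orderable = array('newsID', 'dispTitle', 'message', 'attach', 'link', 'dateTS');

    function __construct()
    {
        global $Database;
        $this->Database = $Database;
    }

    /**
     * Reduce a caller-supplied ORDER BY clause to a safe "<column> <ASC|DESC>".
     *
     * Accepts "col" or "col ASC|DESC" (direction case-insensitive) where col is
     * in self::$orderable. Anything else, including the empty string, yields the
     * historic default 'dateTS DESC'.
     *
     * @param string $orderBy
     * @return string
     */
    private function safe_order_by($orderBy)
    {
        $parts = preg_split('/\s+/', trim((string) $orderBy));
        $column = isset($parts[0]) ? $parts[0] : '';
        $direction = isset($parts[1]) ? strtoupper($parts[1]) : 'ASC';

        if (count($parts) > 2
            || !in_array($column, self::$orderable, true)
            || !in_array($direction, array('ASC', 'DESC'), true)) {
            return 'dateTS DESC';
        }

        return $column . ' ' . $direction;
    }

    /**
     * Build one associative row from the values bound by bind_result().
     *
     * @return array{newsID:mixed,dispTitle:mixed,message:mixed,attach:mixed,link:mixed,dateTS:mixed}
     */
    private function row($newsID, $dispTitle, $message, $attach, $link, $dateTS)
    {
        return array(
            'newsID'    => $newsID,
            'dispTitle' => $dispTitle,
            'message'   => $message,
            'attach'    => $attach,
            'link'      => $link,
            'dateTS'    => $dateTS,
        );
    }

    /**
     * Fetch one news row (newsID > 0) or every row ordered by $orderBy.
     *
     * @param int    $newsID  id of the row to fetch, or 0 for all rows
     * @param string $orderBy "column [ASC|DESC]" restricted to self::$orderable;
     *                        '' or an unrecognised value falls back to 'dateTS DESC'
     * @return array a single associative row when $newsID > 0, otherwise a list of
     *               rows; an empty array when nothing matched or prepare() failed
     */
    public function get($newsID, $orderBy)
    {
        $Template = new Template;
        $data = array();

        if ($newsID > 0) {
            // get 1
            $stmt = $this->Database->prepare("SELECT * FROM " . $this->db_table . " WHERE newsID = ?");
            if (!$stmt) {
                $Template->set_alert("Query error: " . __LINE__ . " m_news");
                return $data;
            }
            $stmt->bind_param('i', $newsID);
            $stmt->execute();
            $stmt->store_result();
            // bind_result relies on SELECT * returning columns in exactly this order;
            // keep the list in sync with the table definition.
            $stmt->bind_result($newsID, $dispTitle, $message, $attach, $link, $dateTS);
            if ($stmt->num_rows() > 0 && $stmt->fetch()) {
                $data = $this->row($newsID, $dispTitle, $message, $attach, $link, $dateTS);
            }
            // close before returning (the previous version closed after the return, i.e. never)
            $stmt->close();
            return $data;
        }

        // get all
        $sql = "SELECT * FROM " . $this->db_table . " ORDER BY " . $this->safe_order_by($orderBy);
        $stmt = $this->Database->prepare($sql);
        if (!$stmt) {
            $Template->set_alert("Query error: " . __LINE__ . " m_news");
            return $data;
        }
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($newsID, $dispTitle, $message, $attach, $link, $dateTS);
        while ($stmt->fetch()) {
            $data[] = $this->row($newsID, $dispTitle, $message, $attach, $link, $dateTS);
        }
        $stmt->close();

        return $data;
    } // end get method

    /**
     * Text appended to the success alert describing the attachment outcome.
     *
     * @param bool   $hasUpload     whether a file was submitted with the request
     * @param string $upload_result 'false' when the move failed, else the stored path
     * @param string $uploadfile    destination path attempted
     * @return string empty when no file was submitted
     */
    private function upload_note($hasUpload, $upload_result, $uploadfile)
    {
        if (!$hasUpload) {
            return '';
        }
        if ($upload_result != 'false') {
            return " & attachment upload successful.";
        }
        return " BUT attachment did not upload (" . $uploadfile . ").";
    }

    /**
     * Insert (newsID == 0) or update (newsID > 0) a news row, optionally storing an upload.
     *
     * Reads the request directly: $_FILES['attach'] (optional attachment),
     * $_POST['delAttach'] (clear the stored attachment) and $_POST['month'|'date'|'year']
     * for the item's date. Reports the outcome through Template::set_alert(); returns nothing.
     *
     * @param int    $newsID    0 to insert, otherwise the row to update
     * @param string $dispTitle
     * @param string $message
     * @param string $xAttach   attachment name already stored on the row; kept unless a
     *                          new file is uploaded or delAttach is posted
     * @param string $link
     */
    public function add_mod($newsID, $dispTitle, $message, $xAttach, $link)
    {
        $Template = new Template;
        $attach = $xAttach;
        $upload_result = 'false';
        $uploadfile = '';

        // basename() strips any directory component from the client-supplied name so the
        // file can only be written inside views/images/news/. Extension and content type
        // are not checked here; the upload directory must not be allowed to execute scripts.
        $uploadName = isset($_FILES['attach']['name']) ? basename((string) $_FILES['attach']['name']) : '';
        $hasUpload = $uploadName != '';

        if ($hasUpload) {
            // upload the temp file
            $uploadfile = "views/images/news/" . $uploadName;
            if (move_uploaded_file($_FILES['attach']['tmp_name'], $uploadfile)) {
                $attach = $uploadName;
                $upload_result = $uploadfile;
            }
        } elseif (isset($_POST['delAttach'])) {
            $attach = '';
        }

        // Process-wide side effect kept from the original: later date functions in this
        // request also see Canada/Pacific.
        date_default_timezone_set('Canada/Pacific');
        $dateTS = mktime(
            0,
            0,
            0,
            (int) (isset($_POST['month']) ? $_POST['month'] : 0),
            (int) (isset($_POST['date']) ? $_POST['date'] : 0),
            (int) (isset($_POST['year']) ? $_POST['year'] : 0)
        );

        $note = $this->upload_note($hasUpload, $upload_result, $uploadfile);

        if ($newsID > 0) {
            // update record
            $stmt = $this->Database->prepare(
                "UPDATE " . $this->db_table . " SET dispTitle=?, message=?, attach=?, link=?, dateTS=? WHERE newsID = ?"
            );
            if (!$stmt) {
                $Template->set_alert('ERROR: News item did not update', 'error');
                return;
            }
            $stmt->bind_param('ssssii', $dispTitle, $message, $attach, $link, $dateTS, $newsID);
            if ($stmt->execute()) {
                $Template->set_alert('News item updated' . $note, 'success');
            } else {
                $Template->set_alert('ERROR: News item did not update', 'error');
            }
            $stmt->close();
            return;
        }

        // insert record
        $stmt = $this->Database->prepare(
            "INSERT INTO " . $this->db_table . " (dispTitle, message, attach, link, dateTS) VALUES (?,?,?,?,?)"
        );
        if (!$stmt) {
            $Template->set_alert('ERROR: News item was not added', 'error');
            return;
        }
        $stmt->bind_param('ssssi', $dispTitle, $message, $attach, $link, $dateTS);
        if ($stmt->execute()) {
            // the upload outcome is now reported on insert as well, not only on update
            $Template->set_alert('News item added' . $note, 'success');
        } else {
            $Template->set_alert('ERROR: News item was not added', 'error');
        }
        $stmt->close();
    } // end add_mod method

    /**
     * Delete the row with the given id and report the outcome via Template::set_alert().
     *
     * @param int $newsID
     */
    public function delete($newsID)
    {
        $Template = new Template;
        $stmt = $this->Database->prepare("DELETE FROM " . $this->db_table . " WHERE newsID=?");
        if (!$stmt) {
            $Template->set_alert('ERROR: News was not deleted', 'error');
            return;
        }
        $stmt->bind_param('i', $newsID);
        if ($stmt->execute()) {
            $Template->set_alert('News deleted', 'success');
        } else {
            $Template->set_alert('ERROR: News was not deleted', 'error');
        }
        $stmt->close();
    } // end delete method
}
?>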