OK, I'm starting a new topic because the last one got really long. One of the last things I'm having trouble with is how the topics are ordered. A topic that has sticky = 1 in the database (which I made) goes to the top no matter what, but if there are 2 topics that don't, one on top of the other, and I reply to the one on the bottom, normally it would go above the one on top of it. But ever since I added the code that made the ones with sticky go to the top it hasn't been working and I don't know why; it just stays in its place. You can view it here:
The test 1 topic is supposed to go on top of the test 2 topic but it isn't; it is really strange.
Here is the code for the forum.php page that shows the topics:
<?php
$id = mss($_GET['id']);
if($id){
$sql = "SELECT * FROM `forum_sub_cats` WHERE `id`='".$id."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) == 0){
echo "The forum category you supplied does not exist!
";
}else {
$row = mysql_fetch_assoc($res);
if($row['admin'] == 1 && $admin_user_level == 0){
echo "You must be an administrator to view this forum!
";
}else {
$sql2 = "SELECT * FROM `forum_topics` WHERE `cid`='".$row['id']."' ORDER BY time AND sticky DESC";
$res2 = mysql_query($sql2) or die(mysql_error());
if(mysql_num_rows($res2) == 0){
echo "There are no topics in this forum, <a href=\"./index.php?act=create&id=".$row['id']."\">click here</a> to create a topic!
";
}else {
echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\" width=\"100%\">
";
echo "<tr><td colspan=\"4\" align=\"right\">";if($_SESSION['uid']){echo "<a href=\"./index.php?act=create&id=".$row['id']."\">create a topic</a></td></tr>
";}
echo "<tr align=\"center\"><td class=\"forum_header\">Sticky threads</td><td class=\"forum_header\">Title</td><td class=\"forum_header\">User</td><td class=\"forum_header\">Date Created</td><td class=\"forum_header\">Replies</td></tr>
";
while($row2 = mysql_fetch_assoc($res2)){
$sql3 = "SELECT count(*) AS num_replies FROM `forum_replies` WHERE `tid`='".$row2['id']."'";
$res3 = mysql_query($sql3) or die(mysql_error());
$row3 = mysql_fetch_assoc($res3);
if(!$row2['sticky'] == 1){
$admintt = isa($_SESSION['uid']);
if($admintt == 1){
echo "<tr align=\"center\"><td><form action=\"./index.php?act=mod&act2=sticky&id=".$row2['id']."&cid=".$row['id']."\" method=\"post\"><input type=\"checkbox\" name=\"sticky\" value=\"1\"> <input type=\"submit\" name=\"submit\" value=\"Sticky this thread\"></form></td><td><a href=\"./index.php?act=topic&id=".$row2['id']."\">".s($row2['title'])."</a></td><td>".uid($row2['uid'])."</td><td>".$row2['date']."</td><td>".$row3['num_replies']."</td></tr>
";
}else {
echo "<tr align=\"center\"><td>";if($row2['sticky'] == 1)echo "<font size=\"1\">Sticky thread: </font>"; echo "</td><td><a href=\"./index.php?act=topic&id=".$row2['id']."\">".s($row2['title'])."</a></td><td>".uid($row2['uid'])."</td><td>".$row2['date']."</td><td>".$row3['num_replies']."</td></tr>
";
}
}else{
$admint = isa($_SESSION['uid']);
$main_admin = isa_main($_SESSION['uid']);
if($row2['sticky'] == 2){
if($admint == 1){
echo "<td>Only the main admin can unsticky this topic!</td>";
if($main_admin == 1){
echo "<tr><td align=\"center\"><form action=\"./index.php?act=mod&act2=unsticky&id=".$row2['id']."&cid=".$row['id']."\" method=\"post\"><input type=\"checkbox\" name=\"unsticky\" value=\"1\"> <input type=\"submit\" name=\"submit\" value=\"Unsticky this thread\">"; if($row2['sticky'] == 1)echo "<font size=\"1\"> Sticky thread: </font></form>";echo "</td><td align=\"center\"><a href=\"./index.php?act=topic&id=".$row2['id']."\">".s($row2['title'])."</a></td><td align=\"center\">".uid($row2['uid'])."</td><td align=\"center\">".$row2['date']."</td><td align=\"center\">".$row3['num_replies']."</td></tr>
";
}
}else {
echo "<tr align=\"center\"><td>";if($row2['sticky'] == 1)echo "<font size=\"1\">Sticky thread: </font>"; echo "</td><td><a href=\"./index.php?act=topic&id=".$row2['id']."\">".s($row2['title'])."</a></td><td>".uid($row2['uid'])."</td><td>".$row2['date']."</td><td>".$row3['num_replies']."</td></tr>
";
}
}else {
if($admint == 1){
echo "<tr><td align=\"center\"><form action=\"./index.php?act=mod&act2=unsticky&id=".$row2['id']."&cid=".$row['id']."\" method=\"post\"><input type=\"checkbox\" name=\"unsticky\" value=\"1\"> <input type=\"submit\" name=\"submit\" value=\"Unsticky this thread\">"; if($row2['sticky'] == 1)echo "<font size=\"1\"> Sticky thread: </font></form>";echo "</td><td align=\"center\"><a href=\"./index.php?act=topic&id=".$row2['id']."\">".s($row2['title'])."</a></td><td align=\"center\">".uid($row2['uid'])."</td><td align=\"center\">".$row2['date']."</td><td align=\"center\">".$row3['num_replies']."</td></tr>
";
}else {
echo "<tr align=\"center\"><td>";if($row2['sticky'] == 1)echo "<font size=\"1\">Sticky thread: </font>"; echo "</td><td><a href=\"./index.php?act=topic&id=".$row2['id']."\">".s($row2['title'])."</a></td><td>".uid($row2['uid'])."</td><td>".$row2['date']."</td><td>".$row3['num_replies']."</td></tr>
";
}
}
}
}
echo "</table>
";
}
}
}
}else {
echo "Please supply a category ID!
";
}
?>
Sorry for the late reply; for some reason I couldn't connect to www.000webhost.com but now I can, and it also gives me a MySQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND sticky DESC' at line 1
I had the same problem; www.000webhost.com might have been under a DDoS attack at that time.
What about making 2 queries, one for sticky and another for non-sticky?
When sorting sticky, …order by time desc, and when sorting non-sticky, …order by time asc.
Just had a quick look and here are my initial thoughts.
You're using the "date" field to sort, but this is the "Date Created" for the topic, and that doesn't change when you add a reply, which means it isn't going to change the sort order on the topic list for the forum.
Two quick ways you could address this:
You could add a field to the topics table which provides the most recent reply date (which gets updated in the reply post code).
You could do a join on the replies table to do your sort, although this would generate unnecessary load on the SQL server if you have a large number of posts.
Okay, first of all, try changing the SQL statement to be:
$sql2 = "SELECT * FROM `forum_topics` WHERE `cid`='".$row['id']."' ORDER BY sticky DESC, date DESC";
… a small change: don't use "AND" in the ORDER BY clause… In theory you don't need both "DESC"s; however, start with the obvious first…
Secondly, just as a matter of semantics, the reply code is changing your original post date, so viewing the post shows "incorrect" information (so to speak). You should maybe use a last-updated field or something similar instead of changing the date.
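As an added example (not code from the thread or from the poster's forum), here the two suggestions above are run side by side on a small SQLite copy of the two tables, with constructed sample rows: the corrected ORDER BY sticky DESC, date DESC from the reply above, a maintained last_reply column that the reply-posting code bumps, and the join alternative that aggregates the replies table at query time. Table and column names follow the thread's forum_topics / forum_replies; the last_reply column and record_reply() are assumptions. The MySQL syntax error from "ORDER BY time AND sticky DESC" is MySQL-specific and is not reproduced here.

```python
import sqlite3

# Constructed sample data, not the thread's database: three topics in category 1.
# "test 2" was created after "test 1", but "test 1" received the most recent reply.
TOPICS = [
    # id, cid, title, sticky, date (created); last_reply starts equal to date
    (1, 1, "announcement", 1, "2010-01-01 10:00:00"),
    (2, 1, "test 2",       0, "2010-01-03 10:00:00"),
    (3, 1, "test 1",       0, "2010-01-02 10:00:00"),
]
REPLIES = [
    # tid, time
    (2, "2010-01-03 12:00:00"),
    (3, "2010-01-04 09:00:00"),   # newest activity is on "test 1"
]


def record_reply(db, tid, when):
    # Option 1 from the thread: the reply-posting code bumps last_reply on the topic
    # instead of overwriting the topic's creation date.
    db.execute("INSERT INTO forum_replies (tid, time) VALUES (?, ?)", (tid, when))
    db.execute("UPDATE forum_topics SET last_reply = ? WHERE id = ?", (when, tid))
    db.commit()


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forum_topics (
            id INTEGER PRIMARY KEY, cid INTEGER, title TEXT,
            sticky INTEGER, date TEXT, last_reply TEXT);
        CREATE TABLE forum_replies (id INTEGER PRIMARY KEY, tid INTEGER, time TEXT);
    """)
    db.executemany(
        "INSERT INTO forum_topics (id, cid, title, sticky, date, last_reply) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [(i, c, t, s, d, d) for (i, c, t, s, d) in TOPICS])
    for tid, when in REPLIES:
        record_reply(db, tid, when)
    return db


def titles(db, sql, cid=1):
    return [row[0] for row in db.execute(sql, (cid,))]


def order_by_created(db):
    # The thread's corrected ORDER BY: stickies first, then newest topic. Sorting on
    # the creation date means a reply never moves a topic up the list.
    return titles(db, "SELECT title FROM forum_topics WHERE cid = ? "
                      "ORDER BY sticky DESC, date DESC")


def order_by_last_reply(db):
    # Option 1: sort on the maintained last_reply column (one cheap query).
    return titles(db, "SELECT title FROM forum_topics WHERE cid = ? "
                      "ORDER BY sticky DESC, last_reply DESC")


def order_by_join(db):
    # Option 2: derive latest activity from the replies table at query time;
    # correct without extra bookkeeping, but aggregates every reply on each page view.
    return titles(db, """
        SELECT t.title
        FROM forum_topics t
        LEFT JOIN forum_replies r ON r.tid = t.id
        WHERE t.cid = ?
        GROUP BY t.id
        ORDER BY t.sticky DESC, MAX(COALESCE(r.time, t.date)) DESC
    """)


if __name__ == "__main__":
    db = build_db()
    print("by created    :", order_by_created(db))
    print("by last reply :", order_by_last_reply(db))
    print("by join       :", order_by_join(db))
    record_reply(db, 2, "2010-01-05 08:00:00")   # a new reply on "test 2"
    print("after reply   :", order_by_last_reply(db), order_by_join(db))
```

Both activity-based orderings agree; the maintained column is the cheaper one for a busy forum, while the join needs no extra write in the reply code.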
Thanks for the help, works like a charm. One more thing though: I'm trying to do an admin feature where admins can view all the users but other admins except for the one with main_admin equal to 1 in the database, but I just can't figure out how to get it to work. And also, how do you do the thing where it counts views?
Here is the page:
<?php
session_start();
include "./global.php";
?>
<html>
<head>
<title>The-forum.net78.net | Admin Index</title>
<link rel="stylesheet" type="text/css" href="./style.css">
<script language="Javascript">
function confirmLogout(){
var agree = confirm("Are you sure you wish to logout?");
if(agree){
return true ;
}else {
return false ;
}
}
</script>
</head>
<body>
<center>
<div id="holder">
<div id="userInfo">
<?php
echo "<div id=\"the-title\"><table><tr><td><font size=\"5\"><a href=\"index.php\">The-forum.net78.net</a></font></td></tr></table></div>";
echo "<div id=\"contentinfo\">";
if($_SESSION['uid']){
$sql = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) == 0){
session_destroy();
echo "Please <a href=\"./login.php\">Login</a> to your account, or <a href=\"./register.php\">Register</a> a new account!
";
}else {
$row = mysql_fetch_assoc($res);
if(!$_POST['logout']) {
echo "<form method=\"post\" action=\"./index.php\">
Welcome back, <a href=\"./index.php?act=profile&id=".$row['id']."\">".$row['username']."</a>! |
<input type=\"submit\" name=\"logout\" value=\"Logout\" onClick=\"return confirmLogout()\">";
echo "<br>
";
echo "<a href=\"./index.php\">Forum Index</a>
";
if($row['admin'] == '1'){
echo " | <a href=\"./admin.php\">Administrative Section</a>
";
}
echo "</form>";
}else {
session_destroy();
if (!$_POST['submit']) {
echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">
";
echo "<form method=\"post\" action=\"./index.php\">
";
echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>
";
echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>
";
echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"> | <a href=\"./register.php\">Register?</a></td></tr>
";
echo "</form></table>
";
}else {
$user = mss($_POST['username']);
$pass = $_POST['password'];
if($user && $pass){
$sql = "SELECT id FROM `f1` WHERE `username`='".$user."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) > 0){
$sql2 = "SELECT id FROM `f1` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
$res2 = mysql_query($sql2) or die(mysql_error());
if(mysql_num_rows($res2) > 0){
$row = mysql_fetch_assoc($res2);
$_SESSION['uid'] = $row['id'];
$row = mysql_fetch_assoc($res);
if(!$_POST['logout']) {
$sql6 = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
$res6 = mysql_query($sql6) or die(mysql_error());
$row6 = mysql_fetch_assoc($res6);
echo "<form method=\"post\" action=\"./index.php\">
Welcome back, <a href=\"./index.php?act=profile&id=".$row6['id']."\">".$row6['username']."</a>! |
<input type=\"submit\" name=\"logout\" value=\"Logout\" onClick=\"return confirmLogout()\">";
echo "<br>
";
echo "<a href=\"./index.php\">Forum Index</a>
";
if($row6['admin'] == '1'){
echo " | <a href=\"./admin.php\">Administrative Section</a>
";
}
echo "</form>";
}else {
session_destroy();
if (!$_POST['submit']) {
echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">
";
echo "<form method=\"post\" action=\"./index.php\">
";
echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>
";
echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>
";
echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"> | <a href=\"./register.php\">Register?</a></td></tr>
";
echo "</form></table>
";
}else {
$user = mss($_POST['username']);
$pass = $_POST['password'];
if($user && $pass){
$sql = "SELECT id FROM `f1` WHERE `username`='".$user."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) > 0){
$sql2 = "SELECT id FROM `f1` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
$res2 = mysql_query($sql2) or die(mysql_error());
if(mysql_num_rows($res2) > 0){
$row = mysql_fetch_assoc($res2);
$_SESSION['uid'] = $row['id'];
$sql9 = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
$res9 = mysql_query($sql9) or die(mysql_error());
$row9 = mysql_fetch_assoc($res9);
echo "Welcome back, <a href=\"./index.php?act=profile&id=".$row9['id']."\">".$row9['username']."</a>! <a href=\"./logout.php\" onClick=\"return confirmLogout()\">Logout</a>
";
echo "<br>
";
echo "<a href=\"./index.php\">Forum Index</a>
";
if($row9['admin'] == '1'){
echo " | <a href=\"./admin.php\">Administrative Section</a>
";
}
}else {
echo "Username and password combination are incorrect!
";
}
}else {
echo "The username you supplied does not exist!
";
}
}else {
echo "You must supply both the username and password field!
";
}
}
echo "<br>
";
echo "<a href=\"./index.php\">Forum Index</a>
";
}
}else {
echo "Username and password combination are incorrect!
";
}
}else {
echo "The username you supplied does not exist!
";
}
}else {
echo "You must supply both the username and password field!
";
}
}
echo "<br>
";
echo "<a href=\"./index.php\">Forum Index</a>
";
}
}
}else {
if (!$_POST['submit']) {
echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">
";
echo "<form method=\"post\" action=\"./index.php\">
";
echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>
";
echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>
";
echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"> | <a href=\"./register.php\">Register?</a></td></tr>
";
echo "</form></table>
";
}else {
$user = mss($_POST['username']);
$pass = $_POST['password'];
Thanks for all the help. Everything now works; all I need to do now is figure out how to make BBCode, adjust the looks, add some more admin features and make a profile page, and then it will be done.
Start a new thread, because I think you'll get some other valuable replies with a topic heading like "Any tips to strengthen my PHP code against SQL injections and other attacks?" and then just ask for some ideas…
First steps though are to make sure you filter all GET/POST variables to ensure that they are what you expect, that you remove HTML code and script code when it shouldn't be there, initialise any other variables to blank or default values (which avoids problems if you or future users have PHP "register_globals" on), and finally that you double-check any variables you're using in SQL statements to ensure they don't contain things like " ' UNION SELECT …' ".
PHP has some built-in functions for filtering strings, email addresses, etc. which you can use, like filter_input. I think you could add it (fairly easily) into your mss function (not sure what that does in your code, but it looks like you're using it to do some checking already?).
Knowing a little bit about regex filtering will also be a big help here (with things like removing HTML from input).
I can re-post some of this in your new thread with a little more detail.
Well done with the forum stuff though. You should chat to Ndogg, he has written his own forum software too.
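As an added example (not code from the thread or from the poster's forum), the points in the reply above, shown on a SQLite stand-in for the f1 users table with constructed rows: the string-built login query from the posted index.php beside the same lookup using parameter placeholders (the equivalent of mysqli/PDO prepared statements in PHP), a whitelist check for the id taken from $_GET, and output escaping for anything echoed into HTML. The helper names parse_topic_id() and render_title() are assumptions; the stored password values are placeholders standing in for whatever the application hashes.

```python
import html
import sqlite3


def build_users_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE f1 (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, admin INTEGER)")
    # Constructed sample rows; the password column holds placeholder hashes.
    db.executemany("INSERT INTO f1 (username, password, admin) VALUES (?, ?, ?)",
                   [("alice", "hash-of-alice-pw", 1), ("bob", "hash-of-bob-pw", 0)])
    db.commit()
    return db


def find_user_unsafe(db, username, password_hash):
    # Mirrors the thread's string-built query: any quote in the input becomes SQL,
    # so a crafted username can change the WHERE clause instead of matching a row.
    sql = ("SELECT id FROM f1 WHERE username='" + username +
           "' AND password='" + password_hash + "'")
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, username, password_hash):
    # Parameter placeholders: the driver sends the values separately from the SQL
    # text, so quotes, comment markers and keywords in the input stay plain data.
    sql = "SELECT id FROM f1 WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password_hash))]


def parse_topic_id(raw):
    # Whitelist check for $_GET['id']: a category/topic id must be a positive integer.
    # Anything else is rejected before it gets near a query.
    if raw is None or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def render_title(title):
    # Output-side escaping for values echoed into HTML, so a title containing
    # markup is displayed as text rather than interpreted by the browser.
    return html.escape(title, quote=True)


if __name__ == "__main__":
    db = build_users_db()
    # Constructed probe input of the kind the reply warns about.
    probe = "x' OR '1'='1' --"
    print("unsafe lookup :", find_user_unsafe(db, probe, "nope"))   # every user id
    print("safe lookup   :", find_user_safe(db, probe, "nope"))     # no match
    print("real login    :", find_user_safe(db, "alice", "hash-of-alice-pw"))
    print("id checks     :", parse_topic_id("42"), parse_topic_id("1 OR 1=1"))
    print("escaped title :", render_title("<b>hello</b>"))
```

Parameterised queries fix the query-building problem on their own; the id check and output escaping are the "filter what comes in, escape what goes out" habits the reply describes, and they complement rather than replace the placeholders.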