Free Web Hosting Forum
I need some help with php code part2

(#11) james11, 03-04-2011, 07:30 PM

it has been done

(#12) drums, 03-05-2011, 04:46 AM

Okay, first of all, try changing the sql statement to be:

PHP Code:
            $sql2 = "SELECT * FROM `forum_topics` WHERE `cid`='".$row['id']."' ORDER BY sticky DESC, date DESC";
... small change don't use "AND" in the order by clause... In theory you don't need both "DESC"'s, however, start with the obvious first...

Secondly, just as a matter of semantics, the reply code is changing your original post date, so viewing the post shows "incorrect" information (so to speak). You should maybe use a last updated field or something similar instead of changing the date.

Hope that change works for you.

drums

(#13) james11, 03-05-2011, 06:19 AM

Thanks for the help, works like a charm. One more thing though: I'm trying to do an admin feature where admins can view all the users but other admins, except for the one with main_admin = to 1 in the database, but I just can't figure out how I will get it to work. Also, how do you do the thing where it counts views?

here is the page
PHP Code:
<?php
session_start();
include "./global.php";
?>
<html>

    <head>
        <title>The-forum.net78.net | Admin Index</title>
        
        <link rel="stylesheet" type="text/css" href="./style.css">
        
        <script language="Javascript">
            function confirmLogout(){
                var agree = confirm("Are you sure you wish to logout?");
                
                if(agree){
                    return true ;
                }else {
                    return false ;
                }
            }
        </script>
    </head>
    
    <body>
    <center>
        <div id="holder">
            
            <div id="userInfo">
                <?php
                    // Site title and the start of the user-info box
                    echo "<div id=\"the-title\"><table><tr><td><font size=\"5\"><a href=\"index.php\">The-forum.net78.net</a></font></td></tr></table></div>";
                    echo "<div id=\"contentinfo\">";
                    if($_SESSION['uid']){
                        // A session exists: look up the logged-in user
                        $sql = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
                        $res = mysql_query($sql) or die(mysql_error());
                        
                        if(mysql_num_rows($res) == 0){
                            session_destroy();
                            echo "Please <a href=\"./login.php\">Login</a> to your account, or <a href=\"./register.php\">Register</a> a new account!\n";
                        }else {
                            $row = mysql_fetch_assoc($res);
                            
                            if(!$_POST['logout']) {
                                echo "<form method=\"post\" action=\"./index.php\">
                                Welcome back, <a href=\"./index.php?act=profile&id=".$row['id']."\">".$row['username']."</a>! |
                                <input type=\"submit\" name=\"logout\" value=\"Logout\" onClick=\"return confirmLogout()\">";
                                echo "<br>\n";
                                echo "<a href=\"./index.php\">Forum Index</a>\n";
                                if($row['admin'] == '1'){
                                    echo " | <a href=\"./admin.php\">Administrative Section</a>\n";
                                }
                                echo "</form>";
                            }else {
                                // Logout was submitted: end the session and show the login form
                                session_destroy();
                                if (!$_POST['submit']) {
                                    echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
                                    echo "<form method=\"post\" action=\"./index.php\">\n";
                                    echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
                                    echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
                                    echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"> | <a href=\"./register.php\">Register?</a></td></tr>\n";
                                    echo "</form></table>\n";
                                }else {
                                    $user = mss($_POST['username']);
                                    $pass = $_POST['password'];
        
                                    if($user && $pass){
                                        // First check that the username exists, then check the password
                                        $sql = "SELECT id FROM `f1` WHERE `username`='".$user."'";
                                        $res = mysql_query($sql) or die(mysql_error());
                                        if(mysql_num_rows($res) > 0){
                                            $sql2 = "SELECT id FROM `f1` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
                                            $res2 = mysql_query($sql2) or die(mysql_error());
                                            if(mysql_num_rows($res2) > 0){
                                                $row = mysql_fetch_assoc($res2);
                                                $_SESSION['uid'] = $row['id'];
                                        
                                                $row = mysql_fetch_assoc($res);
                            
                            if(!$_POST['logout']) {
                                $sql6 = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
                                $res6 = mysql_query($sql6) or die(mysql_error());
                                $row6 = mysql_fetch_assoc($res6);
                                echo "<form method=\"post\" action=\"./index.php\">
                                Welcome back, <a href=\"./index.php?act=profile&id=".$row6['id']."\">".$row6['username']."</a>! |
                                <input type=\"submit\" name=\"logout\" value=\"Logout\" onClick=\"return confirmLogout()\">";
                                echo "<br>\n";
                                echo "<a href=\"./index.php\">Forum Index</a>\n";
                                if($row6['admin'] == '1'){
                                    echo " | <a href=\"./admin.php\">Administrative Section</a>\n";
                                }
                                echo "</form>";
                            }else {
                                session_destroy();
                                if (!$_POST['submit']) {
                                    echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
                                    echo "<form method=\"post\" action=\"./index.php\">\n";
                                    echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
                                    echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
                                    echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"> | <a href=\"./register.php\">Register?</a></td></tr>\n";
                                    echo "</form></table>\n";
                                }else {
                                    $user = mss($_POST['username']);
                                    $pass = $_POST['password'];
        
                                    if($user && $pass){
                                        $sql = "SELECT id FROM `f1` WHERE `username`='".$user."'";
                                        $res = mysql_query($sql) or die(mysql_error());
                                        if(mysql_num_rows($res) > 0){
                                            $sql2 = "SELECT id FROM `f1` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
                                            $res2 = mysql_query($sql2) or die(mysql_error());
                                            if(mysql_num_rows($res2) > 0){
                                                $row = mysql_fetch_assoc($res2);
                                                $_SESSION['uid'] = $row['id'];
                                        
                                                $sql9 = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
                                                $res9 = mysql_query($sql9) or die(mysql_error());
                                                $row9 = mysql_fetch_assoc($res9);
                                                echo "Welcome back, <a href=\"./index.php?act=profile&id=".$row9['id']."\">".$row9['username']."</a>! <a href=\"./logout.php\" onClick=\"return confirmLogout()\">Logout</a>\n";
                                                echo "<br>\n";
                                                echo "<a href=\"./index.php\">Forum Index</a>\n";
                                                if($row9['admin'] == '1'){
                                                    echo " | <a href=\"./admin.php\">Administrative Section</a>\n";
                                                }
                                            }else {
                                                echo "Username and password combination are incorrect!\n";
                                            }
                                        }else {
                                            echo "The username you supplied does not exist!\n";
                                        }
                                    }else {
                                        echo "You must supply both the username and password field!\n";
                                    }
                                }
                                echo "<br>\n";
                                echo "<a href=\"./index.php\">Forum Index</a>\n";
                            }
                                            }else {
                                                echo "Username and password combination are incorrect!\n";
                                            }
                                        }else {
                                            echo "The username you supplied does not exist!\n";
                                        }
                                    }else {
                                        echo "You must supply both the username and password field!\n";
                                    }
                                }
                                echo "<br>\n";
                                echo "<a href=\"./index.php\">Forum Index</a>\n";
                            }
                        }
                    }else {
                        // No session yet: show the login form or process a login attempt
                        if (!$_POST['submit']) {
                            echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
                            echo "<form method=\"post\" action=\"./index.php\">\n";
                            echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
                            echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
                            echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"> | <a href=\"./register.php\">Register?</a></td></tr>\n";
                            echo "</form></table>\n";
                        }else {
                            $user = mss($_POST['username']);
                            $pass = $_POST['password'];

Last edited by james11; 03-05-2011 at 06:37 AM.

(#14) james11, 03-05-2011, 06:20 AM

part 2 because so long

PHP Code:
                            if($user && $pass){
                                // First check that the username exists, then check the password
                                $sql = "SELECT id FROM `f1` WHERE `username`='".$user."'";
                                $res = mysql_query($sql) or die(mysql_error());
                                if(mysql_num_rows($res) > 0){
                                    $sql2 = "SELECT id FROM `f1` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
                                    $res2 = mysql_query($sql2) or die(mysql_error());
                                    if(mysql_num_rows($res2) > 0){
                                        $row = mysql_fetch_assoc($res2);
                                        $_SESSION['uid'] = $row['id'];
                                        
                                        $row = mysql_fetch_assoc($res);
                            
                            if(!$_POST['logout']) {
                                $sql8 = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
                                $res8 = mysql_query($sql8) or die(mysql_error());
                                $row8 = mysql_fetch_assoc($res8);
                                echo "<form method=\"post\" action=\"./index.php\">
                                Welcome back, <a href=\"./index.php?act=profile&id=".$row8['id']."\">".$row8['username']."</a>! |
                                <input type=\"submit\" name=\"logout\" value=\"Logout\" onClick=\"return confirmLogout()\">";
                                echo "<br>\n";
                                echo "<a href=\"./index.php\">Forum Index</a>\n";
                                if($row8['admin'] == '1'){
                                    echo " | <a href=\"./admin.php\">Administrative Section</a>\n";
                                }
                                echo "</form>";
                            }else {
                                session_destroy();
                                if (!$_POST['submit']) {
                                    echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
                                    echo "<form method=\"post\" action=\"./index.php\">\n";
                                    echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
                                    echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
                                    echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"></td></tr>\n";
                                    echo "</form></table>\n";
                                }else {
                                    $user = mss($_POST['username']);
                                    $pass = $_POST['password'];
        
                                    if($user && $pass){
                                        $sql = "SELECT id FROM `f1` WHERE `username`='".$user."'";
                                        $res = mysql_query($sql) or die(mysql_error());
                                        if(mysql_num_rows($res) > 0){
                                            $sql2 = "SELECT id FROM `f1` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
                                            $res2 = mysql_query($sql2) or die(mysql_error());
                                            if(mysql_num_rows($res2) > 0){
                                                $row = mysql_fetch_assoc($res2);
                                                $_SESSION['uid'] = $row['id'];
                                        
                                                $sql9 = "SELECT * FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
                                                $res9 = mysql_query($sql9) or die(mysql_error());
                                                $row9 = mysql_fetch_assoc($res9);
                                                echo "Welcome back, <a href=\"./index.php?act=profile&id=".$row9['id']."\">".$row9['username']."</a>! <a href=\"./logout.php\" onClick=\"return confirmLogout()\">Logout</a>\n";
                                                echo "<br>\n";
                                                echo "<a href=\"./index.php\">Forum Index</a>\n";
                                                if($row9['admin'] == '1'){
                                                    echo " | <a href=\"./admin.php\">Administrative Section</a>\n";
                                                }
                                            }else {
                                                echo "Username and password combination are incorrect!\n";
                                            }
                                        }else {
                                            echo "The username you supplied does not exist!\n";
                                        }
                                    }else {
                                        echo "You must supply both the username and password field!\n";
                                    }
                                }
                                echo "<br>\n";
                                echo "<a href=\"./index.php\">Forum Index</a>\n";

(#15) james11, 03-05-2011, 06:21 AM

and part 3
PHP Code:
                            }
                                    }else {
                                        echo "Username and password combination are incorrect!\n";
                                    }
                                }else {
                                    echo "The username you supplied does not exist!\n";
                                }
                            }else {
                                echo "You must supply both the username and password field!\n";
                            }
                        }
                    }
                    if(!$_SESSION['uid']){
                        echo "<br>\n";
                        echo "<a href=\"./index.php\">Forum Index</a>\n";
                    }
                    $admin_user_level = $row['admin'];
                
                ?>
        </div>
            </div>
            <div id="content">
                <?php
                    if($_SESSION['uid']){
                        // Re-read the admin flag for the logged-in user
                        $sql3 = "SELECT admin FROM `f1` WHERE `id`='".$_SESSION['uid']."'";
                        $res3 = mysql_query($sql3) or die(mysql_error());
                        // No row for this session id
                        if(mysql_num_rows($res3) == 0){
                            echo "Please login to your account!\n";
                        }else {
                            $row2 = mysql_fetch_assoc($res3);
                            if($row2['admin'] != '1'){
                                echo "You are not allowed to be here!\n";
                            }else {
                                $act = $_GET['act'];
                                // Allowed actions and their menu labels
                                $acts = array('create_cat','create_subcat','all_non_admins');
                                $actions = array('create_cat' => 'Create Forum Category','create_subcat' => 'Create Forum Sub Category','all_non_admins' => 'All Users Except Admins');
                                
                                $x=1;
                                $c = count($actions);
                                foreach($actions AS $url => $link){
                                    // Bullet separator after every link except the last
                                    $bull = ($x == $c) ? "" : " &bull; ";
                                    
                                    echo "<a href=\"./admin.php?act=".$url."\">".$link."</a>" . $bull . "\n";
                                    
                                    $x++;
                                }
                                
                                echo "<br><br>\n";
                                
                                if(!$act || !in_array($act,$acts)){
                                    echo "Please choose an option from above to continue!\n";
                                }else {
                                    if($act == 'create_cat'){
                                        if(!$_POST['submit']){
                                            echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
                                            echo "<form method=\"post\" action=\"./admin.php?act=create_cat\">\n";
                                            echo "<tr><td>Category Name</td><td><input type=\"text\" name=\"name\"></td></tr>\n";
                                            echo "<tr><td>Admin Only?</td><td><input type=\"checkbox\" name=\"admin\" value=\"1\"></td></tr>\n";
                                            echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Create Forum Category\"></td></tr>\n";
                                            echo "</form></table>\n";
                                        }else {
                                            $name = mss($_POST['name']);
                                            $admin = $_POST['admin'];
                                            
                                            if($name){
                                                if(strlen($name) < 3 || strlen($name) > 32){
                                                    echo "The category name must be between 3 and 32 characters!\n";
                                                }else {
                                                    $sql4 = "SELECT * FROM `forum_cats` WHERE `name`='".$name."'";
                                                    $res4 = mysql_query($sql4) or die(mysql_error());
                                                    if(mysql_num_rows($res4) > 0){
                                                        echo "The category name already exists!\n";
                                                    }else {
                                                        $admin_check = ($admin == '1') ? "1" : "0";
                                                        $sql5 = "INSERT INTO `forum_cats` (`name`,`admin`) VALUES('".$name."','".$admin_check."')";
                                                        $res5 = mysql_query($sql5) or die(mysql_error());
                                                        echo "The forum category <b>" . $name ."</b> has been successfully added!\n";
                                                    }
                                                }
                                            }else {
                                                echo "You must supply a category name!\n";
                                            }
                                        }
                                    }
                                    
                                    if($act == 'create_subcat'){
                                        if(!$_POST['submit']){
                                            echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
                                            echo "<form method=\"post\" action=\"./admin.php?act=create_subcat\">\n";
                                            echo "<tr><td>Forum Category</td><td><select name=\"cat\"><option value=\"0\">Please choose...</option>\n";
                                            
                                            // Fill the drop-down with the existing categories
                                            $sql6 = "SELECT * FROM `forum_cats` ORDER BY id ASC";
                                            $res6 = mysql_query($sql6) or die(mysql_error());
                                            if(mysql_num_rows($res6) == 0){
                                                echo "</select><br>No categories exist\n";
                                            }else {
                                                while($row3 = mysql_fetch_assoc($res6)){
                                                    echo "<option value=\"".$row3['id']."\">".$row3['name']."</option>\n";
                                                }
                                            }
                                            echo "</select></td></tr>\n";
                                            echo "<tr><td>Sub Cat. Name</td><td><input type=\"text\" name=\"name\"></td></tr>\n";
                                            echo "<tr><td>Description</td><td><textarea name=\"desc\" style=\"width:300px;height:60px;\"></textarea></td></tr>\n";
                                            echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Add Forum Sub Category\"></td></tr>\n";
                                            echo "</form></table>\n";
                                        }else {
                                            $cat = mss($_POST['cat']);
                                            $name = mss($_POST['name']);
                                            $desc = mss($_POST['desc']);
                                            
                                            if($cat && $name && $desc){
                                                $sql7 = "SELECT * FROM `forum_cats` WHERE `id`='".$cat."'";
                                                $res7 = mysql_query($sql7) or die(mysql_error());
                                                if(mysql_num_rows($res7) == 0){
                                                    echo "The forum category you supplied does not exist!\n";
                                                }else {
                                                    $sql8 = "SELECT * FROM `forum_sub_cats` WHERE `name`='".$name."' AND `cid`='".$cat."'";
                                                    $res8 = mysql_query($sql8) or die(mysql_error());
                                                    if(mysql_num_rows($res8) > 0){
                                                        echo "The forum sub category already exists within the main category!\n";
                                                    }else {
                                                        if(strlen($name) > 100 || strlen($name) < 5){
                                                            echo "The sub-catagory name can only contain 5 to 100 characters!";
                                                        }else {
                                                            if(strlen($desc) > 255 || strlen($desc) < 10){
                                                                echo "The description must be under 255 characters and more then 10 characters\n";
                                                            }else {
                                                                $row4 = mysql_fetch_assoc($res7);
                                                                $sql9 = "INSERT INTO `forum_sub_cats` (`cid`,`name`,`desc`,`admin`) VALUES('".$cat."','".$name."','".$desc."','".$row4['admin']."')";
                                                                $res9 = mysql_query($sql9) or die(mysql_error());
                                                                echo "The forum sub category, <b>".$name."</b> has been added under the main category of <b>".$row4['name']."</b>!\n";
                                                            }
                                                        }
                                                    }
                                                }
                                            }else{
                                                echo "You must supply all the fields!";
                                            }
                                        }
                                    }
                                    
                                    // Handler for the user list, still empty
                                    if($act == 'all_non_admins'){
                                    
                                    }
                                }
                            }
                        }
                    }
                ?>
            </div>
        </div>
    </center>
    </body>

</html>

(#16) drums, 03-05-2011, 12:35 PM

For counting views, add a "views" field to the topics database and then just add an update sql statement into the topic view code.

You could start with something basic like "UPDATE topics SET views = views+1"

For your admins question, have you tried a simple SQL statement like "SELECT users FROM user_file WHERE main_admin!=1"


drums
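
The two suggestions in the post above, worked through as an added example (not code from the thread): a view counter limited to one topic, and a user list gated on the viewer's own database flags. The names `forum_topics`, `views`, `f1`, `admin` and `main_admin` come from the posts; the in-memory SQLite database, the sample rows, the function names, and the reading that ordinary admins see only non-admin users while the main admin sees everyone are assumptions.

```php
<?php
// Added example with constructed data; needs the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_topics (id INTEGER PRIMARY KEY, title TEXT, views INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE f1 (id INTEGER PRIMARY KEY, username TEXT, admin INTEGER NOT NULL DEFAULT 0, main_admin INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO forum_topics (id, title) VALUES (1, 'Welcome'), (2, 'Rules')");
$db->exec("INSERT INTO f1 (id, username, admin, main_admin) VALUES (1, 'owner', 1, 1), (2, 'mod', 1, 0), (3, 'alice', 0, 0), (4, 'bob', 0, 0)");

// Accept only a positive integer id; text or SQL fragments are rejected.
function positive_int($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Count one view of one topic. The WHERE clause limits the update to that topic,
// and "views = views + 1" runs inside the database, so concurrent views are not lost.
function count_view(PDO $db, $rawTopicId)
{
    $id = positive_int($rawTopicId);
    if ($id === null) {
        return false;
    }
    $stmt = $db->prepare('UPDATE forum_topics SET views = views + 1 WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;   // false when no such topic exists
}

function topic_views(PDO $db, $topicId)
{
    $stmt = $db->prepare('SELECT views FROM forum_topics WHERE id = ?');
    $stmt->execute([$topicId]);
    $views = $stmt->fetchColumn();
    return $views === false ? null : (int)$views;
}

// User list for the admin page. The viewer's rights are read from the database
// row for the session's user id, never from a request parameter.
function list_users_for(PDO $db, $viewerId)
{
    $stmt = $db->prepare('SELECT admin, main_admin FROM f1 WHERE id = ?');
    $stmt->execute([$viewerId]);
    $viewer = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($viewer === false || (int)$viewer['admin'] !== 1) {
        return null;   // not an admin: no list at all
    }
    // Both query strings are fixed text; no user input is concatenated into them.
    $sql = ((int)$viewer['main_admin'] === 1)
        ? 'SELECT username FROM f1 ORDER BY username'
        : 'SELECT username FROM f1 WHERE admin = 0 ORDER BY username';
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Two views of topic 1, then a constructed malformed id that must be refused.
count_view($db, '1');
count_view($db, '1');
$refused = count_view($db, "1' UNION SELECT");

printf("topic 1 views: %d, topic 2 views: %d\n", topic_views($db, 1), topic_views($db, 2));
printf("malformed id counted: %s\n", var_export($refused, true));
printf("main admin sees:    %s\n", implode(', ', list_users_for($db, 1)));
printf("ordinary admin sees: %s\n", implode(', ', list_users_for($db, 2)));
printf("normal user sees:    %s\n", var_export(list_users_for($db, 3), true));
```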

(#17) james11, 03-06-2011, 12:40 AM

thx for all the help, everything now works. All I need to do now is figure out how to make bbcode and adjust the looks and add some more admin features and make a profile page and then it will be done

(#18) drums, 03-06-2011, 01:51 AM

Profile page should be easy, but bbcode is going to be more of a challenge.

Also, for what it's worth, you need to toughen up your code against malicious SQL injection attacks, script kiddies, etc

Is this for a specific project, fun, or just to learn something new?

drums

(#19) james11, 03-06-2011, 02:11 AM

the last 2

and I will eventually tighten up security, but how do I stop sql injections?

(#20) drums, 03-06-2011, 02:42 AM

Start a new thread, because I think you'll get some other valuable replies with a topic heading like "Any tips to strengthen my php code against SQL injections and other attacks?" and then just ask for some ideas...

First steps though are to make sure you filter all GET/POST variables to ensure that they are what you expect, that you remove html code and script code when it shouldn't be there, initialise any other variables to blank or default values (which avoids problems if you or future users have php "register_globals" on) and finally that you double check any variables you're using in sql statements to ensure they don't contain things like " ' UNION SELECT .....' ".

PHP has some built in functions for filtering strings, email addresses, etc which you can use like filter_input . I think you could add it (fairly easily) into your mss function (not sure what that does in your code, but looks like you're using it to do some checking already?).

Knowing a little bit about regex filtering will also be a big help here (with things like removing HTML from input).

I can re-post some of this in your new thread with a little more detail.

Well done with the forum stuff though. You should chat to Ndogg, he has written his own forum software too.
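
The first steps listed in the post above, applied to the login and `?act=` handling from the posted admin page, as an added example (not code from the thread): request values are validated before use, queries bind their values as parameters instead of concatenating them, and output is HTML-escaped. The `f1` table, its columns and the action names come from the posted code; PDO with an in-memory SQLite database, `password_hash()` in place of the posted `md5()`, the helper names and the sample rows are assumptions.

```php
<?php
// Added example with constructed data; needs the pdo_sqlite extension and PHP 5.5+.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE f1 (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, admin INTEGER NOT NULL DEFAULT 0)');
$ins = $db->prepare('INSERT INTO f1 (username, password, admin) VALUES (?, ?, ?)');
$ins->execute(['james', password_hash('s3cret-pass', PASSWORD_DEFAULT), 1]);

// Allow-list for ?act=: anything not listed becomes null and never reaches a query or the page.
function clean_act($raw)
{
    $allowed = ['create_cat', 'create_subcat', 'all_non_admins'];
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : null;
}

// Category name: markup removed, trimmed, and length-checked (3 to 32, as in the posted code).
function clean_name($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim(strip_tags($raw));
    $len = strlen($name);
    return ($len >= 3 && $len <= 32) ? $name : null;
}

// Login with a bound parameter. The username is sent to the database as data,
// so quotes or SQL keywords in it cannot change the statement. One failure
// result covers both "no such user" and "wrong password", which avoids telling
// a visitor which usernames exist.
function login(PDO $db, $username, $password)
{
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password FROM f1 WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int)$row['id'];
}

// Escape a value for HTML output (usernames, category names, and so on).
function h($text)
{
    return htmlspecialchars((string)$text, ENT_QUOTES, 'UTF-8');
}

// Constructed request values standing in for $_POST and $_GET.
$oddUser = "james' UNION SELECT";            // the kind of string named in the post above
$oddName = "<b>News</b> & announcements";

printf("valid login:        %s\n", var_export(login($db, 'james', 's3cret-pass'), true));
printf("wrong password:     %s\n", var_export(login($db, 'james', 'guess'), true));
printf("quote in username:  %s\n", var_export(login($db, $oddUser, 'x'), true));
printf("act=create_cat:     %s\n", var_export(clean_act('create_cat'), true));
printf("act with SQL text:  %s\n", var_export(clean_act("create_cat' UNION SELECT"), true));
printf("cleaned name:       %s\n", var_export(clean_name($oddName), true));
printf("escaped for output: %s\n", h(clean_name($oddName)));
```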