gillespiea
January 20th, 2010, 07:34 PM
Hi folks. I've posted up a few times about a few problems I've had with my PHP and MySQL coding and received a lot of help (especially some that showed how vulnerable my site was to XSS).
I thought I would ask on here again about a problem I'm having. My coding has come on quite a bit in the last few months, but now I am looking to make parts of my forums dynamic and I'm not too sure how to do it.
The parts I want to make dynamic are users' avatars and signatures, so that they change when the user changes them in the CP. Currently the users' signatures are stored in their session cookie and avatars are not currently used (although I don't think it will take me too long to apply it). The details from the sessions are then used to post the data into the MySQL database and then the forum reads it from there, thus making it "static" (as in I can't change it without going into the user's post and changing it from there).
So my question is: how can I adapt the following script to make the signature dynamic, reading from the "users" table rather than the "forum_posts" table? Cheers.
<?php
session_start();
include("../includes/config.php");
doDB();

// check for required info from the query string
if (!isset($_GET["topic_id"])) {
    header("Location: topiclist.php");
    exit;
}

// topic_id and page are integers: casting them keeps raw query-string text out of the SQL
$topic_id = (int) $_GET["topic_id"];
$page = isset($_GET["page"]) ? (int) $_GET["page"] : 1;
if ($page < 1) {
    $page = 1;
}
$resultsPerPage = 5;
$startResult = ($page - 1) * $resultsPerPage;
$totalPages = 1;
$post_id = 0;

// verify the topic exists
$verify_topic_sql = "SELECT topic_title FROM forum_topics WHERE topic_id = " . $topic_id;
$verify_topic_res = mysqli_query($mysqli, $verify_topic_sql) or die(mysqli_error($mysqli));
if (mysqli_num_rows($verify_topic_res) < 1) {
    // this topic does not exist
    $display_block = "<p><em>You have selected an invalid topic.<br/>
    Please <a href=\"topiclist.php\">try again</a>.</em></p>";
} else {
    // get the topic title (HTML-encoded, since it is echoed into the page)
    $topic_info = mysqli_fetch_array($verify_topic_res);
    $topic_title = htmlspecialchars($topic_info['topic_title']);

    // count the posts in this topic so the pager knows how many pages exist
    $count_sql = "SELECT COUNT(*) AS post_count FROM forum_posts WHERE topic_id = " . $topic_id;
    $count_res = mysqli_query($mysqli, $count_sql) or die(mysqli_error($mysqli));
    $count_row = mysqli_fetch_array($count_res);
    $totalPages = max(1, (int) ceil($count_row['post_count'] / $resultsPerPage));
    mysqli_free_result($count_res);

    // gather the posts for this page
    $get_posts_sql = "SELECT signature, post_id, post_text,
    DATE_FORMAT(post_create_time, '%b %e %Y at %r')
    AS fmt_post_create_time, post_owner
    FROM forum_posts
    WHERE topic_id = " . $topic_id . "
    ORDER BY post_create_time ASC LIMIT $startResult, $resultsPerPage";
    $get_posts_res = mysqli_query($mysqli, $get_posts_sql) or die(mysqli_error($mysqli));

    // create the display string
    $display_block = "
    <h2>Showing posts for the " . $topic_title . " topic:</h2>
    <table width=\"90%\" cellpadding=\"3\" cellspacing=\"0\" border=\"0\">
    <tr>
    <th>AUTHOR</th>
    <th>POST</th>
    </tr>";
    while ($posts_info = mysqli_fetch_array($get_posts_res)) {
        $post_id = (int) $posts_info['post_id'];
        // htmlspecialchars() encodes user-supplied text so it is shown, never run as markup
        $post_text = nl2br(htmlspecialchars($posts_info['post_text']));
        $post_create_time = $posts_info['fmt_post_create_time'];
        $post_owner = htmlspecialchars($posts_info['post_owner']);
        $signature = htmlspecialchars($posts_info['signature']);
        // add to display
        $display_block .= "
        <tr>
        <td width=\"35%\" valign=\"top\"><h1>" . $post_owner . "</h1><strong>Posted on:</strong><br>" . $post_create_time . "</td>
        <td width=\"65%\" valign=\"top\">" . $post_text . "<hr><h3>" . $signature . "</h3>
        </td>
        </tr>";
    }
    // free results
    mysqli_free_result($get_posts_res);
    mysqli_free_result($verify_topic_res);
    // close up the table
    $display_block .= "</table>";
}
?>
<html>
<head>
<title>The Yarp</title>
<link rel="stylesheet" type="text/css" href="../styles/style.css">
</head>
<body>
<table width="90%" height="320" border="0" align="center" cellpadding="5" cellspacing="0">
<tr>
<td height="141" colspan="3" align="center"><img src="../images/title.gif"></td>
</tr>
<tr>
<td width="15%" height="160" valign="top">
<?php $root = $_SERVER['DOCUMENT_ROOT']; include $root . '/includes/login.php'; ?>
<?php $root = $_SERVER['DOCUMENT_ROOT']; include $root . '/includes/nav.php'; ?>
<?php $root = $_SERVER['DOCUMENT_ROOT']; include $root . '/includes/adminmenu.php'; ?>
<?php $root = $_SERVER['DOCUMENT_ROOT']; include $root . '/includes/adminadd.php'; ?>
</td>
<td width="843" height="160"> <table width="90%" border="0" align="center">
<tr>
<td><?php echo $display_block; ?>
<?php if (isset($_SESSION["adminauth"]) && ($_SESSION["adminauth"] == "1" or $_SESSION["adminauth"] == "0")) echo "<a href=\"replytopost.php?post_id=" . $post_id . "\"><img src=\"reply.gif\" border=\"0\"></a>"; ?><br>
<?php
// pager: topic_id and page are integers, so they can go straight into the links
$previous = $page - 1;
if ($previous > 0) {
    echo "<a href=\"showtopic.php?topic_id=" . $topic_id . "&amp;page=" . $previous . "\">Previous </a>";
}
// current page - no link
echo "Page " . $page;
// only offer a Next link while there are more posts to show
if ($page < $totalPages) {
    $next = $page + 1;
    echo "<a href=\"showtopic.php?topic_id=" . $topic_id . "&amp;page=" . $next . "\"> Next </a>";
}
// close connection to MySQL
mysqli_close($mysqli);
?>
</td>
</tr>
</table></td>
<td width="24"></td>
</tr>
<tr>
<td height="19"></td>
<td></td>
<td></td>
</tr>
</table>
<footer><div align="center">Copyright © Alastair Gillespie 2009</div></footer>
</body>
</html>
PS: you might also notice that I have a problem with my next page buttons. Any help with that would be appreciated too.
Thanks for looking and taking the time to read through my lengthy post.
Alastair.
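The change the post asks for, as an added example that is not part of the original post and not the poster's code: the display page stops reading the signature that was copied into forum_posts and instead joins each post to the users table at render time, so an edit in the CP shows on every old post. It assumes (none of this is in the original) a users table with columns username, signature and avatar, that forum_posts.post_owner holds the username, PHP 7 or later with the mysqlnd driver (for get_result()), and that $mysqli is the connection config.php / doDB() already open. Query parameters go through prepared statements instead of string concatenation, and every user-controlled value is HTML-encoded where it is echoed.

```php
<?php
// Added example, not the poster's code. Assumptions (not in the original post):
// a users table (username, signature, avatar), forum_posts.post_owner = username,
// PHP 7+ with mysqlnd, and $mysqli already opened by config.php / doDB().

// Returns ['total_pages' => int, 'posts' => array] for one page of a topic.
function fetch_topic_page(mysqli $mysqli, int $topic_id, int $page, int $per_page = 5): array
{
    $page = max(1, $page);
    $offset = ($page - 1) * $per_page;

    // COUNT(*) drives the pager; the prepared statement keeps topic_id out of the SQL text.
    $count = $mysqli->prepare("SELECT COUNT(*) FROM forum_posts WHERE topic_id = ?");
    $count->bind_param("i", $topic_id);
    $count->execute();
    $count->bind_result($total_posts);
    $count->fetch();
    $count->close();
    $total_pages = max(1, (int) ceil($total_posts / $per_page));

    // LEFT JOIN so a post whose author row is gone still renders (signature/avatar NULL).
    $sql = "SELECT p.post_id, p.post_owner, p.post_text,
                   DATE_FORMAT(p.post_create_time, '%b %e %Y at %r') AS fmt_post_create_time,
                   u.signature, u.avatar
            FROM forum_posts AS p
            LEFT JOIN users AS u ON u.username = p.post_owner
            WHERE p.topic_id = ?
            ORDER BY p.post_create_time ASC
            LIMIT ?, ?";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param("iii", $topic_id, $offset, $per_page);
    $stmt->execute();
    $result = $stmt->get_result();

    $posts = [];
    while ($row = $result->fetch_assoc()) {
        $posts[] = [
            'post_id'    => (int) $row['post_id'],
            'post_owner' => $row['post_owner'],
            'post_text'  => $row['post_text'],
            'created'    => $row['fmt_post_create_time'],
            'signature'  => $row['signature'] ?? '',
            'avatar'     => $row['avatar'] ?? '',
        ];
    }
    $stmt->close();

    return ['total_pages' => $total_pages, 'posts' => $posts];
}

// Encode on output, not on input: whatever is stored, it reaches the browser as text.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_post_row(array $post): string
{
    // The avatar is a stored filename; basename() stops a "../" value escaping the avatar dir.
    $avatar = $post['avatar'] !== ''
        ? '<img src="../images/avatars/' . h(basename($post['avatar'])) . '" alt="">'
        : '';
    return "<tr>\n"
        . "<td width=\"35%\" valign=\"top\">" . $avatar . "<h1>" . h($post['post_owner']) . "</h1>"
        . "<strong>Posted on:</strong><br>" . h($post['created']) . "</td>\n"
        . "<td width=\"65%\" valign=\"top\">" . nl2br(h($post['post_text']))
        . "<hr><h3>" . h($post['signature']) . "</h3></td>\n"
        . "</tr>\n";
}

function render_pager(int $topic_id, int $page, int $total_pages): string
{
    $out = '';
    if ($page > 1) {
        $out .= '<a href="showtopic.php?topic_id=' . $topic_id . '&amp;page=' . ($page - 1) . '">Previous</a> ';
    }
    $out .= 'Page ' . $page . ' of ' . $total_pages;
    if ($page < $total_pages) {
        $out .= ' <a href="showtopic.php?topic_id=' . $topic_id . '&amp;page=' . ($page + 1) . '">Next</a>';
    }
    return $out;
}

// Usage in showtopic.php, after doDB(): both query-string values are cast to int first.
$topic_id = (int) ($_GET['topic_id'] ?? 0);
$page     = (int) ($_GET['page'] ?? 1);
$data     = fetch_topic_page($mysqli, $topic_id, $page);
$display_block = '<table width="90%" cellpadding="3" cellspacing="0" border="0">'
    . '<tr><th>AUTHOR</th><th>POST</th></tr>';
foreach ($data['posts'] as $post) {
    $display_block .= render_post_row($post);
}
$display_block .= '</table>' . render_pager($topic_id, $page, $data['total_pages']);
```

Two design points worth noting. The signature column on forum_posts becomes dead data once the join is in place, so stop writing it on reply and the session no longer needs to carry it at all; the session should hold only the user's identity. And the Next link is decided from COUNT(*) rather than always printed, which is the bug behind the original pager: the old code echoed Next before checking the count and never ran a valid count query (COUNT * is not SQL), so the comparison was against a result object, not a number.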