I can't, for the life of me figure out what went wrong...
Posted: Wed Jun 03, 2009 9:32 pm
I don't even remember changing anything... but for some reason, this page wont show anything past the first if statement. It doesn't seem to be a problem with the header, since if I add an echo statement after the include, and before the if, it shows up.
here's the page, please ignore the messy, unsecure code and lack of descriptive comments, I'm pretty inexperienced.
here's the page, please ignore the messy, unsecure code and lack of descriptive comments, I'm pretty inexperienced.
Code: Select all
<?php
include('includes/header.php');
if($isLogin != 1) {
NULL;
} else {
if(isset($_POST['submit'])) {
//validate the forum
$doesExist = doesExist($_POST['thread'], "threads", "id");
if($doesExist == 0) {
//invalid forum error
echo "You either don't have permission to post in this thread, or it doesn't exist!";
} else {
$doesExist = doesExist($_POST['reply'], "replies", "id");
if($_POST['reply'] == "thread") {
$doesExist = 1;
}
if($doesExist == 0) {
//invalid forum error
echo "You either don't have permission to reply to this post, or it doesn't exist!";
} else {
//sanitize subject and message
$subject = sanitize($_POST['subject']);
$message = sanitize($_POST['message']);
$subject = strip_tags($subject);
$message = strip_tags_attributes($message,'<blockquote><hr><br><strong><em><a><font><span><img>','href,style,color,src,alt,size');
//get the date
$date = date("j-n-Y g:i a");
//send the message
$query = "INSERT INTO replies VALUES(NULL, '" . $_POST['thread'] . "', '" . $_POST['reply'] . "', '" . $_COOKIE['greenuser'] . "', '" . $date . "', '" . $subject . "', '" . $message . "')";
mysql_query($query) or die(mysql_error());
$query2 = "UPDATE threads SET lastposter = '" . $_COOKIE['greenuser'] . "', lastpostdate = '" . $date . "', replies = replies +1 WHERE id = '" . $_POST['thread'] . "'";
mysql_query($query2) or die(mysql_error());
$query3 = "UPDATE profile SET posts = posts +1 WHERE id = '" . $_COOKIE['greenuser'] . "'";
mysql_query($query3) or die(mysql_error());
echo "<META http-equiv=\"refresh\" content=\"0;URL=thread.php?id=" . $_POST['thread'] . "#" . $_POST['reply'] . "\">";
}
}
}
//get the message details
$query4 = "SELECT * FROM threads WHERE id = '" . $_REQUEST['threadId'] . "'";
$thread = mysql_fetch_array(mysql_query($query4)) or die(mysql_error());
//get the reply to details
$query5 = "SELECT * FROM replies WHERE id = '" . $_REQUEST['replyToId'] . "'";
$reply = mysql_fetch_array(mysql_query($query5)) or die(mysql_error());
$getUser = getUser($reply['author']);
?>
<script type="text/javascript">
function quoteMessage(){
var quote = document.getElementById('quote').value;
document.getElementById('message').innerHTML = quote;
}
</script>
<br />
<input type="hidden" name="quote" id="quote" value="<?php echo "<blockquote><hr>" . $getUser['username'] . " wrote:<br />" . $reply['message'] . "<hr></blockquote>"; ?>" />
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" >
<input type="hidden" name="thread" value="<?php echo $_REQUEST['threadId']; ?>" />
<input type="hidden" name="reply" value="<?php echo $_REQUEST['replyToId']; ?>" />
<strong>Subj: </strong><input type="text" name="subject" value="<?php echo $thread['subject']; ?>" /><br />
<strong>Message: </strong> <input type="button" onclick="quoteMessage()" value="Quote Message" /><br />
<textarea name="message" id="message" rows="20" cols="50"></textarea><br />
<input type="submit" name="submit" value="Post Thread" />
</form>
<?php
//end
}
?>