hmm

Posted: Sat Aug 19, 2006 2:51 pm
by eektech909
I have an admin site to add shows to a mysql database and the shows page on the website automatically generates a table from the database.

When I add a show, it seems to add it twice, but not right away. After maybe 2 minutes it will add the show again.

login_success.php

Code: Select all

<?php 
session_start();
if(!session_is_registered('myusername')){
header("location:shows.php");
}
if (isset($_POST['submit'])) {
$statefield=$_POST['statefield'];

if ($_POST['infofield'] == !NULL) {
$infofield=$_POST['infofield'];
}else{
$error = ("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='red'><b>Please enter some show information</b><br><br></font></div></td></tr></table>");
}
if ($_POST['playing'] == !NULL) {
$playing=$_POST['playing'];
}else{
$error = ("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='red'><b>Please enter the other bands you are playing with</b><br><br></font></div></td></tr></table>");
}
if ($_POST['cityfield'] == !NULL) {
$cityfield=$_POST['cityfield'];
}else{
$error = ("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='red'><b>Please enter a city</b><br><br></font></div></td></tr></table>");
}
if ($_POST['venuefield'] == !NULL) {
$venuefield=$_POST['venuefield'];
}else{
$error = ("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='red'><b>Please enter a venue</b><br><br></font></div></td></tr></table>");
}
if ($_POST['datefield'] == !NULL) {
$datefield=$_POST['datefield'];
$dates = explode("/", $datefield);
$dayfield = ($dates[1]);
$monthfield = ($dates[0]);
$yearfield = ($dates[2]);
}else{
$error = ("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='red'><b>Please enter a date</b><br><br></font></div></td></tr></table>");
}

if (isset($error) == NULL) {
$datef=''.$yearfield.'-'.$monthfield.'-'.$dayfield.'';
$venuef=''.$venuefield.'';
$cityf=''.$cityfield.', '.$statefield.'';
$playf=''.$playing.'';
$infof=''.$infofield.'';
header ("location:addshow.php?daf=".$datef."&vef=".$venuef."&cif=".$cityf."&plf=".$playf."&inf=".$infof."");
}else{
echo $error;
}
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Shot Baker Admin</title>
<script language="JavaScript" src="pupdate.js"></script>
</head>

<body>
<?php
$datefield=NULL;
$venuefield=NULL;
$infofield=NULL;
$playing=NULL;
$cityfield=NULL;
?>
<form id="form1" name="form1" method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <table width="964" border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#FFFFFF">
    <tr>
      <td><div align="center"><font face="verdana" size="2"><b>Add Show</b></font></div></td>
    </tr>
    <tr>
      <td><table width="100%" border="1" cellspacing="0" cellpadding="4" bordercolor="#dddddd" bgcolor="#eeeeee">
          <tr>
            <td><div align="center">Date</div></td>
            <td><div align="center">Venue</div></td>
            <td><div align="center">Location</div></td>
            <td><div align="center">Playing With </div></td>
            <td><div align="center">Info</div></td>
          </tr>
          <tr>
            <td><div align="center">
                <input type="text" name="datefield" size="16" maxlength="32" <?php
                if (!empty($_POST['datefield'])){
                  echo 'value="' . htmlentities($_POST['datefield'], ENT_QUOTES).'"';
                }
                ?>>
<img src="cal.gif" width="16" height="16" vspace="0" hspace="2" border="0" onMouseUp="getCalendarFor(document.form1.datefield)">
            </div></td>
            <td><div align="center">
              <input name="venuefield" type="text" size="20" maxlength="56" <?php
                if (!empty($_POST['venuefield'])){
                  echo 'value="' . htmlentities($_POST['venuefield'], ENT_QUOTES).'"';
                }
                ?>/>
            </div></td>
            <td><div align="center">
              <input name="cityfield" type="text" size="20" maxlength="56" <?php
                if (!empty($_POST['cityfield'])){
                  echo 'value="' . htmlentities($_POST['cityfield'], ENT_QUOTES).'"';
                }
                ?>/>
            , 
            <select name="statefield">
              <option value="IL">IL</option>
                        </select>
            </div></td>
            <td><div align="center">
              <input name="playing" type="text" size="20" <?php
                if (!empty($_POST['playing'])){
                  echo 'value="' . htmlentities($_POST['playing'], ENT_QUOTES).'"';
                }
                ?>
                >
            </div></td>
            <td><div align="center">
              <input name="infofield" type="text" size="20" maxlength="56" <?php
                if (!empty($_POST['infofield'])){
                  echo 'value="' . htmlentities($_POST['infofield'], ENT_QUOTES).'"';
                }
                ?>/>
            </div></td>
          </tr>
      </table></td>
    </tr>
    <tr>
      <td><div align="center"><br>
        <input type="submit" name="submit" value="submit" />
      </div></td>
    </tr>
  </table>
</form>
<br /><br />
<?php
ob_start();
$host="***";
$username="***"; 
$password="***"; 
$db_name="sbaker"; 
$tbl_name="shows"; 

mysql_connect("$host", "$username", "$password")or die("cannot connect to server"); 
mysql_select_db("$db_name")or die("cannot connect to shows database");

$display = mysql_query("SELECT * FROM shows ORDER BY Date");
//$datedisplay = mysql_query("SELECT date_format(date, '%m/%d/%Y') as formated_date from sbaker"); 

if (!$display) {
echo("error <span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>");
exit();
}
$numrow = mysql_num_rows($display);
if ($numrow == "0") {
echo("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='red'><b>There are no shows scheduled right now</b><br><br></font></div></td></tr></table>");
} ELSE {
echo("
<table width='680' border='1' align='center' cellpadding='3' cellspacing='0' bordercolor='#000000' bgcolor='#ffffff'>
<tr bgcolor='#dddddd' class='style55'>
<td width='15' align='center' valign='middle' scope='col'> </td>
<td width='50' align='center' valign='middle' scope='col'>Date</td>
<td width='150' align='center' valign='middle' scope='col'>Venue</td>
<td width='150' align='center' valign='middle' scope='col'>City</td>
<td width='150' align='center' valign='middle' scope='col'>Playing with</td>
<td width='150' align='center' valign='middle' scope='col'>Info</td>
</tr>");
while ($row=mysql_fetch_array($display) ){
echo("<tr><td align='center'><img border='0' src='ex.jpg' onClick='codel(this)' id1=".($row["DATE"])."  id2=".($row["ID"])."></td><td align='center'>" . date("n.j.Y", strtotime($row["DATE"])) . "</td><td align='center'>" . $row["VENUE"] . "</td><td align='center'>" . $row["CITY"] . "</td><td align='center'>" . $row["PLAYINGWITH"] . "</td><td align='center'>" . $row["INFO"] . "</td></tr>");
}
 

echo("</table>");
}
?>
<script language="JavaScript">
function codel(delobj) {
	var message = "Are you sure you want to delete this show?";
	var return_value = confirm(message);
	if (return_value == true) {
  window.location= "<?php echo ('del.php?thedate="+(delobj.id1)+"&theid="+(delobj.id2)+"'); 
  ?>";
 		exit;
	} else {
		}
}
</script>
<!-- PopUp Calendar BEGIN -->
<script language="JavaScript">
if (document.all) {
 document.writeln("<div id=\"PopUpCalendar\" style=\"position:absolute; left:0px; top:0px; z-index:7; width:200px; height:77px; overflow: visible; visibility: hidden; background-color: #ffffff; border: 0px none #000000\" onMouseOver=\"if(ppcTI){clearTimeout(ppcTI);ppcTI=false;}\" onMouseOut=\"ppcTI=setTimeout(\'hideCalendar()\',500)\">");
 document.writeln("<div id=\"monthSelector\" style=\"position:absolute; left:0px; top:0px; z-index:9; width:181px; height:27px; overflow: visible; visibility:inherit\">");}
else if (document.layers) {
 document.writeln("<layer id=\"PopUpCalendar\" pagex=\"0\" pagey=\"0\" width=\"200\" height=\"200\" z-index=\"100\" visibility=\"hide\" bgcolor=\"#FFFFFF\" onMouseOver=\"if(ppcTI){clearTimeout(ppcTI);ppcTI=false;}\" onMouseOut=\"ppcTI=setTimeout('hideCalendar()',500)\">");
 document.writeln("<layer id=\"monthSelector\" left=\"0\" top=\"0\" width=\"181\" height=\"27\" z-index=\"9\" visibility=\"inherit\">");}
else {
 document.writeln("<p><font color=\"#FF0000\"><b>Error ! The current browser is either too old or too modern (using DOM document structure).</b></font></p>");}
</script>
<noscript><p><font color="#FF0000"><b>JavaScript is not activated !</b></font></p></noscript>
<table border="1" cellspacing="0" cellpadding="2" width="200" bordercolor="#cccccc" vspace="0" hspace="0">
  <form name="ppcMonthList"><tr><td align="center" bgcolor="#dddddd"><a href="javascript:moveMonth('Back')" onMouseOver="window.status=' ';return true;"><font face="Verdana" size="1" color="#000000"><b><&nbsp;</b></font></a><font face="MS Sans Serif, sans-serif" size="1"> 
<select name="sItem" onMouseOut="if(ppcIE){window.event.cancelBubble = true;}" onChange="switchMonth(this.options[this.selectedIndex].value)" style="font-family: 'MS Sans Serif', sans-serif; font-size: 9pt"><option value="0" selected>2000 &#149; January</option><option value="1">2000 &#149; February</option><option value="2">2000 &#149; March</option><option value="3">2000 &#149; April</option><option value="4">2000 &#149; May</option><option value="5">2000 &#149; June</option><option value="6">2000 &#149; July</option><option value="7">2000 &#149; August</option><option value="8">2000 &#149; September</option><option value="9">2000 &#149; October</option><option value="10">2000 &#149; November</option><option value="11">2000 &#149; December</option><option value="0">2001 &#149; January</option></select></font><a href="javascript:moveMonth('Forward')" onMouseOver="window.status=' ';return true;"><font face="Arial, Helvetica, sans-serif" size="2" color="#000000"><b>&nbsp;></b></font></a></td></tr></form></table>

<table border="1" cellspacing="0" cellpadding="2" bordercolor="#cccccc" width="200" vspace="0" hspace="0"><tr align="center" bgcolor="#dddddd"><td width="20" bgcolor="#dddddd"><b><font face="Verdana" size="1">S</font></b></td><td width="20"><b><font face="Verdana" size="1">M</font></b></td><td width="20"><b><font face="Verdana" size="1">T</font></b></td><td width="20"><b><font face="Verdana" size="1">W</font></b></td><td width="20"><b><font face="Verdana" size="1">T</font></b></td><td width="20"><b><font face="Verdana" size="1">F</font></b></td><td width="20" bgcolor="#dddddd"><b><font face="Verdana" size="1">S</font></b></td></tr></table>
<script language="JavaScript">
if (document.all) {
 document.writeln("</div>");
 document.writeln("<div id=\"monthDays\" style=\"position:absolute; left:0px; top:52px; z-index:8; width:200px; height:17px; overflow: visible; visibility:inherit; background-color: #FFFFFF; border: 0px none #000000\">&nbsp;</div></div>");}
else if (document.layers) {
 document.writeln("</layer>");
 document.writeln("<layer id=\"monthDays\" left=\"0\" top=\"52\" width=\"200\" height=\"17\" z-index=\"8\" bgcolor=\"#FFFFFF\" visibility=\"inherit\">&nbsp;</layer></layer>");}
else {/*NOP*/}
</script>
<!-- PopUp Calendar END -->
</body>
</html>
addshow.php

Code: Select all

<?php
session_start();
if(!session_is_registered('myusername')){
header("location:shows.php");
}
$datefield=NULL;
$venuefield=NULL;
$infofield=NULL;
$playing=NULL;
$cityfield=NULL;
$host="***";
$username="***"; 
$password="***"; 
$db_name="sbaker"; 
$datefield=$_GET['daf'];
$venuefield=$_GET['vef'];
$infofield=htmlentities($_GET['inf'], ENT_QUOTES);
$playing=$_GET['plf'];
$cityfield=$_GET['cif'];

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$sql = "INSERT INTO shows SET " .
	"DATE='$datefield', " .
	"VENUE='$venuefield', " .
	"CITY='$cityfield', " .
	"PLAYINGWITH='$playing', " .
	"INFO='$infofield'";
if (mysql_query($sql)) {
	echo("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='blue'><b>Your new show has been added!</b><br><br></font></div></td></tr></table>");

$datefield=NULL;
$venuefield=NULL;
$infofield=NULL;
$playing=NULL;
$cityfield=NULL;
  
} else {
  echo("<table width='100%' border='0' cellspacing='0' cellpadding='0'><tr><td><div align='center'><font face='verdana' size='1' color='red'><b>ERROR ADDING NEW SHOW INFORMATION</b><br><br></font></div></td></tr></table>");
  echo mysql_error();
}

?>
<html>
<head>
<META HTTP-EQUIV="Refresh"
      CONTENT="2; URL=login_success.php">
<title>Shot Baker Admin</title>
</head>
<body>
</form>
</body>
</html>

Posted: Sat Aug 19, 2006 2:58 pm
by nincha
aye! 8O

Posted: Sat Aug 19, 2006 3:22 pm
by feyd
"hmm" is one of the least descriptive titles to a thread in quite some time. I'd suggest thinking up a new one and editing your original post.


Where to begin..
  • session_is_registered() is deprecated, i.e. do not use it.
  • Always, always use full URLs with header redirection:

    Code: Select all

    header("location:shows.php");
  • Do not look for the submit button in submissions. Not all browsers send the button when no button was used to submit the data. Instead, check for fields that always submit, or better yet $_SERVER['REQUEST_METHOD']

    Code: Select all

    if (isset($_POST['submit'])) {
  • Code: Select all

    $_POST['infofield'] == !NULL
    Isn't the best of ideas. If anything, it should be

    Code: Select all

    $_POST['infofield'] != NULL
    or

    Code: Select all

    !empty($_POST['infofield'])
  • I assume $_POST['datefield'] is supposed to be a date. But without verifying the format, the explode() call afterward could not break the string as you expect, making the following fail.

    Code: Select all

    $dayfield = ($dates[1]);
    $monthfield = ($dates[0]);
    $yearfield = ($dates[2]);
  • There's a bit of redundancy in the following

    Code: Select all

    $datef=''.$yearfield.'-'.$monthfield.'-'.$dayfield.'';
    Concatenating empty strings generally does nothing.

    Code: Select all

    $datef=$yearfield.'-'.$monthfield.'-'.$dayfield;
  • I'll ignore your HTML. :)
  • Using $_SERVER['PHP_SELF'] is a security hole. Be careful. Since you are submitting to yourself, consider using an action of "?" or "#"
  • Your code seems to lack indentation, while this doesn't bother PHP, it may bother other developers trying to read your code.
  • There's no "exit" keyword in Javascript.

    Code: Select all

            var return_value = confirm(message);
            if (return_value == true) {
      window.location= "<?php echo ('del.php?thedate="+(delobj.id1)+"&theid="+(delobj.id2)+"');
      ?>";
                   exit;
Now, let's go through your addshow script:
  • $_GET['daf'] et al. are not guaranteed to be in the URL when accessing the script. You should check for their existence before using them.
  • The submission data is added to your query string without any validation, verification or escapement.
  • The page runs the INSERT query every time the page is loaded. Is addshow.php included in any other files?
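One way to address those points together, as an added example that is not code from the thread: a single script that shows the form, processes only a POST submission, validates each field before using explode(), and inserts with a prepared statement instead of interpolating $_GET values into the SQL. It assumes PHP 7 or later with PDO, that the login stores the user name in $_SESSION['myusername'], and placeholder host, user and password; the table and column names are the ones from the posts.

```php
<?php
// Added example, not the thread's code: form display, POST-only processing,
// field validation and a prepared-statement INSERT in one script. Assumes
// $_SESSION['myusername'] is set at login; DB credentials are placeholders.
session_start();
if (empty($_SESSION['myusername'])) {
    header('Location: http://example.com/admin/shows.php'); // full URL, then stop
    exit;
}

$errors = [];
// A plain GET of this URL (reload, back button, prefetch) never reaches the
// INSERT, so the same show cannot be written a second time.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $labels = ['datefield' => 'a date', 'venuefield' => 'a venue', 'cityfield' => 'a city',
               'playing' => 'the other bands you are playing with', 'infofield' => 'some show information'];
    foreach ($labels as $name => $label) {
        if (empty($_POST[$name])) {              // !empty(), not == !NULL
            $errors[] = "Please enter $label";
        }
    }
    // Verify the mm/dd/yyyy layout before trusting the explode() positions
    $dates = explode('/', $_POST['datefield'] ?? '');
    if (count($dates) !== 3 || !checkdate((int)$dates[0], (int)$dates[1], (int)$dates[2])) {
        $errors[] = 'Please enter the date as mm/dd/yyyy';
    }
    if (!$errors) {
        $datef = sprintf('%04d-%02d-%02d', $dates[2], $dates[0], $dates[1]);
        $pdo = new PDO('mysql:host=DB_HOST_PLACEHOLDER;dbname=sbaker;charset=utf8mb4',
                       'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        // Bound parameters carry the user data; nothing is concatenated into the SQL text
        $stmt = $pdo->prepare('INSERT INTO shows (DATE, VENUE, CITY, PLAYINGWITH, INFO)
                               VALUES (?, ?, ?, ?, ?)');
        $stmt->execute([$datef, $_POST['venuefield'], $_POST['cityfield'] . ', ' . ($_POST['statefield'] ?? ''),
                        $_POST['playing'], $_POST['infofield']]);
        // Post/Redirect/Get: the page the browser lands on is a harmless GET
        header('Location: http://example.com/admin/login_success.php?added=1');
        exit;
    }
}
foreach ($errors as $e) {
    echo '<p style="color:red">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
?>
<!-- action="?" posts back to this script without echoing $_SERVER['PHP_SELF'] -->
<form method="post" action="?">
  <!-- the date, venue, city, state, playing and info inputs go here, as in the original form -->
  <input type="submit" value="submit">
</form>
```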

Posted: Sat Aug 19, 2006 3:27 pm
by Benjamin
My favorite part of this whole thread..
feyd wrote: I'll ignore your HTML. :)