php + MySQL

DeathsMessenger
Forum Newbie
Posts: 20
Joined: Wed Jan 17, 2007 4:08 am
Location: England

Post by DeathsMessenger »

Ok here is the problem (again).

A comment system for an update list: I got it up and running, and it records the text input and the article that was commented on, but not the ID and display name.
The PHP script is as follows:

Code:

<b><center>Comments on this article</center></b>
<?php
$result = mysql_query("SELECT player, display_name, article, comment FROM comments WHERE article=$number");

while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) 
{
    printf(" Comment made by <a href=profile.php?id=%s><b>%s</b></a></br>%s<hr>", $row["player"], $row["display_name"], $row["comment"]);
}

mysql_free_result($result); 

if(isset($_POST['save']))
{


	$content = $_POST['content'];
	
	if(!get_magic_quotes_gpc())
	{
		
		$content = addslashes($content);
	}
	
	$query = "INSERT INTO `comments` (`player`, `display_name`, `article`, `comment`) VALUES ('$users->id', '$users->display_name', '$number', '$content');";
	mysql_query($query) or die('Error ,query failed');
	
	echo "Comment added";
	}
?>
<form method="post">
  <table border="0" cellpadding="2" cellspacing="1" class="box" align="center">
    <tr> 
      <td>Content</td>
      <td><textarea name="content" cols="50" rows="10" class="box" id="content"></textarea></td>
    </tr>
    <tr> 
      <td> </td>
      <td> </td>
    </tr>
    <tr> 
      <td colspan="2" align="center"><input name="save" type="submit" class="box" id="save" value="Post comment"></td>
    </tr>
  </table>
</form>

And the HTML output is:

Code:

<b><center>Comments on this article</center></b>
Comment made by <a href=profile.php?id=0><b></b></a></br>Why no worky?<hr>

What it should be is:

Code:

<b><center>Comments on this article</center></b>
Comment made by <a href=profile.php?id=1><b>Me</b></a></br>That is better<hr>

What am I doing wrong? Do I have to include the ID and name in the form, or is the code that gets the ID wrong?

EDIT: This is included on another page
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

Yes, you have to include the ID and name in the form, so it can be posted, then added into the database.

Also you will find that the link you are creating to go to the user profile (I expect) won't work, as you need to add quotes around 'profile.php..' in your printf.
DeathsMessenger
Forum Newbie
Posts: 20
Joined: Wed Jan 17, 2007 4:08 am
Location: England

Post by DeathsMessenger »

Really? I would have thought that would make epic vulnerabilities with people editing it.

And no, that works alright, as I entered the data in the DB manually and it worked fine, leading me to it being the code, not the DB.
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

DeathsMessenger wrote: Really? I would have thought that would make epic vulnerabilities with people editing it.

Use a hidden form element:

Code:

<input type="hidden" value="<?php echo $id; ?>">

Also, you may want to look into mysql_real_escape_string() for a bit of security when entering data into the database. http://au.php.net/mysql_real_escape_string
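
Added example, not part of the thread or any poster's code: the concern raised above is that hidden form fields can be edited by whoever submits the form, so this sketch takes the comment author from server-side session state, inserts with bound parameters, and escapes stored text on output. Assumptions: PDO with in-memory SQLite stands in for the MySQL database, `$session` stands in for `$_SESSION` as set at login, and the `users` table and the function names are hypothetical.

```php
<?php
// Added example. Assumptions: SQLite via PDO stands in for MySQL; $session stands in
// for $_SESSION; the users table and both function names are hypothetical.
function add_comment(PDO $db, array $session, array $post, int $article): bool
{
    if (!isset($session['user_id'])) {
        return false;                       // not logged in: no comment
    }
    // Look the author up by the session's id; any id/name fields in $post are ignored.
    $u = $db->prepare('SELECT id, display_name FROM users WHERE id = ?');
    $u->execute([$session['user_id']]);
    $user = $u->fetch(PDO::FETCH_ASSOC);
    $content = trim((string)($post['content'] ?? ''));
    if ($user === false || $content === '') {
        return false;
    }
    // Placeholders keep the values out of the SQL text, so no addslashes() is needed.
    $ins = $db->prepare('INSERT INTO comments (player, display_name, article, comment) VALUES (?, ?, ?, ?)');
    return $ins->execute([$user['id'], $user['display_name'], $article, $content]);
}

function render_comments(PDO $db, int $article): string
{
    $q = $db->prepare('SELECT player, display_name, comment FROM comments WHERE article = ?');
    $q->execute([$article]);
    $html = '';
    foreach ($q->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Escape stored text on output so a comment cannot inject markup.
        $html .= sprintf(
            'Comment made by <a href="profile.php?id=%d"><b>%s</b></a><br>%s<hr>',
            $row['player'],
            htmlspecialchars($row['display_name'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Constructed sample data: user 1 is logged in; the POST carries forged id/name fields.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)');
$db->exec('CREATE TABLE comments (player INTEGER, display_name TEXT, article INTEGER, comment TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'Me'), (2, 'Admin')");
add_comment($db, ['user_id' => 1], ['id' => '2', 'name' => 'Admin', 'content' => '<b>That is better</b>'], 7);
echo render_comments($db, 7), "\n";
```

The stored row is attributed to user 1 ("Me") even though the submitted form claimed id 2, and the markup in the comment body is rendered as text.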
DeathsMessenger
Forum Newbie
Posts: 20
Joined: Wed Jan 17, 2007 4:08 am
Location: England

Post by DeathsMessenger »

Ok thanks :oops:
DeathsMessenger
Forum Newbie
Posts: 20
Joined: Wed Jan 17, 2007 4:08 am
Location: England

Post by DeathsMessenger »

Didn't work. Did I do it right?

Code:

<b><center>Comments on this article</center></b>
<?php
$result = mysql_query("SELECT player, display_name, article, comment FROM comments WHERE article=$number");

while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) 
{
    printf(" Comment made by <a href=profile.php?id=%s><b>%s</b></a></br>%s<hr>", $row["player"], $row["display_name"], $row["comment"]);
}

mysql_free_result($result); 

if(isset($_POST['save']))
{
            $name = $_POST['name'];
            $player = $_POST['id'];
	$content = $_POST['content'];
	
	if(!get_magic_quotes_gpc())
	{
		
		$content = addslashes($content);
	}
	
	$query = "INSERT INTO `comments` (`player`, `display_name`, `article`, `comment`) VALUES ('$player', '$name', '$number', '$content');";
	mysql_query($query) or die('Error ,query failed');
	
	echo "Comment added";
	}
?>
<form method="post">
  <table border="0" cellpadding="2" cellspacing="1" class="box" align="center">
    <tr> 
      <td>Content</td>
      <td><textarea name="content" cols="50" rows="10" class="box" id="content"></textarea></td>
    </tr>
    <tr> 
      <td> </td>
      <td> </td>
    </tr>
    <tr> 
      <td colspan="2" align="center"><input name="save" type="submit" class="box" id="save" value="Post comment"></td>
    </tr>
  </table>
  <input type="hidden" name="id" value="<?php echo('$user->id'); ?>">
  <input type="hidden" name="name" value="<?php echo('$user->display_name'); ?>">
</form>
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

It looks like you're not getting the information from the database first...
DeathsMessenger
Forum Newbie
Posts: 20
Joined: Wed Jan 17, 2007 4:08 am
Location: England

Post by DeathsMessenger »

Oh crap, that was it. Working now. Thanks, IKN.