Page 1 of 1

php + MySQL

Posted: Tue Aug 07, 2007 9:07 am
by DeathsMessenger
Ok here is the problem (again).

a Comment system for a update list, I got it up and running, it records the text input and the article that was commented on, but not the ID and display name.
The PHP script is as follows

Code: Select all

<b><center>Comments on this article</center></b>
<?php
$result = mysql_query("SELECT player, display_name, article, comment FROM comments WHERE article=$number");

while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) 
{
    printf(" Comment made by <a href=profile.php?id=%s><b>%s</b></a></br>%s<hr>", $row["player"], $row["display_name"], $row["comment"]);
}

mysql_free_result($result); 

if(isset($_POST['save']))
{


	$content = $_POST['content'];
	
	if(!get_magic_quotes_gpc())
	{
		
		$content = addslashes($content);
	}
	
	$query = "INSERT INTO `comments` (`player`, `display_name`, `article`, `comment`) VALUES ('$users->id', '$users->display_name', '$number', '$content');";
	mysql_query($query) or die('Error ,query failed');
	
	echo "Comment added";
	}
?>
<form method="post">
  <table border="0" cellpadding="2" cellspacing="1" class="box" align="center">
    <tr> 
      <td>Content</td>
      <td><textarea name="content" cols="50" rows="10" class="box" id="content"></textarea></td>
    </tr>
    <tr> 
      <td> </td>
      <td> </td>
    </tr>
    <tr> 
      <td colspan="2" align="center"><input name="save" type="submit" class="box" id="save" value="Post comment"></td>
    </tr>
  </table>
</form>
and the HTML output is

Code: Select all

<b><center>Comments on this article</center></b>
Comment made by <a href=profile.php?id=0><b></b></a></br>Why no worky?<hr>
What it should be is

Code: Select all

<b><center>Comments on this article</center></b>
Comment made by <a href=profile.php?id=1><b>Me</b></a></br>That is better<hr>

What am i doing wrong? do i have to include the ID and name is the form or is the code that gets the id wrong?

EDIT: This is included on anohter page

Posted: Tue Aug 07, 2007 9:13 am
by iknownothing
yes you have to include the ID and name in the form, so it can be posted, then added into the database.

Also you will find that the link you are creating to go to the user profile (I expect) won't work, as you need to add quotes around 'profile.php..' in your printf.

Posted: Tue Aug 07, 2007 9:18 am
by DeathsMessenger
Really? i would have thought that would make epic vulnerabilitys with people editing it.

And no, thats works alright as i entered the data in the DB manually and it worked fine, leading me to it being the code not the DB.

Posted: Tue Aug 07, 2007 9:21 am
by iknownothing
DeathsMessenger wrote:Really? i would have thought that would make epic vulnerabilitys with people editing it.
Use a hidden form element:

Code: Select all

<input type="hidden" value="<?php echo $id; ?>">
also, you may want to look into mysql_real_escape_string() for a bit of security when entering data into the database. http://au.php.net/mysql_real_escape_string

Posted: Tue Aug 07, 2007 9:32 am
by DeathsMessenger
Ok thanks :oops:

Posted: Tue Aug 07, 2007 10:21 am
by DeathsMessenger
didn't work. did i do it right?

Code: Select all

<b><center>Comments on this article</center></b>
<?php
$result = mysql_query("SELECT player, display_name, article, comment FROM comments WHERE article=$number");

while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) 
{
    printf(" Comment made by <a href=profile.php?id=%s><b>%s</b></a></br>%s<hr>", $row["player"], $row["display_name"], $row["comment"]);
}

mysql_free_result($result); 

if(isset($_POST['save']))
{
            $name = $_POST['name'];
            $player = $_POST['id'];
	$content = $_POST['content'];
	
	if(!get_magic_quotes_gpc())
	{
		
		$content = addslashes($content);
	}
	
	$query = "INSERT INTO `comments` (`player`, `display_name`, `article`, `comment`) VALUES ('$player', '$name', '$number', '$content');";
	mysql_query($query) or die('Error ,query failed');
	
	echo "Comment added";
	}
?>
<form method="post">
  <table border="0" cellpadding="2" cellspacing="1" class="box" align="center">
    <tr> 
      <td>Content</td>
      <td><textarea name="content" cols="50" rows="10" class="box" id="content"></textarea></td>
    </tr>
    <tr> 
      <td> </td>
      <td> </td>
    </tr>
    <tr> 
      <td colspan="2" align="center"><input name="save" type="submit" class="box" id="save" value="Post comment"></td>
    </tr>
  </table>
  <input type="hidden" name="id" value="<?php echo('$user->id'); ?>">
  <input type="hidden" name="name" value="<?php echo('$user->display_name'); ?>">
</form>

Posted: Tue Aug 07, 2007 10:25 am
by iknownothing
It looks like your not getting the information from the database first...

Posted: Tue Aug 07, 2007 10:27 am
by DeathsMessenger
Oh crap, that was it. Working now. thats IKN