How does this look (simple forum)
Posted: Tue Aug 21, 2007 1:01 pm
This is a very simple forum for a small website. Does it look secure enough?
Code: Select all
<?php
ob_start();
/*
Connect
*/
require 'library/connect.php';
/*
Handle Form
*/
if(isset($_POST['submit'])){
$errors=array();
//Check for empty fields
if(!isset($_POST['name']) || empty($_POST['name'])){
$errors[]='Name';
}
if (!eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[_a-z0-9-]+(\.[_a-z0-9-]+)*(\.[a-z]{2,4})$',trim($_POST['email']))){
$errors[]='Email';
}
if(!isset($_POST['comment']) || empty($_POST['comment'])){
$errors[]='Comment';
}
//If all went ok
if(empty($errors)){
$name=mysql_real_escape_string(trim($_POST['name']));
$email=mysql_real_escape_string(trim($_POST['email']));
$comment=mysql_real_escape_string(trim(nl2br($_POST['comment'])));
$query="INSERT INTO forum (name,email,comment,date) VALUES ('$name','$email','$comment',current_date)";
mysql_query($query) or die (mysql_error());
header('location:forum.php');
} else {
$error="<p>There is either missing or innacurate data in the following field(s):</p>\n";
$error.="<ul>\n";
foreach($errors as $value){
$error.= "<li>$value</li>\n";
}
$error.="</ul>\n";
$error.="<p>Please re-enter your comment.</p>\n";
}
}
/*
Start Content
*/
$pageTitle="Union County Comprehensive Plan - Forum";
$banner='';
$left='
<p><strong>Comment</strong></p>
<form method="post">
Name<br />
<input type="text" name="name" size="32" /><br />
Email<br />
<input type="text" name="email" size="32" /><br />
Comment<br />
<textarea name="comment" rows="5" cols="23"></textarea>
<input type="submit" name="submit" value="Add Comment" />
</form>
';
$content="<h3>Forum</h3>\n";
/*
Display Comments
*/
//pagination
$rowsPerPage=5;
$pageNum=1;
if(isset($_GET['page'])){
$pageNum=$_GET['page'];
}
$offset=($pageNum-1)*$rowsPerPage;
$query="SELECT id FROM forum";
$result=(mysql_query($query));
$numrows=mysql_numrows($result);
$maxPage = ceil($numrows/$rowsPerPage);
$query="SELECT name, comment,email, date FROM forum ORDER BY id DESC LIMIT $offset, $rowsPerPage";
$result=mysql_query($query) or die (mysql_error());
if ($numrows < 1){
$content.="<p>There are no comments.</p>\n";
} else {
while($row=mysql_fetch_assoc($result)){
$date = date('F d, Y', strtotime($row['date']));
$content.='<div class="comment">'."\n";
$content.='<strong><a href="mailto:'.$row['email'].'">'.$row['name']."</a></strong><br />\n";
$content.=$row['comment']."<br />\n";
$content.='<span class="date">'.$date."</span>\n";
$content.="</div>\n";
}
}
if ($pageNum > 1){
$page=$pageNum - 1;
$prev='<a href="forum.php?page='.$page.'">Previous</a>';
} else {
$prev="Previous";
}
if ($pageNum < $maxPage){
$page=$pageNum + 1;
$next='<a href="forum.php?page='.$page.'">Next</a>';
} else { $next="Next";}
$content.="<p>$prev | $next<br />\n";
$content.="Page $pageNum of $maxPage.</p>\n";
require 'library/template.php';
?>