Trouble with the viewcat.php and updateentry.php


Post by Zelth on Fri Oct 17, 2008 4:40 pm

Another little thing I've been working on is a blog site. Everything works fine except that when I click on a category, nothing happens. Also when I click "edit" to edit an entry, nothing happens.

config.php:
<?php

$dbhost = "localhost";
$dbuser = "root";
$dbpassword = "";
$dbdatabase = "blogtastic";

$config_blogname = "Funny old world";

$config_author = "Jono Bacon";

$config_basedir = "http://localhost/blogtastic/";

?>


header.php:
<?php

session_start();
require("config.php");
$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title><?php echo $config_blogname; ?></title>
<link rel="stylesheet" href="stylesheet.css" type="text/css" />
</head>
<body>
<div id="header">
<h1><?php echo $config_blogname; ?></h1>
[<a href="index.php">home</a>]
[<a href="viewcat.php">categories</a>]

<?php

if(isset($_SESSION['USERNAME']) == TRUE) {
  echo "[<a href='logout.php'>logout</a>]";
}
else {
  echo "[<a href='login.php'>login</a>]";
  }

if(isset($_SESSION['USERNAME']) == TRUE) {
  echo " - ";
  echo "[<a href='addentry.php'>add entry</a>]";
  echo "[<a href='addcat.php'>add category</a>]";
}
?>

</div>

<div id="main">


footer.php:
</div>

<div id="footer">
&copy; <?php echo $config_author; ?>
</div>
</body>
</html>


index.php:
<?php

require("header.php");

$sql = "SELECT entries.*, categories.cat FROM entries, categories
  WHERE entries.cat_id = categories.id
  ORDER BY dateposted DESC
  LIMIT 1;";
$result = mysql_query($sql);
$row = mysql_fetch_assoc($result);
echo "<h2><a href='viewentry.php?id=" . $row['id']
. "'>" . $row['subject'] .
    "</a></h2><br />";
echo "<i>In <a href='viewcat.php?id=" . $row['cat_id']
."'>" . $row['cat'] .
    "</a> - Posted on " . date("D jS F Y g.iA",
strtotime($row['dateposted'])) .
    "</i>";
   
if(isset($_SESSION['USERNAME']) == TRUE) {
  echo " [<a href='updateentry.php?id=" . $row['id'] . "'>edit</a>]";
}

echo "<p>";
echo nl2br($row['body']);
echo "</p>";

echo "<p>";

$commsql = "SELECT name FROM comments WHERE blog_id = " . $row['id'] .
           " ORDER BY dateposted;";
$commresult = mysql_query($commsql);
$numrows_comm = mysql_num_rows($commresult);
if($numrows_comm == 0) {
  echo "<p>No comments.</p>";
}
else {
  echo "(<strong>" . $numrows_comm . "</strong>) comments : ";
  $i = 1;
  while($commrow = mysql_fetch_assoc($commresult)) {
    echo "<a href='viewentry.php?id=" . $row['id'] ."#comment" . $i .
             "'>" . $commrow['name'] . "</a> ";
   $i++;
  }
}
echo "</p>";
$prevsql = "SELECT entries.*, categories.cat FROM entries, categories
  WHERE entries.cat_id = categories.id
  ORDER BY dateposted DESC
  LIMIT 1, 5;";
$prevresult = mysql_query($prevsql);
$numrows_prev = mysql_num_rows($prevresult);

if($numrows_prev == 0) {
  echo "<p>No previous entries.</p>";
}
else {
  echo "<ul>";
 
  while($prevrow = mysql_fetch_assoc($prevresult)) {
    echo "<li><a href='viewentry.php?id="
  . $prevrow['id'] . "'>" . $prevrow ['subject']
  . "</a></li>";
  }
}

echo "</ul>";

require("footer.php");

?>


login.php:

<?php

session_start();

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if($_POST['submit']) {

$sql = "SELECT * FROM logins WHERE username = '" . $_POST['username'] .
       "' AND password = '" . $_POST['password'] . "';";
      
$result = mysql_query($sql);
$numrows = mysql_num_rows($result);

if($numrows == 1) {
  $row = mysql_fetch_assoc($result);
  session_register("USERNAME");
  session_register("USERID");
 
  $_SESSION['USERNAME'] = $row['username'];
  $_SESSION['USERID'] = $row['id'];
 
  header("Location: " . $config_basedir);
}
else {
  header("Location: " . $config_basedir . "login.php?error=1");
}
}
else {

  require("header.php");
 
  if($_GET['error']) {
    echo "Incorrect login, please try again!";
  }
}
?>

<form action="<?php echo $SCRIPT_NAME ?>" method="post">

<table>
<tr>
  <td>Username</td>
  <td><input type="text" name="username"></td>
</tr>
<tr>
  <td>Password</td>
  <td><input type="password" name="password"></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Login!"></td>
</tr>
</table>
</form>

<?php
require("footer.php");
?>


logout.php:

<?php

session_start();
session_destroy();

require("config.php");

header("Location: " . $config_basedir);

?>


addentry.php:

<?php

session_start();

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_SESSION['USERNAME']) == FALSE) {
  header("Location: " . $config_basedir);
}

if($_POST['submit']) {
  $sql = "INSERT INTO entries(cat_id, dateposted, subject, body)
VALUES(" .
         $_POST['cat'] . ", NOW(), '" . $_POST['subject'] . "', '" .
       $_POST['body'] . "');";
  mysql_query($sql);
  header("Location: " . $config_basedir);
}
else {
  require("header.php");
?>

<h1>Add new entry</h1>
<form action="<?php echo $SCRIPT_NAME ?>" method="post">

<table>
<tr>
  <td>Category</td>
  <td>
  <select name="cat">
  <?php
    $catsql = "SELECT * FROM categories;";
   $catres = mysql_query($catsql);
   while($catrow= mysql_fetch_assoc($catres)) {
     echo "<option value='" . $catrow['id']
. "'>" . $catrow['cat'] . "</option>";
    }
  ?>
  </select>
  </td>
</tr>

<tr>
  <td>Subject</td>
  <td><input type="text" name="subject"></td>
</tr>
<tr>
  <td>Body</td>
  <td><textarea name="body" rows="10" cols="50"></textarea></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Add Entry!"></td>
</tr>
</table>
</form>

<?php
}
require("footer.php");
?>


addcat.php:

<?php

session_start();

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_SESSION['USERNAME']) == FALSE) {
  header("Location: " . $config_basedir);
}

if($_POST['submit']) {
  $sql = "INSERT INTO categories(cat) VALUES('" . $_POST['cat'] . "');";
  mysql_query($sql);
  header("Location: " . $config_basedir . "viewcat.php");
}
else {
  require("header.php");
  }
?>

<form action="<?php echo $SCRIPT_NAME ?>" method="post">

<table>
<tr>
  <td>Category</td>
  <td><input type="text" name="cat"></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Add Entry!"></td>
</tr>
</table>
</form>

<?php
require("footer.php");
?>


updateentry.php:

<?php

session_start();

require("config.php");

if(isset($_SESSION['USERNAME']) == FALSE) {
  header("Location: " . $config_basedir);
}

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_GET['id']) == TRUE) {
  if(is_numeric($id) == FALSE) {
    $error = 1;
  }
 
  if($error == 1) {
    header("Location: " . $config_basedir);
  }
  else {
    $validentry = $_GET['id'];
  }
}
else {
  $validentry = 0;
}

if($_POST['submit']) {
  $sql = "UPDATE entries SET cat_id = "
. $_POST['cat'] . ", subject = '" .
         $_POST['subject'] ."', body = '"
. $_POST['body'] . "' WHERE id = " .
         $validentry . ";";
  mysql_query($sql);
 
  header("Location: " . $config_basedir . "viewentry.php?id=" .
$validentry);
}
else {

  require("header.php");
 
  $fillsql = "SELECT * FROM entries WHERE id = " . $validentry . ";";
  $fillres = mysql_query($fillsql);
  $fillrow = mysql_fetch_assoc($fillres);
 
?>

<h1>Update entry</h1>

<form action="<?php echo $SCRIPT_NAME . "?id="
. $validentry; ?>" method="post">

<table>

<tr>
  <td>Category</td>
  <td>
  <select name="cat">
  <?php
    $catsql = "SELECT * FROM categories;";
   $catres = mysql_query($catsql);
   while($catrow= mysql_fetch_assoc($catres)) {
     echo "<option value='" . $catrow['id'] . "'";
    
     if($catrow['id'] == $fillrow['cat_id']) {
       echo " selected";
     }
    
     echo ">" . $catrow['cat'] . "</option>";
   }
  ?>
  </select>
  </td>
</tr>

<tr>
  <td>Subject</td>
  <td><input type="text" name="subject"
value="<?php echo $fillrow['subject']; ?>">
</td>
</tr>
<tr>
  <td>Body</td>
  <td><textarea name="body" rows="10" cols="50">
    <?php echo $fillrow['body']; ?></textarea></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Update Entry!"></td>
</tr>
</table>
</form>

<?php
}
require("footer.php");
?>


viewcat.php:

<?php

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_GET['id']) == TRUE) {
  if(is_numeric($id) == FALSE) {
    $error = 1;
  }
 
  if($error == 1) {
    header("Location: " . $config_basedir . "viewcat.php");
  }
  else {
    $validcat = $_GET['id'];
  }
}
else {
  $validcat = 0;
}

$sql = "SELECT * FROM categories";
$result = mysql_query($sql);

require("header.php");

while($row = mysql_fetch_assoc($result)) {
  if($validcat == $row['id']) {
    echo "<strong>" . $row['cat'] . "</strong><br />";
   
   $entriessql = "SELECT * FROM entries WHERE cat_id = " . $validcat .
                 " ORDER BY dateposted DESC;";
   $entriesres = mysql_query($entriessql);
   $numrows_entries = mysql_num_rows($entriesres);
   
   echo "<ul>";
   if($numrows_entries == 0) {
     echo "<li>No entries!</li>";
   }
   else {
     while($entriesrow = mysql_fetch_assoc($entriesres)) {
       echo "<li>" . date("D jS F Y g.iA", strtotime($entriesrow
['dateposted'])) .
          " - <a href='viewentry.php?id=" . $entriesrow['id'] . "'>" .
        $entriesrow['subject'] ."</a></li>";
     }
   }
   echo "</ul>";
  }
  else {
    echo "<a href='viewcat.php?id=" . $row['id'] . "'>" . $row['cat'] .
"</a><br />";
  }
}

require("footer.php")

?>


viewentry.php:
<?php

require("config.php");

if(isset($_GET['id']) == TRUE) {
  if(is_numeric($_GET['id']) == FALSE) {
    $error = 1;
  }
 
  if($error == 1) {
    header("Location: " . $config_basedir);
  }
  else {
    $validentry = $_GET['id'];
  }
}
else {
  $validentry = 0;
}

if($_POST['submit']) {
  $db = mysql_connect($dbhost, $dbuser, $dbpassword);
  mysql_select_db($dbdatabase, $db);
 
  $sql = "INSERT INTO comments(blog_id, dateposted,
name, comment) VALUES(" .
    $validentry . ", NOW(), '" . $_POST['name']
. "', '" . $_POST['comment'] . "');";
  mysql_query($sql);
  header("Location: http://" . $HTTP_HOST
. $SCRIPT_NAME . "?id=" . $validentry);
}
else {
  // code will go here
}

require("header.php");
if($validentry == 0) {
  $sql = "SELECT entries.*, categories.cat FROM entries, categories " .
         " WHERE entries.cat_id = categories.id " .
       "ORDER BY dateposted DESC " .
       " LIMIT 1;";
}
else {
  $sql = "SELECT entries.*, categories.cat FROM entries, categories " .
         "WHERE entries.cat_id = categories.id
AND entries.id = " . $validentry .
         " ORDER BY dateposted DESC LIMIT 1;";
}
$result = mysql_query($sql);

$row = mysql_fetch_assoc($result);
echo "<h2>" . $row['subject'] . "</h2><br />";
echo "<i>In <a href='viewcat.php?id=" . $row['cat_id'] ."'>" .
     $row ['cat'] ."</a> - Posted on " .
    date("D jS F Y g.iA", strtotime($row['dateposted'])) ."</i>";
echo "<p>";
echo nl2br($row['body']);
echo "</p>";

$commsql = "SELECT * FROM comments WHERE blog_id = " . $validentry .
           " ORDER BY dateposted DESC;";
$commresult = mysql_query($commsql);
$numrows_comm = mysql_num_rows($commresult);

if($numrows_comm == 0) {
  echo "<p>No comments.</p>";
}
else {
  $i = 1;
 
  while($commrow = mysql_fetch_assoc($commresult)) {
    echo "<a name='comment" . $i . "'>";
   echo "<h3>Comment by " . $commrow['name'] . " on " .
        date("D jS F Y g.iA",
strtotime($commrow['dateposted'])) . "</h3>";
    echo $commrow['comment'];
   $i++;
  }
}

?>

<h3>Leave a comment</h3>

<form action="<?php echo $SCRIPT_NAME
. "?id=" . $validentry; ?>" method="post">
<table>
<tr>
  <td>Your name</td>
  <td><input type="text" name="name"></td>
</tr>
<tr>
  <td>Comments</td>
  <td><textarea name="comment" rows="10" cols="50"></textarea></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Add comment"></td>
</tr>
</table>
</form>

<?php
require("footer.php");
?>


And finally stylesheet.css:
body {
  font-family: "trebuchet ms", verdana, sans-serif;
  font-size: 12px;
  line-height: 1.5em;
  color: #333;
  background: #ffffff;
  margin: 0;
  padding: 0;
  text-align: left;
  width: 100%;
}

p {
  margin-top: 10px;
}

a:link {
  text-decoration: none;
  color: #000;
}

a:visited {
  text-decoration: none;
  border-bottom: 1px dotted #369;
  color: #000;
}

a:hover, a:active {
  text-decoration: none;
  border-bottom: 1px solid #036;
  color: #000;
}

img {
  border: 0;
}

#container {
  position: absolute;
  top: 85px;
  left: 0px;
  background: #ffffff;
  margin: 0 auto 0 auto;
  text-align: left;
  width: 100%;
  height: 100%;
}

#menu {
  font-family: "trebuchet ms", verdana, sans-serif;
  font-size: 14px;
  font-weight: bold;
  position: absolute;
  height: 27px;
  top: 60px;
  left: 0px;
  width: 100%;
  padding: 0px;
  color: #000000;
  background-color: #eee
}

#header {
  position: absolute;
  top: 0px;
  left: 0px;
  height: 60px;
  width: 100%;
  background: #333;
  padding-top: 8px;
  text-align: center;
}

#header h1 {
  font-size: 30px;
  text-transform: uppercase;
  letter-spacing: 0.3em;
  color: #fff;
}

#main {
  margin: 75px 15px 15px 0px;
  padding: 15px 15px 15px 15px;
  background: #FFFFFF;
}

#bar {
  float: left;
  width: 200px;
  background: #eee;
  z-index: 1;
  padding: 10px;
  margin-right: 30px;
  height: 100%;
}

#bar h1 {
  font-size: 12px;
  text-transform: uppercase;
  letter-spacing: 0.3em;
}


Please, any help would be nice :D


Re: Trouble with the viewcat.php and updateentry.php

Post by kiyoura on Wed Jan 28, 2009 11:48 am

I saw a few problems with your code; some are my opinions, but they might help out in the end.

1) session_register() has been deprecated as of PHP 5.3.0; discontinue using it, as it will be removed in 6.0.

2) I saw a lot of "== true" or "== false". == means "if equals"; however, === means "equal and same type as". Booleans and strings are not the same type.

3) You don't need to connect to the database in every single page. Try connecting once in the config.php file and including that page wherever it's needed.

4) Regardless of whether you get your code to work, I saw NO sanitizing of your $_GET and $_POST variables. Your code is vulnerable to SQL injection and XSS (among other things). Try looking up htmlentities() and mysql_real_escape_string() for starters.

5) You might want to try (just try) to put session_start() in the config file and get rid of it everywhere else.

The things I said may or may not help your problem, but they should still help you out.
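As an added example that is not part of either post, here is viewcat.php's id check and entry query reworked along the lines of kiyoura's points 2 to 5: one PDO connection made in config.php, strict validation of the id, a bound parameter instead of a string-built query, and HTML encoding on output. The table and column names are the original's; the DSN, database user and password are placeholders.

```php
<?php
// Added example, not code from either post: viewcat.php's id check and
// entry query reworked along kiyoura's points 2 to 5. Table/column names
// are the original's; the DSN, user and password are placeholders.
$config_basedir = 'http://localhost/blogtastic/';   // from config.php

// Points 3 and 5: one connection, made here and included everywhere.
$pdo = new PDO(
    'mysql:host=localhost;dbname=blogtastic;charset=utf8mb4',
    'blog_app',                 // placeholder: a least-privilege user, not root
    'CHANGE_ME',                // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

// Point 2: strict validation. filter_var() returns false (not 0) for a
// missing or non-integer id, so === tells "no id" apart from "bad id".
function validCategoryId(array $get): ?int
{
    if (!isset($get['id'])) {
        return 0;               // nothing selected: list categories only
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Point 4, SQL injection: the id is bound, never concatenated into SQL.
function entriesForCategory(PDO $pdo, int $catId): array
{
    $stmt = $pdo->prepare('SELECT id, subject, dateposted FROM entries
                           WHERE cat_id = :cat ORDER BY dateposted DESC');
    $stmt->execute([':cat' => $catId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Point 4, XSS: encode at the point a value is written into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$validcat = validCategoryId($_GET);
if ($validcat === null) {
    header('Location: ' . $config_basedir . 'viewcat.php');
    exit;   // the original redirects but keeps running the rest of the page
}
foreach (entriesForCategory($pdo, $validcat) as $row) {
    echo "<li><a href='viewentry.php?id=" . (int) $row['id'] . "'>"
       . h($row['subject']) . "</a></li>\n";
}
```

The same `exit` after `header()` matters in addentry.php, addcat.php and updateentry.php: as posted, an unauthenticated request is redirected but the script continues, so the INSERT or UPDATE below still runs.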


