Trouble with the viewcat.php and updateentry.php

Posted: Fri Oct 17, 2008 4:40 pm
by Zelth
Another little thing I've been working on is a blog site. Everything works fine except that when I click on a category, nothing happens. Also when I click "edit" to edit an entry, nothing happens.

config.php:
<?php

$dbhost = "localhost";
$dbuser = "root";
$dbpassword = "";
$dbdatabase = "blogtastic";

$config_blogname = "Funny old world";

$config_author = "Jono Bacon";

$config_basedir = "http://localhost/blogtastic/";

?>


header.php:
<?php

session_start();
require("config.php");
$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title><?php echo $config_blogname; ?></title>
<link rel="stylesheet" href="stylesheet.css" type="text/css" />
</head>
<body>
<div id="header">
<h1><?php echo $config_blogname; ?></h1>
[<a href="index.php">home</a>]
[<a href="viewcat.php">categories</a>]

<?php

if(isset($_SESSION['USERNAME']) == TRUE) {
  echo "[<a href='logout.php'>logout</a>]";
}
else {
  echo "[<a href='login.php'>login</a>]";
  }

if(isset($_SESSION['USERNAME']) == TRUE) {
  echo " - ";
  echo "[<a href='addentry.php'>add entry</a>]";
  echo "[<a href='addcat.php'>add category</a>]";
}
?>

</div>

<div id="main">


footer.php:
</div>

<div id="footer">
&copy; <?php echo $config_author; ?>
</div>
</body>
</html>


index.php:
<?php

require("header.php");

$sql = "SELECT entries.*, categories.cat FROM entries, categories
  WHERE entries.cat_id = categories.id
  ORDER BY dateposted DESC
  LIMIT 1;";
$result = mysql_query($sql);
$row = mysql_fetch_assoc($result);
echo "<h2><a href='viewentry.php?id=" . $row['id']
. "'>" . $row['subject'] .
    "</a></h2><br />";
echo "<i>In <a href='viewcat.php?id=" . $row['cat_id']
."'>" . $row['cat'] .
    "</a> - Posted on " . date("D jS F Y g.iA",
strtotime($row['dateposted'])) .
    "</i>";
   
if(isset($_SESSION['USERNAME']) == TRUE) {
  echo " [<a href='updateentry.php?id=" . $row['id'] . "'>edit</a>]";
}

echo "<p>";
echo nl2br($row['body']);
echo "</p>";

echo "<p>";

$commsql = "SELECT name FROM comments WHERE blog_id = " . $row['id'] .
           " ORDER BY dateposted;";
$commresult = mysql_query($commsql);
$numrows_comm = mysql_num_rows($commresult);
if($numrows_comm == 0) {
  echo "<p>No comments.</p>";
}
else {
  echo "(<strong>" . $numrows_comm . "</strong>) comments : ";
  $i = 1;
  while($commrow = mysql_fetch_assoc($commresult)) {
    echo "<a href='viewentry.php?id=" . $row['id'] ."#comment" . $i .
             "'>" . $commrow['name'] . "</a> ";
   $i++;
  }
}
echo "</p>";
$prevsql = "SELECT entries.*, categories.cat FROM entries, categories
  WHERE entries.cat_id = categories.id
  ORDER BY dateposted DESC
  LIMIT 1, 5;";
$prevresult = mysql_query($prevsql);
$numrows_prev = mysql_num_rows($prevresult);

if($numrows_prev == 0) {
  echo "<p>No previous entries.</p>";
}
else {
  echo "<ul>";
 
  while($prevrow = mysql_fetch_assoc($prevresult)) {
    echo "<li><a href='viewentry.php?id="
  . $prevrow['id'] . "'>" . $prevrow ['subject']
  . "</a></li>";
  }
}

echo "</ul>";

require("footer.php");

?>


login.php:

<?php

session_start();

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if($_POST['submit']) {

$sql = "SELECT * FROM logins WHERE username = '" . $_POST['username'] .
       "' AND password = '" . $_POST['password'] . "';";
      
$result = mysql_query($sql);
$numrows = mysql_num_rows($result);

if($numrows == 1) {
  $row = mysql_fetch_assoc($result);
  session_register("USERNAME");
  session_register("USERID");
 
  $_SESSION['USERNAME'] = $row['username'];
  $_SESSION['USERID'] = $row['id'];
 
  header("Location: " . $config_basedir);
}
else {
  header("Location: " . $config_basedir . "login.php?error=1");
}
}
else {

  require("header.php");
 
  if($_GET['error']) {
    echo "Incorrect login, please try again!";
  }
}
?>

<form action="<?php echo $SCRIPT_NAME ?>" method="post">

<table>
<tr>
  <td>Username</td>
  <td><input type="text" name="username"></td>
</tr>
<tr>
  <td>Password</td>
  <td><input type="password" name="password"></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Login!"></td>
</tr>
</table>
</form>

<?php
require("footer.php");
?>


logout.php:

<?php

session_start();
session_destroy();

require("config.php");

header("Location: " . $config_basedir);

?>


addentry.php:

<?php

session_start();

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_SESSION['USERNAME']) == FALSE) {
  header("Location: " . $config_basedir);
}

if($_POST['submit']) {
  $sql = "INSERT INTO entries(cat_id, dateposted, subject, body)
VALUES(" .
         $_POST['cat'] . ", NOW(), '" . $_POST['subject'] . "', '" .
       $_POST['body'] . "');";
  mysql_query($sql);
  header("Location: " . $config_basedir);
}
else {
  require("header.php");
?>

<h1>Add new entry</h1>
<form action="<?php echo $SCRIPT_NAME ?>" method="post">

<table>
<tr>
  <td>Category</td>
  <td>
  <select name="cat">
  <?php
    $catsql = "SELECT * FROM categories;";
   $catres = mysql_query($catsql);
   while($catrow= mysql_fetch_assoc($catres)) {
     echo "<option value='" . $catrow['id']
. "'>" . $catrow['cat'] . "</option>";
    }
  ?>
  </select>
  </td>
</tr>

<tr>
  <td>Subject</td>
  <td><input type="text" name="subject"></td>
</tr>
<tr>
  <td>Body</td>
  <td><textarea name="body" rows="10" cols="50"></textarea></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Add Entry!"></td>
</tr>
</table>
</form>

<?php
}
require("footer.php");
?>


addcat.php:

<?php

session_start();

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_SESSION['USERNAME']) == FALSE) {
  header("Location: " . $config_basedir);
}

if($_POST['submit']) {
  $sql = "INSERT INTO categories(cat) VALUES('" . $_POST['cat'] . "');";
  mysql_query($sql);
  header("Location: " . $config_basedir . "viewcat.php");
}
else {
  require("header.php");
  }
?>

<form action="<?php echo $SCRIPT_NAME ?>" method="post">

<table>
<tr>
  <td>Category</td>
  <td><input type="text" name="cat"></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Add Entry!"></td>
</tr>
</table>
</form>

<?php
require("footer.php");
?>


updateentry.php:

<?php

session_start();

require("config.php");

if(isset($_SESSION['USERNAME']) == FALSE) {
  header("Location: " . $config_basedir);
}

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_GET['id']) == TRUE) {
  if(is_numeric($id) == FALSE) {
    $error = 1;
  }
 
  if($error == 1) {
    header("Location: " . $config_basedir);
  }
  else {
    $validentry = $_GET['id'];
  }
}
else {
  $validentry = 0;
}

if($_POST['submit']) {
  $sql = "UPDATE entries SET cat_id = "
. $_POST['cat'] . ", subject = '" .
         $_POST['subject'] ."', body = '"
. $_POST['body'] . "' WHERE id = " .
         $validentry . ";";
  mysql_query($sql);
 
  header("Location: " . $config_basedir . "viewentry.php?id=" .
$validentry);
}
else {

  require("header.php");
 
  $fillsql = "SELECT * FROM entries WHERE id = " . $validentry . ";";
  $fillres = mysql_query($fillsql);
  $fillrow = mysql_fetch_assoc($fillres);
 
?>

<h1>Update entry</h1>

<form action="<?php echo $SCRIPT_NAME . "?id="
. $validentry; ?>" method="post">

<table>

<tr>
  <td>Category</td>
  <td>
  <select name="cat">
  <?php
    $catsql = "SELECT * FROM categories;";
   $catres = mysql_query($catsql);
   while($catrow= mysql_fetch_assoc($catres)) {
     echo "<option value='" . $catrow['id'] . "'";
    
     if($catrow['id'] == $fillrow['cat_id']) {
       echo " selected";
     }
    
     echo ">" . $catrow['cat'] . "</option>";
   }
  ?>
  </select>
  </td>
</tr>

<tr>
  <td>Subject</td>
  <td><input type="text" name="subject"
value="<?php echo $fillrow['subject']; ?>">
</td>
</tr>
<tr>
  <td>Body</td>
  <td><textarea name="body" rows="10" cols="50">
    <?php echo $fillrow['body']; ?></textarea></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Update Entry!"></td>
</tr>
</table>
</form>

<?php
}
require("footer.php");
?>


viewcat.php:

<?php

require("config.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_GET['id']) == TRUE) {
  if(is_numeric($id) == FALSE) {
    $error = 1;
  }
 
  if($error == 1) {
    header("Location: " . $config_basedir . "viewcat.php");
  }
  else {
    $validcat = $_GET['id'];
  }
}
else {
  $validcat = 0;
}

$sql = "SELECT * FROM categories";
$result = mysql_query($sql);

require("header.php");

while($row = mysql_fetch_assoc($result)) {
  if($validcat == $row['id']) {
    echo "<strong>" . $row['cat'] . "</strong><br />";
   
   $entriessql = "SELECT * FROM entries WHERE cat_id = " . $validcat .
                 " ORDER BY dateposted DESC;";
   $entriesres = mysql_query($entriessql);
   $numrows_entries = mysql_num_rows($entriesres);
   
   echo "<ul>";
   if($numrows_entries == 0) {
     echo "<li>No entries!</li>";
   }
   else {
     while($entriesrow = mysql_fetch_assoc($entriesres)) {
       echo "<li>" . date("D jS F Y g.iA", strtotime($entriesrow
['dateposted'])) .
          " - <a href='viewentry.php?id=" . $entriesrow['id'] . "'>" .
        $entriesrow['subject'] ."</a></li>";
     }
   }
   echo "</ul>";
  }
  else {
    echo "<a href='viewcat.php?id=" . $row['id'] . "'>" . $row['cat'] .
"</a><br />";
  }
}

require("footer.php")

?>


viewentry.php:
<?php

require("config.php");

if(isset($_GET['id']) == TRUE) {
  if(is_numeric($_GET['id']) == FALSE) {
    $error = 1;
  }
 
  if($error == 1) {
    header("Location: " . $config_basedir);
  }
  else {
    $validentry = $_GET['id'];
  }
}
else {
  $validentry = 0;
}

if($_POST['submit']) {
  $db = mysql_connect($dbhost, $dbuser, $dbpassword);
  mysql_select_db($dbdatabase, $db);
 
  $sql = "INSERT INTO comments(blog_id, dateposted,
name, comment) VALUES(" .
    $validentry . ", NOW(), '" . $_POST['name']
. "', '" . $_POST['comment'] . "');";
  mysql_query($sql);
  header("Location: http://" . $HTTP_HOST
. $SCRIPT_NAME . "?id=" . $validentry);
}
else {
  // code will go here
}

require("header.php");
if($validentry == 0) {
  $sql = "SELECT entries.*, categories.cat FROM entries, categories " .
         " WHERE entries.cat_id = categories.id " .
       "ORDER BY dateposted DESC " .
       " LIMIT 1;";
}
else {
  $sql = "SELECT entries.*, categories.cat FROM entries, categories " .
         "WHERE entries.cat_id = categories.id
AND entries.id = " . $validentry .
         " ORDER BY dateposted DESC LIMIT 1;";
}
$result = mysql_query($sql);

$row = mysql_fetch_assoc($result);
echo "<h2>" . $row['subject'] . "</h2><br />";
echo "<i>In <a href='viewcat.php?id=" . $row['cat_id'] ."'>" .
     $row ['cat'] ."</a> - Posted on " .
    date("D jS F Y g.iA", strtotime($row['dateposted'])) ."</i>";
echo "<p>";
echo nl2br($row['body']);
echo "</p>";

$commsql = "SELECT * FROM comments WHERE blog_id = " . $validentry .
           " ORDER BY dateposted DESC;";
$commresult = mysql_query($commsql);
$numrows_comm = mysql_num_rows($commresult);

if($numrows_comm == 0) {
  echo "<p>No comments.</p>";
}
else {
  $i = 1;
 
  while($commrow = mysql_fetch_assoc($commresult)) {
    echo "<a name='comment" . $i . "'>";
   echo "<h3>Comment by " . $commrow['name'] . " on " .
        date("D jS F Y g.iA",
strtotime($commrow['dateposted'])) . "</h3>";
    echo $commrow['comment'];
   $i++;
  }
}

?>

<h3>Leave a comment</h3>

<form action="<?php echo $SCRIPT_NAME
. "?id=" . $validentry; ?>" method="post">
<table>
<tr>
  <td>Your name</td>
  <td><input type="text" name="name"></td>
</tr>
<tr>
  <td>Comments</td>
  <td><textarea name="comment" rows="10" cols="50"></textarea></td>
</tr>
<tr>
  <td></td>
  <td><input type="submit" name="submit" value="Add comment"></td>
</tr>
</table>
</form>

<?php>
require("footer.php");
?>


And finally stylesheet.css:
body {
  font-family: "trebuchet ms", verdana, sans-serif;
  font-size: 12px;
  line-height: 1.5em;
  color: #333;
  background: #ffffff;
  margin: 0;
  padding: 0;
  text-align: left;
  width: 100%;
}

p {
  margin-top: 10px;
}

a:link {
  text-decoration: none;
  color: #000;
}

a:visited {
  text-decoration: none;
  border-bottom: 1px dotted #369;
  color: #000;
}

a:hover, a:active {
  text-decoration: none;
  border-bottom: 1px solid #036;
  color: #000;
}

img {
  border: 0;
}

#container {
  position: absolute;
  top: 85px;
  left: 0px;
  background: #ffffff;
  margin: 0 auto 0 auto;
  text-align: left;
  width: 100%;
  height: 100%;
}

#menu {
  font-family: "trebuchet ms", verdana, sans-serif;
  font-size: 14px;
  font-weight: bold;
  position: absolute;
  height: 27px;
  top: 60px;
  left: 0px;
  width: 100%;
  padding: 0px;
  color: #000000;
  background-color: #eee
}

#header {
  position: absolute;
  top: 0px;
  left: 0px;
  height: 60px;
  width: 100%;
  background: #333;
  padding-top: 8px;
  text-align: center;
}

#header h1 {
  font-size: 30px;
  text-transform: uppercase;
  letter-spacing: 0.3em;
  color: #fff;
}

#main {
  margin: 75px 15px 15px 0px;
  padding: 15px 15px 15px 15px;
  background: #FFFFFF;
}

#bar {
  float: left;
  width: 200px;
  background: #eee;
  z-index: 1;
  padding: 10px;
  margin-right: 30px;
  height: 100%;
}

#bar h1 {
  font-size: 12px;
  text-transform: uppercase;
  letter-spacing: 0.3em;
}


Please, any help would be nice :D

Re: Trouble with the viewcat.php and updateentry.php

Posted: Wed Jan 28, 2009 11:48 am
by kiyoura
I saw a few problems with your code; some are my opinions but might help out in the end.

1) session_register() has been deprecated as of PHP 5.3.0; discontinue using it, as it will be removed in 6.0.

2) I saw a lot of "== true" or "== false". == means "if equals"; however, === means "equal and same type as". Booleans and strings are not the same type.

3) You don't need to connect to the database in every single page. Try connecting once in the config.php file and including that page wherever it's needed.

4) Regardless of whether you get your code to work, I saw NO sanitizing of your $_GET and $_POST variables. Your code is vulnerable to SQL injection and XSS (among other things). Try looking up htmlentities() and mysql_real_escape_string() for starters.

5) You might want to try (just try) to put session_start() in the config file and get rid of it everywhere else.

The things I said may or may not help your problem, but should still help you out.
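
Point 4 above, as an added example that is not part of either post: the category id is validated from $_GET itself (viewcat.php and updateentry.php test $id, which is never assigned in those files), bound through a prepared statement, and the stored subject is escaped on output. It assumes PHP 7.1+ with pdo_sqlite, swaps in PDO prepared statements and htmlspecialchars() for the mysql_real_escape_string() and htmlentities() named in the reply, and uses an in-memory SQLite table with constructed rows in place of the blogtastic MySQL database; valid_id() and render_category() are hypothetical names.

```php
<?php
// Added example with constructed data; SQLite in memory stands in for the MySQL "blogtastic" database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE entries (id INTEGER PRIMARY KEY, cat_id INTEGER, subject TEXT)");
$pdo->exec("INSERT INTO entries (cat_id, subject) VALUES
    (1, 'Hello world'), (1, '<script>alert(1)</script>'), (2, 'Other category')");

// Validate the id taken from the request array itself (hypothetical helper).
// Returns a positive integer, or null when the value is missing or malformed.
function valid_id(array $get): ?int
{
    if (!isset($get['id']) || !is_string($get['id']) || !ctype_digit($get['id'])) {
        return null; // rejects arrays, signs, whitespace and trailing text
    }
    $id = (int) $get['id'];
    return $id > 0 ? $id : null;
}

// List the entries of one category (hypothetical helper).
function render_category(PDO $pdo, array $get): string
{
    $cat = valid_id($get);
    if ($cat === null) {
        return "<p>Invalid category.</p>";
    }
    // The id is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare("SELECT id, subject FROM entries WHERE cat_id = ? ORDER BY id");
    $stmt->execute([$cat]);
    $html = "<ul>";
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Stored text is escaped at output time so markup in a subject is shown, not run.
        $html .= "<li><a href='viewentry.php?id=" . (int) $row['id'] . "'>"
               . htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8') . "</a></li>";
    }
    return $html . "</ul>";
}

// Constructed requests: one valid id, then malformed or missing ids.
foreach ([['id' => '1'], ['id' => '1 OR 1=1'], ['id' => ['1']], []] as $get) {
    echo json_encode($get), " => ", render_category($pdo, $get), "\n";
}
```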