Chief Delphi

Chief Delphi (http://www.chiefdelphi.com/forums/index.php)
-   Programming (http://www.chiefdelphi.com/forums/forumdisplay.php?f=51)
-   -   php/forms/posting/I NEED HELP!!!!!!!!! (http://www.chiefdelphi.com/forums/showthread.php?t=45184)

Uberbots 15-03-2006 16:38

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Quote:

Originally Posted by MattD
Well, sure.. but that still doesn't solve the SQL injection vulnerability. I think he wants just anyone to be able to submit, anyway.

Oh yeah, I didn't think of that.


PHP Code:

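// If magic_quotes_gpc is on, PHP has already escaped the input; otherwise escape it here
$postName = get_magic_quotes_gpc() ? $_POST['name'] : addslashes($_POST['name']);
$postPost = get_magic_quotes_gpc() ? $_POST['post'] : addslashes($_POST['post']);
$query = sprintf("INSERT INTO `news` VALUES ('', '%s', '%s')", $postName, $postPost);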
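
The same INSERT into `news` written with bound parameters, which does not depend on the magic_quotes_gpc setting. This is an added example, not code from the thread; it assumes a current PHP with PDO and uses an in-memory SQLite database in place of MySQL, and the column names `id`, `name` and `post` are assumptions.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database
// stands in for MySQL; the column names id, name and post are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, name TEXT, post TEXT)');

// Insert one post. The SQL text is fixed; the values travel separately as
// bound parameters, so a quote in the input cannot end the string literal.
function addNews(PDO $db, $name, $post)
{
    $stmt = $db->prepare('INSERT INTO news (name, post) VALUES (:name, :post)');
    $stmt->execute(array(':name' => $name, ':post' => $post));
    return (int) $db->lastInsertId();
}

// Read a post back, again with a bound parameter.
function getNews(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT name, post FROM news WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed form input containing quote characters and SQL syntax.
$name = "O'Brien";
$post = "It's done'); DELETE FROM news; --";

$row = getNews($db, addNews($db, $name, $post));
$count = (int) $db->query('SELECT COUNT(*) FROM news')->fetchColumn();

// Check that the row came back unchanged and report the table size.
echo ($row['name'] === $name && $row['post'] === $post) ? "stored as data\n" : "MISMATCH\n";
echo "rows in news: $count\n";
```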


chris31 15-03-2006 20:28

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Yeah, definitely fix that. I didn't really think about security as I don't even know if he has PHP or if he is even going to use the code. If he is, then with all SQL statements YOU MUST CHECK FOR INJECTION VULNERABILITIES. It's not cool. There are lots of features and fixes the code could use; I mean, I wrote it quickly during class.

MattD 15-03-2006 20:43

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Quote:

Originally Posted by chris31
Yeah, definitely fix that. I didn't really think about security as I don't even know if he has PHP or if he is even going to use the code. If he is, then with all SQL statements YOU MUST CHECK FOR INJECTION VULNERABILITIES. It's not cool. There are lots of features and fixes the code could use; I mean, I wrote it quickly during class.

Yes, that is very important. There's always going to be that one person who wastes their time trying to find an exploit like that, and then use it to do real damage.

By the way.. you're not the only one who likes to write things quickly during class. In history class I once wrote a simple math game (I was bored, don't ask).. although it didn't turn out all that great.

general 15-03-2006 23:48

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 

chris31 16-03-2006 07:08

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
I looked at your webhost and they have PHP. Make a file called "junk.php" and in it write
PHP Code:

<?php
phpinfo();    // Prints the PHP version and configuration
?>

and then see what version of PHP you are running. Also, if you post the code to the pages you want this added to, we can add the code to the page for you.

general 16-03-2006 14:17

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
It's version 4.3.4, here's the link

chris31 16-03-2006 14:27

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Ok, thank you. If you have any questions setting it up just ask.

MattD 16-03-2006 14:42

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Quote:

Databases: 0/0

Well, it looks like the MySQL option is out then, so it's back to using some sort of text file (could be plain text, XML, INI, whatever).

I'll see if maybe I can write some code up for this later today.

chris31 16-03-2006 14:59

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
On the WebRyders website it shows that all hosting plans come with a database. I wonder why you don't have any.

general 16-03-2006 15:01

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Maybe because it's old and we probably got it for free.

chris31 16-03-2006 17:54

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
OK, if I were you I would see if you could get databases because they can be used for so much. If not, then use a text file.

general 16-03-2006 19:18

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
When it comes to this (text file) I have no clue what to do.

chris31 16-03-2006 20:36

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Basically I would say this. Write each post to a line in the file. Use a "|" between the user's name, email, post, post number, etc. (whatever info you need saved). Then just read in each line, explode the string by "|", and then echo it out. I'll post some code shortly.
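
The pipe-delimited file described above, as an added example that is not part of the thread: it stores raw data one record per line, encodes any "|" or line break inside a field so user input cannot forge extra fields or records, and escapes HTML only when echoing. It assumes PHP 5.3 or later; the field order name|team|quote, the file name `quotes.txt` and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. The field order name|team|quote
// and the file name are assumptions; keep the file outside the web root
// if the host allows, so it cannot be downloaded directly.
define('QUOTE_FILE', __DIR__ . '/quotes.txt');

// A literal "|" or line break in user input would be read back as a field or
// record boundary, so encode them (and the escape character) before storing.
function encodeField($value)
{
    return strtr($value, array("\\" => "\\\\", "|" => "\\p", "\r" => "", "\n" => "\\n"));
}

function decodeField($value)
{
    return strtr($value, array("\\\\" => "\\", "\\p" => "|", "\\n" => "\n"));
}

function saveQuote($name, $team, $quote)
{
    $line = implode('|', array_map('encodeField', array($name, $team, $quote))) . "\n";
    // FILE_APPEND adds a record; LOCK_EX keeps two submissions from interleaving.
    return file_put_contents(QUOTE_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

function loadQuotes()
{
    $quotes = array();
    $lines = is_readable(QUOTE_FILE) ? file(QUOTE_FILE, FILE_IGNORE_NEW_LINES) : array();
    foreach ($lines as $line) {
        $fields = explode('|', $line);
        if (count($fields) === 3) {          // skip damaged records
            $quotes[] = array_map('decodeField', $fields);
        }
    }
    return $quotes;
}

// Escape when writing into the page: the file holds raw data, HTML gets text.
function html($text)
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input containing a delimiter, a line break and markup.
saveQuote('Pat|Sam', '1234', "Robots <b>rule</b>\nsecond line");
foreach (loadQuotes() as $q) {
    echo '<p>', html($q[2]), '</p><div align="right">', html($q[0]), '<br />', html($q[1]), "</div><hr />\n";
}
```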

MattD 17-03-2006 16:06

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
Well here's a simplistic example (I have tested it for about 45 seconds, it seems to work). It takes the quote submitted and writes HTML to a text file, and then on the quote view page all it does is read that text file and output all of the HTML in it.

I would also like to add that I haven't really put in any error handling yet for the most part (I've only been working on this for about 10 minutes).

Anyway, here it is.

insert.php - This allows the user to enter their quote.
PHP Code:

<?php
//*************************************************
// insert.php - Allows a user to insert a quote.
//*************************************************

@$name = $_POST["name"];            // Get Name posted
@$team = $_POST["team"];            // Get Team Number posted
@$quote = $_POST["quote"];          // Get quote posted
@$submit = $_POST["submit"];        // Used to check if form is being submitted
/* NOTE: 
    The @ characters are here to suppress undefined error messages,
    just in case the server has those turned on, like my dev/testing
    server does..
*/

if ($submit == "Submit")        // If the form is being submitted..
{
    if (empty($name) || empty($team) || empty($quote))        // Make sure all fields are filled in
    {
        echo "<span style=\"color: red\">Error: Please fill in all of the fields.</span><br />";
        showForm();
    }
    else
    {
        // Open data file in append mode so earlier quotes are not overwritten
        $hfile = fopen("quotes.dat", "a") or die("Could not open file");

        // Escape the submitted values so they are stored as text, not as markup
        $name = htmlspecialchars($name, ENT_QUOTES);
        $team = htmlspecialchars($team, ENT_QUOTES);
        $quote = htmlspecialchars($quote, ENT_QUOTES);

        // Compile text to be written
        $write = "<p>Quote- \"" . $quote . "<br />" .
                 "</p><div align=\"right\">" . $name . "<br />" .
                 $team . "</div></p><hr />";

        fwrite($hfile, $write);            // Write the text
        fclose($hfile);                    // Close the file

        // Notify the user that their quote has been submitted
        echo "Thanks, your quote has been submitted.";
    }
}
else
    showForm();
    
/***************************
Shows the input form
****************************/
function showForm()
{
?>
<blockquote>
    <form name="form1" method="post" action="insert.php">
          <p align="left">
            Name/Screen Name:<br />
            <input name="name" type="text" />    
            <br />
            Team Number: <br />
            <input name="team" type="text" />
            <br />
            <br />
            Quote:<br />
            <textarea name="quote" rows="4" cols="75"></textarea>
            <br />
            <br />
            <input type="submit" name="submit" value="Submit">
        </p>
    </form>
</blockquote>
<?php
}
?>

quotes.php - This displays all of the quotes that are saved.
PHP Code:

<?php
//*************************************************
// quotes.php - Displays user submitted quotes.
//*************************************************

$hfile = fopen("quotes.dat", "r") or die("Could not open file");    // Open the data file for reading
$size = filesize("quotes.dat");    // fread() needs a length greater than zero
$contents = $size > 0 ? fread($hfile, $size) : "";    // Read the entire contents of the file
fclose($hfile);            // Close the file

echo $contents;            // Output file contents;
?>

Save this in files called insert.php and quotes.php. Then outside everything within the <?php and ?> tags, enter in all of the HTML for your site's header and footer. You must then create a file called quotes.dat in the same directory as insert.php and quotes.php. Make sure to CHMOD it to allow writing to it.

If you need any more help with this, don't hesitate to ask.

chris31 17-03-2006 17:43

Re: php/forms/posting/I NEED HELP!!!!!!!!!
 
This code isn't very portable. Say they do a site redesign, all the posts would have to be manually redone because you saved all HTML and not just the pure data. I think that my way is more portable. I'll scrap together some code soon.

