php/forms/posting/I NEED HELP!!!!!!!!!

I want to put a comment/quotes page on my team's site, and let people submit their own, but I don't know anything about PHP or any other database. Can someone help me?

There are a few options. One is to use a free shoutbox type program. Another is to use PHP and log all of the comments to a text file. The last option is to use PHP and save it all to a database. The last will be the hardest to code but could allow for more features to be added. If I have any free time today I will write you some sample code.

Check out these links: http://www.project-angel.com/index.php?pa=tutorials&cat=PHP&id=13 and http://www.project-angel.com/index.php?pa=tutorials&cat=PHP&id=14 . Hopefully that will get you started. If you need any help just ask.

I actually think that writing it to use a database (MySQL for example) would be easier than using the text file. That’s just what I’d do, though. Either that or use XML…

With a text file there would be no need for a MySQL database (not sure if he has one). Plus, he wouldn't need to know SQL or have any knowledge of XML. With XML you have to parse all of it. With a text file he could just log everything as a line of text.
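The thread never comes back to the text-file option, so here is an added example of the "one record per line" store described above. It is not code from the thread, and it is Python rather than PHP so it can be run as-is; the file path, the use of JSON for each line, and the sample posts are my own choices. The point it makes is that a posted name or message containing a newline must not be able to forge a second record, and that stored text must be HTML-escaped when it is printed back out.

```python
import html
import json
import os
import tempfile

# Added example (not from the thread): a flat-file shoutbox where each
# submission is one JSON object on its own line. JSON escapes newlines, so a
# visitor cannot inject a line break and fake a second record.


def add_post(path, name, post):
    """Append one record to the log file. Returns the line that was written."""
    name = name.strip()
    post = post.strip()
    if not name or not post:
        raise ValueError("name and post are required")
    line = json.dumps({"name": name, "post": post}, ensure_ascii=False)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def read_posts(path, newest_first=True):
    """Return the stored records as dicts; blank or malformed lines are skipped."""
    posts = []
    if not os.path.exists(path):
        return posts
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            raw = raw.strip()
            if not raw:
                continue
            try:
                rec = json.loads(raw)
            except ValueError:
                continue
            if isinstance(rec, dict) and "name" in rec and "post" in rec:
                posts.append(rec)
    return posts[::-1] if newest_first else posts


def render_html(posts):
    """Render records as table rows; html.escape() keeps stored text from being
    interpreted as markup on the quotes page."""
    rows = ["<table>", "  <tr><td>Name</td><td>Post</td></tr>"]
    for rec in posts:
        rows.append("  <tr><td>%s</td><td>%s</td></tr>"
                    % (html.escape(rec["name"]), html.escape(rec["post"])))
    rows.append("</table>")
    return "\n".join(rows)


def demo():
    """Constructed sample submissions run through a temporary log file."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        add_post(path, "alice", "go team!")
        # Hostile submission: in a naive "name<TAB>post<NEWLINE>" format the
        # embedded newline would read as a forged record from "admin".
        add_post(path, "mallory", "hi\nadmin\tI resign")
        add_post(path, "bob", "<script>alert(1)</script>")
        posts = read_posts(path)
        return {
            "count": len(posts),
            "newest": posts[0]["name"],
            "mallory_post": posts[1]["post"],
            "html": render_html(posts),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo()["html"])
```

Three records go in and exactly three come back out, with Mallory's newline preserved inside her message rather than splitting it, and Bob's script tag rendered as text.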

Could someone give me the code for the text file option?

Just to confirm what you want: you want a box that holds the posts of the shoutbox, and under that you want a spot for people to input a nickname and message. Will that work for you? Also, do you know what version of PHP your webserver is running?

Here is the server info:

http://www.khsfirst.com/serverinfo.gif

And I would want it to look like this
http://www.khsfirst.com/insert.html for the submitting page, and http://www.khsfirst.com/Quotes.html for the page it would show up on.

Ya know, it would be a ton easier to just use a database.
If you have phpMyAdmin, then use it.

$mysqlServer = mysql_pconnect("server", "username", "password"); // server is typically "127.0.0.1"
mysql_select_db("siteData", $mysqlServer);

// newest post first
$getNews = mysql_query("SELECT * FROM `news` ORDER BY `id` DESC");
$numRowsGetNews = mysql_num_rows($getNews);

// print the body of every row; the loop simply ends when there are no rows
while ($rowGetNews = mysql_fetch_assoc($getNews)) {
    echo $rowGetNews['body'];
}

I'm assuming that you have a database, schema name "siteData", with a table called "news".
columns should be AT LEAST:
id INTEGER AUTO_INCREMENT, title VARCHAR(35), body TEXT

adding news to the DB is a different story.

Ya, what is phpMyAdmin? And how do I use it?

phpMyAdmin is a PHP based MySQL admin tool. If you have cPanel then it is included, otherwise you have to set it up.

The databases can be created without phpMyAdmin. I can write up some code for inputting data and creating the tables if you want me to. Also, can you find out if your webserver supports PHP and if so what version? If you can't find it, please post a link to the people who provide your hosting.

EDIT: I wrote this up quickly so it's not that great, but it will work.


Database Layout

Database --> "siteData"
Table --> "news"
columns --> id INTEGER AUTO_INCREMENT, title VARCHAR(35), body TEXT


=================================

// Code for printing out all of the news

// Connecting, selecting database
$link = mysql_connect("server", "username", "password") or die('I cannot connect to the database because: ' . mysql_error());
// Open up the specific database
mysql_select_db("siteData", $link);

$query = "SELECT * FROM `news` ORDER BY `id` DESC";
$result = mysql_query($query) or die('Query failed: ' . mysql_error());

echo "<table>\n";
echo "\t<tr>\n";
echo "\t\t<td>Name</td>\n";
echo "\t\t<td>Post</td>\n";
echo "\t</tr>\n";

// One table row per post. The table has three columns (id, title, body) but
// the header only has two, so print the name (title) and the post (body)
// rather than every column.
while ($line = mysql_fetch_array($result, MYSQL_ASSOC))
{
    echo "\t<tr>\n";
    // htmlspecialchars() stops a posted message from being rendered as HTML
    echo "\t\t<td>" . htmlspecialchars($line['title']) . "</td>\n";
    echo "\t\t<td>" . htmlspecialchars($line['body']) . "</td>\n";
    echo "\t</tr>\n";
}
echo "</table>\n";


=================================

// Code for adding news to the db

Add Post

<FORM ACTION="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" METHOD="POST" NAME="newsentry">

Name:

<BR>

<INPUT TYPE="text" SIZE="50" NAME="name">

<BR>

Post:

<BR>

<INPUT TYPE="text" SIZE="50" NAME="post">

<BR>


<INPUT TYPE="submit" NAME="submit" VALUE="Submit">
<BR>


</FORM>

<?php

// Assumes the mysql_connect() / mysql_select_db() calls from the listing code above have already run.
if (isset($HTTP_POST_VARS['submit']))
{

        if (empty($HTTP_POST_VARS['name']))
        {
            echo "You must enter a name";
            exit;
        }
        if (empty($HTTP_POST_VARS['post']))
        {
            echo "You must enter a post";
            exit;
        }

        // '' for the id lets AUTO_INCREMENT fill it in.
        // The submitted values are pasted straight into the SQL string here;
        // see the replies later in the thread about SQL injection.
        $query = "INSERT INTO news VALUES ('', '{$HTTP_POST_VARS['name']}', '{$HTTP_POST_VARS['post']}')";
        $result = mysql_query($query) or die('Query failed: ' . mysql_error());
}

?>

Ah, so you are going to go with the MySQL option. Honestly, to me that seems much easier than using a text file…

Oh, by the way (correct me if I am wrong), I see an SQL injection vulnerability in your code. It's not as if it'll probably ever cause any real problems, it's just that it exists.

$query = "INSERT INTO news VALUES ('', '{$HTTP_POST_VARS['name']}', '{$HTTP_POST_VARS['post']}')";

Plain text posted is being inserted into the query. So, in theory, someone could submit something that could potentially alter the query. My advice would be to look into using the mysql_escape_string() or the mysql_real_escape_string() function.

Or, he could just make sure that no one but an administrator can get to that page. Don't execute the query if you aren't logged in!

if ($_SESSION['UserClass'] == 'Admin') { }

or something like that. But if you do that, you would need to set up a login system.
I used to have a bunch of tutorials that I made about how to do this stuff.

Well, sure… but that still doesn’t solve the SQL injection vulnerability. I think he wants just anyone to be able to submit, anyway.

Oh yeah, I didn't think of that.

// With magic_quotes_gpc on, PHP has already added slashes, so undo that first;
// then escape once, properly, with mysql_real_escape_string() (needs an open connection).
$postName = get_magic_quotes_gpc() ? stripslashes($_POST['name']) : $_POST['name'];
$postPost = get_magic_quotes_gpc() ? stripslashes($_POST['post']) : $_POST['post'];
$query = sprintf("INSERT INTO `news` VALUES ('', '%s', '%s')",
                 mysql_real_escape_string($postName), mysql_real_escape_string($postPost));
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
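To make the injection concrete, here is an added example that is not part of the thread. It uses Python and an in-memory SQLite table with the same id/title/body layout in place of PHP and MySQL so it can be run offline; the function names, the "visitor" name and the payload string are my own. It runs the string-built INSERT from the posted code next to a parameterised one, which is what mysql_real_escape_string() approximates and what prepared statements (mysqli or PDO in PHP) do properly: the values travel separately from the SQL text, so quotes and parentheses in a post are stored rather than interpreted.

```python
import sqlite3

# Added example (not from the thread): the INSERT built by pasting user text
# into the SQL string, beside the same INSERT using placeholders.

SCHEMA = ("CREATE TABLE news (id INTEGER PRIMARY KEY AUTOINCREMENT, "
          "title VARCHAR(35), body TEXT)")


def fresh_db():
    """New empty in-memory database with the thread's 'news' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, name, post):
    """Mirrors the posted PHP: untrusted text becomes part of the SQL itself."""
    query = "INSERT INTO news (title, body) VALUES ('%s', '%s')" % (name, post)
    conn.execute(query)
    return query


def insert_safe(conn, name, post):
    """Placeholders: the driver binds the values, the SQL text never changes."""
    query = "INSERT INTO news (title, body) VALUES (?, ?)"
    conn.execute(query, (name, post))
    return query


def rows(conn):
    """All posts in insertion order as (title, body) tuples."""
    return conn.execute("SELECT title, body FROM news ORDER BY id").fetchall()


# Constructed hostile "post": closes the first VALUES tuple early and opens a
# second one, so the attacker chooses a whole extra row.
PAYLOAD = "hi'), ('admin', 'the site is moving, send your password to mallory"


def demo_unsafe():
    conn = fresh_db()
    insert_unsafe(conn, "visitor", PAYLOAD)
    return rows(conn)   # two rows: the second is the attacker's


def demo_safe():
    conn = fresh_db()
    insert_safe(conn, "visitor", PAYLOAD)
    return rows(conn)   # one row; the payload is stored verbatim as text


if __name__ == "__main__":
    for label, result in (("unsafe", demo_unsafe()), ("safe", demo_safe())):
        print(label, result)
```

With the string-built query the table ends up with a forged "admin" announcement; with placeholders it holds exactly one post whose body is the payload, quotes and all.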

Yeah, definitely fix that. I didn't really think about security as I don't even know if he has PHP or if he is even going to use the code. If he is, then with all SQL statements YOU MUST CHECK FOR INJECTION VULNERABILITIES. It's not cool. There are lots of features and fixes the code could use, I mean I wrote it quickly during class.

Yes, that is very important. There’s always going to be that one person who wastes their time trying to find an exploit like that, and then use it to do real damage.

By the way… you’re not the only one who likes to write things quickly during class. In history class I once wrote a simple math game (I was bored, don’t ask)… although it didn’t turn out all that great.

http://www.khsfirst.com/cpanel.gif

I looked at your webhost and they have PHP. Make a file called "junk.php" and in it write


<?php
phpinfo();
?>

and then see what version of PHP you are running. Also, if you post the code to the pages you want this added to, we can add the code to the page for you.