DidNotCompute Posted April 14, 2014 (edited)

UPDATED

I decided to check out the Panther script and created a quick basic forum.

SQL:

```sql
CREATE TABLE IF NOT EXISTS `forum_posts` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `tid` int(11) NOT NULL,
  `char_name` varchar(40) NOT NULL,
  `content` longtext NOT NULL,
  `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=4;

CREATE TABLE IF NOT EXISTS `forum_threads` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `char_name` varchar(40) NOT NULL,
  `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `last_post` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
  `title` varchar(50) NOT NULL,
  `content` longtext NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=3;
```

Create a "forum" directory within the "mods" directory and add the file main.php:

```php
<?php
include_once('mods/globals.php');

if (array_key_exists('id', $_GET)) {
    // A thread is selected: show it, its replies and the reply form.
    $id = abs(intval($_GET['id']));

    $get_thread_query = $db->query("SELECT * FROM `forum_threads` WHERE `id` = $id");
    while ($get_thread = mysqli_fetch_assoc($get_thread_query)) {
        // char_name is echoed unescaped; the author relies on it having been
        // validated when the character was created.
        echo '<h4>'.htmlentities($get_thread['title']).'</h4>
        <table class="table">
        <tr><td>'.htmlentities($get_thread['content']).'</td></tr>
        <tr><td>Created on '.$get_thread['date'].' by '.$get_thread['char_name'].'</td></tr>
        </table>';
    }

    $get_posts_query = $db->query("SELECT `char_name`, `content`, `date` FROM `forum_posts` WHERE `tid` = $id ORDER BY `id` DESC");
    while ($get_posts = mysqli_fetch_assoc($get_posts_query)) {
        echo '<table class="table">
        <tr><td>'.htmlentities($get_posts['content']).'</td></tr>
        <tr><td>Posted on '.$get_posts['date'].' by '.$get_posts['char_name'].'</td></tr>
        </table>';
    }

    if (array_key_exists('post', $_POST)) {
        $post = trim($_POST['post']);
        $date = date("Y-m-d H:i:s");
        if (!$post) {
            echo '<div class="alert alert-error">You must enter a post!</div>';
        } else {
            $char_name = $user->getStat('char_name');
            $query = $db->prepare("INSERT INTO `forum_posts` (`tid`, `char_name`, `content`, `date`) VALUES (?,?,?,?)");
            $query->bind_param("isss", $id, $char_name, $post, $date);
            $query->execute();
            // Bind the values here as well instead of interpolating them into the statement.
            $query = $db->prepare("UPDATE `forum_threads` SET `last_post` = ? WHERE `id` = ?");
            $query->bind_param("si", $date, $id);
            $query->execute();
            echo '<div class="alert alert-success">Posted!</div>';
        }
    }
?>
<div class="row-fluid marketing" align="center">
    <h4>Post to the thread</h4>
    <form action="" method="POST">
        <label>Content</label><textarea name="post"></textarea><br />
        <button type="submit" class="btn btn-primary">Post</button>
    </form>
</div>
<?php
} else {
    // No thread selected: list the threads and show the create form.
?>
<h4>Forum</h4>
<table class="table">
    <tr><th><b>Thread Title</b></th><th><b>Last Post</b></th></tr>
<?php
    $get_threads_query = $db->query("SELECT `id`, `last_post`, `title` FROM `forum_threads` ORDER BY `id` DESC");
    while ($get_threads = mysqli_fetch_assoc($get_threads_query)) {
        echo '<tr>
        <td><a href="?id='.$get_threads['id'].'">'.htmlentities($get_threads['title']).'</a></td>
        <td>'.$get_threads['last_post'].'</td>
        </tr>';
    }
?>
</table>
<?php
    if (array_key_exists('title', $_POST)) {
        $title = trim($_POST['title']);
        $content = trim($_POST['content']);
        $date = date("Y-m-d H:i:s");
        if (!$title || !$content) {
            echo '<div class="alert alert-error">You must enter a title and content!</div>';
        } else {
            $char_name = $user->getStat('char_name');
            $query = $db->prepare("INSERT INTO `forum_threads` (`char_name`, `date`, `last_post`, `title`, `content`) VALUES (?,?,?,?,?)");
            $query->bind_param("sssss", $char_name, $date, $date, $title, $content);
            $query->execute();
            echo '<div class="alert alert-success">Thread created!</div>';
        }
    }
?>
<div class="row-fluid marketing" align="center">
    <h4>Create Thread</h4>
    <form action="" method="POST">
        <label>Title</label><input type="text" name="title" /><br />
        <label>Content</label><textarea name="content"></textarea><br />
        <button type="submit" class="btn btn-primary">Create Thread</button>
    </form>
</div>
<?php
}
?>
```

You can see a demo at http://panther.x10.mx
Email: demo
Password: demo

Feedback welcome.

Edited April 15, 2014 by DidNotCompute
sniko Posted April 14, 2014

Great addition! A few slight exploits in there - I've just run a document.write "command" on forum topic 3. This should be easy to patch up - however, great addition! Thanks
john. Posted April 14, 2014

It looks good, however I think that you should address the separation between PHP and HTML. It is messy, and would be hard for a front end developer to easily modify the HTML and CSS only. At the very least I would say that the PHP business logic should be put at the top, and then the data output mixed in with the HTML.
Script47 Posted April 14, 2014

If you're using V0.6 then, to make things easier, you can use the functions successMessage(); or errorMessage(); instead of writing the div out all the time. :)
DidNotCompute (Author) Posted April 14, 2014

Fixed. :) --
Script47 Posted April 14, 2014

You have quite a few errors in your code. I tried fixing some but there are quite a few, so your SQLs are incorrect too.
DidNotCompute (Author) Posted April 14, 2014

> You have quite a few errors in your code. I tried fixing some but there are quite a few, so your SQLs are incorrect too.

Which errors? It's all working fine for me (on the demo)? What's wrong with the SQL?
Script47 Posted April 14, 2014

My mistakes, the SQLs work.

1. Don't use short tags.
2. Missing curly brace.
3. Insecure.
DidNotCompute (Author) Posted April 14, 2014

> My mistakes, the SQLs work.
>
> 1. Don't use short tags.
> 2. Missing curly brace.
> 3. Insecure.

1. Fair enough.
2. Don't think so, no errors are being thrown up for me.
3. Which part is insecure?

It would be helpful if you could cite specific parts of the code; I'm still learning. :)
Script47 Posted April 15, 2014 (edited)

> 1. Fair enough.
> 2. Don't think so, no errors are being thrown up for me.
> 3. Which part is insecure?
>
> It would be helpful if you could cite specific parts of the code; I'm still learning. :)

You were missing the curly brace because you were using short tags; I got "syntax error, end of file". I removed the short tags and put the brace in properly and it worked.

Why do you have this? I'm not flaming, but I just want to see your thinking behind why you would close the tags and then reopen them again.

```php
<?php include_once('mods/globals.php'); ?>
<?php if (array_key_exists('id', $_GET)) {
```

To easily get the user's ID you can use $_SESSION['uid']; instead of grabbing it like that.

When you run this prepared query, why not use "?" where `id` is and then bind the variables? bind_param();

```php
$id = abs(intval($_GET['id']));
$sql = "SELECT `char_name`, `date`, `title`, `content` FROM `forum_threads` WHERE `id` = $id";
$get_thread = $db->prepare($sql);
$get_thread->execute();
$get_thread->store_result();
$get_thread->bind_result($char_name, $date, $title, $content);
```

You htmlentities(); $title and $content but not $char_name?

```php
while ($get_thread->fetch()) {
    echo '<h4>'.(htmlentities($title)).'</h4>
    <table class="table">
    <tr><td>'.(htmlentities($content)).'</tr></tr>
    <tr><td>Created on '.($date).' by '.($char_name).'</td></tr>
    </table>';
}
```

No security from post? htmlspecialchars(); Sanitize Filters

```php
$post = $_POST['post'];
```

Also make it easier for other developers to use and edit, so indent and space it so it's easier to read, not a big jumble. If you find you can't do that yourself then look into an online PHP formatter. PHP Formatter

htmlentities() vs htmlspecialchars();

Edited April 15, 2014 by Script47
DidNotCompute (Author) Posted April 15, 2014

> You were missing the curly brace because you were using short tags; I got "syntax error, end of file". I removed the short tags and put the brace in properly and it worked.
>
> Why do you have this? I'm not flaming, but I just want to see your thinking behind why you would close the tags and then reopen them again.
>
>     <?php include_once('mods/globals.php'); ?>
>     <?php if (array_key_exists('id', $_GET)) {
>
> To easily get the user's ID you can use $_SESSION['uid']; instead of grabbing it like that.
>
> When you run this prepared query, why not use "?" where `id` is and then bind the variables? bind_param();
>
>     $id = abs(intval($_GET['id']));
>     $sql = "SELECT `char_name`, `date`, `title`, `content` FROM `forum_threads` WHERE `id` = $id";
>     $get_thread = $db->prepare($sql);
>     $get_thread->execute();
>     $get_thread->store_result();
>     $get_thread->bind_result($char_name, $date, $title, $content);
>
> You htmlentities(); $title and $content but not $char_name?
>
>     while ($get_thread->fetch()) {
>         echo '<h4>'.(htmlentities($title)).'</h4>
>         <table class="table">
>         <tr><td>'.(htmlentities($content)).'</tr></tr>
>         <tr><td>Created on '.($date).' by '.($char_name).'</td></tr>
>         </table>';
>     }
>
> No security from post? htmlspecialchars(); Sanitize Filters
>
>     $post = $_POST['post'];
>
> Also make it easier for other developers to use and edit, so indent and space it so it's easier to read, not a big jumble. If you find you can't do that yourself then look into an online PHP formatter. PHP Formatter
>
> htmlentities() vs htmlspecialchars();

Many thanks for the comments. It's not getting the user id in the first part; instead it's checking to see if a thread is selected so it can be displayed. Also, I thought it was bad practice to use htmlspecialchars(); on inputs? I'm not sanitizing the character name output because when the character was created it would have been checked. I have updated the code. :)
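An added illustration of the escape-on-output point under discussion (not code from the Panther project or from either poster): the stored text stays raw, every user-controlled field, char_name included, is escaped with htmlspecialchars() at render time, and the thread's last_post update binds its values instead of interpolating them. The sample row is constructed and carries a script tag in the character name to show it reaches the browser as inert text.

```php
<?php
// Added example, not the mod's own code. Escaping happens at output, so the
// database keeps the original text and every render is safe no matter where
// the value came from or whether it was validated when it was written.
function e(string $s): string
{
    // ENT_QUOTES also escapes quotes (attribute contexts); ENT_SUBSTITUTE
    // avoids silently returning '' on malformed UTF-8; the charset must
    // match the page's encoding.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPost(array $row): string
{
    // Every column is treated as untrusted here, including char_name: a value
    // checked at creation can still change later (rename, direct DB edit, a
    // relaxed validation rule), so output escaping does not depend on it.
    return '<table class="table">'
        . '<tr><td>' . e($row['content']) . '</td></tr>'
        . '<tr><td>Posted on ' . e($row['date'])
        . ' by ' . e($row['char_name']) . '</td></tr>'
        . '</table>';
}

function updateLastPost(mysqli $db, int $tid, string $date): bool
{
    // Bound parameters for the UPDATE as well, instead of "'$date'" / "'$id'".
    $stmt = $db->prepare('UPDATE `forum_threads` SET `last_post` = ? WHERE `id` = ?');
    $stmt->bind_param('si', $date, $tid);
    return $stmt->execute();
}

// Constructed sample row: the character name contains a script tag and the
// content contains quotes and an ampersand.
$row = [
    'char_name' => '<script>document.write(1)</script>',
    'content'   => 'Hello "world" & friends',
    'date'      => '2014-04-14 12:00:00',
];
echo renderPost($row), "\n";
// The name is emitted as &lt;script&gt;document.write(1)&lt;/script&gt; and
// the content as Hello &quot;world&quot; &amp; friends: displayed, not run.
```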
Script47 Posted April 15, 2014 (edited)

When you output the date, make it more user friendly using this:

```php
date('d/m/Y g:i:s A', strtotime($youDateFieldblahblah));
```

I wasn't sure if you meant it, but you can make threads without content in them?

Good job. :)

Edited April 15, 2014 by Script47
DidNotCompute (Author) Posted April 15, 2014

> I wasn't sure if you meant it, but you can make threads without content in them?
>
> Good job. :)

Oops. Fixed. :)
Dave Posted April 15, 2014

> When you output the date, make it more user friendly using this:
>
>     date('d/m/Y g:i:s A', strtotime($youDateFieldblahblah));
>
> I wasn't sure if you meant it, but you can make threads without content in them?
>
> Good job. :)

Would be cool to add a date class to the engine so all dates can be standardised. Zend have a great implementation: http://framework.zend.com/manual/1.10/en/zend.date.html