Jump to content
MakeWebGames

Help with voting mod


Grumpy

Recommended Posts

I am trying to convert an mccodes mode over to grgp (simple rating system).

I have made 2 columns inside grpgusers called rate and canrate

Created one file called giverate.php as below. I know the show rating is wrong also... had not got that far as its already falling over.

Don't hate on me please as my level of experience is looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooow.

 

<?php
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE user_class->id={$_GET['u']}", $c);
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE userid={$user_class->userid}", $c);
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE user_class->id={$_GET['u']}", $c);
$a = mysql_fetch_array($b);
print "You have given 1 rating to {$user_class->username}!
Their rating is now {$a['rate']}!";
die($h->endpage());
}else if ($_GET['action'] == "take")
{
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE user_class->id={$_GET['u']}", $c);
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE userid={$user_class->userid}", $c);
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE user_class->id={$_GET['u']}", $c);
$a = mysql_fetch_array($b);
print "You have taken 1 rating from {$user_class->username}!
Their rating is now {$a['rate']}!";
die($h->endpage());
}else{
print "Unknown action!";
die($h->endpage());
}
$h->endpage();
?>

 

Here is the profile code.

 

       <?php        
       if ($user_class->rate == 0)
{
$rate = "<font color='blue'>{$user_class->id['rate']}</font>";
}else if ($r['rate'] > 0)
{
$rate = "<font color='green'>{$user_class->id['rate']}</font>";
}else if ($r['rate'] < 0)
{
$rate = "<font color='red'>{$user_class->id['rate']}</font>";
}
print "Rating: [<a href='giverate.php?u={$user_class->id}&action=take'>-</a>] {$rate} [<a href='giverate.php?u={$user_class->id}&action=give'>+</a>]";      
 ?>  
</td></tr>
<?
if ($user_class->id != $profile_class->id){
?>

 

If someone could point me in the correct direction that would be great thanks.

Grumpy.

Link to comment
Share on other sites

this is the first file

<?php
include "header.php";
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE username = '".$_GET['name']."'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$_GET['name']."'");
$a = mysql_fetch_array($b);
echo "You have given 1 rating to ".$_GET['name']."!
Their rating is now ".$a['rate']."!";
die();
if ($_GET['action'] == "take")
{
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='".$_GET['name']."'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$_GET['u']."'");
$a = mysql_fetch_array($b);
echo "You have taken 1 rating from '".$_GET['name']."'!
Their rating is now '".$a['rate']."'!";
die();
}else{
echo "Unknown action!";

die();

}
;
?>

 

here is the second code

                <?php        $b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$profile_class->username."'");
$a = mysql_fetch_array($b);
       if ($a['rate'] == 0)
{
echo "<font color='blue'>$a['rate']</font>";
}else if ($a['rate'] > 0)
{
echo "<font color='green'>$a['rate']</font>";
}else if ($a['rate'] < 0)
{
echo  "<font color='red'>$a['rate']</font>";
}
print "Rating: [<a href=giverate.php?name=$profile_class->username&action=take>-</a>] rate [<a href=giverate.php?name=$profile_class->username&action=give>+</a>]";      
 ?>  

   </td></tr>
<?
if ($user_class->id != $profile_class->id){
die();
}
?>

You will need to protect this as it is not very secure and users can vote over again but if you do need help pm me and i will give you my contact details

Link to comment
Share on other sites

Thankyou for your help adamhull.

I see where a lot of my errors were now. I did warn everyone my skills are poor. However I feel there is but one way to learn. Dive in the deep end.

I was unable to get your actual code to work however I just changed it and now it works ok like below.

 

<?php        
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$profile_class->username."'");
$a = mysql_fetch_array($b);
$rating = $a['rate'];
print "Rating: [<a href=giverate.php?name=$profile_class->username&action=take>-</a>] $rating [<a href=giverate.php?name=$profile_class->username&action=give>+</a>]";  
?> 

 

As for securing it, one step at a time tiger :)

Just getting it to work is proving difficult enough.

In all seriousness however i am looking into how to protect the $_GET which i assume is the problem?

Again thanks for the replies.

Link to comment
Share on other sites

I figured it was something like that thankyou CodingKid.

Here is where I am now at with it.

There is no voting limits and you can vote yourself which is pretty silly however that's my next mission.

 

<?php
include "header.php";
$name = mysql_real_escape_string($_GET['name']);
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE username = '$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='$name'");
$a = mysql_fetch_array($b);
echo "You have given 1 rating to $name!
Their rating is now ".$a['rate']."!";
include "footer.php";
die();
if ($_GET['action'] == "take")
{
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$_GET['u']."'");
$a = mysql_fetch_array($b);
echo "You have taken 1 rating from $name!
Their rating is now '".$a['rate']."'!";
die();
}else{
echo "Unknown action!";
include "footer.php";
die();
}
;
?>
Link to comment
Share on other sites

I figured it was something like that thankyou CodingKid.

Here is where I am now at with it.

There is no voting limits and you can vote yourself which is pretty silly however that's my next mission.

 

<?php
include "header.php";
$name = mysql_real_escape_string($_GET['name']);
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE username = '$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='$name'");
$a = mysql_fetch_array($b);
echo "You have given 1 rating to $name!
Their rating is now ".$a['rate']."!";
include "footer.php";
die();
if ($_GET['action'] == "take")
{
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$_GET['u']."'");
$a = mysql_fetch_array($b);
echo "You have taken 1 rating from $name!
Their rating is now '".$a['rate']."'!";
die();
}else{
echo "Unknown action!";
include "footer.php";
die();
}
;
?>

 

  • Get used to formatting your code for easier readability
  • Why do you have a semi-colon after a closing brace?

 

<?php

include "header.php";
$name = mysql_real_escape_string($_GET['name']);
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE username = '$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='" . $user_class->id . "'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='$name'");
$a = mysql_fetch_array($b);
echo "You have given 1 rating to $name!
Their rating is now " . $a['rate'] . "!";
include "footer.php";
die();
if ($_GET['action'] == "take") {
   mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='$name'");
   mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='" . $user_class->id . "'");
   $b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='" . $_GET['u'] . "'");
   $a = mysql_fetch_array($b);
   echo "You have taken 1 rating from $name!
Their rating is now '" . $a['rate'] . "'!";
   die();
} else {
   echo "Unknown action!";
   include "footer.php";
   die();
}

?>
Link to comment
Share on other sites

Thankyou for the advice Sniko.

There is a good reason for a semi-colon after a closing brace.

Because I have no idea what I am doing and the most simple things to you are extremely complicated to myself.

However as each day passes I learn a little more.

(semi-colon now removed :))

Link to comment
Share on other sites

The $_GET is the problem, add this:

 

$name = mysql_real_escape_string($_GET['name']);

 

And then change $_GET['name'] to $name everywhere it is used in the file.

I would go a step further, and validate the contents.

 

if( preg_match("/^[a-z0-9-_\ ]+$/i", $_GET['name']) == 0 ) {
   //Invalid name.
   die;
}

//Carry on.

 

For example; https://eval.in/199780

<?php

$arrNames = array();
$arrNames[] = "sniko";
$arrNames[] = "Robert'); DROP TABLE Students;-"; //Bobby tables :)
$arrNames[] = "&";
$arrNames[] = "MakeWebGames";
$arrNames[] = "Admin";


foreach($arrNames as $strName) {
  if( preg_match("/^[a-z0-9-_\ ]+$/i", $strName) == 0 ) {
      //Invalid name.
      echo $strName ." is invalid.". PHP_EOL;
  } else {
      echo $strName ." is valid!". PHP_EOL;
  }
}

 

Also, don't forget to urlencode() and urldecode() $_GET['name'].

 

But then again, the user id is probably indexed, and we should query on that instead.

Edited by sniko
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...