MakeWebGames

Recommended Posts

Posted

I am trying to convert an mccodes mod over to GRPG (simple rating system).

I have made 2 columns inside grpgusers called rate and canrate

Created one file called giverate.php as below. I know the show rating is wrong also... I had not got that far, as it's already falling over.

Don't hate on me please as my level of experience is looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooow.

 

<?php
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE user_class->id={$_GET['u']}", $c);
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE userid={$user_class->userid}", $c);
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE user_class->id={$_GET['u']}", $c);
$a = mysql_fetch_array($b);
print "You have given 1 rating to {$user_class->username}!
Their rating is now {$a['rate']}!";
die($h->endpage());
}else if ($_GET['action'] == "take")
{
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE user_class->id={$_GET['u']}", $c);
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE userid={$user_class->userid}", $c);
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE user_class->id={$_GET['u']}", $c);
$a = mysql_fetch_array($b);
print "You have taken 1 rating from {$user_class->username}!
Their rating is now {$a['rate']}!";
die($h->endpage());
}else{
print "Unknown action!";
die($h->endpage());
}
$h->endpage();
?>

 

Here is the profile code.

 

       <?php        
       if ($user_class->rate == 0)
{
$rate = "<font color='blue'>{$user_class->id['rate']}</font>";
}else if ($r['rate'] > 0)
{
$rate = "<font color='green'>{$user_class->id['rate']}</font>";
}else if ($r['rate'] < 0)
{
$rate = "<font color='red'>{$user_class->id['rate']}</font>";
}
print "Rating: [<a href='giverate.php?u={$user_class->id}&action=take'>-</a>] {$rate} [<a href='giverate.php?u={$user_class->id}&action=give'>+</a>]";      
 ?>  
</td></tr>
<?
if ($user_class->id != $profile_class->id){
?>

 

If someone could point me in the correct direction that would be great thanks.

Grumpy.

Posted

The top code is seriously messed up. If you post me the mccodes mod I'll convert it for you.

On line 9 there is a closing bracket }, and before line 9 there are no if statements to continue the else-if statement that was used on line 9.

Posted

This is the first file:

<?php
include "header.php";
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE username = '".$_GET['name']."'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$_GET['name']."'");
$a = mysql_fetch_array($b);
echo "You have given 1 rating to ".$_GET['name']."!
Their rating is now ".$a['rate']."!";
die();
if ($_GET['action'] == "take")
{
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='".$_GET['name']."'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$_GET['u']."'");
$a = mysql_fetch_array($b);
echo "You have taken 1 rating from '".$_GET['name']."'!
Their rating is now '".$a['rate']."'!";
die();
}else{
echo "Unknown action!";

die();

}
;
?>

 

Here is the second code:

                <?php        $b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$profile_class->username."'");
$a = mysql_fetch_array($b);
       if ($a['rate'] == 0)
{
echo "<font color='blue'>$a['rate']</font>";
}else if ($a['rate'] > 0)
{
echo "<font color='green'>$a['rate']</font>";
}else if ($a['rate'] < 0)
{
echo  "<font color='red'>$a['rate']</font>";
}
print "Rating: [<a href=giverate.php?name=$profile_class->username&action=take>-</a>] rate [<a href=giverate.php?name=$profile_class->username&action=give>+</a>]";      
 ?>  

   </td></tr>
<?
if ($user_class->id != $profile_class->id){
die();
}
?>

You will need to protect this, as it is not very secure and users can vote over again. If you do need help, PM me and I will give you my contact details.

Posted
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='".$_GET['name']."'");

 

Wow. Please can I have your game link, @adamhull? ;)

Posted

Thank you for your help, adamhull.

I see where a lot of my errors were now. I did warn everyone my skills are poor. However I feel there is but one way to learn. Dive in the deep end.

I was unable to get your actual code to work however I just changed it and now it works ok like below.

 

<?php        
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$profile_class->username."'");
$a = mysql_fetch_array($b);
$rating = $a['rate'];
print "Rating: [<a href=giverate.php?name=$profile_class->username&action=take>-</a>] $rating [<a href=giverate.php?name=$profile_class->username&action=give>+</a>]";  
?> 

 

As for securing it, one step at a time tiger :)

Just getting it to work is proving difficult enough.

In all seriousness, however, I am looking into how to protect the $_GET, which I assume is the problem?

Again thanks for the replies.

Posted

I figured it was something like that, thank you CodingKid.

Here is where I am now at with it.

There are no voting limits and you can vote for yourself, which is pretty silly; however, that's my next mission.

 

<?php
include "header.php";
$name = mysql_real_escape_string($_GET['name']);
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE username = '$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='$name'");
$a = mysql_fetch_array($b);
echo "You have given 1 rating to $name!
Their rating is now ".$a['rate']."!";
include "footer.php";
die();
if ($_GET['action'] == "take")
{
mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='".$user_class->id."'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='".$_GET['u']."'");
$a = mysql_fetch_array($b);
echo "You have taken 1 rating from $name!
Their rating is now '".$a['rate']."'!";
die();
}else{
echo "Unknown action!";
include "footer.php";
die();
}
;
?>
Posted

 

  • Get used to formatting your code for easier readability
  • Why do you have a semi-colon after a closing brace?

 

<?php

include "header.php";
$name = mysql_real_escape_string($_GET['name']);
mysql_query("UPDATE grpgusers SET rate=rate+1 WHERE username = '$name'");
mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='" . $user_class->id . "'");
$b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='$name'");
$a = mysql_fetch_array($b);
echo "You have given 1 rating to $name!
Their rating is now " . $a['rate'] . "!";
include "footer.php";
die();
if ($_GET['action'] == "take") {
   mysql_query("UPDATE grpgusers SET rate=rate-1 WHERE username ='$name'");
   mysql_query("UPDATE grpgusers SET canrate=canrate-1 WHERE id=`id`='" . $user_class->id . "'");
   $b = mysql_query("SELECT username,rate FROM grpgusers WHERE username='" . $_GET['u'] . "'");
   $a = mysql_fetch_array($b);
   echo "You have taken 1 rating from $name!
Their rating is now '" . $a['rate'] . "'!";
   die();
} else {
   echo "Unknown action!";
   include "footer.php";
   die();
}

?>
Posted

Thank you for the advice, Sniko.

There is a good reason for a semi-colon after a closing brace.

Because I have no idea what I am doing and the most simple things to you are extremely complicated to myself.

However as each day passes I learn a little more.

(semi-colon now removed :))

Posted (edited)
The $_GET is the problem; add this:

 

$name = mysql_real_escape_string($_GET['name']);

 

And then change $_GET['name'] to $name everywhere it is used in the file.

I would go a step further, and validate the contents.

 

if( preg_match("/^[a-z0-9-_\ ]+$/i", $_GET['name']) == 0 ) {
   //Invalid name.
   die;
}

//Carry on.

 

For example: https://eval.in/199780

<?php

$arrNames = array();
$arrNames[] = "sniko";
$arrNames[] = "Robert'); DROP TABLE Students;-"; //Bobby tables :)
$arrNames[] = "&";
$arrNames[] = "MakeWebGames";
$arrNames[] = "Admin";


foreach($arrNames as $strName) {
  if( preg_match("/^[a-z0-9-_\ ]+$/i", $strName) == 0 ) {
      //Invalid name.
      echo $strName ." is invalid.". PHP_EOL;
  } else {
      echo $strName ." is valid!". PHP_EOL;
  }
}

 

Also, don't forget to urlencode() and urldecode() $_GET['name'].

 

But then again, the user id is probably indexed, and we should query on that instead.

Edited by sniko
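Pulling the thread's advice together (escape or, better, parameterise the input, validate the name, query on the indexed id) with the voting limits Grumpy listed as the next mission, here is an added example of a giverate.php that is not anyone's code from this thread. It assumes a PDO connection in $pdo with exceptions enabled, the thread's $user_class->id for the logged-in user, and a hypothetical grpgratings table with a UNIQUE(rater_id, target_id) key.

```php
<?php
// Added example, not the thread's code: a hardened giverate.php using PDO prepared
// statements. Assumes $pdo is a PDO connection in ERRMODE_EXCEPTION, $user_class->id
// is the logged-in user's id (as in the thread), and a hypothetical table
// grpgratings(rater_id, target_id) with UNIQUE(rater_id, target_id) to stop repeat votes.
include "header.php";
$action = isset($_GET['action']) ? (string)$_GET['action'] : '';
$name   = isset($_GET['name']) ? (string)$_GET['name'] : '';
// Only two actions exist; map them to a delta instead of building SQL from input.
$deltas = array('give' => 1, 'take' => -1);
if (!isset($deltas[$action])) {
    die("Unknown action!");
}
// The same allow-list sniko proposed: letters, digits, dash, underscore, space.
if (preg_match("/^[a-z0-9-_\ ]+$/i", $name) == 0) {
    die("Invalid name!");
}
// Resolve the username to its indexed id once; every later query uses the id.
$stmt = $pdo->prepare("SELECT id FROM grpgusers WHERE username = ?");
$stmt->execute(array($name));
$targetId = $stmt->fetchColumn();
if ($targetId === false) {
    die("No such user!");
}
if ((int)$targetId === (int)$user_class->id) {
    die("You cannot rate yourself!");
}
$pdo->beginTransaction();
try {
    // Record the vote first: the UNIQUE key rejects a second vote on the same target.
    $stmt = $pdo->prepare("INSERT INTO grpgratings (rater_id, target_id) VALUES (?, ?)");
    $stmt->execute(array($user_class->id, $targetId));
    // Spend a rating point only if one is left: check and decrement in one statement.
    $stmt = $pdo->prepare("UPDATE grpgusers SET canrate = canrate - 1 WHERE id = ? AND canrate > 0");
    $stmt->execute(array($user_class->id));
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException("no ratings left");
    }
    $stmt = $pdo->prepare("UPDATE grpgusers SET rate = rate + ? WHERE id = ?");
    $stmt->execute(array($deltas[$action], $targetId));
    $pdo->commit();
} catch (Exception $e) {
    $pdo->rollBack(); // duplicate vote or no points left: nothing is changed
    die("Rating not applied: you already rated this user or have no ratings left.");
}
$stmt = $pdo->prepare("SELECT rate FROM grpgusers WHERE id = ?");
$stmt->execute(array($targetId));
echo "Their rating is now " . (int)$stmt->fetchColumn() . "!";
include "footer.php";
```

Because the canrate check and decrement happen in a single UPDATE inside the transaction, two quick clicks cannot both succeed when only one point is left.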
