This is it, I've completed my forum script and I'm sharing it with you!!!!!!!
:O
Hope you like it, if you find any bugs, please post it here
Oh yea, and the first registered person will be the admin
This is it, I've completed my forum script and I'm sharing it with you!!!!!!!
:O
Hope you like it, if you find any bugs, please post it here
Oh yea, and the first registered person will be the admin
<?php
//save this as style.css
?>
body {
background-color: #666666;
border: 10px solid #000000;
color: #300000;
text-align: center;
padding: 5px;
}
#page {
border: 1px solid #000000;
color: #300000;
background-color: #C0C0C0;
text-align: center;
padding: 5px;
}
#login {
position: absolute;
border: 1px solid black;
color: #300000;
background-color: #C0C0C0;
text-align: center;
padding: 5px;
left: 50px;
margin-top:5px;
}
#register {
position: absolute;
border: 1px solid black;
color: #300000;
background-color: #C0C0C0;
text-align: center;
padding: 5px;
right: 50px;
margin-top:5px;
}
#user_info {
border: 1px solid black;
margin: 5px;
padding: 2px;
text-align: right;
}
#page2 {
border: 1px solid black;
margin: 5px;
padding: 2px;
}
#post {
border: 1px solid black;
}
a {
color: #000;
text-decoration: underline;
}
a:hover {
text-decoration: none;
color: #000;
}
<?php
//Save This Page as index.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />";
?>
<title>Main Forums Page</title>
<div id="page">
<?php
if($_SESSION['username']){
echo "<div id='user_info'>";
echo "<h6>Welcome ".$_SESSION['username']."!";
$result = mysql_query("SELECT `admin` FROM `users` WHERE `username` = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result)){
if($row['admin'] == 1){
echo "<br><a href='new_cat.php'>New Catagory</a>";
}
}
echo "<br>\n<a href='userchange.php'>Edit User Info</a>\n";
echo "<br>\n<a href='logout.php'>Logout</a></h6>";
echo "</div>";
echo "<div id='page2'>\n";
echo "<h2>Categories</h2>\n";
echo "<hr size='1' width='75%'>\n";
$result0 = mysql_query("SELECT * FROM forum_cats ORDER BY date");
while($row = mysql_fetch_array($result0)){
echo "<a href='forums.php?id=".$row['id']."'>".$row['cat_name']."</a><br>Date Added: ".$row['date']."<hr size='1' width='50%'><br>\n";
}
echo "<br>\n";
echo "</div>";
}else{
echo "Welcome Guest! Please login or register to start viewing the categories, topics, and to start posting!";
?>
<div id="login">
<table border=0>
<form action='./index.php' method='post'>
<tr><td colspan="2" align="center" bgcolor="#333333"><font color="#ffffff">Login Form</font></td></tr>
<tr><td>Username:</td><td><input type=text name=user maxsize=20></td></tr>
<tr><td>Password:</td><td><input type=password name=pass maxsize=20></td></tr>
<tr><td colspan="2"><input type="submit" value="Login" name="submit2"/></td></tr>
</form>
</table>
<?php
$sub = $_POST['submit2'];
$u = $_POST['user'];
$p = $_POST['pass'];
if($sub){
$sql = mysql_query("SELECT count(id) FROM users WHERE username='$u' AND password='$p'");
$result = mysql_result($sql, 0);
if($result!=1){
print "<br>Invalid Login Information";
}else{
$result1 = mysql_query("SELECT * FROM users");
while($row = mysql_fetch_array($result1)){
mysql_query("UPDATE users SET admin = '1' WHERE id = '1'") or die(mysql_error());
}
$_SESSION['username'] = $u;
echo "<br>You are now logged in ".$_SESSION['username']."!";
}
}
?>
</div>
<div id="register">
<table border="0" cellspacing="3" cellpadding="3">
<form method="post" action="index.php">
<tr><td colspan="2" align="center" bgcolor="#333333"><font color="#ffffff">Registration Form</font></td></tr>
<tr><td>Username</td><td><input type="text" name="username"></td></tr>
<tr><td>Password</td><td><input type="password" name="password"></td></tr>
<tr><td>Confirm</td><td><input type="password" name="passconf"></td></tr>
<tr><td>E-Mail</td><td><input type="text" name="email"></td></tr>
<tr><td colspan="2" align="center"><input type="submit" name="submit" value="Register"></td></tr>
</form>
</table>
</div>
<?php
if($_POST['submit']){
function protect($string){
$string = mysql_real_escape_string($string);
$string = strip_tags($string);
$string = addslashes($string);
return $string;
}
$username = protect($_POST['username']);
$password = protect($_POST['password']);
$confirm = protect($_POST['passconf']);
$email = protect($_POST['email']);
$errors = array();
if(!$username){
$errors[] = "<br>Username is not defined!";
}
if(!$password){
$errors[] = "<br>Password is not defined!";
}
if($password){
if(!$confirm){
$errors[] = "<br>Confirmation password is not defined!";
}
}
if(!$email){
$errors[] = "<br>E-mail is not defined!";
}
if($username){
if(!ctype_alnum($username)){
$errors[] = "<br>Username can only contain numbers and letters!";
}
$range = range(1,32);
if(!in_array(strlen($username),$range)){
$errors[] = "<br>Username must be between 1 and 32 characters!";
}
}
if($password && $confirm){
if($password != $confirm){
$errors[] = "<br>Passwords do not match!";
}
}
if($email){
$checkemail = "/^[a-z0-9]+([_\\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]+)*)+\\.[a-z]{2,}$/i";
if(!preg_match($checkemail, $email)){
$errors[] = "<br>E-mail is not valid, must be name@server.tld!";
}
}
if($username){
$sql = "SELECT * FROM `users` WHERE `username`='".$username."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) > 0){
$errors[] = "<br>The username you supplied is already in use!";
}
}
if($email){
$sql2 = "SELECT * FROM `users` WHERE `email`='".$email."'";
$res2 = mysql_query($sql2) or die(mysql_error());
if(mysql_num_rows($res2) > 0){
$errors[] = "<br>The e-mail address you supplied is already in use of another user!";
}
}
if(count($errors) > 0){
foreach($errors AS $error){
echo $error . "<br>\n";
}
}else {
$ip = $_SERVER['REMOTE_ADDR'];
$sql4 = "INSERT INTO `users`
(`username`,`password`,`email`, `admin`, `ip`, `displaypic`, `ban`)
VALUES ('".$username."','".$password."','".$email."','0', '$ip', 'None!', 'no')";
$res4 = mysql_query($sql4) or die(mysql_error());
echo "<font align=\"center\"><br><br>You have successfully<br>\n registered with the username <br>\n<b>".$username."</b> and the <br>\npassword <b>".$password."</b>!</font>";
echo "</div>";
}
}
}
?>
</div>
<?php
//Save This As new_cat.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />";
?>
<title>Adding Category</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
header("Location: index.php");
}
$query = mysql_query("SELECT admin FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($query)){
$admin = $row['admin'];
}
if($admin != 1){
die("You are not authorized to be here.");
}
echo "<div id='user_info'>";
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h2>Adding New Category</h2>
<form action='new_cat.php' method='POST'>
<p>Category Name: <input type='text' name='cat_name'></p>
<p><input type='submit' value='Create Category' name='submit'></p>
</form>
<?php
$sub = $_POST['submit'];
$name = $_POST['cat_name'];
if($sub){
mysql_query("INSERT INTO forum_cats (cat_name) VALUES ('$name')");
echo "Created category <b>".$name."</b>!";
}
?>
</div>
<?php
//Save This as forums.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />\n";
?>
<title>Forums Page</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
die("You must login to view the topics!");
}
echo "<div id='user_info'>\n";
$id = $_GET['id'];
$result2 = mysql_query("SELECT * FROM forum_cats WHERE id = '".$id."'");
while($row = mysql_fetch_array($result2)){
$cat = $row['cat_name'];
}
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h3>Topics In Category: <?php
echo "<b>".$cat."</b>";
?>.</h3>
<form action='?id=<?php echo $id; ?>' method='POST'>
<input type='submit' value='New Topic' name='submit'>
</form>
<hr size='1' width='75%'>
<?php
$result = mysql_query("SELECT * FROM forum_sub_cats WHERE forum_cat_name = '".$cat."'");
while($row = mysql_fetch_array($result)){
echo "<a href='./topic.php?id=".$row['id']."'>".$row['sub_cat_name']."</a><br>\nDescription: <b>".$row['desc']."</b><br>\nDate Added: ".$row['date']."<hr size='1' width='50%'>\n<br>";
}
$sub = $_POST['submit'];
if($sub){
?>
<table border='0' cellpadding='5'>
<tr><th colspan='2'>New Topic</th></tr>
<form action='?id=<?php echo $id; ?>' method='POST'>
<tr><td>Topic Name: </td><td><input type='text' name='sub_name'></td><tr>
<tr><td>Topic Description: </td><td><input type='text' name='sub_desc'></td></tr>
<tr><td colspan='2' align='right'><input type='submit' value='Create Topic' name='submit2'></td></tr>
</form>
</table>
<?php
}
$sub2 = $_POST['submit2'];
$name = $_POST['sub_name'];
$desc = $_POST['sub_desc'];
if($sub2){
mysql_query("INSERT INTO forum_sub_cats (`sub_cat_name`, `forum_cat_name`, `desc`) VALUES ('$name', '$cat', '$desc')") or die(mysql_error());
echo "Added Topic <b>".$name."</b>!";
}
?>
<?php
//Save this as topic.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />\n";
?>
<title>Forums Page</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
die("You must login to view the posts!");
}
$result = mysql_query("SELECT * FROM users");
while($row = mysql_fetch_array($result)){
$uslevel = $row['admin'];
}
echo "<div id='user_info'>\n";
$id = $_GET['id'];
$result2 = mysql_query("SELECT * FROM forum_sub_cats WHERE id = '".$id."'");
while($row = mysql_fetch_array($result2)){
$cat = $row['sub_cat_name'];
}
$result1 = mysql_query("SELECT admin FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result1)){
$ulevel = $row['admin'];
}
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h3>Posts In Topic: <?php
echo "<b>".$cat."</b>";
?>.</h3>
<form action='?id=<?php echo $id; ?>' method='POST'>
</form>
<hr size='1' width='75%'>
<p>Posts:</p>
<?php
echo "<table border='0' cellpadding='5' cellspacing='5'>";
$result3 = mysql_query("SELECT * FROM posts WHERE forum_sub_cat_name = '".$cat."'");
while($row = mysql_fetch_array($result3)){
$user = $row['user'];
$post = $row['post'];
echo "<tr><td colspan='3'><hr size='1'></td></tr>";
echo "<tr align='left'><td colspan='2' align='center' bgcolor='#333333'><font color='#ffffff'>Username: <b>".$user."</b> Userlevel: ";
if($uslevel == 0){
echo "<b>Memeber</b>";
if($ulevel == 1){
echo " <br>\n<center><form action='?id=".$id."' method='POST'><input type='submit' name='edit' value='Edit'></form><form action='?id=".$id."' method='POST'><input type='submit' name='ban' value='Ban'></form>";
}
echo "</font></td></tr><tr><td align='left'>User Forum Pic: <br>\n".$row['display']."</td><td align='center'>Post: <br>\n<textarea rows='15' cols='20' readonly='readonly'>".$post."</textarea></td></tr>\n";
}else if($uslevel == 1){
echo "<b>Administrator</b>";
if($ulevel == 1){
echo " <br>\n<center><form action='?id=".$id."' method='POST'><input type='submit' name='edit' value='Edit'></form><form action='?id=".$id."' method='POST'><input type='submit' name='ban' value='Ban'></form>";
}
echo "</font></td></tr><tr><td align='left'>User Forum Pic: <br>\n".$row['display']."</td><td align='center'><textarea rows='15' cols='15' readonly='readonly'>".$post."</textarea></td></tr>\n";
}
echo "<tr><td bgcolor='#333333'><font color='#ffffff'>Posted: ".$row['date']."</font></td><td bgcolor='#333333'><font color='#ffffff'>Subject: ".$row['subject']."</font></td></tr>";
echo "<tr><td colspan='3'><hr size='1'></td></tr>";
}
echo "</table>";
?>
<hr size='1' width='75%'>
<form action='?id=<?php echo $id; ?>' method='POST'>
<table border='0' align='center' cellspacing='5'>
<tr><th colspan='2'>Add A Post</th></tr>
<tr><td>Subject: </td><td><input type='text' name='sub' size='20'></td></tr>
<tr><td>Comment: </td><td><textarea name='comment' rows='5' cols='20'></textarea></td></tr>
</tr><td colspan='2' align='right'><input type='submit' value='Add Post' name='submit'></td></tr>
</table>
</form>
<?php
$result3 = mysql_query("SELECT displaypic FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result3)){
$display = $row['displaypic'];
}
$sub = $_POST['submit'];
$subj = $_POST['sub'];
$com = $_POST['comment'];
if($sub){
if(($subj == '') || ($com == '')){
die("You did not enter a Subject and/or a Post!");
}
mysql_query("INSERT INTO posts (`user`, `post`, `subject`, `forum_sub_cat_name`, `display`) VALUES ('".$_SESSION['username']."', '$com', '$subj', '$cat', '<img src=$display width=150 height=150/>')") or die(mysql_error());
echo "Post Added!";
}
$sub2 = $_POST['edit'];
$sub3 = $_POST['ban'];
if($sub2){
?>
<form action='?id=<?php echo $id; ?>' method='POST'>
<p>Current Post: <textarea rows='15' cols='20' readonly='readonly'><?php echo $post; ?></textarea></p>
<p>New Post: <textarea name='npost' rows='5' cols='20'></textarea></p>
<p><input type='submit' name='edit2' value='Edit Post'></p>
</form>
<?php
}
$sub4 = $_POST['edit2'];
$npost = $_POST['npost'];
if($sub4){
mysql_query("UPDATE posts SET post = '".$npost."'") or die(mysql_error());
echo "Post Edited!";
}
if($sub3){
mysql_query("UPDATE users SET ban = 'yes' WHERE username = '".$user."'") or die(mysql_error());
echo "User Banned!";
}
?>
<?php
//Save this as logout.php
?>
<?php
session_start();
session_unset();
session_destroy();
header("Location: index.php");
?>
<?php
//Save this as global.php
//Make sure to edit the database names
?>
<?php
$connect = mysql_connect('localhost', 'username', 'password') OR die("Error: ".mysql_error());
$db = mysql_select_db('forum', $connect) OR die("Error: ".mysql_error());
?>
<?php
//Save this as userchange.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />\n";
?>
<title>User Administration</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
die("You must login to view this page!");
}
echo "<div id='user_info'>\n";
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h2>User Administration</h2>
<form action='userchange.php' method='POST'>
<table border='0'>
<tr><th>Change Password | </th><th>Current Pass:
<?php
$result = mysql_query("SELECT password FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result)){
echo $row['password'];
}
?></th></tr>
<tr><td>New Pass</td><td><input type='password' name='pass' maxsize=20 /></td></tr>
<tr><td>Confirm Pass</td><td><input type='password' name='pass2' maxsize=20 /></td></tr>
<tr><td colspan=2><input type="submit" value="Change Pass" name="submit"/></td></tr>
</table>
</form>
<?php
$np = $_POST['submit'];
$p = $_POST['pass'];
$p2 = $_POST['pass2'];
if($np){
if($p!=$p2){
die("Passwords Don't Match!<br>");
}
if(($p=='') || ($p2=='')){
die("Passwords Are Blank!<br>");
}
mysql_query("UPDATE users SET password = '".$p."' WHERE username = '".$_SESSION['username']."'") or die(mysql_error());
echo "Password Changed!";
}
?>
<form action='userchange.php' method='POST'>
<table border='0'>
<tr><th>Change Forum Display Pic </th><th>(Note, this will be resized to 150 x 150)</th></tr>
<tr><td>Forum Pic URL: </td><td><input type='text' name='url'></td></tr>
<tr><td colspan='2'><input type='submit' value='Change Pic' name='submit0'></td></tr>
</table>
</form>
<?php
$sub2 = $_POST['submit0'];
$url = $_POST['url'];
if($sub2){
mysql_query("UPDATE users SET displaypic = '".$url."' WHERE username = '".$_SESSION['username']."'");
echo "Forum Pic Changed!";
}
?>
</div>
<?php
//And finally, import this sql to your database
?>
CREATE TABLE IF NOT EXISTS `users` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`username` varchar(20) NOT NULL,
`password` varchar(20) NOT NULL,
`email` varchar(50) NOT NULL,
`admin` varchar(1) NOT NULL,
`joined` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`displaypic` varchar(500) NOT NULL,
`ip` varchar(60) NOT NULL,
`ban` varchar(10) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
CREATE TABLE IF NOT EXISTS `posts` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`user` varchar(20) NOT NULL,
`post` text NOT NULL,
`subject` varchar(20) NOT NULL,
`forum_sub_cat_name` varchar(60) NOT NULL,
`date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`display` varchar(500) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
CREATE TABLE IF NOT EXISTS `forum_sub_cats` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`sub_cat_name` varchar(60) NOT NULL,
`forum_cat_name` varchar(60) NOT NULL,
`desc` varchar(100) NOT NULL,
`date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
CREATE TABLE IF NOT EXISTS `forum_cats` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`cat_name` varchar(60) NOT NULL,
`date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`admin` varchar(1) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;
Hopes you like it :D
This code is horribly insecure. There are sql injection and xss holes. The code is a mess and very hard to follow. You should add some comments.
The way it stands now, I could delete your tables in your database and hijack sessions (there is a lot more I can do as well).
NO ONE USE THIS UNTIL THE ISSUES ARE FIXED!
This is dissapointing as I have been looking for a forum script to use for my site,
Would it be possible to add security to this to make this script secure ??
Hoping to hear a reply
@LloydFarrell!
Why don't you use phpBB?
@AUTHOR:
Thanks, but looks insecure! Improve it!
Also a lot of errors appear! Use error_reporting(E_ALL); when you code!
Tip:
Don't use:
if($_POST['submit']) {
//Code here
}
Use instead:
if(isset($_POST['submit'])) {
//Code here
}
Bug:
When you log-in, the "Welcome Guest" still apears!
After refreshing it's gone, but users will think login was unsuccessful !
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.