Anyone To check My code??

Question

mrcniceguy 5 Posting Whiz in Training

16 Years Ago

The code is sending for profile comment,I dont know what is wrong with my code because when i click the POSTCOMMENT button It just gives a blank Page,with no Error desplayed
or Any message.
And actualy the Datas are not sent.

<?php 

 //Connect to the database server
$dbcnx=@mysql_connect('localhost','root','650715');
 if(!$dbcnx){
exit('<p>Unable to connect to the database</p>');
}
//select the joke database
if(!@mysql_select_db('register')){
 exit('<p>Unable to locate the profile'.
 'Database at the this time.</p>');
}

if(isset($_GET['id'])){    

$userid=$_GET['id']; 
 $user=$_SESSION['user'];

 if(isset($_POST['comment'])){
 $comment=$_POST['comment'];
 $sql="INSERT INTO profcomment SET
 comment='$comment',
 user='$userid',
 sender='$user';
 //commentdate=CURDATE()";
if(@mysql_query($sql)){
echo '<p>Your comment has been added.</p>';

}else{
 echo '<p><font color=white>Error adding submitted comment:</font>';
   mysql_error() .'</p>';
}
}

$result=@mysql_query("SELECT  *FROM profcomment where user='$userid'");
$num=mysql_num_rows($result);




 echo"<font color=red>There are $num comments </font><br>";
if(!$result){
exit('<p>Error perfoming query:' .
 mysql_error() .'</p>');
}

//Diaplay the text of each profcomment in paragraph
while($row=mysql_fetch_array($result)){
         $sender=$row['sender'];
        $comment=$row['comment'];
         $date=$row['commentdate'];



echo "<table width=280 height=5 align=center border=1 cellpadding=3 cellspacing=2 bordercolor=black bgcolor=creem>";
echo "<tr><td>
<p>$comment</p>
<p>posted by:<font color=blue>$sender</font> date:<font color=blue>$date</font></p></td></tr>";
echo "</table>";

}
}
?>

<table border=0 width=100 height=50 cellspacing=1 cellpadding=1 align=right>
<tr >
<td valign=top>
<form action=<?php echo$_SERVER['PHP_SELF'];?>  method=POST >
<textarea name="comment" rows=2 cols=32>
</textarea></tr>
<tr><td align=right>
<input type="submit" name="submit" value="postcomment"/>
</form> </center>


</td>
</tr>


</table>

</td>
</TR>
</table>

I need your help Please!!!

php

Edited 11 Years Ago by Reverend Jim because: Fixed formatting

3 Contributors
6 Replies
101 Views
1 Day Discussion Span
Latest Post 16 Years Ago Latest Post by nav33n

nav33n 472 Purple hazed!

16 Years Ago

Here are some things you need to fix.
You are checking if $_GET is set. Say, for example, the user follows a link and gets to this page. comments.php?id=4 . Then it will enter the condition isset($_GET) and does the required action. But, when the user fills in the comment and clicks on submit, $_GET doesn't hold any value anymore. So, it skips isset($_GET) block.
Secondly, there is no session_start. And, most importantly, don't use @ to supress the errors. You will never know where you are going wrong.

nav33n 472 Purple hazed!

16 Years Ago

pass id in a hidden field when the form is submitted. Use $_REQUEST instead of $_GET. $_REQUEST can handle both $_GET and $_POST. Thats all !
Oh, have session_start on top of your script.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

mrcniceguy 5 Posting Whiz in Training · Answer 1 · 2008-05-21T19:05:00+00:00

now can you advice me,
as you said if the user writes a comment it will skip the isset($_GET) function.
what can i do to make it work because i`m using as you explained above that the user must follow the link.
I removed the @ symbol nothing changed.

rgviza 8 Light Poster · Answer 2 · 2008-05-21T21:00:22+00:00

This script is also vulnerable to sql injection.

Always filter your input variables.

Google "sql injection prevention in php" or someone will steal all of your data and compromise your accounts. It would take under 5 minutes with this script.

You need to do length checking, and character filtering.

If you accept input data when building login form, filter for XSS as well.

This applies to all scripts even non-login pages since your registered users can use SQL injection too. Very scary stuff...

-r

mrcniceguy 5 Posting Whiz in Training · Answer 3 · 2008-05-22T01:17:18+00:00

i never used hidden values,
if can show me how accodding to my code i`ll appreciate.

nav33n 472 Purple hazed! Team Colleague Featured Poster · Answer 4 · 2008-05-22T12:48:33+00:00

Simple. The first time you follow the link, you will have the id. <input type="hidden" name="id" value="<?php echo $id; ?>"> where $id is id's value.