2 Birds, 1 Stone... PHP And Testing

jcb33 · 4 Apr 2007 at 00:11

Hi all, finaly got my site working how I want, at least in IE6, and FF, just wanted a few people with other browsers, operating systems, resolutions etc to test it if you can please

http://cpanel.lincoln.ac.uk/dci125/index.shtml

Also trying to get my guestbook working, can anyone see anything wrong with the following code for creating my table?:

Code:

<?php
// create table
// connecting to database

$sel=mysql_connect("localhost","cpanelu_dci125","******");
if (!$sel)
  {
  die('Could not connect: ' . mysql_error());
  }

// select database

mysql_select_db("cpanelu_dci125", $sel);

echo "db selected & connected to $sel";

// create table

$dat="CREATE TABLE guestbook
(
commentID int NOT NULL AUTO_INCREMENT, 
PRIMARY KEY(commentID),
Name varchar(15),
Email varchar(40),
Comment varchar(1000)
)";

echo "creating table now";

mysql_query($dat,$sel);

mysql_close($sel);
?>

I get the message:

db selected & connected to Resource id #2creating table now

However when I got to insert a comment it gives the error:

Error: Table 'cpanelu_dci125.guestbook' doesn't exist

jcb33 · 4 Apr 2007 at 00:23

With:

Code:

<?php
// create table
// connecting to database

$sel=mysql_connect("localhost","cpanelu_dci125","*******");
if (!$sel)
  {
  die('Could not connect: ' . mysql_error());
  }

// select database

mysql_select_db("cpanelu_dci125", $sel);

echo "db selected & connected to $sel";

// create table

$dat="CREATE TABLE guestbook
(
commentID int NOT NULL AUTO_INCREMENT, 
PRIMARY KEY(commentID),
Name varchar(15),
Email varchar(40),
Comment varchar(1000)
)";

echo "creating table now";

mysql_query($dat,$sel);

mysql_error()

mysql_close($sel);
?>

I get the following error:

Parse error: parse error, unexpected T_STRING in /home2/cpanelu/public_html/dci125/guestbook/connect.php on line 35

Edit, nevermind adding a ";" to the end of mysql_error()
fixed that, and I just got the origional message again

jcb33 · 4 Apr 2007 at 15:22

I have tried installing a program called wizmysqladmin, however it seems to only allow me to create a primary key, and not alter it, could anyone please help me get this set up

my msn is 06039966 [at] students.lincoln.ac.uk if you would be willing to help me over msn please add me

jcb33 · 4 Apr 2007 at 21:23

Ok thanks all, managed to get a table created (All be it not the way I wanted to!) But now I cant fetch the data from my table, I am using the following code:

Code:

<?php

$sel = mysql_connect("localhost","cpanelu_dci125","********");
if (!$sel)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("cpanelu_dci125", $sel);

$comment = mysql_query("SELECT * FROM guestbook");

while($line = mysql_fetch_array($result))
  {
  echo $line['name'] . " " . $line['email'] . " " .$line['comment'];
  echo "<br />";

  }
mysql_close($sel);
?>

But get the following error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home2/cpanelu/public_html/dci125/guestbook/display.php on line 13

jcb33 · 4 Apr 2007 at 21:43

punky_munky said:
Should be
mysql_fetch_array($comment)

Thanks

only problem now is it looks a total mess e.g:

Andrew Not telling you! Whats with all the latin?
Andrew Not telling you! Whats with all the latin?
Andrew Etc Ooops sorry for the double post!

I want it to look like this:

Name: Andrew

Email: Not Telling You!

Comment: Whats with all the latin?

________________________________________________________

Name: Andrew

Email: Etc

Comment: Ooops sorry for the double post!

________________________________________________________

jcb33 · 4 Apr 2007 at 21:50

Is this method valid?

Code:

while($line = mysql_fetch_array($comment))
  {
  echo "Name: ";
  echo $line['name'];
  echo "<br />";
  echo "Email: ";
  echo $line['email'];
  echo "<br />";
  echo "Comment: ";
  echo $line['comment'];
  echo "<br />";
  echo "<br />";
  echo "<hr />";

  }
mysql_close($sel);
?>

Edit, also how can i make it so it displays the newest comment on top, down to oldest?

jcb33 · 4 Apr 2007 at 22:52

punky_munky said:
Not wanting to sound rude but perhaps you should have a read up on the basics of SQL and PHP? http://www.w3schools.com/ is a good place to start.

Nah not rude at all, have never done any php before so need to learn from scratch basicaly

jcb33 · 4 Apr 2007 at 23:14

punky_munky said:
Not wanting to sound rude but perhaps you should have a read up on the basics of SQL and PHP? http://www.w3schools.com/ is a good place to start.

Ta managed to get my guestbook working now, only thing I cant find how to do is a validation, I want it so that if a post is over the browser width it goes onto the next line

http://cpanel.lincoln.ac.uk/dci125/guestbook/guestbook.shtml

jcb33 · 5 Apr 2007 at 01:19

Looking at w3 schools I found some bits and bobs, and im currently trying to get it so that a user can input their email into a form, and they will then get an email, I can make it email me at a set address, however I cannot make it take the email from the form and send to that, I currently have:

Code:

			<?php
				mysql_query("SELECT * FROM newsLetter);
				$to = "$email";
				$subject = "Welcome!";
				$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
				$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
				"CC: [email protected]";
				mail($to,$subject,$txt,$headers);
				?>
			<?php

But that is not working, any ideas?

jcb33 · 5 Apr 2007 at 08:03

psyr33n said:
a) mysql_query("SELECT * FROM newsLetter);

Spot what's wrong.

b) $to = "$email";

Not an error, but no interpolation means no need for quotation.

As for "not working", can you elaborate?

Parse error: parse error, unexpected T_VARIABLE in /home2/cpanelu/public_html/dci125/assets/library/global/insert.php on line 32

jcb33 · 5 Apr 2007 at 13:14

psyr33n said:
Did you read my post, by any chance?

Aye I had already tried it without the quotation marks and got this error:

Parse error: parse error, unexpected T_STRING in /home2/cpanelu/public_html/dci125/assets/library/global/insert.php on line 33

Code:

			<?php
				$email = mysql_query("SELECT * FROM newsLetter);
				$to = $email;
				$subject = "Welcome!";
				$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
				$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
				"CC: [email protected]";
				mail($to,$subject,$txt,$headers);
				?>
			<?php

jcb33 · 5 Apr 2007 at 13:27

Edit, got it semi working, using the following code, only problem is it just sends it to the first email, not the newest!

Code:

<?php
	$sel = mysql_connect("localhost","cpanelu_dci125","Manypeop");
	if (!$sel)
  	{
  		die('Could not connect: ' . mysql_error());
  	}
	mysql_select_db("cpanelu_dci125", $sel);

	$comment = mysql_query("SELECT * FROM newsLetter");
	$line = mysql_fetch_array($comment);
  	$to = $line['email'];
	$subject = "Welcome!";
	$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
	$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
	"CC: Overclockersvortex.co.uk";
	mail($to,$subject,$txt,$headers);
	mysql_error();
	
	mysql_close($sel);
?>

Ok, I think I have it working, would people mind testing it and letting me know if they get an email? Thanks

http://cpanel.lincoln.ac.uk/dci125/index.shtml

jcb33 · 5 Apr 2007 at 14:04

arrond said:
Ok, I think I have it working, would people mind testing it and letting me know if they get an email? Thanks

http://cpanel.lincoln.ac.uk/dci125/index.shtml

Yep its working. If you are having trouble creating a table and adding some data, here the method I use

Code:

<?php

// Declare and initialize variables
$database   = "Your database name";
$hostName   = "localhost";
$loginName  = "Your username";
$passwdName = "You Password";

// Formulate the create table query - Obviously chnage the sql for your table
$query1 = "CREATE TABLE IF NOT EXISTS tblLinks (
	`ID` INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
	`URL` VARCHAR(255) UNIQUE NOT NULL,
	`Title` VARCHAR(255),
	`Description` VARCHAR(255)) TYPE=MyISAM";

// Formulate the insert row query
$query2 = "INSERT IGNORE INTO tblLinks (`URL`,`Title`,`Description`) VALUES 
('URL Here,' Page Title Here','Descrition Goes here')";
//Repeat format above to add more entries

// Connect to the server
$link = mysql_connect($hostName,$loginName,$passwdName);
// Check result
if (!$link) {
   echo "Could not connect to mysql<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Select the database
$result = mysql_select_db($database, $link);
// Check result
if (!$result) {
   echo "Could not select database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Send the create table query to the database and execute it
$result = mysql_query($query1, $link);
// Check result
if (!$result) {
   echo "DB Error, could not query the database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Send the insert row query to the database and execute it
$result = mysql_query($query2, $link);
// Check result
if (!$result) {
   echo "DB Error, could not query the database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Get the number of rows affected by the last query
$affected_rows = mysql_affected_rows($link);

echo "Your data has been successfully exported<br>";
echo "Added $affected_rows record(s)";

// Close the link to the database
mysql_close($link);

?>

Hope this helps. Contains some error checking as well

[/QUOTE]
Thanks, will give it a shot

Glad its working, took a lot of brain power hehe, Im enjoying learning all this much more than seems normal

Only thing now is that, well 2 things:

1) People can enter script into the comment, and email boxes that cause problems, e.g last night someone had this going:

Code:

<script type="text/javascript">
alert('Sanitise all user input!');
alert('Otherwise people will inject code into your site');
alert('Like this');
</script>

2) The email looks a bit of a mess, e.g:

Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!

I have tried to format it using html, but that does not work, so cant have it looking how I want:

Dear User,
this is just a quick email to thank you for signing up to the OCV newsletter! We look forward to sending you many exciting newsletters in the future!

Thanks again the OCV Team!

jcb33 · 6 Apr 2007 at 01:10

Just wondering how can I validate my forms so people cant insert code like < and > because so far had someone insert my entire site into my guestbook twice, and some java script :/

jcb33 · 6 Apr 2007 at 01:38

arrond said:
Its called sql injection. Its very common. Heres a simply script you need to apply to your code

Code:

<?php // Connect $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password') OR die(mysql_error()); // Query $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password)); ?>

This is very simple, i would recommend looking into it further but it can get complicated. Basically your goal is to validate input to stop people gaining access by bypassing your password such as using "' OR ''='" which changes the sql query to ignore password entry.

Hope this helps

Ah, the problem is not to do with passwords, its just people breaking my guestbook by inserting code into it, instead of leaving a nice comment, so I need to:

1) Make it so they cannot insert code by making it automaticaly format out < and >
2) Make it so if they enter a realy long word e.g m000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 it goes onto the next line, not breaks my page

jcb33 · 6 Apr 2007 at 01:50

arrond said:
Your guessbook is taking in user input, that is how they are able to inject code. You should validate Name, email and comment input. Your using php and a database to store the comments, yes?

Yes I am

Problem is I just dont know how to validate them to stop unwanted input

jcb33 · 6 Apr 2007 at 02:05

arrond said:

Ok its a bit hard to explain everyting if you dont know but on my site you can also post comments, very similar to yours except you can only enter a name and comment. This is my code:

Code:

<?php

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO tblcom (Name, Comment, `Date`) VALUES (%s, %s, %s, %s)",
					   
                       GetSQLValueString($_POST['Name'], "text"),
					   GetSQLValueString($_POST['Comment'], "text"),
                       GetSQLValueString($_POST['Date'], "date"));
                       
  mysql_select_db($database_blog, $blog);
  $Result1 = mysql_query($insertSQL, $blog) or die(mysql_error());

  $insertGoTo = "comments.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
?>

Its a bit complicated i know, most of this was generated for me.

Aye is a bit complicated, cant work out where it stops certain characters being entered even

jcb33 · 6 Apr 2007 at 02:55

Ah well lots of searching and I still cant figure it out, All I know is I want it to do something like

Search Comment, if HTML Tags then replace with " "
Search comment, If word > 20 characters then replace with " "
Submit to database

jcb33 · 6 Apr 2007 at 13:16

Ok, I tried to use the following code, but it did nothing at all...

Code:

			<?php
				$sel = mysql_connect("localhost","cpanelu_dci125","Manypeop");
				if (!$sel)
  				{
  					die('Could not connect: ' . mysql_error());
  				}
				mysql_select_db("cpanelu_dci125", $sel);

				$comment = mysql_query("SELECT * FROM guestbook ORDER BY commentID DESC");
				$line = mysql_fetch_array($comment);
				$line['name'] = strip_tags($line['name']);
				$line['email'] = strip_tags($line['email']);
				$line['comment'] = strip_tags($line['comment']);
				$line['name'] = substr($line['name'], 0, 50);
				$line['email'] = substr($line['email'], 0, 70);
				$line['comment'] = substr($line['comment'], 0, 30);
				$line['name'] = mysql_real_escape_string($line['name']);
				$line['email'] = mysql_real_escape_string($line['email']);
				$line['comment'] = mysql_real_escape_string($line['comment']);
	
				mysql_error();
	
				mysql_close($sel);
			?>