2 Birds, 1 Stone... PHP And Testing

Soldato | Joined 11 Apr 2003 | Posts 4,210 | Location Notts
Hi all, finally got my site working how I want, at least in IE6 and FF. I just wanted a few people with other browsers, operating systems, resolutions etc. to test it if you can please :)

http://cpanel.lincoln.ac.uk/dci125/index.shtml

Also trying to get my guestbook working; can anyone see anything wrong with the following code for creating my table?

Code:
<?php
// create table
// connecting to database

$sel=mysql_connect("localhost","cpanelu_dci125","******");
if (!$sel)
  {
  die('Could not connect: ' . mysql_error());
  }

// select database

mysql_select_db("cpanelu_dci125", $sel);

echo "db selected & connected to $sel";

// create table

$dat="CREATE TABLE guestbook
(
commentID int NOT NULL AUTO_INCREMENT, 
PRIMARY KEY(commentID),
Name varchar(15),
Email varchar(40),
Comment varchar(1000)
)";

echo "creating table now";

mysql_query($dat,$sel);

mysql_close($sel);
?>

I get the message:

db selected & connected to Resource id #2creating table now

However, when I go to insert a comment it gives the error:

Error: Table 'cpanelu_dci125.guestbook' doesn't exist
 
With:

Code:
<?php
// create table
// connecting to database

$sel=mysql_connect("localhost","cpanelu_dci125","*******");
if (!$sel)
  {
  die('Could not connect: ' . mysql_error());
  }

// select database

mysql_select_db("cpanelu_dci125", $sel);

echo "db selected & connected to $sel";

// create table

$dat="CREATE TABLE guestbook
(
commentID int NOT NULL AUTO_INCREMENT, 
PRIMARY KEY(commentID),
Name varchar(15),
Email varchar(40),
Comment varchar(1000)
)";

echo "creating table now";

mysql_query($dat,$sel);

mysql_error()

mysql_close($sel);
?>

I get the following error:

Parse error: parse error, unexpected T_STRING in /home2/cpanelu/public_html/dci125/guestbook/connect.php on line 35

Edit: never mind, adding a ";" to the end of mysql_error()
fixed that, and I just got the original message again
 
I have tried installing a program called wizmysqladmin, however it seems to only allow me to create a primary key and not alter it. Could anyone please help me get this set up :) My MSN is 06039966 [at] students.lincoln.ac.uk; if you would be willing to help me over MSN please add me :)
 
Ok thanks all, managed to get a table created (albeit not the way I wanted to!). But now I can't fetch the data from my table; I am using the following code:

Code:
<?php

$sel = mysql_connect("localhost","cpanelu_dci125","********");
if (!$sel)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("cpanelu_dci125", $sel);

$comment = mysql_query("SELECT * FROM guestbook");

while($line = mysql_fetch_array($result))
  {
  echo $line['name'] . " " . $line['email'] . " " .$line['comment'];
  echo "<br />";

  }
mysql_close($sel);
?>

But get the following error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home2/cpanelu/public_html/dci125/guestbook/display.php on line 13
 
punky_munky said:
Should be
mysql_fetch_array($comment)
Thanks :) The only problem now is it looks a total mess, e.g.:

Andrew Not telling you! Whats with all the latin?
Andrew Not telling you! Whats with all the latin?
Andrew Etc Ooops sorry for the double post!

I want it to look like this:

Name: Andrew

Email: Not Telling You!

Comment: Whats with all the latin?

________________________________________________________

Name: Andrew

Email: Etc

Comment: Ooops sorry for the double post!

________________________________________________________
 
Is this method valid?

Code:
<?php
// same connection and query as in display.php above
$sel = mysql_connect("localhost","cpanelu_dci125","********");
if (!$sel)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("cpanelu_dci125", $sel);

$comment = mysql_query("SELECT * FROM guestbook");

while($line = mysql_fetch_array($comment))
  {
  echo "Name: ";
  echo $line['name'];
  echo "<br />";
  echo "Email: ";
  echo $line['email'];
  echo "<br />";
  echo "Comment: ";
  echo $line['comment'];
  echo "<br />";
  echo "<br />";
  echo "<hr />";

  }
mysql_close($sel);
?>

Edit: also, how can I make it display the newest comment on top, down to the oldest?
 
Looking at W3Schools I found some bits and bobs, and I'm currently trying to get it so that a user can input their email into a form and they will then get an email. I can make it email me at a set address, however I cannot make it take the email from the form and send to that. I currently have:

Code:
			<?php
				mysql_query("SELECT * FROM newsLetter);
				$to = "$email";
				$subject = "Welcome!";
				$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
				$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
				"CC: [email protected]";
				mail($to,$subject,$txt,$headers);
				?>
			<?php

But that is not working, any ideas?
 
psyr33n said:
a) mysql_query("SELECT * FROM newsLetter);

Spot what's wrong.

b) $to = "$email";

Not an error, but no interpolation means no need for quotation.

As for "not working", can you elaborate?
Parse error: parse error, unexpected T_VARIABLE in /home2/cpanelu/public_html/dci125/assets/library/global/insert.php on line 32
 
psyr33n said:
Did you read my post, by any chance?
Aye, I had already tried it without the quotation marks and got this error:

Parse error: parse error, unexpected T_STRING in /home2/cpanelu/public_html/dci125/assets/library/global/insert.php on line 33

Code:
			<?php
				$email = mysql_query("SELECT * FROM newsLetter);
				$to = $email;
				$subject = "Welcome!";
				$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
				$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
				"CC: [email protected]";
				mail($to,$subject,$txt,$headers);
				?>
			<?php
 
Edit: got it semi-working using the following code; the only problem is it just sends to the first email, not the newest!

Code:
<?php
	$sel = mysql_connect("localhost","cpanelu_dci125","Manypeop");
	if (!$sel)
  	{
  		die('Could not connect: ' . mysql_error());
  	}
	mysql_select_db("cpanelu_dci125", $sel);

	$comment = mysql_query("SELECT * FROM newsLetter");
	$line = mysql_fetch_array($comment);
  	$to = $line['email'];
	$subject = "Welcome!";
	$txt = "Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!";
	$headers = "From: OverclockersVortex.co.uk" . "\r\n" .
	"CC: Overclockersvortex.co.uk";
	mail($to,$subject,$txt,$headers);
	mysql_error();
	
	mysql_close($sel);
?>

Ok, I think I have it working, would people mind testing it and letting me know if they get an email? Thanks :)

http://cpanel.lincoln.ac.uk/dci125/index.shtml
 
arrond said:
Ok, I think I have it working, would people mind testing it and letting me know if they get an email? Thanks :)

http://cpanel.lincoln.ac.uk/dci125/index.shtml

Yep, it's working. If you are having trouble creating a table and adding some data, here's the method I use

Code:
<?php

// Declare and initialize variables
$database   = "Your database name";
$hostName   = "localhost";
$loginName  = "Your username";
$passwdName = "You Password";

// Formulate the create table query - obviously change the SQL for your table
$query1 = "CREATE TABLE IF NOT EXISTS tblLinks (
	`ID` INT(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
	`URL` VARCHAR(255) UNIQUE NOT NULL,
	`Title` VARCHAR(255),
	`Description` VARCHAR(255)) ENGINE=MyISAM";

// Formulate the insert row query
$query2 = "INSERT IGNORE INTO tblLinks (`URL`,`Title`,`Description`) VALUES 
('URL Here','Page Title Here','Description Goes here')";
// Repeat the format above to add more entries

// Connect to the server
$link = mysql_connect($hostName,$loginName,$passwdName);
// Check result
if (!$link) {
   echo "Could not connect to mysql<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Select the database
$result = mysql_select_db($database, $link);
// Check result
if (!$result) {
   echo "Could not select database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Send the create table query to the database and execute it
$result = mysql_query($query1, $link);
// Check result
if (!$result) {
   echo "DB Error, could not query the database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Send the insert row query to the database and execute it
$result = mysql_query($query2, $link);
// Check result
if (!$result) {
   echo "DB Error, could not query the database<br>";
   echo 'MySQL Error: ' . mysql_error();
   exit;
}

// Get the number of rows affected by the last query
$affected_rows = mysql_affected_rows($link);

echo "Your data has been successfully exported<br>";
echo "Added $affected_rows record(s)";

// Close the link to the database
mysql_close($link);

?>

Hope this helps. Contains some error checking as well :)
Thanks, will give it a shot :) Glad it's working; it took a lot of brain power hehe. I'm enjoying learning all this much more than seems normal :D

Only thing now is that, well, two things:

1) People can enter script into the comment and email boxes that causes problems, e.g. last night someone had this going:

Code:
<script type="text/javascript">
alert('Sanitise all user input!');
alert('Otherwise people will inject code into your site');
alert('Like this');
</script>

2) The email looks a bit of a mess, e.g.:

Dear User, this is just a quick email to thank you for signing up to the OCV newsletter!We look forward to sending you many exciting newsletters in the future! Thanks again the OCV Team!

I have tried to format it using HTML, but that does not work, so I can't have it looking how I want:

Dear User,
this is just a quick email to thank you for signing up to the OCV newsletter! We look forward to sending you many exciting newsletters in the future!

Thanks again the OCV Team!
 
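An added example (not code from the thread or from any of its posters) of the newsletter signup the posts above are working towards. It mails the address the visitor just submitted instead of re-reading the first row of the newsLetter table, and it builds the multi-line plain-text body the later post wants using "\r\n" line breaks, since mail() sends plain text and ignores HTML formatting unless a Content-Type header says otherwise. It assumes PHP 7.1+ with the mysqli extension, a POSTed form field named email, a newsLetter table with an email column carrying a UNIQUE index (so INSERT IGNORE skips duplicates), and placeholder credentials and sender address.

```php
<?php
// Added example (not from the thread): newsletter signup that mails the
// address the visitor just submitted, rather than re-reading the first row
// of the newsLetter table. Assumes PHP 7.1+ with mysqli, a POSTed form
// field named "email", a newsLetter table with an email column that has a
// UNIQUE index (hypothetical schema), and placeholder credentials/sender.

function validateSubscriberEmail(string $raw): ?string
{
    $email = trim($raw);
    // FILTER_VALIDATE_EMAIL rejects "\r" and "\n", so an address that passes
    // cannot smuggle extra headers (Bcc:, etc.) into the mail() call.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

function buildWelcomeBody(): string
{
    // mail() sends plain text unless told otherwise, so line breaks come from
    // "\r\n", not from HTML tags. wordwrap() keeps each line under 70 chars.
    $paragraph = 'This is just a quick email to thank you for signing up to the '
        . 'OCV newsletter! We look forward to sending you many exciting '
        . 'newsletters in the future!';
    return implode("\r\n", [
        'Dear User,',
        '',
        wordwrap($paragraph, 70, "\r\n"),
        '',
        'Thanks again,',
        'The OCV Team',
    ]);
}

// Stores the address and sends the welcome mail; false if the address is bad.
function subscribe(mysqli $db, string $rawEmail): bool
{
    $email = validateSubscriberEmail($rawEmail);
    if ($email === null) {
        return false;
    }

    // Prepared statement: the address is bound as data, never spliced into SQL.
    // INSERT IGNORE relies on the UNIQUE index to skip repeat signups.
    $stmt = $db->prepare('INSERT IGNORE INTO newsLetter (email) VALUES (?)');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->close();

    $headers = "From: newsletter@example.com\r\n"        // placeholder sender
             . "Reply-To: newsletter@example.com\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    return mail($email, 'Welcome!', buildWelcomeBody(), $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    if ($db->connect_error) {
        die('Could not connect to the database.');
    }
    echo subscribe($db, $_POST['email'] ?? '')
        ? 'Thanks, a welcome email is on its way.'
        : 'That does not look like a valid email address.';
    $db->close();
}
```

The validation step is the one to keep even if the rest is restructured: because FILTER_VALIDATE_EMAIL refuses carriage returns and line feeds, a submitted address cannot append extra header lines to the message, which is the usual way a signup form gets turned into a relay for other people's mail.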
Just wondering how I can validate my forms so people can't insert code like < and >, because so far I've had someone insert my entire site into my guestbook twice, and some JavaScript :/
 
arrond said:
It's called SQL injection. It's very common. Here's a simple script you need to apply to your code

Code:
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
?>

This is very simple, I would recommend looking into it further but it can get complicated. Basically your goal is to validate input to stop people gaining access by bypassing your password such as using "' OR ''='" which changes the sql query to ignore password entry.

Hope this helps ;)
Ah, the problem is not to do with passwords, it's just people breaking my guestbook by inserting code into it instead of leaving a nice comment, so I need to:

1) Make it so they cannot insert code by making it automatically format out < and >
2) Make it so if they enter a really long word e.g. m000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 it goes onto the next line and doesn't break my page :(
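An added example (not code from the thread or from arrond) that puts the string-built login query from the quoted post next to an escaped version and a prepared-statement version, so the difference between the three is visible. buildQueryUnsafe() only assembles SQL text; findUserSafe() is the form to actually run. It assumes PHP 7.1+ with mysqli (get_result() needs the mysqlnd driver) and a users table with user and password_hash columns, which is a hypothetical schema, not anything from the thread.

```php
<?php
// Added example (not from the thread): the string-built login query from the
// post above, shown beside escaped and prepared-statement versions.
// Assumes PHP 7.1+ with mysqli (mysqlnd for get_result()) and a users table
// with user and password_hash columns (hypothetical schema).

function buildQueryUnsafe(string $user, string $password): string
{
    // Never do this: the values become part of the SQL grammar.
    return "SELECT * FROM users WHERE user='$user' AND password='$password'";
}

function buildQueryEscaped(mysqli $db, string $user, string $password): string
{
    // The mysqli equivalent of the mysql_real_escape_string() call in the
    // post: quotes inside the values are backslash-escaped, so they stay
    // inside the string literal instead of closing it.
    return sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
        $db->real_escape_string($user),
        $db->real_escape_string($password));
}

function findUserSafe(mysqli $db, string $user, string $password): ?array
{
    // Prepared statement: the query text is fixed and $user travels
    // separately as data, so nothing in it can change the WHERE clause.
    // The password is verified against a hash in PHP, never inside SQL.
    $stmt = $db->prepare('SELECT user, password_hash FROM users WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Show what the input quoted in the post does to the unsafe query
// (string building only, no database needed).
echo buildQueryUnsafe('admin', "' OR ''='"), PHP_EOL;
```

With that input the unsafe builder produces a WHERE clause that ends in OR ''='', which is true for every row, so the password check is bypassed exactly as the post describes; the escaped builder keeps the quote inside the password literal, and the prepared statement never has the problem at all. Prepared statements are the one to standardise on: escaping is only correct when the connection's character set is set properly, while binding does not depend on it.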
 
arrond said:
Your guestbook is taking in user input, that is how they are able to inject code. You should validate Name, email and comment input. You're using PHP and a database to store the comments, yes?
Yes I am :) Problem is I just don't know how to validate them to stop unwanted input :(
 
arrond said:
Ok, it's a bit hard to explain everything if you don't know, but on my site you can also post comments, very similar to yours except you can only enter a name and comment. This is my code:

Code:
<?php

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO tblcom (Name, Comment, `Date`) VALUES (%s, %s, %s)",
                       GetSQLValueString($_POST['Name'], "text"),
                       GetSQLValueString($_POST['Comment'], "text"),
                       GetSQLValueString($_POST['Date'], "date"));

  // $database_blog and $blog (the MySQL link) are assumed to be set in a
  // connection include, as the generated code expects
  mysql_select_db($database_blog, $blog);
  $Result1 = mysql_query($insertSQL, $blog) or die(mysql_error());

  $insertGoTo = "comments.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
?>

It's a bit complicated I know, most of this was generated for me.
Aye, it is a bit complicated; I can't even work out where it stops certain characters being entered :(
 
Ah well, lots of searching and I still can't figure it out. All I know is I want it to do something like:

Search Comment, if HTML Tags then replace with " "
Search comment, If word > 20 characters then replace with " "
Submit to database
 
Ok, I tried to use the following code, but it did nothing at all...
Code:
			<?php
				$sel = mysql_connect("localhost","cpanelu_dci125","Manypeop");
				if (!$sel)
  				{
  					die('Could not connect: ' . mysql_error());
  				}
				mysql_select_db("cpanelu_dci125", $sel);

				$comment = mysql_query("SELECT * FROM guestbook ORDER BY commentID DESC");
				$line = mysql_fetch_array($comment);
				$line['name'] = strip_tags($line['name']);
				$line['email'] = strip_tags($line['email']);
				$line['comment'] = strip_tags($line['comment']);
				$line['name'] = substr($line['name'], 0, 50);
				$line['email'] = substr($line['email'], 0, 70);
				$line['comment'] = substr($line['comment'], 0, 30);
				$line['name'] = mysql_real_escape_string($line['name']);
				$line['email'] = mysql_real_escape_string($line['email']);
				$line['comment'] = mysql_real_escape_string($line['comment']);
	
				mysql_error();
	
				mysql_close($sel);
			?>
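Taken together, the posts above ask for three things: stop < and > (and script) from being rendered, break up words longer than about 20 characters, and show the newest comment first. Here is an added example (not code from the thread, and not how the thread author or arrond actually wrote theirs) of a guestbook insert and display that does all three. It assumes PHP 7+ with mysqli, the guestbook table from the first post (commentID, Name, Email, Comment), form fields named name, email and comment, and placeholder database credentials. The key point, and the reason the snippet just above that escaped rows after reading them changed nothing, is that length checks and the prepared INSERT happen on the way into the database while HTML encoding happens at output time.

```php
<?php
// Added example (not from the thread): guestbook insert + display with
// input length limits, a prepared INSERT, long-word wrapping and HTML
// encoding at output. Assumes the thread's table (commentID, Name, Email,
// Comment) and placeholder credentials.

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
if ($db->connect_error) {
    die('Could not connect to the database.');
}
$db->set_charset('utf8mb4');

const MAX_NAME    = 15;   // matches varchar(15) in the thread's CREATE TABLE
const MAX_EMAIL   = 40;   // varchar(40)
const MAX_COMMENT = 1000; // varchar(1000)
const MAX_WORD    = 20;   // longest unbroken run of characters allowed

// Returns an array of cleaned fields, or an error message string.
function validateGuestbookInput(array $post)
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $comment = trim($post['comment'] ?? '');

    if ($name === '' || $comment === '') {
        return 'Name and comment are required.';
    }
    // strlen() counts bytes, so multibyte text is limited more strictly than
    // the columns allow; that errs on the safe side.
    if (strlen($name) > MAX_NAME || strlen($email) > MAX_EMAIL || strlen($comment) > MAX_COMMENT) {
        return 'One of the fields is too long.';
    }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'That email address does not look valid.';
    }
    // wordwrap() with cut=true inserts a space into any word longer than
    // MAX_WORD; text with normal spacing passes through unchanged.
    $comment = wordwrap($comment, MAX_WORD, ' ', true);

    return ['name' => $name, 'email' => $email, 'comment' => $comment];
}

function insertComment(mysqli $db, array $f): bool
{
    // Prepared statement: values are bound as data, not spliced into SQL.
    $stmt = $db->prepare('INSERT INTO guestbook (Name, Email, Comment) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $f['name'], $f['email'], $f['comment']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// HTML-encode a stored value so "<script>" is shown as text, not run.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderGuestbook(mysqli $db): string
{
    // ORDER BY commentID DESC puts the newest comment at the top.
    $result = $db->query('SELECT Name, Email, Comment FROM guestbook ORDER BY commentID DESC');
    $html = '';
    while ($row = $result->fetch_assoc()) {
        $html .= 'Name: ' . h($row['Name']) . "<br />\n"
               . 'Email: ' . h($row['Email']) . "<br />\n"
               . 'Comment: ' . nl2br(h($row['Comment'])) . "<br /><br />\n<hr />\n";
    }
    $result->free();
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $checked = validateGuestbookInput($_POST);
    if (is_string($checked)) {
        echo h($checked);
    } elseif (!insertComment($db, $checked)) {
        echo 'Could not save your comment.';
    }
}
echo renderGuestbook($db);
$db->close();
```

strip_tags() is deliberately not used: encoding at output time preserves what the visitor typed (a comment that mentions <b> shows the literal text) and is the step that actually decides whether the browser interprets it. The long-word rule is applied to the comment on the way in, so the stored text is what gets displayed; keep the same MAX_WORD in mind if the display width changes.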
 