PHP/SQL feedback forum

DJMK4

DJMK4

DJMK4

Soldato
Joined
1 Dec 2004
Posts
23,076
Location
S.Wales
Im building a feedback forum from scratch, i was doing fine until i started implementing a time-stamp feature to stamp the posts, i was using the current_date function in SQL but someone advised me to use the now() function instead, which im implementing, See the below code:


Form:
Code: 
<form action='action.php' method='post'>

Name: <input type='text' name='name' size='20'><br>

Comment:<br>

<textarea name='comment' rows='5' cols='40'></textarea><br>

<input type='submit' name='submit' value='submit'></form>


Action:
Code: 
<?php

include "connect.php";

if(isset($_POST['submit']))

{

   $date=$_POST['date'];

   $name=$_POST['name'];

   $comment=$_POST['comment'];

   
   if(strlen($name)<1)


   {
	 print "You did not enter a name.";

   }

   else if(strlen($comment)<1)

   {

      print "You did not enter a comment.";

   }

   else

   {

	  $insert="Insert into visitordata (name,COMMENT,DATE) values('$name','$comment',now())";

      mysql_query($insert) or die("Could not insert comment");

      print "Comment added. <A href='display.php'>Click here</a> to see all comments.";

     }

  }

?>


Display:
Code: 
<?php

include "connect.php";

$getdata="SELECT * from visitordata order by entryid desc";

$getdata2=mysql_query($getdata) or die("Could not get data");

while($getdata3=mysql_fetch_array($getdata2))

{

  $getdata3[name]=strip_tags($getdata3[NAME]);

  $getdata3[comment]=strip_tags($getdata3[COMMENT]);
  print "-------------------------------------------------------------";
  print "<br>";
  print "Date/Time: $getdata3[DATE]";
  
  print "Name: $getdata3[NAME]<br>";
  
  print "$getdata3[COMMENT]<br>";

 
  

  }

but as you can see, if you goto www.dmoranda.co.uk/form.php i get the message "Did not enter a name" when i did..

anyone else spot an obvious mistake?
 
First of all I would try doing a var_dump on the $_POST variable to see if the data that you are expecting is actually being passed through, and take it from there.
 
Arrgh

SQL Injection!!

Wrapp all of your user input to the database using this function

PHP: 
function safe($value)
	{
	    // Stripslashes
	    if (get_magic_quotes_gpc()) {
	        $value = stripslashes($value);
	    }
	    // Quote if not a number or a numeric string
	    if (!is_numeric($value)) {
	        $value = "'" . mysql_real_escape_string($value) . "'";
	    }
	    return $value;
	}

Do you have errors enabled on your server?

im getting

Code: 
Notice: Undefined index: date in /home/jaffassite/public_html/ocuk/action.php on line 7
running on my host.
 
Last edited:
I have to say now my PHP/SQL is basic, and i do not know what your going on about when you say SQL Injection :p

Sorry, and yes errors are enabled, but i do not get any errors my end?
 
[Sniper][Wolf] said:
I have to say now my PHP/SQL is basic, and i do not know what your going on about when you say SQL Injection :p

Sorry, and yes errors are enabled, but i do not get any errors my end?
Click to expand...

SQL Injection is where users can manipulate your SQL Query, this is possible if you don't filter your input.

If i put a name in such as ' UNION INSERT... then it would muck up your query. You should be especially careful as this can lead to the script outputting usernames and passwords etc.

http://en.wikipedia.org/wiki/SQL_injection

The error you can see here:

Code: 
$date=$_POST['date'];

This line adds the $_POST input with the name date to a variable. From your form you can see that there is no input with the name date in your form.

Use the PHP date() function: http://uk2.php.net/date
 
Got it working thanks..

Bit im abit confused about, even after reading that link you gave me is the correct formatting for the output of the date. I want to use for example:

Monday 23rd April 2007

which in my eyes needs the following code added

Code: 
date('l, F j, Y')

as the string variable, then down the bottom somewhere i just output now()

it this the correct procedure?
 
Code: 
<?php

include "connect.php";

if(isset($_POST['submit']))

{

   date('l jS F Y'); 

   $name=$_POST['name'];

   $comment=$_POST['comment'];

   
   if(strlen($name)<1)


   {
	 print "You did not enter a name.";

   }

   else if(strlen($comment)<1)

   {

      print "You did not enter a comment.";

   }

   else

   {

	  $insert="Insert into visitordata (NAME,COMMENT,DATE) values('$name','$comment',now())";

      mysql_query($insert) or die("Could not insert comment");

      print "Comment added. <A href='display.php'>Click here</a> to see all comments.";

     }

  }

?>

like so?
 
PHP: 
<?php

include "connect.php";

	if(isset($_POST['submit'])) {

		$date = date('l jS F Y'); 
		$name = $_POST['name'];
		$comment = $_POST['comment'];   
			if (strlen($name) < 1) {
				print "You did not enter a name.";

			}
			else if(strlen($comment) < 1) {
				print "You did not enter a comment.";
			
			} else {
				$insert="INSERT INTO `visitordata` ( `NAME` , `COMMENT` , `DATE` ) VALUES ( " . safe($name) . " , " . safe($comment) . ", " . safe($date) . " )";
				mysql_query($insert) or die("Could not insert comment");
				print "Comment added. <a href='display.php'>Click here</a> to see all comments.";
			}

	}
  
	function safe($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number or a numeric string
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }  

?>

Tidied up some of your indentation and white spaces. SQL injection now patched :)
 
You must log in or register to reply here.
Back
Top Bottom