jeger003 Posted January 15, 2009 Share Posted January 15, 2009 hello everyone! i have a classified site and i display a table in php with all my users ads.....i want to highlight every other row so that i can be able to read it quicker. also this will be a public table i would appreciate it if you can tell me if you see any security risks....i recieve ALOT of hackers who enter mysql injections. here is my code: $sql_query = "SELECT id FROM sessions WHERE session = \"".$_COOKIE["session"]."\""; $results = mysql_query($sql_query) or die(mysql_error()); while($user_id = mysql_fetch_array($results)) $query = 'SELECT title,price,date,id,duration FROM classifieds WHERE seller = '.$user_id['id'].' '; $result2 = mysql_query($query) or die(mysql_error()); echo "<table border='0' cellpadding='2' bordercolor='#009900'>"; echo "<tr>"; echo "<td align='center' bgcolor='#009900'><b><font color='#FFFFFF' size='2'>ID</font></b></td>"; echo "<td bgcolor='#009900'><b><font color='#FFFFFF' size='2'>Date</font></b></td>"; echo "<td align='center' bgcolor='#009900'><b><font color='#FFFFFF' size='2'>Title</font></b></td>"; echo "<td align='center' bgcolor='#009900'><b><font color='#FFFFFF' size='2'>Price</font></b></td>"; echo "<td align='center' bgcolor='#009900'><b><font color='#FFFFFF' size='2'>Duration</font></b></td>"; echo "</tr>"; while($LogF = mysql_fetch_array($result2)) { echo "<tr>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['id']."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['date']."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".urldecode($LogF['title'])."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['price']."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['duration']."</font></td>"; echo "</tr>"; } echo "</table>"; Quote Link to comment Share on other sites More sharing options...
ngreenwood6 Posted January 15, 2009 Share Posted January 15, 2009 I haven't tested this but it might work: $count = 1 while($LogF = mysql_fetch_array($result2)) { if($count == 1) { echo "<tr>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['id']."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['date']."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".urldecode($LogF['title'])."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['price']."</font></td>"; echo "<td bgcolor='#94FF79' > <font size='2'>".$LogF['duration']."</font></td>"; echo "</tr>"; } elseif($count == 2) { echo "<tr>"; echo "<td bgcolor='#000000' > <font size='2'>".$LogF['id']."</font></td>"; echo "<td bgcolor='#000000' > <font size='2'>".$LogF['date']."</font></td>"; echo "<td bgcolor='#000000' > <font size='2'>".urldecode($LogF['title'])."</font></td>"; echo "<td bgcolor='#000000 > <font size='2'>".$LogF['price']."</font></td>"; echo "<td bgcolor='#000000' > <font size='2'>".$LogF['duration']."</font></td>"; echo "</tr>"; $count = 1 } $count++ } Please let me know if that works I am kinda curious myself lol. Quote Link to comment Share on other sites More sharing options...
Philip Posted January 15, 2009 Share Posted January 15, 2009 I'm just following ngreenwood6 today Just optimizing the code above, same principles. <?php $color = '#000000'; // define color first while($LogF = mysql_fetch_array($result2)) { echo "<tr>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['id']."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['date']."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".urldecode($LogF['title'])."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['price']."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['duration']."</font></td>"; echo "</tr>"; // Of course you could shorthand the following: // Or even put it in array to get multiple colors. if($color == '#000000') { $color = '#94FF79'; } else { $color = '#000000'; } } ?> Edit: forgot to define color before the loop Also, ngreenwood - on "$count = 1" you're missing a semicolon, but otherwise it would work Quote Link to comment Share on other sites More sharing options...
ngreenwood6 Posted January 15, 2009 Share Posted January 15, 2009 I was just about to tell you hat you needed to change the count to color before the while but I definitely like your solution better. Quote Link to comment Share on other sites More sharing options...
xtopolis Posted January 15, 2009 Share Posted January 15, 2009 @the OP Color alternations, their examples work, and you could shorten the if statement to a one liner $color = ($color == '#000000') ? '#94FF79' : '#000000'; Regarding security: Where do you verify the value of $_COOKIE['session'] ? Cookies can be modified/faked/etc... Also these lines: $sql_query = "SELECT id FROM sessions WHERE session = \"".$_COOKIE["session"]."\""; $results = mysql_query($sql_query) or die(mysql_error()); while($user_id = mysql_fetch_array($results)) $query = 'SELECT title,price,date,id,duration FROM classifieds WHERE seller = '.$user_id['id'].' '; $result2 = mysql_query($query) or die(mysql_error()); Seem off to me.. It seems like it's only returning one result set.. so I don't think you need a while loop. $user_id = mysql_fetch_array($results); ^-- could change to that if I'm understanding it right. Other than that, not much to look at because you only have one point of entry displayed. Quote Link to comment Share on other sites More sharing options...
jeger003 Posted January 15, 2009 Author Share Posted January 15, 2009 hey everyone Thanks SOOO MUCH FOR THE HELP!!! im sorry im just coming back from school this code below by kingphilip worked best very well done I'm just following ngreenwood6 today Just optimizing the code above, same principles. <?php $color = '#000000'; // define color first while($LogF = mysql_fetch_array($result2)) { echo "<tr>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['id']."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['date']."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".urldecode($LogF['title'])."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['price']."</font></td>"; echo "<td bgcolor='$color' > <font size='2'>".$LogF['duration']."</font></td>"; echo "</tr>"; // Of course you could shorthand the following: // Or even put it in array to get multiple colors. if($color == '#000000') { $color = '#94FF79'; } else { $color = '#000000'; } } ?> Edit: forgot to define color before the loop Also, ngreenwood - on "$count = 1" you're missing a semicolon, but otherwise it would work @ngreenwood6 yours worked great as well but i was only coloring the first row and the rest were black im not sure why. @xtopolis i think i may be having a security risk cause the cookies are being verify right off of the users computer and matched with my sessions table........thats how i'm able to display specific ads to the specific user.....so once a session is created in the sessions table it uses the user_id. should i be worried about that? and thanks for the fix up on the WHILE im not sure why i did it like that. THANKS AGAIN GUYS Quote Link to comment Share on other sites More sharing options...
xtopolis Posted January 15, 2009 Share Posted January 15, 2009 Are you using custom session handling or are you just doing something involving cookies to track a user in a db on top of normal sessions? I ask because your cookie is name "session" rather than "PHPSESSID"? Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 15, 2009 Share Posted January 15, 2009 This code is a little more efficient/flexible IMHO - and uses only one query and protects against SQL injection. I would highly suggest you use styles within your HTML. The FONT tag has been depricated since HTML 4.01 in 1999! Plus, you can use style classes that allow you to change the style for every cell with a single modification insterad of modifying each individual cell declaration in the HTML //Get the user records $query = "SELECT id, date, title, price, duration FROM classifieds JOIN sessions ON classifieds.seller = sessions.id WHERE sessions.session = '" . mysql_real_escape_string($_COOKIE['session']) . "'"; $result = mysql_query($query) or die(mysql_error()); if (!mysql_num_rows($result)) { echo "There were no results"; } else { //Create table header echo "<table style=\"font-size:10pt;" border=\"0\" cellpadding=\"2\">\n"; echo "<tr style=\"background-color:#009900;text-align:center;color:#FFFFFF;font-weight:bold;\">\n"; echo "<th>ID</th>\n"; echo "<th>Date</th>\n"; echo "<th>Title</th>\n\n"; echo "<th>Price</th>"; echo "<th>Duration</th>\n"; echo "</tr>\n"; //Display records while($LogF = mysql_fetch_array($result2)) { $bgcolor = ($bgcolor!='#94FF79') ? '#94FF79' : '#000000'; echo "<tr>"; foreach ($LogF as $field => $value) { echo "<td style=\"background-color:{#94FF79};\"> "; echo ($field!='title') ? $value : urldecode($value); echo "</td>\n"; } } echo "</table>"; } Quote Link to comment Share on other sites More sharing options...
jeger003 Posted January 15, 2009 Author Share Posted January 15, 2009 Are you using custom session handling or are you just doing something involving cookies to track a user in a db on top of normal sessions? I ask because your cookie is name "session" rather than "PHPSESSID"? well im just using cookies as a way to find the user ID of the person that just logged in. This way Im able to display there specific ad. My site is a script and its very complicated how they designed it but i found the cookies to be the only way to get a users id. because as soon as they log in a session is created in the sessions Table and after an hour or so it's deleted. yes I am using cookies to track a user in a db on top of normal sessions and the code you guys helped me put together i used that and put it into a module that the site allows me to create.The i can take that module and put it where ever i want to and it displays the users ads. i dont really know any other way to do it. How can I use "PHPSESSID" or do you know another way that i can do it? @mjdamato your code looks awesome never seen it done like this. i havent had the chance to put it to the test yet cause I'm at work but I cant wait to. You guys are absolutely wonderful! Thanks! Quote Link to comment Share on other sites More sharing options...
xtopolis Posted January 15, 2009 Share Posted January 15, 2009 Don't trust the cookie. If they login, they should have their userid stored in their session variables, or at least a way to access it. (be it lookup of username or w.e) but you should always base it on the server's knowledge, not the clients - clients can never be trusted. PHPSESSID is the default name of a cookie created by PHP when a user starts a session (session_start) You can change the name etc, but since you don't know what i meant, it probably is still the default. All I'm saying is that you should get the userid based on their login credentials, not a value supplied by them that you "assume" is what you had it at last time. You can still do all your database tracking etc. However, if a new cookie is created upon every logon then it's not as big of a deal, but still bad practice [trusting the client]. Quote Link to comment Share on other sites More sharing options...
jeger003 Posted January 15, 2009 Author Share Posted January 15, 2009 Don't trust the cookie. If they login, they should have their userid stored in their session variables, or at least a way to access it. (be it lookup of username or w.e) but you should always base it on the server's knowledge, not the clients - clients can never be trusted. PHPSESSID is the default name of a cookie created by PHP when a user starts a session (session_start) You can change the name etc, but since you don't know what i meant, it probably is still the default. All I'm saying is that you should get the userid based on their login credentials, not a value supplied by them that you "assume" is what you had it at last time. You can still do all your database tracking etc. However, if a new cookie is created upon every logon then it's not as big of a deal, but still bad practice [trusting the client]. yea, i never knew what PHPSESSID really was. i will have to look into that cause my sites security is kind of all over the place. i know what you mean about cookies and how they have been used to hack or get users info. thank you for the help!! Quote Link to comment Share on other sites More sharing options...
jeger003 Posted January 16, 2009 Author Share Posted January 16, 2009 hey guys i was about to mark this topic solved.....but i have one last small thing i'd like to add....... i went through mjdamato code but i couldnt get it to work.........but how do i make it so that if there is nothing to display it displays a message like "no ads available" like mjdamato has it......i would appreciate this last thing thanks guys Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 16, 2009 Share Posted January 16, 2009 You could simply use the same kind of logic I used - check if there are any records in the result. If so, show the results. If not, show an appropriate message. When you say you couldn't get the code to work, what does that mean? Were there errors? If so, what? I don't have your database to test with so the code was just written "off the cuff" and I didn't even test it for syntax errors. Any code I provide is typically as a guide for the person to build on. Which is why my sig states "I do not always test the code I provide, so there may be some syntax errors.". If you want to provide some specifics I'll be happy to help troubleshoot. Quote Link to comment Share on other sites More sharing options...
jeger003 Posted January 16, 2009 Author Share Posted January 16, 2009 You could simply use the same kind of logic I used - check if there are any records in the result. If so, show the results. If not, show an appropriate message. When you say you couldn't get the code to work, what does that mean? Were there errors? If so, what? I don't have your database to test with so the code was just written "off the cuff" and I didn't even test it for syntax errors. Any code I provide is typically as a guide for the person to build on. Which is why my sig states "I do not always test the code I provide, so there may be some syntax errors.". If you want to provide some specifics I'll be happy to help troubleshoot. I apologize if i offended you in anyway.....i had no intentions.....the error i recieve is Fatal error: Call to a member function FetchRow() on a non-object im not sure why cause i checked and double checked everything. Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 16, 2009 Share Posted January 16, 2009 No offense taken. OK, I see the error. I changed some of the variable names for "consistency". For example, if you are doing two queries and you have completely consumed the results of the first query before running the second query I reuse the variable for the query results. I can't confirm this, but it would seem logical that this would be more efficient from a memory perspective. If the first set of results are in one variable and you create a second variable for the second reslut - all of that data is in memory. By reusing the variable the first set of data is removed from memory and replaced by the second set. Plus, if I do use mutiple variables for queries or query results I would to give them descriptive names instead of $results1, $results, etc. There's nothing wrong with using those - it's a preference thing. But, it does make it easier if you have to go back to code at a later time. Anyway, just change this //Display records while($LogF = mysql_fetch_array($result2)) To this //Display records while($LogF = mysql_fetch_array($result)) Quote Link to comment Share on other sites More sharing options...
jeger003 Posted January 16, 2009 Author Share Posted January 16, 2009 hahah i works! yea i know what you mean......it does make it very difficult to go back to the code....i usaully end up rushing the whole thing and kind of naming it random stuff thank you for your help......i greatly appreciate it! Quote Link to comment Share on other sites More sharing options...
Nimbuz Posted January 16, 2009 Share Posted January 16, 2009 Oh, I just came across this (alternate rows) topic yesterday. This should work: for ($i=0; $i<10; $i++) { echo (($i % 2 == 0) ? 'even' : 'odd'); } ...because dividing by 2 will have a remainder of only 0 or 1. Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 16, 2009 Share Posted January 16, 2009 Oh, I just came across this (alternate rows) topic yesterday. This should work: for ($i=0; $i<10; $i++) { echo (($i % 2 == 0) ? 'even' : 'odd'); } ...because dividing by 2 will have a remainder of only 0 or 1. How is that more efficient than this $bgcolor = ($bgcolor!='#94FF79') ? '#94FF79' : '#000000'; The code you posted requires the script to maintain a counter variable and perform a division on each loop. And, then you could determine the value for the background color. The code I posted only has to do a single comparison to determine the color. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.