
I've been building a custom forum, and I was wondering if anyone would check it over and maybe add security fixes?

 

And also I need help with showing pages for posts/topics; mine's bugged.

 

Here is the forum.php file, which is the file that shows the topic.

 

<?php include('mysql.php'); ?>
<?php
  if (isset($_GET['f'])) {
    $forum = $_GET['f'];
  } else {
    $forum = 1;
  }
  $fnamequery = 'SELECT * FROM `[f]forums` WHERE `num` = '.$forum.'';
  $fnameresult = mysql_query($fnamequery);
  while ($fnamerow = mysql_fetch_assoc($fnameresult)) {
    $forumname = $fnamerow['name'];
  $catnum = $fnamerow['cat'];
  }
  $cnamequery = 'SELECT * FROM `[f]cats` WHERE `num` = '.$catnum.'';
  $cnameresult = mysql_query($cnamequery);
  while ($cnamerow = mysql_fetch_assoc($cnameresult)) {
    $catname = $cnamerow['name'];
  }
  $findertext = '<a href=viewforum.php?f='.$forum.'>'.$forumname.'</a>'; // [save for post] ' > <a href=viewforum.php?f='.$forum.'>'.$forumname.'</a>'
?>
<?php include('header.php'); ?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
      <tr>
        <td> </td>
        <td width="10%" align="center" valign="middle" class="bold">Posts</td>
        <td width="25%" class="bold">Last Post</td>
      </tr>
<?php
  // Check how many pages to make
  $postcount = 0;
  $pagecount = 0;
  $countquery = 'SELECT * FROM `[f]topic` WHERE `forum` = '.$forum.' ORDER BY `num` DESC';
  $countresult = mysql_query($countquery);
  while ($countrow = mysql_fetch_assoc($countresult)) {
    $postcount++;
  }
  $pagecount = ceil($postcount/20);
  if ($pagecount == 0) {
    $pagecount = 1;
  }
  // Now set page
  if (isset($_GET['p'])) {
    $page = $_GET['p'];
  } else {
    $page = 1;
  }
  if(isset($_COOKIE['rs_usr'])) {
    $userQuery = mysql_query("SELECT `mgroup` FROM `uber3_players` WHERE `name` = '".$_COOKIE['rs_usr']."'") or die(mysql_error());
    $userRow = mysql_fetch_array($userQuery);
    $rights = $userRow['mgroup'];
    if($forum == 1 && $rights >= 4){
    $reply = '<img src="ico/reply.gif" /> <a href="post.php?f='.$forum.'">New Topic</a> ';
    } else if($forum != 1){
    $reply = '<img src="ico/reply.gif" /> <a href="post.php?f='.$forum.'">New Topic</a> ';
    }
  }
  $startpost = ($page - 1) * 20;
  echo '	<tr bgcolor="#000000">
        <td colspan="1" style="border-left: 2px solid #382418; border-top: 2px solid #382418;">Page <b>'.$page.'</b> of <b>'.$pagecount.' </td>
	<td colspan="2" style="border-right: 2px solid #382418; border-top: 2px solid #382418;" align="right">'.$reply.' <img src="ico/refresh.gif" width="15" height="15" /><a href="'.$_SERVER['PHP_SELF'].'?f='.$_GET['f'].'"> Refresh</a></td>
        </tr>
      <tr>';
    $forumquery = 'SELECT * FROM `[f]topic` WHERE `forum` = '.$forum.' ORDER BY `num` DESC';
    $forumresult = mysql_query($forumquery);
while ($forumrow = mysql_fetch_assoc($forumresult)) {
	if($forumrow['name'] == "") $forumrow['name'] = "Untitled";
	$hidden = $forumrow['hidden'];

	if($hidden == 0){	
		echo '
			<td align="left" valign="top" style="border-left: 2px solid #382418;" bgcolor="#191919"><a href="viewpost.php?p='.$forumrow['num'].'">'.$forumrow['name'].'</a><br />Created by '.$forumrow['username'].'</td>
			<td width="10%" align="center" valign="middle" bgcolor="#191919">'.$forumrow['postcount'].'</td>
			<td width="25%" style="border-right: 2px solid #382418;" bgcolor="#191919">'.$forumrow['lastpostdate'].'<br />
			by '.$forumrow['lastpostname'].'</td>
			</tr>
			<tr>
				<td colspan="3" style="border-left: 2px solid #382418; border-right: 2px solid #382418;" bgcolor="#000000"> </td>
			</tr>';
	} else {
		echo '
			<td align="left" valign="top" style="border-left: 2px solid #382418;" bgcolor="#191919">This thread has been hidden</td>
			<td width="10%" align="center" valign="middle" bgcolor="#191919"></td>
			<td width="25%" style="border-right: 2px solid #382418;" bgcolor="#191919"></td>
			</tr>
			<tr>
				<td colspan="3" style="border-left: 2px solid #382418; border-right: 2px solid #382418;" bgcolor="#000000"> </td>
			</tr>';
	}
}
echo '	  <tr>
    <td colspan="3" style="border-top: 2px solid #382418;"> </td>
  </tr>';
?>
    </table><br />
<?php include('footer.php'); ?>

 

Here is viewpost.php, which is the file that shows the post.

 

<?php include('mysql.php'); ?>
<?php
  if (isset($_GET['p'])) {
    $topic = $_GET['p'];
  } else {
    $topic = 1;
  }
  $tnamequery = 'SELECT * FROM `[f]topic` WHERE `num` = \''.$topic.'\'';
  $tnameresult = mysql_query($tnamequery);
  while ($tnamerow = mysql_fetch_assoc($tnameresult)) {
    $forumnum = $tnamerow['forum'];
$topicname = $tnamerow['name'];
  }
  $fnamequery = 'SELECT * FROM `[f]forums` WHERE `num` = \''.$forumnum.'\'';
  $fnameresult = mysql_query($fnamequery);
  while ($fnamerow = mysql_fetch_assoc($fnameresult)) {
    $catnum = $fnamerow['cat'];
$forumname = $fnamerow['name'];
  }
  $cnamequery = 'SELECT * FROM `[f]cats` WHERE `num` = \''.$catnum.'\'';
  $cnameresult = mysql_query($cnamequery);
  while ($cnamerow = mysql_fetch_assoc($cnameresult)) {
    $catname = $cnamerow['name'];
  }
  $findertext = ' <a href=viewforum.php?f='.$forumnum.'>'.$forumname.'</a> > <a href="viewpost.php?p='.$topic.'">'.$topicname.'</a>';
?>
<?php include('header.php'); ?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<?php
  // Check how many pages to make
  $postcount = 0;
  $pagecount = 0;
  $countquery = 'SELECT * FROM `[f]post` WHERE `topic` = \''.$topic.'\' ORDER BY `num` ASC';
  $countresult = mysql_query($countquery);
  while ($countrow = mysql_fetch_assoc($countresult)) {
    $postcount++;
  }
  $pagecount = ceil($postcount/10);
  if ($pagecount == 0) {
    $pagecount = 1;
  }
  // Now set page
  if (isset($_GET['pg'])) {
    $page = $_GET['pg'];
  } else {
    $page = 1;
  }
  if(isset($_COOKIE['rs_usr'])) {
    $reply = '<img src="ico/reply.gif" /> <a href="post.php?t='.$topic.'">Reply</a> ';
  }
  echo '	<tr bgcolor="#000000">
        <td colspan="1" class="brown-left">Page <b>'.$page.'</b> of <b>'.$pagecount.' </td>
	<td colspan="1" class="brown-right" align="right">'.$reply.' <img src="ico/refresh.gif" width="15" height="15" /><a href="'.$_SERVER['PHP_SELF'].'?p='.$_GET['p'].'"> Refresh</a></td>
        </tr><tr><td colspan="2"> </td>';
    $postquery = 'SELECT * FROM `[f]topic` WHERE `num` = \''.$topic.'\'';
    $postresult = mysql_query($postquery);
while ($postrow = mysql_fetch_assoc($postresult)) {
      $userquery = 'SELECT * FROM `uber3_players` WHERE `name` = \''.$postrow['username'].'\'';
      $userresult = mysql_query($userquery);
  while ($userrow = mysql_fetch_assoc($userresult)) {
  if ($userrow['mgroup'] == 0) {
    $title = ''; //User
	$icon = '';
	$bordercolor = "#3f2e0f";
	$leftcolor = "#2c200a";
	$rightcolor = "#1f1707";
  }
  if ($userrow['mgroup'] == 1) {
    $title = '<div class="modtype">Forum Mod</div>';
	$icon = '<img src="ico/crown_green.gif" /> ';
	$bordercolor = "#294729";
	$leftcolor = "#092709";
	$rightcolor = "#092009";
  }
  if ($userrow['mgroup'] == 4) {
    $title = '<div class="modtype">Funified Mod</div>';
	$icon = '<img src="ico/crown_gold.gif" /> ';
	$bordercolor = "#957c07";
	$leftcolor = "#645305";
	$rightcolor = "#403503";
  }
  if ($userrow['mgroup'] == 9) {
    $title = '<div class="modtype">Funified Mod</div>';
	$icon = '<img src="ico/crown_gold.gif" /> ';
	$bordercolor = "#294729";
	$leftcolor = "#092709";
	$rightcolor = "#092009";
  }
      echo '  <tr>
    <td width="150" rowspan="2" bgcolor="'.$leftcolor.'" style="border: 4px solid '.$bordercolor.'; border-right: 0px none;"  align="center" valign="top">'.$icon.' '.$postrow['username'].'<br />'.$title.'</td>
    <td align="right" bgcolor="'.$rightcolor.'" style="border-top: 4px solid '.$bordercolor.'; color: #888888; border-right: 4px solid '.$bordercolor.';" valign="top">'.$postrow['date'].'</td>
  </tr>
  <tr>
    <td align="left" bgcolor="'.$rightcolor.'" valign="top" style="border-bottom: 4px solid '.$bordercolor.'; border-right: 4px solid '.$bordercolor.';">'.$postrow['text'].'<br /><br /></td>
  </tr>
  <tr>
    <td colspan="2"> </td>
  </tr>';
  	  }
    }

    $postquery = 'SELECT * FROM `[f]post` WHERE `topic` = \''.$_GET['p'].'\' ORDER BY `num` ASC';
    $postresult = mysql_query($postquery);
$postlimit = 0;
$postnum = -1;
while ($postrow = mysql_fetch_assoc($postresult)) {
  $postlimit++;
      $userquery = 'SELECT * FROM `uber3_players` WHERE `name` = \''.$postrow['username'].'\'';
      $userresult = mysql_query($userquery);
  while ($userrow = mysql_fetch_assoc($userresult)) {
  if ($userrow['mgroup'] == 0) {
    $title = ''; //Users
	$icon = '';
	$bordercolor = "#3f2e0f";
	$leftcolor = "#261d14";
	$rightcolor = "#1f1707";
  }
  if ($userrow['mgroup'] == 1) {
    $title = '<div class="modtype">Forum Mod</div>';
	$icon = '<img src="ico/crown_green.gif" /> ';
	$bordercolor = "#294729";
	$leftcolor = "#092709";
	$rightcolor = "#092009";
  }
  if ($userrow['mgroup'] == 4) {
    $title = '<div class="modtype">Funified Mod</div>';
	$icon = '<img src="ico/crown_gold.gif" /> ';
	$bordercolor = "#8c7a16";
	$leftcolor = "#4c4205";
	$rightcolor = "#3e3605";
  }
  if ($userrow['mgroup'] == 9) { // NOTE: the group number on this line was lost from the original post (most likely eaten by the forum's smiley parser); 9 is assumed here to match the fourth block of the loop above
    $title = '<div class="modtype">Funified Mod</div>';
	$icon = '<img src="ico/crown_gold.gif" /> ';
	$bordercolor = "#8c7a16";
	$leftcolor = "#4c4205";
	$rightcolor = "#3e3605";
  }
	$hidden = $postrow['hidden'];
	if($hidden == 0){
	echo '
		<tr>
				<td width="150" rowspan="2" bgcolor="'.$leftcolor.'" style="border: 4px solid '.$bordercolor.'; border-right: 0px none;"  align="center" valign="top">'.$icon.' '.$postrow['username'].'<br />'.$title.'</td>
		<td align="right" bgcolor="'.$rightcolor.'" style="border-top: 4px solid '.$bordercolor.'; color: #888888; border-right: 4px solid '.$bordercolor.';" valign="top">'.$postrow['date'].'</td>
		</tr>
		<tr>
			<td align="left" bgcolor="'.$rightcolor.'" valign="top" style="border-bottom: 4px solid '.$bordercolor.'; border-right: 4px solid '.$bordercolor.';">'.$postrow['text'].'<br /><br /></td>
		</tr>
		<tr>
			<td colspan="2"> </td>
		</tr>
	';
	} else {
	/*
	$bordercolor = "#3f2e0f";
	$leftcolor = "#2c200a";
	$rightcolor = "#1f1707";
	*/
	echo '
	<tr>
				<td width="150" rowspan="2" bgcolor="#2c200a" style="border: 4px solid #3f2e0f; border-right: 0px none;"  align="center" valign="top"></td>
		<td align="right" bgcolor="#1f1707" style="border-top: 4px solid #3f2e0f; color: #888888; border-right: 4px solid #3f2e0f;" valign="top">'.$postrow['date'].'</td>
		</tr>
		<tr>
			<td align="left" bgcolor="#1f1707" valign="top" style="border-bottom: 4px solid #3f2e0f; border-right: 4px solid #3f2e0f;">The contents of this message have been hidden<br /><br /></td>
		</tr>
		<tr>
			<td colspan="2"> </td>
		</tr>
	';
	}
  	  }
    }
?>
    </table><br />

<center>Quick find code: <?php echo $topic; ?></center>
<?php include('footer.php'); ?>

 

 

And posting topics/replies is messed up. When you reply/make a topic, it doesn't go onto a new line if it's long; it just keeps the post getting longer and longer.

 

Here is post.php

 

<?php
include ('mysql.php');
if (isset($_POST['Submit']) && isset($_COOKIE['rs_usr'])) {
  // Set correct date
  $date = date("j-M-Y H:i:s"); // format string quoted: the bare j, M, Y... were treated as undefined constants
  // Well, we have to get a few pieces of data =D
  if (!isset($_POST['topic'])) {
	$topic = $_POST['forum'];
	$topicquery = 'SELECT * FROM `[f]topic` WHERE `num` = \''.$topic.'\'';
	$topicresult = mysql_query($topicquery);
	while ($topicrow = mysql_fetch_assoc($topicresult)) {
		$forum = $topicrow['forum'];
		$topicpostz = $topicrow['postcount'];
	}
	$forumquery = 'SELECT * FROM `[f]forums` WHERE `num` = \''.$forum.'\'';
	$forumresult = mysql_query($forumquery);
	while ($forumrow = mysql_fetch_assoc($forumresult)) {
		$forumpostz = $forumrow['postcount'];
	}
	$topicpostz++;
	$forumpostz++;
  } else {
    $forum = $_POST['forum'];
    $forumquery = 'SELECT * FROM `[f]forums` WHERE `num` = \''.$forum.'\'';
	$forumresult = mysql_query($forumquery);
	while ($forumrow = mysql_fetch_assoc($forumresult)) {
		$forumthreadz = $forumrow['threadcount'];
	}
	$forumthreadz++;
  }
  // Now we get all our input, and stuff them into variables
  // Make sure there not trying to use html =3
  $message = str_replace("<", "&lt;", $_POST['message']); // entities restored; the forum rendered them back to < and >
  $message = str_replace(">", "&gt;", $message);
  // Add the breaks
  $message = str_replace("\n", "<br />", $message);
  $hide = 0;
  // Now onto topic, make sure there not trying to use HTML
  $name = str_replace("<", "&lt;", $_POST['topic']);
  $name = str_replace(">", "&gt;", $name);
  if($name == "") $name = "Untitled";

  // Just to put everything in a line and avoid MySQL errors
  $name = str_replace("\n", " ", $name);
  // Now, were done with all the updating CRAP, now to add the post =3
  // Now, if its a post, we want this:
  if (!isset($_POST['topic'])) {
    mysql_query("INSERT INTO `[f]post` (`num`, `topic`, `text`, `username`, `date`) VALUES ('', '".$topic."', '".$message."', '".$_COOKIE['rs_usr']."', '".$date."')");
    mysql_query("UPDATE `[f]forums` SET `postcount` = '".$forumpostz."', `lastpostdate` = '".$date."', `lastpostname` = '".$_COOKIE['rs_usr']."' WHERE `num` = '".$forum."' ") or die('Error1');
    mysql_query("UPDATE `[f]topic` SET `postcount` = '".$topicpostz."', `lastpostdate` = '".$date."', `lastpostname` = '".$_COOKIE['rs_usr']."' WHERE `num` = '".$topic."'") or die('Error2');
  } else {
  // Else we want this:
    mysql_query("UPDATE `[f]forums` SET `threadcount` = '".$forumthreadz."', `lastpostdate` = '".$date."', `lastpostname` = '".$_COOKIE['rs_usr']."' WHERE `num` = '".$forum."'") or die('Error3');
    mysql_query("INSERT INTO `[f]topic` ( `num` , `forum` , `name` , `text` , `username` , `postcount` , `lastpostdate` , `lastpostname` , `date`, `hidden`) VALUES (NULL, '".$forum."', '".$name."', '".$message."', '".$_COOKIE['rs_usr']."', '1', '".$date."', '".$_COOKIE['rs_usr']."', '".$date."', '".$hide."')") or die(mysql_error());
  }
  // Now, we setup our redirect =) Go to the post!
  // If it was a post, we want to go into the topic
  if (!isset($_POST['topic'])) {
    $redirect = "viewpost.php?p=".$topic;
  } else {
  // Else we know its a new topic, and we want to view it on in the forum
    $redirect = "viewforum.php?f=".$forum;
  }
  // Well, now there redirected and blah blah
  $posttext = '  <table width="100%" border="0" cellspacing="0" cellpadding="0" style="border: 2px solid #382418; background-color: #1c1610;">
  <tr>
  <td><center>You will be redirected shortly</center><meta http-equiv="Refresh" content="2;url='.$redirect.'"></td>
  </tr>
  </table>';
} else if (!isset($_POST['Submit']) && isset($_COOKIE['rs_usr'])) {
  if (isset($_GET['t'])) {
    $foruminput = '<tr><td width="150">Topic:</td><td><input type="text" name="forum" value="'.$_GET['t'].'" readonly="readonly" /></td></tr>';
  } else {
    $foruminput = '  <tr><td width="150">Topic Name:</td><td><input type="text" name="topic"></td></tr>
  <tr><td width="150">Forum:</td><td><input type="text" name="forum" value="'.$_GET['f'].'" readonly="readonly" /></td></tr>';
  }
  $posttext = '  <form action="'.$_SERVER['PHP_SELF'].'" method="post">
  <table width="100%" border="0" cellspacing="0" cellpadding="0" style="border: 2px solid #382418; background-color: #1c1610;">
  <tr><td width="150">Username:</td><td>'.$crown.''.$_COOKIE['rs_usr'].'</td></tr>
  '.$foruminput.'
  <tr><td width="150" align="left" valign="top">Message:</td><td><textarea style="width: 100%;" rows="10" name="message"></textarea></td></tr>
  <tr><td colspan="2" align="center" valign="top"><input type="submit" name="Submit" value="Submit"></td></tr>
  </table>
  </form>';
} else {
  $posttext = '  <table width="100%" border="0" cellspacing="0" cellpadding="0" style="border: 2px solid #382418; background-color: #1c1610;">
  <tr>
  <td>You must be logged in to use this feature.</td>
  </tr>
  </table>';
}
include ('header.php');
echo $posttext;
include ('footer.php');

 

 

 

Any other files needed, just tell me. If you have any fixes, just paste the code. Thanks, Yuws

https://forums.phpfreaks.com/topic/148428-help-with-my-custom-forums/

Hi

 

Fair bit of code to go through there.

 

One thing I noticed is that you use $_GET['f'] (for example) and if it is set you assign it to $forum. Bit insecure. While you could fully clean it I would be inclined to just use $forum = intval($_GET['f']);. This would return 0 if it was passed a pure character value.

 

You are also using inverted commas around numeric field values in some of the SQL.

 

You might also want to do a check that the user has access to the particular forum they have tried to view.

 

All the best

 

Keith
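The points in the reply above, worked through as an added example (this is not code from the thread or from Yuws's forum): `intval()` on the `f` and `p` parameters, numeric columns compared without inverted commas, the value bound rather than concatenated into the SQL, and a per-forum access check. It also goes a step beyond the reply by applying a `LIMIT`/`OFFSET` to the topic query, since forum.php computes `$startpost` but never uses it, which is why every page shows every topic. Assumed: a mysqli connection in `$db`, the thread's table names `[f]forums`, `[f]topic` and `uber3_players` taken literally, a `minrights` column on `[f]forums` that the thread's schema does not show, and a username kept in `$_SESSION['user']` instead of the client-settable `rs_usr` cookie.

```php
<?php
// Added example, not the thread's code. Assumptions: mysqli connection in $db, the
// thread's table names taken literally, an assumed `minrights` column on `[f]forums`,
// and the logged-in username held in $_SESSION['user'] rather than a client-set cookie.
session_start();

const TOPICS_PER_PAGE = 20;

/** Coerce a request parameter to a positive integer; anything else becomes $default. */
function positiveInt(array $src, string $key, int $default): int
{
    if (!isset($src[$key])) {
        return $default;
    }
    $v = intval($src[$key]); // intval('1 OR 1=1') === 1, intval('abc') === 0
    return $v > 0 ? $v : $default;
}

/** Returns the forum row, or null if it does not exist or the user may not view it. */
function loadForumForUser(mysqli $db, int $forum, string $user): ?array
{
    // Numeric column, no quotes, value bound as an integer.
    $stmt = $db->prepare('SELECT `num`, `name`, `cat`, `minrights` FROM `[f]forums` WHERE `num` = ?');
    $stmt->bind_param('i', $forum);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        return null;
    }
    // Access check: the user's group must reach the forum's assumed `minrights` value.
    $stmt = $db->prepare('SELECT `mgroup` FROM `uber3_players` WHERE `name` = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $player = $stmt->get_result()->fetch_assoc();
    $rights = $player ? (int)$player['mgroup'] : 0;
    return $rights >= (int)$row['minrights'] ? $row : null;
}

/** One page of topics plus the page count; COUNT(*) replaces looping over every row. */
function topicPage(mysqli $db, int $forum, int $page): array
{
    $stmt = $db->prepare('SELECT COUNT(*) AS c FROM `[f]topic` WHERE `forum` = ?');
    $stmt->bind_param('i', $forum);
    $stmt->execute();
    $total = (int)$stmt->get_result()->fetch_assoc()['c'];
    $pages = max(1, (int)ceil($total / TOPICS_PER_PAGE));
    $page  = min($page, $pages); // clamp ?p=999 to the last page instead of an empty one
    $offset = ($page - 1) * TOPICS_PER_PAGE;
    $limit  = TOPICS_PER_PAGE;

    $stmt = $db->prepare('SELECT `num`, `name`, `username`, `postcount`, `lastpostdate`, `lastpostname`, `hidden`
                          FROM `[f]topic` WHERE `forum` = ? ORDER BY `num` DESC LIMIT ? OFFSET ?');
    $stmt->bind_param('iii', $forum, $limit, $offset);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    return ['page' => $page, 'pages' => $pages, 'topics' => $rows];
}

// --- usage, as forum.php would call it (placeholder credentials) ---
$db    = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
$forum = positiveInt($_GET, 'f', 1);
$page  = positiveInt($_GET, 'p', 1);
$user  = $_SESSION['user'] ?? '';
$forumRow = loadForumForUser($db, $forum, $user);
if ($forumRow === null) {
    http_response_code(403);
    exit('You do not have access to this forum.');
}
$view = topicPage($db, $forum, $page);
echo 'Page ', $view['page'], ' of ', $view['pages'], "\n";
foreach ($view['topics'] as $t) {
    // Escape on output so a topic name containing HTML renders as text.
    echo htmlspecialchars($t['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the value bound as an integer the `intval()` call is belt and braces, but it keeps the behaviour Keith describes: a non-numeric `f` becomes the default forum rather than a database error. The same `positiveInt()` and `LIMIT`/`OFFSET` pattern applies unchanged to viewpost.php's `p` and `pg` parameters with a page size of 10.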
