mjxs Posted June 29, 2011

Hey everyone. I'm new here, and let me apologize if I am reposting a question; I've looked through the forums for a while and can't seem to find anything similar. I'm using Jono Bacon's "Practical PHP and MySQL with Applications" and working my way through his blog project. All seems good and well, but I got to the part about submitting new comments on blog posts. When I click the submit button, it should post the various information to the MySQL database. It does this, but the submit button doesn't refresh the page. It does submit the MySQL query, so if I manually reload, the new comment shows up, but the submit button doesn't cause the page to refresh automatically. Below is my code. Any help is greatly appreciated.

<?php
require("config.php");

$error = 0;
if(isset($_GET['id']) == TRUE) {
    if(is_numeric($_GET['id']) == FALSE) {
        $error = 1;
    }
    if($error == 1) {
        header("Location: " . $config_basedir);
    }else{
        $validentry = $_GET['id'];
    }
}else{
    $validentry = 0;
}

//check to see if this page is being loaded as the result of a comment being submitted
if(isset($_POST['submit'])){
    $db = mysql_connect($dbhost, $dbuser, $dbpassword); //appears to return a pointer to the database
    mysql_select_db($dbdatabase, $db);

    $sql = "INSERT INTO comments(blog_id, tier, replyto, dateposted, name, comment) VALUES(" . $validentry . ", 1, 0, NOW(), '" . $_POST['name'] . "', '" . $_POST['comment'] . "');";
    mysql_query($sql);

    header("Location: http://" . $HTTP_HOST . $SCRIPT_NAME . "?id=" . $validentry);
}else{
    //code goes here
}

require("header.php");

if($validentry == 0) {
    $sql = "SELECT entries.*, categories.cat FROM entries, categories WHERE entries.cat_id = categories.id ORDER BY dateposted DESC LIMIT 1;";
}else{
    $sql = "SELECT entries.*, categories.cat FROM entries, categories WHERE entries.cat_id = categories.id AND entries.id = " . $validentry . " ORDER BY dateposted DESC LIMIT 1;";
}
$result = mysql_query($sql);
$row = mysql_fetch_assoc($result);

echo "<h2>" . $row['subject'] . "</h2><br>";
echo "<i>In <a href='viewcat.php?id=" . $row['cat_id'] . "'>" . $row['cat'] . "</a> - Posted on " . date("D jS F Y g.iA", strtotime($row['dateposted'])) . "</i>";
echo "<p>";
echo nl2br($row['body']);
echo "</p>";

//form the SQL; we only want top level comments as these are replies to the post itself
$commsql = "SELECT * FROM comments WHERE blog_id = " . $validentry . " AND tier = 1 ORDER BY dateposted DESC;";
//now send the query
$commresult = mysql_query($commsql);
//now count how many comments we have
$num_commrows = mysql_num_rows($commresult);

echo "<div id='comment'>";
if ($num_commrows == 0) {
    echo "<p><i>No comments.</i></p>";
}else{
    $i = 0;
    //take each result row as an array - use this as the sentinel control
    while($commrow = mysql_fetch_assoc($commresult)) {
        //first set up the formatting tag. Build a table
        echo "<table><tr class='commentinfo'><td class='commentauthor'>";
        //post the comment info; name and date
        echo "<a name='comment" . $i . "'>";
        echo "Comment by " . $commrow['name'] . "</a></td>";
        //next cell, put the date on the far right
        echo "<td class='commentdate'>";
        echo date("D jS F Y g.iA", strtotime($commrow['dateposted'])) . "</td></tr><tr><td class='commentbody' colspan=2>";
        echo $commrow['comment'];
        echo "</td></tr>";
        //stick in the reply button
        echo "<tr class='commentoptions'><td colspan=2>[reply]</td></tr>";
        echo "</table>";

        //now we stick in replies to the comments
        $repsql = "SELECT * FROM comments WHERE blog_id = " . $validentry . " AND tier = 2 AND replyto = " . $commrow['id'] . " ORDER BY dateposted DESC;";
        $represult = mysql_query($repsql);
        $num_reprows = mysql_num_rows($represult);
        if ($num_reprows > 0) {
            //take each result row as an array - use this as the sentinel control
            while($reprow = mysql_fetch_assoc($represult)) {
                //first set up the formatting tag. Build a table
                echo "<table style='margin-left:50px;'><tr class='commentinfo'><td class='commentauthor'>";
                //post the comment info; name and date
                echo "Comment by " . $reprow['name'] . "</td>";
                //next cell, put the date on the far right
                echo "<td class='commentdate'>";
                echo date("D jS F Y g.iA", strtotime($reprow['dateposted'])) . "</td></tr><tr><td class='commentbody' colspan=2>";
                echo $reprow['comment'];
                echo "</td></tr>";
                echo "</table>";
            }
        }
        $i++;
    }
}
//close off the div tag
echo "</div>";
?>

<h3>Leave a comment</h3>
<form action="<?php echo $_SERVER['SCRIPT_NAME'] . "?id=" . $validentry; ?>" method="post">
<table>
    <tr>
        <td>Your name:</td>
        <td><input type="text" name="name"></td>
    </tr>
    <tr>
        <td>Comments:</td>
        <td><textarea name="comment" rows="10" cols="50"></textarea></td>
    </tr>
    <tr>
        <td></td>
        <td><input type="submit" name="submit" value="Add comment"></td>
    </tr>
</table>
</form>

<?php require("footer.php"); ?>
fugix Posted June 29, 2011

So you're saying that when you click the submit button, it doesn't refresh the screen at all? Or just the actual page that your tables are on?
mjxs Posted June 29, 2011 Author

> So you're saying that when you click the submit button, it doesn't refresh the screen at all? Or just the actual page that your tables are on?

Correct. The page stays completely static, as if the button does nothing. But if I manually refresh, the new comments are there.
mjxs Posted June 30, 2011 Author

I don't suppose anyone has any ideas? Still haven't found a resolution :/
floridaflatlander Posted June 30, 2011

> I'm using Jono Bacon's "Practical PHP and MySQL with Applications" and working my way through his blog project.

Does this guy have a forum? Most authors do. Also look at your form's HTML and see if anything sticks out.
cyberRobot Posted June 30, 2011

> So you're saying that when you click the submit button, it doesn't refresh the screen at all? Or just the actual page that your tables are on?
>
> Correct. The page stays completely static, as if the button does nothing. But if I manually refresh, the new comments are there.

It sounds like the MySQL insert is happening later than expected. Maybe the insert is happening after the code where you get the list of comments. Have you tried adding debugging code throughout the script to see if things are executing as expected? For example, you can make sure $validentry is set to the value you expect by doing something like this:

if(isset($_GET['id']) == TRUE) {
    //...
}else{
    $validentry = 0;
}
echo $validentry;

You can see if the form is being submitted by doing something like:

if(isset($_POST['submit'])){
    echo 'here';

If the code works as expected, keep moving throughout the code until you hopefully find the bug.
mjxs Posted June 30, 2011 Author

Well, $validentry must be the right value, otherwise the rest of the code would fall apart (since it's used to determine what post a new comment is attached to, and the comments DO work; the page just doesn't refresh). Nonetheless, I still inserted the code as you suggest, and sure enough it is the right value. The SQL injection is literally the first thing that happens. I also noted that the bracket ("}") in the else condition where it says "//code goes here" was supposed to be just before the call for footer.php, so I changed that. However, it still doesn't update the page. I used your suggestion for an echo call after the $_POST['submit'] condition, but since the page doesn't refresh, it doesn't even get to that point. I know that header() will fail if any information is sent to the client before that call is executed, but I can't see anywhere where anything, even whitespace, would be sent to the client; since it is injecting data into my MySQL database, I know it is getting into that part of the if statement, but for some reason, clicking that button just isn't causing the browser to reload the page. I'm wondering if this could have something to do with browser caching issues? I'm going to try it in IE, but if anyone has any additional suggestions, by all means, please help.
mjxs Posted June 30, 2011 Author

Apologies for the double post. I just changed this line:

header("Location: http://" . $HTTP_HOST . $SCRIPT_NAME . "?id=" . $validentry);

to

header("Location: http://www.google.com/");

And sure enough, now when I submit a comment, I get redirected to Google. So why isn't my page refreshing, and how can I fix it? Is there something wrong with the header() code?

UPDATE: I stuck the following line in:

echo "<h1>HTTP_HOST: " . $HTTP_HOST . "<BR>SCRIPT_NAME: " . $SCRIPT_NAME . "<BR>validentry: " . $validentry;

and I got this:

Notice: Undefined variable: HTTP_HOST in C:\xampp\htdocs\blog\viewentry.php on line 47
Notice: Undefined variable: SCRIPT_NAME in C:\xampp\htdocs\blog\viewentry.php on line 47

I'm taking a wild guess that these variables or this syntax is deprecated?
fugix Posted June 30, 2011

Before using it in your header, try to echo it to validate that it is a legitimate URL.
mjxs Posted June 30, 2011 Author

Aha. The culprit? This:

header("Location: http://" . $HTTP_HOST . $SCRIPT_NAME . "?id=" . $validentry);

Needed to be this:

header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'] . "?id=" . $validentry);

I guess the syntax for predefined variables must have changed some time after the publication of the manual I'm using. Either way, I've spent years working with and debugging C, Java and VB, but PHP is clearly an all-new sort of monster in this sense. Nonetheless, thanks for all your help, and hopefully I didn't waste too much of this board's time. I'll try to keep the n00b issues to a minimum.
fugix Posted June 30, 2011

> Aha. The culprit? This:
>
> header("Location: http://" . $HTTP_HOST . $SCRIPT_NAME . "?id=" . $validentry);
>
> Needed to be this:
>
> header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'] . "?id=" . $validentry);
>
> I guess the syntax for predefined variables must have changed some time after the publication of the manual I'm using. Either way, I've spent years working with and debugging C, Java and VB, but PHP is clearly an all-new sort of monster in this sense. Nonetheless, thanks for all your help, and hopefully I didn't waste too much of this board's time. I'll try to keep the n00b issues to a minimum.

Wow, yeah, didn't even notice that, dumb of me... those variables are stored in the $_SERVER predefined array. Glad you found your error.
cyberRobot Posted June 30, 2011

Maybe you're already aware of this, but your code is currently susceptible to MySQL injection attacks. You may want to take a look at the following article: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

And become familiar with the mysql_real_escape_string() function: http://php.net/manual/en/function.mysql-real-escape-string.php

Also, I've never used $_SERVER['SCRIPT_NAME'], so I'm not sure if it has the same problems as $_SERVER['PHP_SELF']: http://www.mc2design.com/blog/php_self-safe-alternatives
fugix Posted June 30, 2011

The reason why $_SERVER['PHP_SELF'] poses such an issue as far as injection is concerned is because it incorporates $_SERVER['PATH_INFO'], which can be tampered with by users. To my knowledge, $_SERVER['SCRIPT_NAME'] does not incorporate PATH_INFO; however, I would check a reference before being confident.
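The thread's three findings (the $_SERVER fix for the redirect, the string-concatenated INSERT that cyberRobot flagged, and the PHP_SELF/SCRIPT_NAME question) pulled together in one hardened version of the comment-submit path. This is an added example, not code from the book or from any poster; it assumes the same config.php variables ($dbhost, $dbuser, $dbpassword, $dbdatabase, $config_basedir) and the same comments table as the original script, and uses mysqli prepared statements in place of the old mysql_* functions.

```php
<?php
// Added example (not from the book or the thread): the comment-insert path
// rewritten with mysqli prepared statements and $_SERVER-based URLs.
// Assumes $dbhost, $dbuser, $dbpassword, $dbdatabase and $config_basedir
// come from config.php as in the original, and the same 'comments' columns.
require("config.php");

// Only accept an all-digit entry id; anything else is sent back to the base URL.
$validentry = 0;
if (isset($_GET['id'])) {
    if (!is_string($_GET['id']) || !ctype_digit($_GET['id'])) {
        header("Location: " . $config_basedir);
        exit;                       // header() does not stop the script by itself
    }
    $validentry = (int) $_GET['id'];
}

if (isset($_POST['submit'])) {
    $db = new mysqli($dbhost, $dbuser, $dbpassword, $dbdatabase);
    if ($db->connect_error) {
        die("Database connection failed");   // keep driver details off the page
    }

    // Placeholders keep user input out of the SQL text, so quotes in
    // $_POST['name'] or $_POST['comment'] cannot change the statement.
    $stmt = $db->prepare(
        "INSERT INTO comments (blog_id, tier, replyto, dateposted, name, comment)
         VALUES (?, 1, 0, NOW(), ?, ?)"
    );
    $name    = substr(trim($_POST['name'] ?? ''), 0, 100);
    $comment = trim($_POST['comment'] ?? '');
    $stmt->bind_param("iss", $validentry, $name, $comment);
    $stmt->execute();
    $stmt->close();

    // The thread's bug: $HTTP_HOST and $SCRIPT_NAME are not globals; they
    // live in $_SERVER. Redirect, then exit so nothing further is output.
    header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']
           . "?id=" . $validentry);
    exit;
}
?>
<!-- Encode SCRIPT_NAME before placing it in an attribute; PHP_SELF would need
     the same treatment, since anything reflected into HTML must be escaped. -->
<form action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8')
    . "?id=" . $validentry; ?>" method="post">
```

The same htmlspecialchars() call belongs around $commrow['name'] and $commrow['comment'] when the stored comments are echoed back, since they are user-supplied too.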