
[SOLVED] Shoutbox


supermerc


Hey, I took a basic shoutbox tutorial from spono and I'm trying to modify it so only registered users can post, and it would post with their username.

I managed to make it so only registered users can post, but when I tried to make it so when users post it uses their username, that didn't really work out. For example, when you aren't logged in, only the message on the shoutbox shows, no username, like this :message and when you are logged in, all the messages appear as if that user posted them.


this is my code:

 

<?php
if($submit)
{
   //use the PHP date function for the time
   $time=date("h:ia d/j/y");
   
   // inserting it into the shoutbox table which we made in the mysql statements before
   $result=MYSQL_QUERY("INSERT INTO shoutbox (id, name,message,time)".
      "VALUES ('NULL','$message','name','$time')");
}
?>
<?php
//returning the last 15 messages
$result = mysql_query("select * from shoutbox order by id desc limit 15");

//the while loop
while($r=mysql_fetch_array($result))
{		
   //getting each variable from the table
   $time=$r["time"]; 
   $id=$r["id"];
   $message=$r["message"];
   $name=$_SESSION['s_username'];
?>
   <? echo $name ?>:
   <? echo $message ?><br>
<?php } ?>
<?php
if($_SESSION['s_logged_n']){
echo "
<form action='$php_self' method='post'><p></p>
<INPUT TYPE='TEXT' value='message' NAME='message' SIZE='25' maxlength='100'>
<input type='submit' name='submit' value='submit'>
</form>";}
else
{
}
?>

 

Thanks

https://forums.phpfreaks.com/topic/41639-solved-shoutbox/

A few changes really.. some of them fixing the problem, others security and coding practice.

 

<?php
if($_POST['submit'] AND $_SESSION['s_logged_in'])
?>

On line 2 I changed your variables over to superglobals and added a check that the user posting the info is logged in, otherwise people can post to this script from their own form and still insert data.

 

<?php
$result=MYSQL_QUERY("INSERT INTO shoutbox (name,message,time)".
?>

On line 8, I just took out the 'id' parameter, since you were just specifying it as NULL it doesn't need to be there. Nothing wrong with it per se, mostly a preference for less code.


<?php
"VALUES ('".mysql_real_escape_string($_SESSION['s_username'])."','".mysql_real_escape_string($_POST['message'])."','$time')");
?>

On line 9, I reordered your parameters (originally it looks like you were putting the message into the name field?), and added the "mysql_real_escape_string()" function around the text fields.  That will prevent SQL injections in this query.  Also used the $_SESSION superglobal for the "name" field, as you want to actually insert the name of the person who posted the message along with it.

 

<?php
   $message=htmlspecialchars($r["message"]);
   $name=htmlspecialchars($r["name"]);
?>

Lines 22 and 23 I added the "htmlspecialchars()" functions to disable html in messages people have posted (thereby preventing any inserted javascript from running).  Also, you were setting $name to the username from $_SESSION, which contains the information of the person currently viewing the page.  You want to fill $name from the database.

 

I obviously haven't tested the modifications, but those are the areas where I see issues.


https://forums.phpfreaks.com/topic/41639-solved-shoutbox/#findComment-201767
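
The three fixes described in the reply above (a server-side login check, keeping user text out of the SQL string, escaping on output), put together as an added example that is not part of the original thread. It uses PDO prepared statements rather than `mysql_real_escape_string()` because the `mysql_*` functions were removed in PHP 7; the in-memory SQLite database and the sample session and post arrays are constructed so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Session keys s_logged_in and
// s_username follow the posts above; the SQLite database is an assumption.
function add_shout(PDO $db, array $session, array $post): bool
{
    // Server-side gate: a request sent from someone else's form has no logged-in session.
    if (empty($session['s_logged_in']) || !is_string($post['message'] ?? null)) {
        return false;
    }
    $message = trim($post['message']);
    // maxlength='100' in the form is only a browser hint, so enforce it here too.
    if ($message === '' || strlen($message) > 100) {
        return false;
    }
    // Placeholders send the values separately from the SQL text.
    $stmt = $db->prepare('INSERT INTO shoutbox (name, message, time) VALUES (?, ?, ?)');
    return $stmt->execute([$session['s_username'], $message, date('Y-m-d H:i')]);
}

function render_shouts(PDO $db, int $limit = 15): string
{
    $stmt = $db->prepare('SELECT name, message FROM shoutbox ORDER BY id DESC LIMIT ?');
    $stmt->bindValue(1, $limit, PDO::PARAM_INT);
    $stmt->execute();
    $html = '';
    foreach ($stmt as $r) {
        // Both fields come from the stored row and are escaped at output time.
        $html .= htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8') . ': '
               . htmlspecialchars($r['message'], ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->exec('CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, name TEXT, message TEXT, time TEXT)');

// Constructed inputs standing in for $_SESSION and $_POST.
$member = ['s_logged_in' => true, 's_username' => 'alice'];
add_shout($db, [], ['message' => 'posted without a session']);
add_shout($db, $member, ['message' => "it's <b>bold</b> & 'quoted'"]);
echo render_shouts($db);
```

The thread's code reads `$_SESSION['s_logged_n']` when showing the form and `$_SESSION['s_logged_in']` in the reply's insert check; both checks have to use the key the login script actually sets.
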

mmm I did the changes you told me and now I can't submit any posts, it doesn't work at all.


<?php
//the host, name, and password for your mysql
mysql_connect("server","username","password");

//select the database
mysql_select_db("database");

if($_POST['submit'] AND $_SESSION['s_logged_in'])
{
   //use the PHP date function for the time
   $time=date("h:ia d/j/y");
   
   // inserting it into the shoutbox table which we made in the mysql statements before
  $result=MYSQL_QUERY("INSERT INTO shoutbox (name,message,time)".
      "VALUES ('".mysql_real_escape_string($_SESSION['s_username'])."','".mysql_real_escape_string($_POST['message'])."','$time')");
}
?>
<?php
//returning the last 15 messages
$result = mysql_query("select * from shoutbox order by id desc limit 15");

//the while loop
while($r=mysql_fetch_array($result))
{		
   //getting each variable from the table
   $time=$r["time"]; 
   $id=$r["id"];
   $message=htmlspecialchars($r["message"]);
   $name=htmlspecialchars($r["name"]);
?>
   <? echo $name ?>:
   <? echo $message ?><br>
<?php } ?>
<?php
if($_SESSION['s_logged_n']){
echo "
<form action='$php_self' method='post'><p></p>
<INPUT TYPE='TEXT' value='message' NAME='message' SIZE='25' maxlength='100'>
<input type='submit' name='submit' value='submit'>
</form>";}
else
{
}
?>

 

Is the code after your changes

https://forums.phpfreaks.com/topic/41639-solved-shoutbox/#findComment-201777

<?php
//the while loop
while($r=mysql_fetch_array($result))
{		
   if ( $bgcolor == 'white' ) { $bgcolor = 'gray'; }
   else { $bgcolor = 'white'; }

   //getting each variable from the table
   $time=$r["time"]; 
   $id=$r["id"];
   $message=htmlspecialchars($r["message"]);
   $name=htmlspecialchars($r["name"]);
?>
<div style="background: <?=$bgcolor;?>">
   <?=$name;?>:<?=$message;?>
</div>
<?php } ?>

 

Something like that would work...

https://forums.phpfreaks.com/topic/41639-solved-shoutbox/#findComment-201809

Archived

This topic is now archived and is closed to further replies.
