LuckY07 Posted December 8, 2007

Hi, I am trying to use this premade PHP form that allows users to leave comments at my site. Currently I am using a WAMP on a localhost with a 'root' user to access MySQL. All configs are default, and I know the PHP and MySQL work since I have tested each, and when I do phpinfo() I can see 'MySQL'. The form PHP/HTML code I got from http://www.tutorialized.com/view/tutorial/Shoutbox/3026 . When I enter all the info in the body and run my 'shoutbox.php' locally with a root user and my PW I get an 'HTTP 403 error', saying the page can't be displayed because it requires a login. Can someone check my code and point me in the direction to look for this problem? I would really appreciate it, tks.

Here is my code:

```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>Shoutbox</title>
</head>
<body>
<?
//the host, name, and password for your mysql
mysql_connect("localhost","username","password");

//select the database
mysql_select_db("news");

if($submit){
    //use the PHP date function for the time
    $time=date("h:ia d/j/y");

    // inserting it into the shoutbox table which we made in the mysql statements before
    $result=MYSQL_QUERY("INSERT INTO shoutbox (id,name,message,time)".
        "VALUES ('NULL','$name', '$message','$time')");
}
?>
<?
//returning the last 5 messages
$result = mysql_query("select * from shoutbox order by id desc limit 5");

//the while loop
while($r=mysql_fetch_array($result)){
    //getting each variable from the table
    $time=$r["time"];
    $id=$r["id"];
    $message=$r["message"];
    $name=$r["name"];
?>
<? echo $time ?><br>
<? echo $name ?><br>
<? echo $message ?><br>
<? } ?>
<form action="<? echo $php_self ?>" method="post">
<INPUT TYPE='TEXT' value='name' NAME='name' SIZE=30 maxlength='100'><br>
<INPUT TYPE='TEXT' value='message' NAME='message' SIZE=30 maxlength='100'>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
```

I can see the form fine; when I hit 'submit' I get taken to a new page with the error.

wildteen88 Posted December 8, 2007

Where is shoutbox.php stored? If you have WAMP installed then it should be C:/wamp/www I believe.

Also I noticed the script relies on register_globals. register_globals was disabled by default as of PHP 4.2 and is now deprecated. Consider finding a more up-to-date tutorial; however, the code is still workable, it just needs a few variable names to be changed to the $_POST superglobal.

Another thing I noticed is it uses short tags (<? ?>). Short tags are not enabled by default when PHP is installed. Instead convert <? to <?php

LuckY07 Posted December 8, 2007

I really appreciate you looking at this. I was thinking about making the following changes:

```php
"VALUES ('NULL','$name', '$message','$time')");
```

to:

```php
"VALUES ('NULL',$_POST['name'],$_POST['message'],$_POST['time'])");
```

Is that all I need to do? I also changed the short tags to proper <?php tags.

I have been running PHP scripts in a folder on my c:\mywebsite folder, which is what I set my PHP directory to. Do I need to change the MySQL directory as well?

LuckY07 Posted December 8, 2007

Another thing I was wondering about: do you think I need to change

```php
if($submit)
```

to:

```php
if($_POST['submit'])
```

Any help you could give me is really appreciated, tks.

LuckY07 Posted December 8, 2007

Any ideas how to change my register_globals in this script to superglobal using the $_POST? I have tried a couple of things and I can't get this script to add data to MySQL and/or display data. The only thing that shows is the form.

wildteen88 Posted December 8, 2007

Yes, those were the changes that needed to be made. However, regarding the following:

> I really appreciate you looking at this. I was thinking about making the following changes:
> "VALUES ('NULL','$name', '$message','$time')");
> to:
> "VALUES ('NULL',$_POST['name'],$_POST['message'],$_POST['time'])");

That is OK for personal use, however not for production use. It is not recommended to place raw user data ($_POST, $_GET, $_COOKIE, etc.) directly into a query, as your query will be prone to SQL injection attacks, which can be used to hack your site, or even worse completely erase your database. In order to protect yourself from SQL injection attacks I'd recommend you use the built-in mysql_real_escape_string function. This will help to protect you from such attacks.

So instead of doing:

```php
"VALUES ('NULL',$_POST['name'],$_POST['message'],$_POST['time'])");
```

Do:

```php
$name = mysql_real_escape_string($_POST['name']);
$message= mysql_real_escape_string($_POST['message']);
"VALUES ('NULL', '$name', '$message', '$time')");
```

You do not have to run mysql_real_escape_string on all fields, only those which store strings. If a field only needs a number then validate with is_numeric to see if the data only contains numbers.

Corrected Code:

```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>Shoutbox</title>
</head>
<body>
<?php
//the host, name, and password for your mysql
mysql_connect("localhost","username","password");

//select the database
mysql_select_db("news");

if(isset($_POST['submit']))
{
    //use the PHP date function for the time
    $time = date("h:ia d/j/y");

    /* protect ourselves from SQL Injection */
    $name = mysql_real_escape_string($_POST['name']);
    $message= mysql_real_escape_string($_POST['message']);

    // inserting it into the shoutbox table which we made in the mysql statements before
    mysql_query("INSERT INTO shoutbox (id, name, message, time) VALUES ('NULL','$name', '$message','$time')");
}

//returning the last 5 messages
$result = mysql_query("select * from shoutbox order by id desc limit 5");

//the while loop
while($r = mysql_fetch_array($result))
{
    //getting each variable from the table
    $time = $r['time'];
    $id = $r['id'];
    $message = $r['message'];
    $name = $r['name'];

    echo $time . "<br>\n";
    echo $name . "<br>\n";
    echo $message . "<hr>\n";
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<INPUT TYPE='TEXT' value='name' NAME='name' SIZE=30 maxlength='100'><br>
<INPUT TYPE='TEXT' value='message' NAME='message' SIZE=30 maxlength='100'>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
```

If you still get the 403 error message then check WAMP's configuration. Make sure you are running your script from http://localhost and not directly loading it into a web browser from c:\mywebsite

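Added example, not part of the thread or any poster's code: the shoutbox insert and select written with PDO prepared statements, which send values separately from the SQL text instead of escaping them into it, plus integer validation that is stricter than is_numeric. It assumes the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the MySQL shoutbox table; add_shout and latest_shouts are hypothetical helper names and the sample submissions are constructed.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the in-memory table stands in for the thread's MySQL "shoutbox" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE shoutbox (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, message TEXT, time TEXT)');

// Placeholders keep user text out of the SQL string entirely, so quotes in
// the input cannot change the statement and no escaping call is needed.
function add_shout(PDO $pdo, string $name, string $message): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO shoutbox (name, message, time) VALUES (:name, :message, :time)');
    $stmt->execute([
        ':name'    => substr($name, 0, 100),     // same limit as the form's maxlength
        ':message' => substr($message, 0, 100),
        ':time'    => date('h:ia d/j/y'),
    ]);
}

// Numeric input: is_numeric() also accepts "1e3" and "1.5", so validate as a
// bounded integer and bind it with an explicit integer type.
function latest_shouts(PDO $pdo, $limit): array
{
    $limit = filter_var($limit, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 50]]);
    if ($limit === false) {
        $limit = 5;                               // fall back to the thread's default
    }
    $stmt = $pdo->prepare('SELECT name, message, time FROM shoutbox ORDER BY id DESC LIMIT :n');
    $stmt->bindValue(':n', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample submissions, including quotes and markup.
add_shout($pdo, "O'Brien", "it's working");
add_shout($pdo, 'guest', "quote ' and \" plus <b>markup</b>");

foreach (latest_shouts($pdo, '1e3') as $row) {    // rejected limit, falls back to 5
    // Encode on output so stored text is displayed as text, not parsed as HTML.
    echo htmlspecialchars($row['time'] . ' ' . $row['name'] . ': ' . $row['message'],
        ENT_QUOTES, 'UTF-8'), "\n";
}
```
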
LuckY07 Posted December 8, 2007

Thank you very much. That worked like a charm. I'm not sure exactly what was preventing it from using the MySQL db, but my guess is one of the following changes you made:

```php
$_SERVER['PHP_SELF']
```

instead of:

```php
<?php echo $php_self ?>
```

or, I was thinking it was the IF-statement change:

```php
if($submit){
```

to:

```php
if(isset($_POST['submit']))
```

Also, I wonder if encasing the entire script inside 1 php <?php ?> script helped. Thanks again. I will tweak this code a lot before it goes live.

LuckY07 Posted December 8, 2007

I think I figured out what was preventing the SQL query from working. I played around with the settings you gave me and figured out the sole culprit was how I was referencing the '$_POST' command inside a query, which I don't think you can do. When I declared the variables before placing them in the query it worked! So basically the fix you taught me was you can't use a superglobal variable inside a query as I tried here:

```php
$result=MYSQL_QUERY("INSERT INTO shoutbox (id,name,message,time) ".
    "VALUES ('NULL', $_POST['name'], $_POST['message'], '$time')");
```

The fix was changing the above to:

```php
$name = mysql_real_escape_string($_POST['name']);
$message= mysql_real_escape_string($_POST['message']);

// inserting it into the shoutbox table which we made in the mysql statements before
mysql_query("INSERT INTO shoutbox (id, name, message, time) VALUES ('NULL','$name', '$message','$time')");
```

Thanks again wild.

wildteen88 Posted December 8, 2007

> so basically the fix you taught me was you cant use a superglobal variable inside a query as i tried here:
> $result=MYSQL_QUERY("INSERT INTO shoutbox (id,name,message,time) ". "VALUES ('NULL', $_POST['name'], $_POST['message'], '$time')");

You can use superglobal variables within a query if you wish (or any other string), however you have to wrap them in curly braces - {} - if you use them inside double quotes. This is to do with how PHP parses arrays within quotes.

LuckY07 Posted December 8, 2007

If I hit the 'refresh' button on my browser, it treats that the same as hitting the 'submit' button. Any easy ways to fix this? tks.

Yesideez Posted December 8, 2007

When the user clicks the submit button, have the script do what it needs to do then reload the page by using header() - just don't pass any of the data in the form. That way when reload is pressed the page just reloads.

wildteen88 Posted December 8, 2007

Redirect the user back to shoutbox.php when their post has been added to the database. That way if the user hits the refresh button your web browser won't resend the POST data back to the page.

```php
<?php
//the host, name, and password for your mysql
mysql_connect("localhost","username","password");

//select the database
mysql_select_db("news");

if(isset($_POST['submit']))
{
    //use the PHP date function for the time
    $time = date("h:ia d/j/y");

    /* protect ourselves from SQL Injection */
    $name = mysql_real_escape_string($_POST['name']);
    $message = mysql_real_escape_string($_POST['message']);

    // inserting it into the shoutbox table which we made in the mysql statements before
    mysql_query("INSERT INTO shoutbox (id, name, message, time) VALUES ('NULL','$name', '$message','$time')");

    // redirect the user.
    header("Location: shoutbox.php");
    // stop here so nothing else runs or is output after the redirect header
    exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>Shoutbox</title>
</head>
<body>
<?php
//returning the last 5 messages
$result = mysql_query("select * from shoutbox order by id desc limit 5");

//the while loop
while($r = mysql_fetch_array($result))
{
    //getting each variable from the table
    $time = $r['time'];
    $id = $r['id'];
    $message = $r['message'];
    $name = $r['name'];

    echo $time . "<br>\n";
    echo $name . "<br>\n";
    echo $message . "<hr>\n";
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<INPUT TYPE='TEXT' value='name' NAME='name' SIZE=30 maxlength='100'><br>
<INPUT TYPE='TEXT' value='message' NAME='message' SIZE=30 maxlength='100'>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
```

Notice I have moved the code block which adds the entry to the database before the HTML. This is because you cannot send any headers when there is any form of output. Output is considered anything outside of the PHP tags, or anything from echo/print/sprintf etc.

LuckY07 Posted December 8, 2007

I tried the updated script wild, but I get the following errors when I hit submit:

```
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'username'@'localhost' (using password: YES) in C:\xxx\shoutbox.php on line 12
Warning: mysql_select_db() [function.mysql-select-db]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xxx\shoutbox.php on line 14
Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in C:\xxx\shoutbox.php on line 14
Warning: mysql_query() [function.mysql-query]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xxx\shoutbox.php on line 27
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in C:\xxx\shoutbox.php on line 27
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\xxx\shoutbox.php on line 30
```

wildteen88 Posted December 9, 2007

Have you used your MySQL username/password for the mysql_connect function? Looks like you haven't. If you have installed MySQL and haven't set up a username/password already then use root as the username and nothing for the password instead, e.g.:

```php
mysql_connect("localhost","root","");
```

You have to provide a valid username/password when connecting to MySQL. Also ensure the MySQL server is actually running too.

LuckY07 Posted December 9, 2007

I changed my program name when I copied your code to shoutboxPHP.php, and I forgot to change the following line:

```php
// redirect the user.
header("Location: shoutbox.php");
```

to:

```php
// redirect the user.
header("Location: shoutboxPHP.php");
```

I got it to work. Thanks for all your help wildteen.