PHP question

Kon-Tiki

PHP question

Post by Kon-Tiki »

Got two PHP questions.

1) I want to browse between entries on a page, and I'm using $pagina to keep track of which page. The problem is that I'm redefining it each time, so it kinda loses its purpose, and gives an error when browsing back (instead of pagina-- becoming 0, it becomes -1). Anybody know how to fix this? I tried making it a session variable and using session_start(); but that didn't work.

2) In an SQL-query to check if other texts exist, I use this:

    DELETE FROM posts WHERE bericht = '$chkTekst'
$chkTekst comes from a checkbox value, then looks it up from a database. For some reason, it cuts off at the first space, though, and doesn't use the entire string for comparison, while it does seem to use the other strings entirely (so including everything after the first whitespace too) in that comparison, always giving no results. Is there a way to solve this?

Thanks in advance :)
Kon-Tiki

Re:PHP question

Post by Kon-Tiki »

Ok, instructor had time and helped me on my way for the first one, which is solved (mostly. Still got to make sure you don't see an empty page when the total amount of posts / amount of posts per page = 0. One Next-button too many then ::) )
Solar

Re:PHP question

Post by Solar »

Kon-Tiki wrote: 1) I want to browse between entries on a page, and'm using $pagina to keep track of which page. The problem's that I'm redefining it each time, so it kinda loses its purpose, and gives an error when browsing back (instead of pagina-- becoming 0, it becomes -1).
Pass the variable in the URL - http://www.example.com?pagina=1. Details can be found in your PHP manual of choice.
Kon-Tiki wrote: $chkTekst comes from a checkbox value, then looks it up from a database. For some reason, it cuts off at the first space, though, and doesn't use the entire string for comparison, while it does seem to use the other strings entirely (so including everything after the first whitespace too) in that comparison, always giving no results. Is there a way to solve this?
Check whether you are correctly quoting the value throughout the code (not only in the SQL query).

Both ways can easily be exploited, especially the second part (SQL injection).
Every good solution is obvious once you've found it.
Kon-Tiki

Re:PHP question

Post by Kon-Tiki »

Hurray! The browsing works! As for the string thing... I don't see anything wrong with my code. This is what it is (Dutch commenting, but those things don't matter):

    // Remove posts containing a certain text
    if ($_GET['chkTekst']) {  // Stops at spaces
        $SQL_query = "DELETE FROM posts WHERE bericht = '$chkTekst'";
        if (mysql_query($SQL_query, $db_connection)) echo "Alle posts $chkTekst zijn succesvol verwijderd.<br>";
        else echo "Probleem bij het verwijderen: " . mysql_error() . "<br>";
    }
Same seems to go for the other text-fields. I tried no quotes, single quotes and double quotes (changing the echo-quotes accordingly). Only result that's worse, is with the double quotes (obviously).
Candy

Re:PHP question

Post by Candy »

Solar wrote:
Kon-Tiki wrote: 1) I want to browse between entries on a page, and'm using $pagina to keep track of which page. The problem's that I'm redefining it each time, so it kinda loses its purpose, and gives an error when browsing back (instead of pagina-- becoming 0, it becomes -1).
Pass the variable in the URL - http://www.example.com?pagina=1. Details can be found in your PHP manual of choice.
Then, if you use guarded PHP code, which is safer:

    $pagina = $_GET["pagina"];
This prevents people from redefining variables you use in your code to stuff that makes the code do something else. Consider:

    http://somewebsite.com/admin/killuser.php?user=kontiki&authed=1
where the second parameter would be an internal variable that would be overridden, allowing anybody to "be admin" without authentication. If you don't enable it, it overrides the default value; if you do enable it, it just defines $_GET["authed"], which isn't equal to $authed.

For most things you want to use POST parameters, however. For page number info and stuff that just defines where you are, GET stuff is better. This way you can make your website give a consistent result for a given URL, while maintaining user authentication (not in the URL, that is) and session management.


You should give any database table you want to use somewhat intensively numbers. No matter how inhumane to assign everybody a number, it's a lot more effective and stable. You can't mis-spell a number.
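The two handlers from this thread, written the way Solar and Candy suggest (page number only from the URL, value quoted in the HTML, SQL parameterised). This is an added example, not code from the thread; it assumes a MySQLi connection, the `posts` table with the `bericht` text column named in the query above, assumed credentials, and a hypothetical 10 posts per page.

```php
<?php
// Added example, not code from the thread: Kon-Tiki's handlers as Solar and Candy suggest.
// Assumes a MySQLi connection, a 'posts' table with a 'bericht' text column, 10 posts per page.
declare(strict_types=1);
// Page number only from the URL, validated and clamped: "?pagina=-1" or "?pagina=abc"
// becomes page 0 instead of a negative offset or a PHP warning.
function currentPage(array $get, int $lastPage): int
{
    $p = filter_var($get['pagina'] ?? 0, FILTER_VALIDATE_INT);
    return ($p === false) ? 0 : max(0, min($p, $lastPage));
}
// Checkbox with a quoted value attribute: an unquoted value=Hello world submits only "Hello",
// which is the "cuts off at the first space" symptom in the thread.
function checkboxFor(string $text): string
{
    $v = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<input type="checkbox" name="chkTekst" value="' . $v . '">';
}
// Delete by exact text through a prepared statement: the value is bound as data, so
// quotes or SQL keywords inside it are compared against the column, never executed.
function deletePostsWithText(mysqli $db, string $chkTekst): int
{
    $stmt = $db->prepare('DELETE FROM posts WHERE bericht = ?');
    $stmt->bind_param('s', $chkTekst);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}
// GET carries navigation only (same URL, same page); the destructive action arrives via
// POST, as Candy advises, and is never read from a register_globals-style $chkTekst.
$db = new mysqli('localhost', 'user', 'secret', 'forum'); // assumed credentials
$db->set_charset('utf8mb4');
$perPage = 10;
$total = (int) $db->query('SELECT COUNT(*) FROM posts')->fetch_row()[0];
$lastPage = max(0, intdiv($total - 1, $perPage)); // no empty trailing page
$pagina = currentPage($_GET, $lastPage);
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['chkTekst'])) {
    echo deletePostsWithText($db, (string) $_POST['chkTekst']) . ' post(s) removed.<br>';
}
$stmt = $db->prepare('SELECT ID, Name, bericht FROM posts ORDER BY ID LIMIT ? OFFSET ?');
$offset = $pagina * $perPage;
$stmt->bind_param('ii', $perPage, $offset);
$stmt->execute();
$res = $stmt->get_result();
while ($row = $res->fetch_assoc()) {
    echo checkboxFor($row['bericht']) . ' ' . htmlspecialchars($row['bericht'], ENT_QUOTES, 'UTF-8') . "<br>";
}
```

The clamp to `$lastPage` also removes the extra Next button on an empty trailing page that Kon-Tiki mentions earlier in the thread.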
Kon-Tiki

Re:PHP question

Post by Kon-Tiki »

For now, I have one table, that's made like this:
ID -> int autonumber primary key
Name -> text
E-mail -> text
Message -> text

Now if I'd have another table with user information, I'd probably have to change Name to User_ID -> int and link it to the table of users, which'd have an ID -> int autonumber primary key as well.

Anyways, I already did that $pagina = $_GET['pagina'], but only because I didn't want to change all $pagina references to $_GET['pagina']. Good thing I now know that it should be done like that, and why ;)
Solar

Re:PHP question

Post by Solar »

Huh?

You might want to read on "table normalization" and avoiding redundancy of information.

If I see that correctly, you want to store multiple messages for a number of users, which are identified by name and e-mail. Each user can have multiple messages.

Common approach would be to have two tables:

ID -> int (primary key)
Name -> text
E-mail -> text

and

ID -> int (foreign key - same as in table 1)
Message -> text
Every good solution is obvious once you've found it.
Kon-Tiki

Re:PHP question

Post by Kon-Tiki »

Nonono, for now, I want to store messages. There's no database of users or email addresses yet. It's a database of messages.

What I'm still looking into for now is the string thing and security (I'm already stripping all tags from all text input), plus how to allow smilies and BB code.
Candy

Re:PHP question

Post by Candy »

Kon-Tiki wrote: What I'm still looking into for now is the string thing and security (I'm already stripping all tags from all text input), plus how to allow smilies and BB code.
parse -> regenerate with HTML in place

Best do this while displaying pages. If you do it while putting stuff in DB (faster when mostly read) you'll end up transforming it back and making more code.
Solar

Re:PHP question

Post by Solar »

Kon-Tiki wrote: Nonono, for now, I want to store messages. There's no database of users or email addresses yet. It's a database of messages.
But you store user names and email addresses alongside, which is about as bad for a database designer as using only global variables is for a C coder...
Every good solution is obvious once you've found it.
Kon-Tiki

Re:PHP question

Post by Kon-Tiki »

Got that now :) Guy next to me pointed out that I need to check for closed tags, though. Right now, I'm using str_replace, and I'm processing it all in one, but it won't make sure that for each [ b ], there'll be a [ /b ]. Will keep on looking :)
Solar

Re:PHP question

Post by Solar »

If you have three or four problems at once, chances are that a) your design is borked or b) the task at hand is a bit over your head. ;-)

For the [ b ] / [ / b ] stuff, I would look into regular expressions - especially the non-greedy operator ('?') and the possessive quantifier ('+'). If you can make sense out of

    \[foo\]((?:[^\[]*+(?:(?!\[/?foo\]).)?)*+)\[/foo\]
you're a good deal closer to your goal. ;-)
Every good solution is obvious once you've found it.
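Solar's pattern put to work, as an added example that is not code from the thread: 'foo' is replaced by a real tag name and the match is fed to preg_replace, after escaping the input. The tag-to-element map and the sample strings are constructed for the demonstration.

```php
<?php
// Added example, not from the thread: Solar's pattern with 'foo' replaced by a real tag name,
// used to render [b]...[/b] and [i]...[/i]. An unclosed tag never matches, so it stays as
// literal text rather than opening an element that swallows the rest of the page.
declare(strict_types=1);

function bbcodeToHtml(string $text, array $tags = ['b' => 'strong', 'i' => 'em']): string
{
    // Escape first, so the only markup reaching the browser is what this function emits.
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    foreach ($tags as $bb => $el) {
        $t = preg_quote($bb, '/');
        // Solar's pattern: possessive *+ eats up to the first [/tag] with no backtracking,
        // and the lookahead refuses to step over a nested [tag] or [/tag].
        $re  = '/\[' . $t . '\]((?:[^\[]*+(?:(?!\[\/?' . $t . '\]).)?)*+)\[\/' . $t . '\]/s';
        $rep = '<' . $el . '>$1</' . $el . '>';
        // Innermost pairs match first; loop until nothing changes so
        // [b]a[b]b[/b]c[/b] resolves from the inside out.
        do {
            $html = preg_replace($re, $rep, $html, -1, $count);
        } while ($count > 0);
    }
    return $html;
}

// Constructed samples: well-formed, nested, unclosed, and raw HTML that must stay inert.
foreach (['[b]bold[/b] and [i]it[/i]', '[b]a[b]b[/b]c[/b]', '[b]no closing tag', '<script>x</script>'] as $s) {
    echo bbcodeToHtml($s), "\n";
}
```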
Kon-Tiki

Re:PHP question

Post by Kon-Tiki »

Ouch. I saw those last year when learning Perl, but forgot all 'bout that. Time to learn that again, I guess. Instructor just gave me this link and wished me good luck. He himself didn't really know how to do this either. So... time to learn ;D
Candy

Re:PHP question

Post by Candy »

Solar wrote: If you can make sense out of

    \[foo\]((?:[^\[]*+(?:(?!\[/?foo\]).)?)*+)\[/foo\]
you're a good deal closer to your goal. ;-)
Does making a program that makes code out of it for me also count? :D