SHARE
TWEET

Untitled

a guest Apr 29th, 2017 82 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /*
  2. Using the DDL provided, write a small PHP application that allows a user to type the title of a post in a form field and have it fetch the title and body of that post from the "posts" table.
  3. Key items:
  4. The solution must echo the typed field back to the user
  5. The file must work in PHP 5.2
  6. The DB configuration should be editable at the top of the file.
  7. The solution must protect against XSS, SQL Injection and CSRF attacks, but should allow for HTML in the returned content.
  8. Use any combination of procedural and OOP that you see fit
  9.  
  10. Write your code sample below:
  11. */
  12.  
  13. <?PHP
  14.  
  15. $dbhost = 'localhost'; // Database Server
  16. $dbuser = 'root'; // Database User
  17. $dbpass = ''; // Database Password
  18. $dbname = 'test';  //Database Name
  19.  
  20. mysql_connect($dbhost, $dbuser, $dbpass) or die("failed to connect to mysql: " . mysql_error());
  21. mysql_select_db($dbname) or die("failed to select db: " . mysql_error());
  22.  
  23.  
  24. if (!isset($_SESSION)) {
  25.     session_start();
  26. }
  27. if (!isset($_SESSION['token'])) {
  28.     $token = md5(uniqid(rand(), TRUE));
  29.     $_SESSION['token'] = $token;
  30. }
  31. else
  32. {
  33.     $token = $_SESSION['token'];
  34. }
  35.  
  36. $message = NULL;
  37. $title = '';
  38. $content = '';
  39.  
  40. $posts = array();
  41.  
  42.  
  43.  
  44. if(isset($_POST['submit']) && $_POST['title'] != NULL ){
  45.     if($_SESSION['token'] != $_POST['token']){
  46.         die;
  47.     }
  48.    $title = mysql_real_escape_string($_POST['title']);
  49.  
  50.     $sql = 'SELECT id, title, content FROM `posts` WHERE title ="'. $title .'"';
  51.     $results  = dbQuery($sql);
  52.    
  53.     $i = 0;
  54.     while( $row = mysql_fetch_array($results)) {
  55.         $posts[$i]['title'] = $row['title'];
  56.         $posts[$i]['content'] = $row['content'];
  57.         ++$i;
  58.     }
  59. }
  60.  
  61.  
  62.  
  63.  
  64. function dbQuery($sql)
  65. {
  66.     $result = mysql_query($sql);
  67.     if(!$result){
  68.         throw new Exception(mysql_error()."\n"."Query: " . $sql);
  69.     }
  70.     return $result;
  71. }
  72. ?>
  73.  
  74.  
  75.  
  76.  
  77.  
  78.  
  79. <html>
  80.     <body>
  81.         <form action="<?PHP $_SERVER['PHP_SELF'] ?>" method="POST">
  82.             <label for="title">Title to find:</label>
  83.             <input type="text" id="title" name="title">
  84.             <input type="hidden" name="token" value="<?php echo $token ?>">
  85.             <input type="submit" value="Find" name="submit">
  86.         </form>
  87.         <hr>
  88.         <?php if(!empty($posts)){ ?>
  89.             <h2>Your search for <?php echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); ?> returned the following results</h2>
  90.            
  91.             <?php foreach($posts as $post){ ?>
  92.                 <h3><?php echo htmlspecialchars($post['title'], ENT_QUOTES, 'UTF-8'); ?></h3> <BR>
  93.                 <?php echo htmlspecialchars($post['content'], ENT_QUOTES, 'UTF-8'); ?>
  94.             <?php } ?>
  95.         <?php } ?>
  96.     </body>
  97. </html>
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top