- <?php
- /* In response to a Yahoo Answer's Question */
- // http://pastebin.com/RjEFuzwe Same script without comments
- // session_start(); // Depending on whether or not you're using Sessions.
// Using header() --> Headers cannot be sent once any data has already been sent to the user, whether by echo, print, or a PHP error message.
- /* Message Functions */
- // Use of tabled messages based on your initial example
function errorMsg($msg){
    // Renders one message, or a list of messages, as a bold red table.
    // $msg is emitted as-is (callers deliberately pass markup such as links),
    // so it must already be trusted or HTML-escaped; never route raw user input through it.
    $cellOpen = '<tr><td style="color: #900;font-weight: bold;">'; // #900 is a medium Red
    if(!is_array($msg)){
        return '<table>' . $cellOpen . $msg . '</td></tr></table>';
    }
    // One row per message; an empty list yields an empty table.
    $rows = '';
    foreach($msg as $line){
        $rows .= $cellOpen . $line . '</td></tr>' . PHP_EOL;
    }
    return '<table>' . $rows . '</table>';
}
function goodMsg($msg){
    // Renders a single success message as a bold green table (#090 is a medium Green).
    // $msg is emitted unescaped; the caller is responsible for escaping any user data inside it.
    $open = '<table><tr><td style="color: #090;font-weight: bold;">';
    $close = '</td></tr></table>';
    return "{$open}{$msg}{$close}";
}
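/* Variables */
$output = ''; // Will hold the desired output;
// Read the submitted fields with a default, so a plain GET (no form data) does not raise
// undefined-index notices, and ignore non-string values (a "title[]" parameter arrives as an array).
$title = isset($_POST['title']) && is_string($_POST['title']) ? $_POST['title'] : '';
$content = isset($_POST['content']) && is_string($_POST['content']) ? $_POST['content'] : '';
$category = isset($_POST['category']) && is_string($_POST['category']) ? $_POST['category'] : '';
// The raw values are kept for the length checks and the database below; only HTML-escaped
// copies go back into the form, otherwise whatever was posted is reflected straight into the page
// (a title containing a quote and a <script> tag would run in the browser of whoever submits it).
$titleHtml = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
$contentHtml = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
$form = <<<FORM
<form action="./test.php" method="post" style="background-color: #000;">
<table>
<tr>
<td><font color="white"><b>Title:</b></font></td>
<td><input type="text" name="title" value="$titleHtml"></td>
</tr>
<tr>
<td><font color="white"><b>Content:</b></font></td>
<td><textarea name="content" rows="6" cols="80">$contentHtml</textarea></td>
</tr>
<tr>
<td><font color="white"><b>Category</b></font></td>
<td>
<select name="category">
<option value="General Discussion">General Discussion</option>
<option value="Suggestions">Suggestions</option>
<option value="Complaints">Complaints</option>
<option value="Problem Reporting">Problem Reporting</option>
</select>
</td>
</tr>
<tr>
<td colspan="2"><input type="submit" name="postbtn" value="Post"></td>
</tr>
</table>
</form>
FORM;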
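/* Logged In Check */
// No idea where $username and $userid come from; assuming a $_SESSION or $_COOKIE variable.
// If it is a session variable, start the session at the beginning of the script with session_start().
// NOTE: a plain cookie is written by the client, so anyone can present any username/userid here.
// Treat this as "which account is claimed", not as proof of login: the identity should come from
// a server-side session (or a signed cookie) before it is trusted as the post's author.
// isset() avoids undefined-index notices when the cookies are absent; '' is falsy like the old null.
$username = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
$userid = isset($_COOKIE['userid']) ? $_COOKIE['userid'] : '';
if( !$username || !$userid){
    header('Refresh: 5; url=/login/login.php'); // Header is sent before output of data.
    echo errorMsg('You need to be logged in to access this page. <a href="/login/login.php" >Login</a>');
    exit;
}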
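/* Form Checking And Processing */
if (isset($_POST['postbtn'])){ // isset() avoids an undefined-index notice on a plain GET.
    $currenttime = date("h:i A");
    $currentdate = date("F d, Y");
    $errors = array(); // Will hold the error Messages.
    // Mirror of the <option> values in the form; anything else did not come through the form.
    $allowedCategories = array('General Discussion', 'Suggestions', 'Complaints', 'Problem Reporting');
    /* Error Checking */
    // strlen() counts bytes, so multi-byte text reaches the limit before its character count does;
    // that matches byte-sized columns. Use mb_strlen() if the columns are character-sized.
    if ((strlen($title) < 10) || (strlen($title) > 50)){
        $errors[] = 'Title must be longer than 10 and less than 50 characters';
    }
    if ((strlen($content) < 50) || (strlen($content) > 1000)){
        $errors[] = 'Content must be longer than 50 and less than 1000 characters';
    }
    // Although you set these yourself in the form, a client can send any value, so whitelist it.
    if (!in_array($category, $allowedCategories, true)){
        $errors[] = 'Please select a valid category';
    }
    if( count($errors) > 0){ // Errors Occurred
        $output = errorMsg($errors) . $form;
    }else{ // No Errors Occurred Continue with post.
        require ("connect.php");
        // Everything interpolated into a query must be escaped first; otherwise a quote in the
        // title ends the SQL string literal and the rest of the input runs as SQL (SQL injection).
        // That includes $username: it comes from a cookie, i.e. from the client, not from you.
        // mysql_real_escape_string() needs an open connection, which is why it is not applied at
        // the initial variable declaration. The escaping is only for transport: MySQL consumes the
        // backslashes, so the stored values stay within the 50/1000 limits checked above.
        // The mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7; the two queries
        // below should become prepared statements (mysqli or PDO with bound parameters), which
        // makes the escaping step unnecessary. The escaped copies are kept separate from the raw
        // values because the raw title is still needed for the page output below.
        $titleSql = mysql_real_escape_string( $title );
        $contentSql = mysql_real_escape_string( $content );
        $categorySql = mysql_real_escape_string( $category );
        $authorSql = mysql_real_escape_string( $username );
        // I am assuming that there is a column by the name of 'id'; select the column with the least
        // data, since returning more than you need (content) only costs resources. LIMIT 1 lets
        // MySQL stop at the first match instead of scanning the whole table.
        $query = mysql_query("SELECT id FROM posts WHERE title='$titleSql' LIMIT 1");
        if ($query && mysql_num_rows($query) === 0){ // Query succeeded and no row with that title exists.
            $insert = "INSERT INTO posts (title, content, time, date, author, category) VALUES ('$titleSql', '$contentSql', '$currenttime', 'on $currentdate', '$authorSql', '$categorySql')";
            if( mysql_query($insert) ){
                // Success, no need to double check with another query.
                // The title is URL-encoded for the Refresh header and the link (a raw title could
                // break the URL or smuggle extra header lines), and HTML-escaped for the page text.
                $postUrl = './posts.php?title=' . rawurlencode($title);
                header('Refresh: 5; url=' . $postUrl);
                $output = goodMsg('Your message was posted successfully.<br>If you are not redirected to the post in 5 seconds. Click the link below.<br> <a href="' . htmlspecialchars($postUrl, ENT_QUOTES, 'UTF-8') . '">' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</a>');
            }else{
                $output = errorMsg('There was an Internal Error, while attempting to save your post. Please try again in a few minutes.') . $form; // Output the form
            }
        }else{
            $output = errorMsg('There is already a post with that Title, please select another.') . $form; // Output the form.
        }
        // mysql_close($conn); // Or whatever variable your connection is stored.
    }
}else{
    $output = $form; // Default output;
}
echo $output; // Output the output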
- ?>