Web Design Forum: User role inserted into comments section instead of User Name - Web Design Forum


User role inserted into comments section instead of User Name

#1 Matt Maclennan

Posted 20 January 2012 - 06:47 PM

Hi Guys!

I am currently doing a comment board for a PHP page, and the problem is, now that I have assigned numbered roles (1 being a normal user) it is outputting the role number instead of the user name. Below image shows what I mean...

Posted Image

Comments page code:

<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Digispace - Level up with us!</title>
<link href="global.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="header"></div>
<div id="wrapper">
<div id="links">
<a href="index.html"><img src="images/header_01.png" width="133" height="50" alt="logo" style="float:left; margin-top:-15px; padding-right:70px;" /></a>
<ul id="menuLinks">
<li><a href="games.php">Games</a></li>
<li><a href="login.php">Login</a></li>
<li><a href="register.php">Register</a></li>
<li><a href="contact.html">Contact</a></li>
</ul>
</div>
<p>
<div id="left">
<?
include 'dbconnect.php';
$game_ID = $_GET['id'];
$_SESSION['id'] = $game_ID;
$output = mysql_query("SELECT * FROM game WHERE game_ID = '$game_ID'");
$image = mysql_query("SELECT imageUrl FROM game WHERE game_ID = '$game_ID'");
$alt = mysql_query("SELECT gameName FROM game WHERE game_ID = '$game_ID'");
$row2 = mysql_fetch_array($image, MYSQL_ASSOC);
$row3 = mysql_fetch_array($alt, MYSQL_ASSOC);
echo "<table border='0' id='games'>";

while($row = mysql_fetch_array($output))
{
echo "<tr>";
echo "<td></td>" . "<td><h1>" . $row['gameName']. "</h1></td>";
echo "</tr>";
echo "<tr>";
echo "<td>Platform:</td>" . "<td>" . $row['platform']. "</td>";
echo "</tr>";
echo "<tr>";
echo "<td></td>"."<td>" . $row['description']. "</td>";
echo "</tr>";
}
echo "</table>";
include 'close.php';
?>
</p>
</div>
<div id ="right">
<img src="<?php echo $row2['imageUrl']?>" alt="<?php echo $row3['gameName']?>" />
</div>
<div id="bottom">
<p>
<a href="games.php">Back</a>
</p>
<h3>Comments</h3>
<?
include 'dbconnect.php';
echo "<table border='0' id='comments'>";
if(session_is_registered('user')){
	echo "<form action='commentPost.php' method='post'>";
	echo "<tr>";
	echo "<td style='vertical-align:top;'>Comment</td><td><textarea name='comments' cols='30' rows='10'></textarea></td>";
	echo "</tr>";
	echo "<tr>";
	echo "<td></td><td><input name='submit' type='submit' value='Submit' />";
	echo "</tr>";
}
else
{
echo "<p>Login to post your own comment on the game!</p>";
}
echo "</table>";
include 'close.php';
?>
<br />
<?
include 'dbconnect.php';
$comments = mysql_query("SELECT * FROM comments WHERE $game_ID = page_ID");
echo "<table border='0' id='commentsOutput'><th width='15%' class='commentsHeader'><h3>User Name</h3></th><th class='commentsHeader'><h3>Comment</h3></th><th class='commentsHeader'></th>";
while($row4 = mysql_fetch_array($comments))
{
echo "<tr>";
echo "<td>" . $row4['userName'] . "</td>";
echo "<td>" . $row4['comment'] . "</td>";
if(session_is_registered('admin')){
echo "<td>"."<a href='deleteComment.php?id=" . $row4['comment_ID'] . "'>Delete</a>"."</td>";
}
echo "</tr>";
}
echo "</table>";
include 'close.php';
?>
</p>
</div>
</div>
</body>
</html>



Insert comment page code

<?
session_start('id', 'userName');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Digispace - Level up with us!</title>
<link href="global.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="header"></div>
<div id="wrapper">
<div id="links">
<a href="index.html"><img src="images/header_01.png" width="133" height="50" alt="logo" style="float:left; margin-top:-15px; padding-right:70px;" /></a>
<ul id="menuLinks">
<li><a href="games.php">Games</a></li>
<li><a href="login.php">Login</a></li>
<li><a href="register.php">Register</a></li>
<li><a href="contact.html">Contact</a></li>
</ul>
</div>
<p>
<div id="left">
<?
include 'dbconnect.php';
$userName = $_SESSION['user'];
$comment = $_REQUEST["comments"];
$game_ID = $_SESSION['id'];
$query = "INSERT INTO comments (userName, comment, page_ID) VALUES ('$userName', '$comment', '$game_ID')";
mysql_query ($query);
echo "Thanks, your comment has been added!";
include 'close.php';
?>
</div>
</p>
</div>
</div>
</body>
</html>



Any ideas will be great, and +1'd! Sorry if that is a bit long winded!

Thanks! :)

Matt
0

#2 rallport

Posted 20 January 2012 - 06:51 PM

Ouch at that code :(
0

#3 Matt Maclennan

Posted 20 January 2012 - 06:53 PM

rallport, on 20 January 2012 - 06:51 PM, said:

Ouch at that code :(


what's up with it? wouldn't mind feedback! :)
0

#4 webdesigner93

Posted 21 January 2012 - 03:36 PM

Matt Maclennan, on 20 January 2012 - 06:53 PM, said:

what's up with it? wouldn't mind feedback! :)

It's poorly coded code, here's a few things I notice off the bat.

1. You're using mysql instead of the newer mysqli or PDO
2. You're not using mysqli_escape_string anywhere to prevent against mysql injections
3. You're using session_is_registered which is DEPRECATED as of PHP 5.3.0, so you should just do
if(isset($_SESSION['admin'])){
//
}

4. You're not checking if your variables are set before actually grabbing values; this prevents undefined index errors from building up in your error log.

Like I said, these are just a few
1
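The four points from post #4 applied to the insert-comment handler, as an added example that is not part of any post in this thread. The table and column names follow the thread; the function name addComment, the sample session values and the in-memory SQLite database (a stand-in for the MySQL connection in dbconnect.php) are assumptions so the script runs offline.

```php
<?php
// Added example, not the original poster's code.
declare(strict_types=1);

function addComment(PDO $db, array $session, array $request): bool
{
    // Points 3 and 4: isset() replaces session_is_registered(), and no
    // array key is read before it is known to exist.
    if (!isset($session['user'], $session['id'], $request['comments'])) {
        return false;
    }
    $comment = trim((string) $request['comments']);
    if ($comment === '' || !ctype_digit((string) $session['id'])) {
        return false;
    }
    // Points 1 and 2: PDO prepared statement. Values are bound as data and
    // never concatenated into the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO comments (userName, comment, page_ID) VALUES (:user, :comment, :page)'
    );
    return $stmt->execute([
        ':user'    => (string) $session['user'],
        ':comment' => $comment,
        ':page'    => (int) $session['id'],
    ]);
}

// Assumption: SQLite in memory stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (comment_ID INTEGER PRIMARY KEY, userName TEXT, comment TEXT, page_ID INTEGER)');

// Constructed sample input standing in for $_SESSION and $_POST.
$session = ['user' => 'matt', 'id' => '3'];
var_dump(addComment($db, $session, ['comments' => "Rock 'n' roll racing is great"])); // apostrophes in the text
var_dump(addComment($db, $session, []));             // comment field missing
var_dump(addComment($db, [], ['comments' => 'hi'])); // no logged-in user

// Read the rows back with a bound parameter as well.
$read = $db->prepare('SELECT userName, comment FROM comments WHERE page_ID = :page');
$read->execute([':page' => 3]);
print_r($read->fetchAll(PDO::FETCH_ASSOC));
```

With the string-built query from the first post, the apostrophes in the sample comment would end the quoted SQL value early; with bound parameters the text is stored exactly as typed.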

#5 Matt Maclennan

Posted 24 January 2012 - 08:54 PM

webdesigner93, on 21 January 2012 - 03:36 PM, said:

It's poorly coded code, here's a few things I notice off the bat.

1. You're using mysql instead of the newer mysqli or PDO
2. You're not using mysqli_escape_string anywhere to prevent against mysql injections
3. You're using session_is_registered which is DEPRECATED as of PHP 5.3.0, so you should just do
if(isset($_SESSION['admin'])){
//
}

4. You're not checking if your variables are set before actually grabbing values; this prevents undefined index errors from building up in your error log.

Like I said, these are just a few


Okay, thanks for the feedback!

In terms of the MySQL, I know about the new release, just stuck on MySQL at the moment. Also, just learnt about SQL injections, so will add the code in.

Thanks for the feedback though! :)
0

#6 webdesigner93

Posted 25 January 2012 - 04:24 PM

Matt Maclennan, on 24 January 2012 - 08:54 PM, said:

Okay, thanks for the feedback!

In terms of the MySQL, I know about the new release, just stuck on MySQL at the moment. Also, just learnt about SQL injections, so will add the code in.

Thanks for the feedback though! :)

Np :) glad to help
0

#7 GalaxyTramp

Posted 25 January 2012 - 05:05 PM

$query = "INSERT INTO comments (userName, comment, page_ID) VALUES ('$userName', '$comment', '$game_ID')";



Should this not read

$query = "INSERT INTO comments (userName, comment, page_ID) VALUES ('$userName', '$comment', '$page_ID')";

0

#8 Matt Maclennan

Posted 25 January 2012 - 11:21 PM

GalaxyTramp, on 25 January 2012 - 05:05 PM, said:

$query = "INSERT INTO comments (userName, comment, page_ID) VALUES ('$userName', '$comment', '$game_ID')";



Should this not read

$query = "INSERT INTO comments (userName, comment, page_ID) VALUES ('$userName', '$comment', '$page_ID')";



Hi there!

Thanks for the idea! However, I declared a variable "Game_ID", which is getting the id number from the URL, so that is fine. It's just the User Role (1,2,3) instead of the User Name going into the comments table, which is obviously not how it should be!
0

#9 GalaxyTramp

Posted 26 January 2012 - 09:36 AM

Matt Maclennan, on 25 January 2012 - 11:21 PM, said:

Hi there!

Thanks for the idea! However, I declared a variable "Game_ID", which is getting the id number from the URL, so that is fine. It's just the User Role (1,2,3) instead of the User Name going into the comments table, which is obviously not how it should be!


<?
session_start('id', 'userName');

//Should read

session_start('id', 'user');
?>



$userName = $_SESSION['user'];
$comment = $_REQUEST["comments"];
$game_ID = $_SESSION['id'];


This post has been edited by GalaxyTramp: 26 January 2012 - 09:37 AM

0
