Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


worst PHP problem ever.

 
Cheat Engine Forum Index -> General programming
deleted user 111213
Grandmaster Cheater
Reputation: 0

Joined: 09 Nov 2007
Posts: 714

Posted: Sat Nov 29, 2008 4:26 pm    Post subject: worst PHP problem ever.

I'm still making that forum. I have the forum-index.php file. Not much change.

Code:
<?php
session_start();
include './global.php';

// The links on this page use ?act=forum&id=..., so the action has to be read
// from 'act'. The original read $_GET['id'] here, which can never match an
// entry of $actions_array, so the forum branch below was unreachable.
$action = isset($_GET['act']) ? mss($_GET['act']) : '';
$actions_array = array('forum');

// Admin level of the viewer: 0 for guests, overwritten from the users row.
$admin_level = 0;
?>
<html>

<head>

<title>Nostrich's Forum</title>

<link rel="stylesheet" href="./style3.css" type="text/css" />

</head>

<body>

<center>

<div id="holder">

<div id="userInfo">

<?php

if(!empty($_SESSION['uid'])){
    // uid is an integer key, so cast it instead of quoting it.
    $sql = "SELECT * FROM users WHERE id = " . (int)$_SESSION['uid'];
    $res = mysql_query($sql) or die(mysql_error());

    if(mysql_num_rows($res) == 0){
        session_destroy();
        echo "Please <a href='login2.php'>Login</a> to your account, or <a href='reg.php'>Register</a> a new account!\n";
    }else{
        $row = mysql_fetch_assoc($res);
        $admin_level = (int)$row['admin'];
        // Escape database values before echoing them into HTML.
        echo "Welcome back,<a href=\"./forum-index.php?act=profile&id=".(int)$row['id']."\">".htmlspecialchars($row['username'])."</a>! <a href=\"./logout.php\">Logout</a>\n";
        echo "<br>\n";
        echo " <a href=\"./forum-index.php\">Forum Index</a>\n";
        if($admin_level == 1){
            echo " | <a href=\"./admin/index.php\">Administrators section</a>\n";
        }
    }
}else{
    echo "Please <a href='login2.php'>Login</a> to your account, or <a href='reg.php'>Register</a> a new account!\n";
}

?>

</div>

<div id="content">
<?php

if(!$action || !in_array($action,$actions_array)){
    // "admin < level+1" from the original, written as "admin <= level".
    // $admin_level is 0 for guests, so an unset $row no longer breaks the query.
    $sql1 = "SELECT * FROM forum_cats WHERE admin <= " . $admin_level;
    $res1 = mysql_query($sql1) or die(mysql_error());

    $i=1;

    while ($row2 = mysql_fetch_assoc($res1)){
        echo "<div id='fcontent'>\n";
        // The original had a stray \" here that broke the div's attributes.
        echo "<div class='header' id=\"header_".$i."\">".htmlspecialchars($row2['name'])."</div>\n";

        $sql2 = "SELECT * FROM forum_sub_cats WHERE cid=".(int)$row2['id']." AND admin <= " . $admin_level;
        $res2 = mysql_query($sql2) or die(mysql_error());
        while($row3 = mysql_fetch_assoc($res2)){
            echo "<div id='content'>\n";
            echo "<a href=\"./forum-index.php?act=forum&id=".(int)$row3['id']."\">".htmlspecialchars($row3['name'])."</a><br>\n";
            echo "   " .htmlspecialchars($row3['desc']) . "\n";
            echo "</div>\n";
        }

        echo "</div>\n";
        $i++;
    }
}else{
    if($action == 'forum'){
        include "./includes/forum.php";
    }
}

?>
</div>

</div>

</center>

</body>

</html>


The new forum.php file in the includes directory:
Code:
<?php

// The original put $_GET['id'] straight into the query (SQL injection).
// The id is an integer, so cast it before it gets anywhere near the SQL.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

if($id > 0){
   $sql = "SELECT * FROM forum_cats WHERE id = " . $id;
   $res = mysql_query($sql) or die(mysql_error());
   if(mysql_num_rows($res) == 0){
      echo "The forum category you supplied does not exist!\n";
   }
}

?>


Basically this is meant to make the forums disappear, and if there is one that doesn't exist, it comes up with
Code:
 The forum category you supplied does not exist.


But it doesn't. I will post the global.php file, but change it slightly.

Code:
<?php

// Connect first: mysql_real_escape_string() in mss() needs an open connection.
// "localhost" has to be quoted; the bare word was an undefined constant.
$con = mysql_connect("localhost", "root", "")
or die(mysql_error());

mysql_select_db("353", $con) or die(mysql_error());

// Escapes a value for use inside a quoted SQL string literal. It does not
// protect values placed in a query unquoted (integer ids, for example);
// cast those to int instead.
function mss($value){
return mysql_real_escape_string(trim(strip_tags($value)));
}

?>
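As an added example that is not part of the thread, the script below models the dispatch at the top of forum-index.php for requests like ./forum-index.php?act=forum&id=3, once reading the id parameter the way the posted code does and once reading act. It runs without a database; dispatch_as_posted(), dispatch_fixed() and the request list are assumptions for the demonstration, and mss() is replaced by trim(strip_tags()) because mysql_real_escape_string() needs a live connection.

```php
<?php
// Added example (not from the thread): which branch forum-index.php runs for
// a given $_GET. Pure PHP, no database, so the dispatch can be checked alone.

const ACTIONS = ['forum'];           // the posted $actions_array

// What the posted code does: it reads the *id* parameter into $action, so a
// sub-forum link (act=forum&id=3) yields $action = '3', which is not in
// ACTIONS, and the page falls back to the category listing every time.
function dispatch_as_posted(array $get): string {
    $action = isset($get['id']) ? trim(strip_tags($get['id'])) : '';
    if ($action === '' || !in_array($action, ACTIONS)) {
        return 'index';              // category listing
    }
    return $action;                  // would include includes/forum.php
}

// Reading the parameter the links actually set, with a strict in_array() so
// only an exact whitelist match can select a file to include.
function dispatch_fixed(array $get): string {
    $action = isset($get['act']) ? trim(strip_tags($get['act'])) : '';
    if ($action === '' || !in_array($action, ACTIONS, true)) {
        return 'index';
    }
    return $action;
}

// Constructed requests, as PHP would parse the query strings into $_GET.
$requests = [
    'index page'        => [],
    'sub-forum link'    => ['act' => 'forum', 'id' => '3'],
    'missing category'  => ['act' => 'forum', 'id' => '9999'],
    'unknown action'    => ['act' => 'profile', 'id' => '1'],
    'traversal attempt' => ['act' => '../admin/index', 'id' => '1'],
];

foreach ($requests as $label => $get) {
    printf("%-18s posted=%-6s fixed=%s\n",
        $label, dispatch_as_posted($get), dispatch_fixed($get));
}
```

For the "sub-forum link" and "missing category" rows the posted version prints index and the fixed version prints forum, which is why includes/forum.php, and its "does not exist" message, never ran. The whitelist is also what keeps the include safe: the traversal attempt lands on index in both versions because it does not match an entry of ACTIONS.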
Reak
I post too much
Reputation: 0

Joined: 15 May 2007
Posts: 3496

Posted: Sat Nov 29, 2008 5:54 pm

To start off, some tips:
Never use integer variables as string variables.
If you are checking for an integer var in MySQL you don't have to use the ' ' quotes.
Using them will allow every string. Like, let's say $_GET['id'] is a string..? It's very insecure for SQL-injection stuff.
Well, in this case it's not that "dangerous", but in other stuff where its security is necessary it is.

Your code should work, but try this:
Code:
// Cast before the check: in PHP, "1 OR 1=1" > 0 is true, so the comparison
// alone does not keep a payload out of an unquoted integer.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

if($id > 0){
   $sql = "SELECT * FROM forum_cats WHERE id=$id";
   $res = mysql_query($sql) or die(mysql_error());
   if(mysql_num_rows($res) > 0){
      // Found, display it now
   }else{
      echo "The forum category you supplied does not exist!\n";
   }
}
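As an added example (not code from the thread), the script below builds the SQL text that each approach discussed above would send for a normal id and for a crafted one: the unquoted integer behind an $id > 0 check, the quoted and escaped form that mss() in global.php produces, an integer cast, and a mysqli prepared statement. It needs no database, since the functions return the query text; escape_stand_in(), the query_*() functions, fetch_category() and the mysqli connection it takes are assumptions for the demonstration.

```php
<?php
// Added example (not from the thread): what the server actually receives for
// ?id=1 OR 1=1 under each way of building the query. No database needed;
// each builder returns the SQL text so the effect of the input is visible.

// Stand-in for mysql_real_escape_string(), which needs a live connection:
// addslashes() escapes the same quote and backslash characters.
function escape_stand_in(string $value): string {
    return addslashes(trim(strip_tags($value)));
}

// Unquoted integer guarded only by `$id > 0`. PHP compares the string
// loosely, so "1 OR 1=1" > 0 is true and the payload goes straight in.
function query_unquoted_checked(string $id): ?string {
    if ($id > 0) {
        return "SELECT * FROM forum_cats WHERE id=$id";
    }
    return null;
}

// Quoted and escaped, as mss() in global.php does: the input cannot leave
// the string literal, and MySQL casts '1 OR 1=1' to 1 for an INT column.
function query_quoted_escaped(string $id): string {
    return "SELECT * FROM forum_cats WHERE id='" . escape_stand_in($id) . "'";
}

// Cast to int before use: the only thing that can reach the SQL is a number.
function query_cast(string $id): ?string {
    $n = (int) $id;
    return $n > 0 ? "SELECT * FROM forum_cats WHERE id=$n" : null;
}

// Prepared statement with mysqli (connection assumed; not executed here):
// the value is bound as a parameter and never becomes part of the SQL text.
function fetch_category(mysqli $db, string $id): ?array {
    $n = (int) $id;
    if ($n <= 0) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM forum_cats WHERE id = ?");
    $stmt->bind_param('i', $n);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs: a normal id and an injection payload.
foreach (['3', '1 OR 1=1'] as $input) {
    echo "input: $input\n";
    echo "  unquoted, > 0 check : " . (query_unquoted_checked($input) ?? '(rejected)') . "\n";
    echo "  quoted + escaped    : " . query_quoted_escaped($input) . "\n";
    echo "  (int) cast          : " . (query_cast($input) ?? '(rejected)') . "\n";
}
```

For the payload, the first builder emits WHERE id=1 OR 1=1, which selects every category; the second emits WHERE id='1 OR 1=1', which MySQL evaluates as id=1; the third emits WHERE id=1. Escaping protects a quoted string context only, so an integer column should get an integer cast or, better, a bound parameter.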
deleted user 111213
Grandmaster Cheater
Reputation: 0

Joined: 09 Nov 2007
Posts: 714

Posted: Sun Nov 30, 2008 3:02 am

Still didn't work.
All times are GMT - 6 Hours