modifying shoutbox to add an archive

  1. #1
    Member
    Join Date
    May 2007
    Posts
    46

    modifying shoutbox to add an archive

    I have installed a wonderful PHP/jQuery shoutbox, but it lacks an archive function. So I am trying to modify the script to add each message to the database once it is posted.

    I edited the addMessage function and added a database query:

    Code:
    	function addMessage($user, $msg, $color) {
    		$user = $this->checkUsername($user); if($user===false) { return $this->jsonEncode(array('error'=>'You cannot use that name!')); }
    		if(strlen(utf8_decode($user)) > 100) { return $this->jsonEncode(array('error'=>'Your name is too long!')); } $msg = utf8_encode(addslashes(strip_tags($msg)));
    		if(strlen($msg) > 500) { return $this->jsonEncode(array('error'=>'Your message is too long! Limit 500 characters.')); }
    		if((empty($user)) || ($user=='Your Name')) { return $this->jsonEncode(array('error'=>'Please enter your name!')); }
    		if((empty($msg)) || ($user=='Message')) { return $this->jsonEncode(array('error'=>'Please enter a message!')); }
    		if($this->isBanned($_SERVER['REMOTE_ADDR'])===true) { return $this->jsonEncode(array('error'=>'You are banned from this ShoutBox.')); }
    		if((empty($_SESSION['ShoutCloud-User'])) || (!isset($_SESSION['ShoutCloud-User'])) || ($_SESSION['ShoutCloud-User']!==$user)) { $_SESSION['ShoutCloud-User'] = $user; }
    		if((empty($_SESSION['ShoutCloud_Tag_Color'])) || ($_SESSION['ShoutCloud_Tag_Color']!==$color)) { $_SESSION['ShoutCloud_Tag_Color'] = $color; }
    		$allMsgs = unserialize(file_get_contents($this->msgsFile)); if(empty($_SESSION['ShoutCloud-User-Flood'])) { $_SESSION['ShoutCloud-User-Flood'] = 0; }
    		if($_SESSION['ShoutCloud-User-Flood'] > time()) { return $this->jsonEncode(array('error'=>'Please do not spam the messages! Wait 5 seconds in between posts.')); } $_SESSION['ShoutCloud-User-Flood'] = time() + 5;
    		$allMsgs[] = array('time' => time(), 'user' => $user, 'msg' => $msg, 'color' => $color, 'ip' => $_SERVER['REMOTE_ADDR']); $totalMsgs = count($allMsgs);
    		if($totalMsgs > 100) { $difference = ($totalMsgs - 100); $i=1; $allMsgs = array_reverse($allMsgs, true); while($i <= $difference) { $remove = array_pop($allMsgs); $i++; } $allMsgs = array_reverse($allMsgs, true);
    		} else { $difference = 0; } $msgFile = fopen($this->msgsFile, 'w');
    		if(fwrite($msgFile, serialize($allMsgs))) {
    				$dbtime = time();
    				$dbhost = 'localhost';
    				$dbname = 'pirate_piratepunk';
    				$dbuser = 'pirate_pirate';
    				$dbpasswd = '******';
    				mysql_connect($dbhost, $dbuser, $dbpasswd) or die(mysql_error());
    				mysql_select_db($dbname) or die(mysql_error());
    				$query = "INSERT INTO 1tchat (shout, user, time) VALUES ('$msg', '$user','$dbtime')";
    		fclose($msgFile); return $this->jsonEncode(array('status' => 'posted'));
    		} else { fclose($msgFile);
    		return $this->jsonEncode(array('error'=>'Your message could not be posted at this time.')); }
    
    	}
    But nothing is being added to the database. What did I do wrong?


    Full php script:
    http://www.pirate-punk.net/tchat/shoutcloud.txt

    Javascript:
    http://www.pirate-punk.net/tchat/sho.../ShoutCloud.js

    Live shoutbox:
    http://www.pirate-punk.net/tchat/tch...forumuser=test

  2. #2
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    7,697
    I see a query:
    $query = "INSERT INTO 1tchat (shout, user, time) VALUES ('$msg', '$user','$dbtime')";
    ... but where does it get executed?
    /!!\ mysql_ is deprecated --- don't use it! Tell your hosting company you will switch if they don't upgrade! /!!!\ ereg() is deprecated --- don't use it!

    dalecosp "God doesn't play dice." --- Einstein "Perl is hardly a paragon of beautiful syntax." --- Weedpacket

  3. #3
    Pna lbh ernq guvf
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,410
    I also see the use of the deprecated mysql extension which will be going away in the future; you should switch to MySQLi or PDO before that happens.

    In addition, I see function parameters being used inside of a SQL query without any sanitizing being done. If this isn't being done outside the function, then your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. See security.database.sql-injection for more info.

  4. #4
    Member
    Join Date
    May 2007
    Posts
    46
    Thank you, it was a really stupid error -_-

    But now I have another problem: after adding the data to my DB, the accents look like this

    = ééé

    What did I do wrong?

    In addition, I see function parameters being used inside of a SQL query without any sanitizing being done. If this isn't being done outside the function, then your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. See security.database.sql-injection for more info.
    Sorry, I don't understand what you mean. Could you give me an example of what I should change my code to in order to prevent SQL injections?

    Adding mysql_real_escape_string() inside the function isn't enough?

  5. #5
    Member
    Join Date
    May 2007
    Posts
    46
    Quote Originally Posted by anarchoi View Post
    Thank you, it was a really stupid error -_-

    But now I have another problem: after adding the data to my DB, the accents look like this

    = ééé

    What did I do wrong?
    Still having this problem.

  6. #6
    Pedantic Curmudgeon Weedpacket's Avatar
    Join Date
    Aug 2002
    Location
    General Systems Vehicle "Thrilled To Be Here"
    Posts
    21,855
    It looks like you're using UTF-8 character encoding in one place and some other encoding in another (in the database vs. in the web page). Pick one encoding and make sure that's the one being used throughout (I'd suggest UTF-8).
    THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER
    FAQs! FAQs! FAQs! Most forums have them!
    Search - Debugging 101 - Collected Solutions - General Guidelines - Getting help at all

  7. #7
    Member
    Join Date
    May 2007
    Posts
    46
    database is set to utf8_bin and script should be too:


    tchat.php
    Code:
    <?php
    session_start();
    header('Content-Type:text/html; charset=UTF-8');
    ?>
    <head>
    <title>T'CHAT Pirate-Punk.net & Resistance.tk</title>
    <?php
    if (empty($_GET['large'])) {
    echo "<link type=\"text/css\" rel=\"stylesheet\" href=\"shoutcloud/ShoutCloud-min.css\" media=\"screen\">";
    } else {
    echo "<link type=\"text/css\" rel=\"stylesheet\" href=\"shoutcloud/ShoutCloud-large.css\" media=\"screen\">";
    }
    ?>
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
    <script type="text/javascript" src="shoutcloud/ShoutCloud-min.js"></script>
    </head>
    <?php
    if (!empty($_GET['large'])) {
    echo "<body bgcolor=\"#000000\">";
    }
    ?>
    <?php include('shoutcloud.php'); ?>
    </body>

    shoutcloud.php

    Code too long to post, see source code here:
    http://www.pirate-punk.net/tchat/shoutcloud.txt

  8. #8
    Pedantic Curmudgeon Weedpacket's Avatar
    Join Date
    Aug 2002
    Location
    General Systems Vehicle "Thrilled To Be Here"
    Posts
    21,855
    Quote Originally Posted by anarchoi
    database is set to utf8_bin
    Double-check that this is not overridden at the table or column levels.
    Quote Originally Posted by anarchoi
    and script should be too:
    Check this in the browser.

    But I don't see the problem. http://www.pirate-punk.net/tchat/tch...forumuser=test

  9. #9
    Member
    Join Date
    May 2007
    Posts
    46
    Quote Originally Posted by Weedpacket View Post
    Double-check that this is not overridden at the table or column levels. Check this in the browser.
    phpMyAdmin says that the columns are in utf8_bin.

    OK, the shoutbox is fine, but I modified the shoutbox to create an archive. As you can see in the code, after each shout it will add the shout to the database. And when I check in phpMyAdmin, the accents from the shouts are messed up after being added to the DB.

    Here's the result when I output the shout database:
    http://www.pirate-punk.net/tchat/chat_archive.php

    And it's not a problem with my output script, since even when I check in phpMyAdmin the accents are messed up.

  10. #10
    Senior Member
    Join Date
    Mar 2009
    Posts
    802
    Two other areas to check your character encoding: your browser and the actual encoding of your source files, though it seems like the latter isn't really applicable in this case (but good to know anyway!).
    Declare variables, not war.
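
An added example, not part of any post in this thread: the archive insert from post #1 written with a PDO prepared statement (the switch to MySQLi or PDO that post #3 recommends), with one character encoding used end to end as post #6 suggests. The function names, the placeholder credentials, the `utf8mb4` connection charset and the in-memory SQLite demo are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names
// (1tchat: shout, user, time) come from the query in post #1; the function
// names and the SQLite demo are assumptions for illustration.

function openArchiveDb(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    // Exceptions make a failed connect/insert visible instead of silent.
    return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

function archiveShout(PDO $pdo, string $user, string $msg, int $time): void
{
    // Store UTF-8 as received; reject invalid byte sequences instead of
    // re-encoding them. preg_match with /u returns false on invalid UTF-8.
    foreach ([$user, $msg] as $value) {
        if (preg_match('//u', $value) !== 1) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
    }
    // Placeholders keep the values out of the SQL text, so no addslashes()
    // or manual escaping is involved.
    $stmt = $pdo->prepare(
        'INSERT INTO `1tchat` (shout, user, time) VALUES (:shout, :user, :time)'
    );
    $stmt->execute([':shout' => $msg, ':user' => $user, ':time' => $time]);
}

// On the real server (placeholder credentials; charset set on the connection):
// $pdo = openArchiveDb('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS');

// Offline demo: in-memory SQLite and constructed messages.
$pdo = openArchiveDb('sqlite::memory:');
$pdo->exec('CREATE TABLE `1tchat` (shout TEXT, user TEXT, time INTEGER)');

$samples = ["c'est l'été", "ééé", "quote ' and \\ backslash"];
foreach ($samples as $msg) {
    archiveShout($pdo, 'test', $msg, time());
}

$stored = $pdo->query('SELECT shout FROM `1tchat` ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples); // every message is stored byte-for-byte
```

Inside `addMessage()`, the call would receive the message before `addslashes()` and `utf8_encode()` are applied, since bound parameters need no escaping and the text is assumed to arrive as UTF-8 already.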
