Code efficiency and security

music_man

I made this small blogging script (one file) and I was wondering if there were any ways I could speed it up and make it more efficient?

One known problem is that the "Edit entries" title displays under the form when one is editing an entry.

Any security problems that you can find would be most helpful. I am not too sure about the mysql functions.

Here is the code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">

body{
font-family: verdana, sans-serif;
margin: 0em 10em 0 10em;
}

h1,h2,h3,h4 {
margin: 0; font-weight: normal;
}

.form {
width: 40em;
}

.form label{
width: 6em;
float: left;
}

#container{
width: 50em;
}

#header{
text-align: center;
}

#navigation{
text-align: center;
}

#navigation ul{
list-style: none;
margin: 0;
padding: 0;
border-bottom: 1px solid #eee;
}

#navigation li{
display: inline;
padding: 1em;
}

#navigation li a{
text-decoration: none;
color: blue;
font-size: .8em;
}

#content{
font-size: 1em;
}

.error{
color: red;
}

.notice{
color: green;
}

</style>
<title></title>
</head>
<body>
<div id="container">
<div id="header">
<h2>Welcome to your blog</h2>
</div>
<br />
<div id="navigation">
<ul><li><a href="<?=$_SERVER['PHP_SELF']?>">Home/Write entry</a></li><li><a href="<?=$_SERVER['PHP_SELF']?>?do=edit">Edit/Delete entries</a></li></ul>
</div>
<br />
<div id="content">
<?php

function dbconnect() {

// set database server access variables:
$host = "###";
$user = "###";
$pass = "###";
$db = "###";

// open connection
mysql_connect($host, $user, $pass) or die ("Unable to connect!");

// select database
mysql_select_db($db) or die ("Unable to select database!");

}

function dbdisconnect() {

mysql_close();

}

$showform = TRUE;

if (isset($_POST['submit']))
{

$error = '';
$title = stripslashes(trim($_POST['title']));
$content = stripslashes(trim($_POST['content']));
$date = date("jS\/F\/Y");
if(!$title)
{
    $error[] = "Title";
}
if(!$content)
{
    $error[] = "Content";
}
if($error)
{
    foreach ($error as $value)
    {
        $errors .= "<li>" . $value . "</li>";
    }
    $message = '<p class="error">Please check your</p><ul>' . $errors . '</ul>';
    $showform = TRUE;
}

else {

if($action=="write")
{
    dbconnect();
    $query = "INSERT INTO blog (title, content, date) VALUES ('$title', '$content', '$date')";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    dbdisconnect();
    $message = '<p class="notice">Posted. <a href="index.php">Back</a></p>';
    $showform = FALSE;
}

if($action=="edit")
{

dbconnect();
        $query = "UPDATE blog SET title = '$title', content = '$content', date = '$date' WHERE id='$id'";
        $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
        dbdisconnect();
        $message = '<p class="notice">Entry edited. <a href="index.php?do=edit">Back</a></p>';
        $showform = FALSE;

}
}

}


switch($act)
    {
        case "change":
dbconnect();
        $query = "SELECT id, title, content, date FROM blog WHERE id='$id'";
        $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
        $row = mysql_fetch_row($result)
        ?>
        <?php echo $message ?>
        <?php if($showform)
        {
            ?>
<br />
            <form method="POST" action="<?=$_SERVER['PHP_SELF']?>">
	<div class="form">
            <label for="title">Title:</label><input type="text" name="title" value="<?php echo $row[1]; ?>" /><br />
            <label for="content">Content:</label><textarea name="content" cols="60" rows="20" /><?php echo $row[2]; ?></textarea><br />
            <input type="hidden" name="action" value="edit" />
            <input type="hidden" name="id" value="<?php echo $row[0]; ?>" />
            <input type="submit" name="submit" value="Edit entry">
</div>
            </form>
            <?php
        }
        dbdisconnect();
        break;
        case "delete":
	dbconnect();
        $id = $_GET["id"];
        $query = "DELETE FROM blog WHERE id='$id'";
        $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
        dbdisconnect();
        break;
    }


switch($do)
{
    case "edit":
dbconnect();
    $query = "SELECT id, title, content, date FROM blog";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    if (mysql_num_rows($result) > 0)
    {
	echo "<h3>Edit/Delete entries</h3>";
        echo "<ul type=\"square\">";
        while($row = mysql_fetch_row($result))
        {
            echo "<li>";
            echo "<a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=change&id=" . $row[0] .">".$row[1]."</a> | <a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=delete&id=" . $row[0] .">Delete</a></li>";
        }
        echo "</ul>";
    }
    else
    {
        echo "<p class=\"notice\">You have published no entries</p>";
    }
    dbdisconnect();

break;
default:
?>
<h3>Write entry</h3>
    <?php echo $message ?>
    <?php if($showform)
    {
        ?>
<br />
        <form method="POST" action="<?=$_SERVER['PHP_SELF']?>">
<div class="form">
        <label for="title">Title:</label><input type="text" name="title" value="<?php echo $title; ?>" /><br />
        <label for="content">Content:</label><textarea name="content" cols="60" rows="20" /><?php echo $content; ?></textarea><br />
        <input type="hidden" name="action" value="write" />
        <input type="submit" name="submit" value="Publish entry">
</div>
        </form>
        <?php
    }
}
?>
</div>
</div>
</body>
</html>

bradgrafelman

If you're not asking about a specific problem, this thread should probably be moved to the Code Critique forum. Other than that...

You're using short tag syntax. I would highly advise that you never use it.
While I suppose checking if $title is false might work, I would recommend using a function like [man]empty/man to make sure you're getting the desired results.
You concatenate values onto $errors, which was never defined. You might want to initialize that variable like you did with $error.
You're vulnerable to SQL injection - you've stripped the slashes (if they were even added, i.e. if magic_quotes_gpc was enabled) from the POST'ed data. This is a big security risk.
You have quotes around the id field in your UPDATE query (actually in a couple of places)... I'm betting that the id MySQL column is of a numeric type (and if it isn't, it should be), therefore you want to pass MySQL a number - not a string.
As a general rule of thumb, I don't think you want users to see as much information in error messages. The way you have error messages, with them echo'ing the attempted query and MySQL error string, is fine for debugging purposes, but once you actually put this script into production you should remove that type of information.
You could always reduce the filesize (and actually cleanup the script so it looks better) by removing all of the HTML and storing it in separate files that are included only when they are needed. If you need to use variables inside these files - the $_SERVER['PHP_SELF'] variable, for example - you can always put strings inside of the HTML file such as {PHP_SELF} and use [man]str_replace/man in your PHP script to replace the keywords in the HTML include file with the appropriate variables.

EDIT: Heh.. looks like this thread was moved by the time I finished composing my post... glances around over his shoulders for a mod lurking about...and spots cgraz

music_man

Thanks very much for your reply.

Is removing the quotes for id

WHERE id=$id

Is this right?

$title = empty(trim($_POST['title']))

How am I open to SQL injection?

I sorta get the HTML thing... So I make an html file called "edit.html" and in my php I go

include("edit.html");

and in my edit.html file I have the {php_self} thing. I am assuming I do the str_replace in the main php file?

I don't get it:

$phpself = $_SERVER['PHP_SELF'];
$title = "Blog";

$phpself_replace = str_replace("{phpself}", $phpself, "{phpself}");

$title_replace = str_replace("{title}", $title, "{title}");

include("html/top.html");

top.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="css/style.css" />
<title></title>
</head>
<body>
<div id="container">
<div id="header">
<h2>{title}</h2>
</div>
<br />
<div id="navigation">
<ul><li><a href="{phpself}">Home/Write entry</a></li><li><a href="{phpself}?do=edit">Edit/Delete entries</a></li></ul>
</div>
<br />
<div id="content">

halojoy

bradgrafelman wrote:
1. You're using short tag syntax.
I would highly advise that you never use it.

good point, bradgrafelman
It is a basic little thing, but what is the gain using shorttags?
Compared to the future troubles and extrawork you may bring upon yourself.

I dont know how many people I have to tell this in a week!
It makes me sick.
Any php programmers using this bad habbit
and so bringing php starters into potential headaches,
with scripts that dont work at a server supporting a good recommended standard PHP,
should be sent to prison right away!

Just the other day I surfed in a php software support forum.
A 'clever' php forum owner and developer was telling about his script.
He had just been asked in 'strange problems forum',
why his brilliant php script he is offering for public download to many ordinary people
did not run at a php server.

Thanks to php error_reporting it was not too hard for this man
to find out that this server used php_short_tags = OFF .... in php.ini.

So he would spend the next weekend with replacing <? and <?=$variable ?>
with the by http://php.net/ officially recommended <?php and <?php echo $variable; ?>

PHP software applications can have several 100 php pages .... !!!

Well, to sum it up:
Some has to find out the rough and hard way,
before they would want to understand what is a good and basic thing.

😃
😃

music_man

I tried putting it into HTML but I couldn't get it to go so I put the forms into functions. Only now it won't come up with the mysql values when editing an entry.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="css/style.css" />
<title></title>
</head>
<body>
<div id="container">
<div id="header">
<h2>Blog</h2>
</div>
<br />
<div id="navigation">
<ul><li><a href="index.php">Home/Write entry</a></li><li><a href="index.php?do=edit">Edit/Delete entries</a></li></ul>
</div>
<br />
<div id="content">

<?php
$phpself = $_SERVER['PHP_SELF'];
/************************************************************\
* Show the editing form
\************************************************************/
function showeditform()
{
    echo "<h3>Edit/Delete entries</h3>";
    echo "<br />";
    echo "<form method=\"POST\" action=\"$phpself\">";
    echo "<div class=\"form\">";
    echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$row[1]\" />";
    echo "<br />";
    echo "<label for=\"content\">Content:</label>";
    echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$row[2]</textarea>";
    echo "<br />";
    echo "<input type=\"hidden\" name=\"action\" value=\"edit\" />";
    echo "<input type=\"hidden\" name=\"id\" value=\"$row[0]\" />";
    echo "<input type=\"submit\" name=\"submit\" value=\"Edit entry\">";
    echo "</div>";
    echo "</form>";
}
/************************************************************\
* Show the writing form
\************************************************************/
function showwriteform()
{
    echo "<h3>Write entry</h3>";
    echo "<br />";
    echo "<form method=\"POST\" action=\"$phpself\">";
    echo "<div class=\"form\">";
    echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$title\" />";
    echo "<br />";
    echo "<label for=\"content\">Content:</label>";
    echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$content</textarea>";
    echo "<br />";
    echo "<input type=\"hidden\" name=\"action\" value=\"write\" />";
    echo "<input type=\"submit\" name=\"submit\" value=\"Publish entry\">";
    echo "</div>";
    echo "</form>";
}
/************************************************************\
* Connect to database
\************************************************************/
function dbconnect()
{
    $host = "localhost";
    $user = "";
    $pass = "";
    $db = "";
    mysql_connect($host, $user, $pass) or die ("Unable to connect!");
    mysql_select_db($db) or die ("Unable to select database!");
}
/************************************************************\
* Disconnect from database
\************************************************************/
function dbdisconnect()
{
    mysql_close();
}
$showform = TRUE;
if (isset($_POST['submit']))
{
    $error = '';
    $errors = '';
    $title = trim($_POST['title']);
    $content = trim($_POST['content']);
    $date = date("jS\/F\/Y");
    if(!$title)
    {
        $error[] = "Title";
    }
    if(!$content)
    {
        $error[] = "Content";
    }
    if($error)
    {
        foreach ($error as $value)
        {
            $errors .= "<li>" . $value . "</li>";
        }
        $message = '<p class="error">Please check your</p><ul>' . $errors . '</ul>';
        $showform = TRUE;
    }
    else
    {
        if($action=="write")
        {
            dbconnect();
            $query = "INSERT INTO blog (title, content, date) VALUES ('$title', '$content', '$date')";
            $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
            dbdisconnect();
            $message = '<p class="notice">Posted.</p>';
            $showform = FALSE;
        }
        if($action=="edit")
        {
            dbconnect();
            $query = "UPDATE blog SET title = '$title', content = '$content', date = '$date' WHERE id=$id";
            $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
            dbdisconnect();
            $message = '<p class="notice">Entry edited. <a href="index.php?do=edit">Back</a></p>';
            $showform = FALSE;
        }
    }
}
switch($act)
{
    case "change":
    dbconnect();
    $query = "SELECT id, title, content, date FROM blog WHERE id='$id'";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    $row = mysql_fetch_row($result);
    echo $message;
    if($showform);
    {
        showeditform();
    }
    dbdisconnect();
    break;
    case "delete":
    dbconnect();
    $id = $_GET["id"];
    $query = "DELETE FROM blog WHERE id='$id'";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    dbdisconnect();
    break;
}
switch($do)
{
    case "edit":
    dbconnect();
    $query = "SELECT id, title, content, date FROM blog";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    if (mysql_num_rows($result) > 0)
    {
        echo "<ul>";
        while($row = mysql_fetch_row($result))
        {
            echo "<li>";
            echo "<a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=change&id=" . $row[0] .">".$row[1]."</a> | <a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=delete&id=" . $row[0] .">Delete</a></li>";
        }
        echo "</ul>";
    }
    else
    {
        echo "<p class=\"notice\">You have published no entries</p>";
    }
    dbdisconnect();
    break;
    default:
    echo $message;
    if($showform);
    {
        showwriteform();
    }
}
?>

</div>
</div>
</body>
</html>

music_man

Another issue is that the title for Editing/Deleting entries does not display when looking at the ?do=edit page,

bradgrafelman

    if(!$title) 
    { 
        $error[] = "Title"; 
    }

This is the place where I suggested using a function like [man]empty/man might be more appropriate, or even something like this, now that I think about it:

    if($title === '') 
    { 
        $error[] = "Title"; 
    }

Otherwise, if they give the field a value of '0', it'll probably equate to FALSE using a loose comparison (two equal signs vs. three).

halojoy

<?php

function showeditform(){
    echo "<form method=\"POST\" action=\"$phpself\">";
    echo "<input type=\"hidden\" name=\"action\" value=\"edit\" />";
    echo "</form>";}
function showwriteform(){
    echo "<form method=\"POST\" action=\"$phpself\">";
    echo "<input type=\"hidden\" name=\"action\" value=\"write\" />";
    echo "</form>";}
/************************************************************/

// START HERE
?>

<a href="index.php">Home/Write entry</a>
<a href="index.php?do=edit">Edit/Delete entries</a>

<?php

$action='';
if(isset($_POST['action'])) $action=$_POST['action'];

$act='';
if (isset($_GET['act'])) $act= $_GET['act'];

$do='';
if (isset($_GET['do'])) $do=  $_GET['do'];

$showform = TRUE;

if (isset($_POST['submit'])){

if($error){
    $message = '<p class="error">Please check your</p><ul>' . $errors . '</ul>';
    $showform = TRUE;
}
else{
    if($action=="write"){
        $message = '<p class="notice">Posted.</p>';
        $showform = FALSE;
    }
    if($action=="edit"){
        $message = '<p class="notice">Entry edited. <a href="index.php?do=edit">Back</a></p>';
        $showform = FALSE;
    }
}
}

switch($act){
    case "change":
    echo $message;
    if($showform){
        showeditform();
    }
    break;

case "delete":
$id = $_GET["id"];   $query = "DELETE FROM blog WHERE id='$id'";
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
break;
}

switch($do){
    case "edit":
    if (mysql_num_rows($result) > 0){
      echo "<a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=change&id=" . $row[0] .">".$row[1]."</a>
            <a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=delete&id=" . $row[0] .">Delete</a>";
    }
    else{
        echo "<p class=\"notice\">You have published no entries</p>";
    }
    break;

default:
echo $message;
if($showform){
    showwriteform();
}
}
?>

I have stripped this code, and only kept the flow structure of your script.
To sort it out.

You use no less than 3 variables
To control what should happen:
$action
$act
$do

It is important that these variables get their values correct.

Even if you now are at a server with register_globals = ON
it is good to program for this script to work with register_globals = OFF
because this is the good setting that most server will use.
In case you want tto move to another server or share your script with somebody.

So my changes/additions are these, in beginning of script:

$action='';
if(isset($_POST['action'])) $action=$_POST['action'];

$act='';
if (isset($_GET['act'])) $act= $_GET['act'];

$do='';
if (isset($_GET['do'])) $do=  $_GET['do'];

I also in a couple of lines removed the semi-colon ;

after an IF statement

if($showform);
{
showwriteform();

}

changed to

if($showform)
{
showwriteform();

}

You have a basically nice script.
Well done!

🙂 🙂
.

bradgrafelman

If you wanted to shorten the code by a couple of lines, you could do this:

<?php 

function showeditform(){ 
    echo "<form method=\"POST\" action=\"$phpself\">"; 
    echo "<input type=\"hidden\" name=\"action\" value=\"edit\" />"; 
    echo "</form>";} 
function showwriteform(){ 
    echo "<form method=\"POST\" action=\"$phpself\">"; 
    echo "<input type=\"hidden\" name=\"action\" value=\"write\" />"; 
    echo "</form>";} 
/************************************************************/ 

// START HERE 
?> 

<a href="index.php">Home/Write entry</a> 
<a href="index.php?do=edit">Edit/Delete entries</a> 

<?php 

$action = ( isset($_GET['action']) ? $action = $_GET['action'] : '');
$act = ( isset($_GET['act']) ? $act = $_GET['act'] : '');
$do = ( isset($_GET['do']) ? $do = $_GET['do'] : '');
$showform = TRUE; 

if (isset($_POST['submit'])){ 

if($error){ 
    $message = '<p class="error">Please check your</p><ul>' . $errors . '</ul>'; 
    $showform = TRUE; 
} 
else{ 
    if($action=="write"){ 
        $message = '<p class="notice">Posted.</p>'; 
        $showform = FALSE; 
    } 
    if($action=="edit"){ 
        $message = '<p class="notice">Entry edited. <a href="index.php?do=edit">Back</a></p>'; 
        $showform = FALSE; 
    } 
} 
} 

switch($act){ 
    case "change": 
    echo $message; 
    if($showform){ 
        showeditform(); 
    } 
    break; 

case "delete": 
$id = intval($_GET["id"]); // used intval to validate user input
$query = "DELETE FROM blog WHERE id=$id";  // removed quotes around id column value
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
break; 
} 

switch($do){ 
    case "edit": 
    if (mysql_num_rows($result) > 0){ 
      echo "<a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=change&amp;id=" . $row[0] .">".$row[1]."</a> 
            <a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=delete&amp;id=" . $row[0] .">Delete</a>"; // url encoded the second & sign before id in both links
    } 
    else{ 
        echo "<p class=\"notice\">You have published no entries</p>"; 
    } 
    break; 

default: 
echo $message; 
if($showform){ 
    showwriteform(); 
} 
} 
?>

I've commented lines where I made additional edits.

EDIT: Halojoy - didn't you lose a bunch of his code? Where did all of the other MySQL queries and stuff go? I've gotta head to work, so I don't have time to correct this now... I'll try to come back here after I get off work.

halojoy

hey buddy.
you probably missed one of my first declarations that goes with the code
in my post above

I have stripped this code, and only kept the flow structure of your script.
To sort it out.

bradgrafelman

Ah, yes, that would explain it.

music_man

Thanks for your great replies 😃

I have copied the flow and added the mysql stuff to it. There are some problems that I can't seem to fix.

It won't delete the entry now
The $phpself variable does not reflect what page it is on, I saved this file as index2.php and it did not change the links.
It doesn't post and when I select an entry to edit, the fields are blank.

Any ideas?

<?php

function showeditform(){
    echo "<h3>Edit/Delete entries</h3>";
    echo "<br />";
    echo "<form method=\"POST\" action=\"$phpself\">";
    echo "<div class=\"form\">";
    echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$row[1]\" />";
    echo "<br />";
    echo "<label for=\"content\">Content:</label>";
    echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$row[2]</textarea>";
    echo "<br />";
    echo "<input type=\"hidden\" name=\"action\" value=\"edit\" />";
    echo "<input type=\"hidden\" name=\"id\" value=\"$row[0]\" />";
    echo "<input type=\"submit\" name=\"submit\" value=\"Edit entry\">";
    echo "</div>";
    echo "</form>";
}
function showwriteform(){
    echo "<h3>Write entry</h3>";
    echo "<br />";
    echo "<form method=\"POST\" action=\"$phpself\">";
    echo "<div class=\"form\">";
    echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$title\" />";
    echo "<br />";
    echo "<label for=\"content\">Content:</label>";
    echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$content</textarea>";
    echo "<br />";
    echo "<input type=\"hidden\" name=\"action\" value=\"write\" />";
    echo "<input type=\"submit\" name=\"submit\" value=\"Publish entry\">";
    echo "</div>";
    echo "</form>";
}
function quote_smart($value)
{
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}
function dbdisconnect()
{
    mysql_close();
}
function dbconnect()
{
    $host = "";
    $user = "";
    $pass = "";
    $db = "";
    mysql_connect($host, $user, $pass) or die ("Unable to connect!");
    mysql_select_db($db) or die ("Unable to select database!");
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="css/style.css" />
<title></title>
</head>
<body>
<div id="container">
<div id="header">
<h2>Blog</h2>
</div>
<br />
<div id="navigation">
<a href="index.php">Home/Write entry</a>
<a href="index.php?do=edit">Edit/Delete entries</a>
</div>
<br />
<div id="content">
<?php

$phpself = $_SERVER['PHP_SELF'];
$action = ( isset($_GET['action']) ? $action = $_GET['action'] : '');
$act = ( isset($_GET['act']) ? $act = $_GET['act'] : '');
$do = ( isset($_GET['do']) ? $do = $_GET['do'] : '');
$showform = TRUE;

if (isset($_POST['submit'])){

if($error){
    $message = '<p class="error">Please check your</p><ul>' . $errors . '</ul>';
    $showform = TRUE;
}
else{
    if($action=="write"){
dbconnect();
$query = sprintf("INSERT INTO blog (title, content, date) VALUES (%s, %s, '$date')",
           quote_smart($_POST['title']),
           quote_smart($_POST['content']));
$result = mysql_query($query);
            dbdisconnect();
            $message = '<p class="notice">Posted.</p>';
            $showform = FALSE;
        }
        if($action=="edit"){
dbconnect();
            $query = "UPDATE blog SET title = '$title', content = '$content', date = '$date' WHERE id=$id";
            $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
            dbdisconnect();
            $message = '<p class="notice">Entry edited. <a href="index.php?do=edit">Back</a></p>';
            $showform = FALSE;
        }
    }
}

switch($act){
    case "change":
    echo $message;
    if($showform){
        showeditform();
    }
    break;

case "delete":
$id = intval($_GET["id"]); // used intval to validate user input
$query = "DELETE FROM blog WHERE id=$id";  // removed quotes around id column value
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
break;
}

switch($do){
    case "edit":
    dbconnect();
    $query = "SELECT id, title, content, date FROM blog";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    if (mysql_num_rows($result) > 0)
    {
        echo "<ul>";
        while($row = mysql_fetch_row($result))
        {
            echo "<li>";
            echo "<a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=change&amp;id=" . $row[0] .">".$row[1]."</a>
            <a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=delete&amp;id=" . $row[0] .">Delete</a>";
        }
        echo "</ul>";
    }
    else
    {
        echo "<p class=\"notice\">You have published no entries</p>";
    }
    dbdisconnect();
    break;

default:
echo $message;
if($showform){
    showwriteform();
}
}
?>

music_man

It started to work but I thought I would try and add another thing to it whereby when editing, if the user changes the content but then it comes up with an error, it shows the updated content. I can't seem to get it to go though...

Also, the header displays under the editing form... Any ideas on how to bring that up?

<?php

function showeditform($row, $title, $content){

/* This is where it saves the content changed... */

if($newvariables) {
$title = $title;
$content = $content;
$id = $row[0];
}

else {
$title = $row[1];
$content = $row[2];
$id = $row[0];
}

echo "<br />";
echo "<form method=\"POST\" action=\"$phpself\">";
echo "<div class=\"form\">";
echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$title\" />";
echo "<br />";
echo "<label for=\"content\">Content:</label>";
echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$content</textarea>";
echo "<br />";
echo "<input type=\"hidden\" name=\"action\" value=\"edit\" />";
echo "<input type=\"hidden\" name=\"id\" value=\"$id\" />";
echo "<input type=\"submit\" name=\"submit\" value=\"Edit entry\">";
echo "</div>";
echo "</form>";
}
function showwriteform($title, $content){
echo "<br />";
echo "<form method=\"POST\" action=\"$phpself\">";
echo "<div class=\"form\">";
echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$title\" />";
echo "<br />";
echo "<label for=\"content\">Content:</label>";
echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$content</textarea>";
echo "<br />";
echo "<input type=\"hidden\" name=\"action\" value=\"write\" />";
echo "<input type=\"submit\" name=\"submit\" value=\"Publish entry\">";
echo "</div>";
echo "</form>";
}
function quote_smart($value) {
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
function dbdisconnect()
{
mysql_close();
}
function dbconnect()
{
$host = "";
$user = "";
$pass = "";
$db = "";
mysql_connect($host, $user, $pass) or die ("Unable to connect!");
mysql_select_db($db) or die ("Unable to select database!");
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head profile="http://gmpg.org/xfn/11">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /=true /=true />
    <link rel="stylesheet" href="css/style.css" /=true />
    <title></title>
  </head>
  <body>
    <div id="container">
      <div id="header">
        <h2>Blog</h2>
      </div>
      <br /=true />
      <div id="navigation">
        <a href="index2.php">Home/Write entry</a>
        <a href="index2.php?do=edit">Edit/Delete entries</a>
</div>
<br />
<div id="content">
        <?php

    $phpself = "index2.php";
    $act = ( isset($_GET['act']) ? $act = $_GET['act'] : '');
    $do = ( isset($_GET['do']) ? $do = $_GET['do'] : '');
    $showform = TRUE;

    if (isset($_POST['submit'])){

$title = trim($_POST['title']);
$content = trim($_POST['content']); 
$error = '';
$errors = '';
$date = date("jS\/F\/Y");
if($title == '')
{
        $error[] = "Title";
}

if($content == '')
{
        $error[] = "Content";
}

    if($error){
            foreach ($error as $error_list)
    {
    $errors .= "<li>" . $error_list . "</li>";
    }
            $message = '<p class="error">Please check your</p><ul>' . $errors . '</ul>';
            $showform = TRUE;
    }

    if($action=="edit"){

            $newvariables = TRUE;

    }

    else{
            if($action=="write"){
    dbconnect();
    $query = sprintf("INSERT INTO blog (title, content, date) VALUES (%s, %s, '$date')",
            quote_smart($_POST['title']),
            quote_smart($_POST['content']));
    $result = mysql_query($query);
            dbdisconnect();
            $message = '<p class="notice">Posted.</p>';
            $showform = FALSE;
            }
            if($action=="edit"){
    dbconnect();
            $query = "UPDATE blog SET title = '$title', content = '$content', date = '$date' WHERE id=$id";
            $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
            dbdisconnect();
            $message = '<p class="notice">Entry edited.</p>';
            $showform = FALSE;
            }
    }
    }

    switch($act){
    case "change":
    dbconnect();
$query = "SELECT id, title, content, date FROM blog WHERE id='$id'";
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
$row = mysql_fetch_row($result);
echo $message;
        if($showform){
                showeditform($row, $title, $content);
        }
        dbdisconnect();
        break;
        case "delete":
                  dbconnect();
        $id = intval($_GET["id"]);
        $query = "DELETE FROM blog WHERE id=$id";
        $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
        dbdisconnect();
        break;
        }

    switch($do){
    case "edit":
    echo "<h3>Edit/Delete entries</h3>";
    dbconnect();
    $query = "SELECT id, title, content, date FROM blog";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    if (mysql_num_rows($result) > 0)
    {
            echo "<ul>";
            while($row = mysql_fetch_row($result))
            {
            echo "<li>";
            echo "<a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=change&amp;id=" . $row[0] .">".$row[1]."</a>
            <a href=" . $_SERVER['PHP_SELF'] . "?do=edit&amp;act=delete&amp;id=" . $row[0] .">Delete</a>";
            }
            echo "</ul>";
    }
    else
    {
            echo "<p class=\"notice\">You have published no entries</p>";
    }
    dbdisconnect();
    break;

    default:
echo "<h3>Write entry</h3>";
        echo $message;
        if($showform){
                showwriteform($title, $content);
        }
        }
        ?>
</div>
</div>
</body>
</html>

music_man

Here is my updated code. What do you think?

<?php
/************************************************************\
* Config
\************************************************************/
$basedirectory = "http://localhost/websites/jc2/admin/";
$mainfile = "index.php";
/************************************************************\
* Connect to database
\************************************************************/
function dbconnect()
{
    $host = ""; // Pretty sure you wont need to change that
    $user = ""; // Your username
    $pass = ""; // ... And password
    $db = ""; // The database name
    mysql_connect($host, $user, $pass) or die ("Unable to connect!");
    mysql_select_db($db) or die ("Unable to select database!");
}
/************************************************************\
* Disconnect from database
\************************************************************/
function dbdisconnect()
{
    mysql_close();
}
/************************************************************\
* Show writing form
\************************************************************/
function showwriteform($title, $content)
{
    echo "<br />";
    echo "<form method=\"POST\" action=\"$mainfile\">";
    echo "<div class=\"form\">";
    echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$title\" />";
    echo "<br /><br />";
    echo "<label for=\"content\">Content:</label>";
    echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$content</textarea>";
    echo "<br /><br />";
    echo "<input type=\"hidden\" name=\"action\" value=\"write\" />";
    echo "<input type=\"submit\" name=\"submit\" value=\"Publish entry\">";
    echo "</div>";
    echo "</form>";
}/************************************************************\
* Show editing form
\************************************************************/
function showeditform($row)
{
    echo "<br />";
    echo "<form method=\"POST\" action=\"$mainfile\">";
    echo "<div class=\"form\">";
    echo "<label for=\"title\">Title:</label><input type=\"text\" name=\"title\" value=\"$row[1]\" />";
    echo "<br /><br />";
    echo "<label for=\"content\">Content:</label>";
    echo "<textarea name=\"content\" cols=\"60\" rows=\"20\" />$row[2]</textarea>";
    echo "<br /><br />";
    echo "<input type=\"hidden\" name=\"action\" value=\"edit\" />";
    echo "<input type=\"hidden\" name=\"id\" value=\"$row[0]\" />";
    echo "<input type=\"submit\" name=\"submit\" value=\"Edit entry\">";
    echo "</div>";
    echo "</form>";
    echo "<br />";
    echo "<hr />";
}
/************************************************************\
* Protect from SQL injection
\************************************************************/
function quote_smart($value)
{
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    if (!is_numeric($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }

return $value;
}
/************************************************************\
* Call to page
\************************************************************/
if($calltopage) {

dbconnect();
    $query = "SELECT id, title, content, date FROM blog";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    if (mysql_num_rows($result) > 0)
    {
        while($row = mysql_fetch_row($result))
        {
            echo "<a name=\"$row[0]\" />";
            echo "<h3>$row[1]</h3>";
            echo "<p>$row[3]</p>";
            echo "<p>$row[2]</p>";
            echo "<hr />";
        }
    }
    else
    {
        echo "<p class=\"notice\">There are no blog entries.</p>";
    }
    dbdisconnect();
}
else {
/************************************************************\
\************************************************************/
$showform = TRUE;
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">';
echo '<html xmlns="http://www.w3.org/1999/xhtml">';
echo '<head profile="http://gmpg.org/xfn/11">';
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />';
echo '<style type="text/css">';
echo "body{font-family:verdana,sans-serif;margin:0em 10em 0 10em}h1,h2,h3,h4{margin:0;font-weight:normal}.form{width:40em}.form label{width:6em;float:left}.form input,textarea{border:1px dotted navy;background-color:#fff}#container{width:50em}#header{text-align:center}#navigation{text-align:center}#navigation ul{list-style:none;margin:0;padding:0;border-bottom:1px solid #eee}#navigation li{display:inline;padding:1em}#navigation li a{text-decoration:none;color:blue;font-size:.8em}#content{font-size:1em}.error{color:red}.notice{color:green}#editlist a{text-decoration:none;color:blue;font-size:.8em}";
echo '</style>';
echo '<title></title>';
echo '</head>';
echo '<body>';
echo '<div id="container">';
echo '<div id="header">';
echo '<h2>Blog</h2>';
echo '</div>';
echo '<br />';
echo '<div id="navigation">';
echo '<ul>';
echo '<li><a href="' . $basedirectory . '">Home/Write entry</a></li>';
echo '<li><a href="' . $basedirectory . $mainfile . '?do=edit">Edit/Delete entries</a></li>';
echo '</ul>';
echo '</div>';
echo '<br />';
echo '<div id="content">';

if (isset($_POST['submit']))
{
    $title = trim($_POST['title']);
    $content = trim($_POST['content']);
    $error = '';
    $errors = '';
    $date = date("jS\/F\/Y");
    if($title == '')
    {
        $error[] = "Title";
    }
    if($content == '')
    {
        $error[] = "Content";
    }
    if($error)
    {
        foreach ($error as $error_list)
        {
            $errors .= "<li>" . $error_list . "</li>";
        }
        $message = '<p class="error">Please check your</p><ul>' . $errors . '</ul>';
        $showform = TRUE;
    }
    else
    {
        if($action=="write")
        {
            dbconnect();
            $query = sprintf("INSERT INTO blog (title, content, date) VALUES (%s, %s, '$date')",
            quote_smart($_POST['title']),
            quote_smart($_POST['content']));
            $result = mysql_query($query);
            $message = '<p class="notice">Posted.</p>';
            dbdisconnect();
            $showform = FALSE;
        }
        if($action=="edit")
        {
            dbconnect();
            $query = sprintf("UPDATE blog SET title = %s, content = %s, date = '$date' WHERE id=$id",
            quote_smart($_POST['title']),
            quote_smart($_POST['content']));
            $result = mysql_query($query);
            dbdisconnect();
            $message = '<p class="notice">Entry edited.</p>';
            $showform = FALSE;
        }
    }
}
switch($act)
{
    case "change":
    dbconnect();
    $query = "SELECT id, title, content, date FROM blog WHERE id=$id";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    $row = mysql_fetch_row($result);
    echo $message;
    if($showform)
    {
        showeditform($row);
    }
    dbdisconnect();
    break;
    case "delete":
    dbconnect();
    $id = intval($_GET["id"]);
    $query = "DELETE FROM blog WHERE id=$id";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    dbdisconnect();
    break;
}
switch($do)
{
    case "edit":
    echo "<h3>Edit/Delete entries</h3>";
    dbconnect();
    $query = "SELECT id, title, content, date FROM blog";
    $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
    if (mysql_num_rows($result) > 0)
    {
        echo "<ul id=\"editlist\">";
        while($row = mysql_fetch_row($result))
        {
            echo "<li>";
            echo $row[1];
            echo "&nbsp;::&nbsp;";
            echo "<a href=" . $mainfile . "?do=edit&amp;act=change&amp;id=" . $row[0] .">Edit</a>";
            echo "&nbsp;|&nbsp;";
            echo "<a href=\"" . $mainfile . "?do=edit&amp;act=delete&amp;id=" . $row[0] ."\" onclick=\"this.innerHTML = 'Deleting...';\">Delete</a>";
        }
        echo "</ul>";
    }
    else
    {
        echo "<p class=\"error\">You have published no entries</p>";
    }
    dbdisconnect();
    break;
    default:
    echo "<h3>Write entry</h3>";
    echo $message;
    if($showform)
    {
        showwriteform($title, $content);
    }
}

echo '</div>';
echo '</div>';
echo '</body>';
echo '</html>';
}
?>

I have another page that calls the blog:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
    <body>
      <?php  $calltopage = TRUE;
            include("admin/index.php");?>
    </body>
</html>

How should I go about the date format? If I have it UNIX timestamped could I have php interpret that? That way I can change the interpreter, rather than having set date text in the column.

Also for logging in, I was thinking .htaccess the /admin directory. I could hardcode a password into the script maybe.

Weedpacket

music_man wrote:
How should I go about the date format? If I have it UNIX timestamped could I have php interpret that?

Yes, that is what [man]date[/man] is for.

music_man

I have used date

$date = date("jS\/F\/Y");

But when I post that into mysql it just saves it as text... I then can't change the date format?

I was thinking something like

Getting the timestamp
Intepreting it with php
Echoing that interpretation

The interpretation can be modified.

NogDog

The usual date format for inserting into the DB is:

$date = date('Y-m-d');
// or if it's a datetime field:
$date = date('Y-m-d H:i:s');

However, if you just want the current date, you can let MySQL do it with its CURDATE() and NOW() functions.

halojoy

music_man wrote:
Also, the header displays under the editing form...
Any ideas on how to bring that up?

This is something a good CSS style sheet can do.
By using CSS classes for positioning
and maybe use css FLOAT and CLEAR in a proper way.

It is not easy to get boxes and classes to get the postion you want.
But I am sure, many other here can help you with this.
If you post the code of your style sheet for this script.

For example <form> refers to the class 'form'

echo "<form method=\"POST\" action=\"$mainfile\">";

echo "<div class=\"form\">";

and in style:
div.form {
background:cyan; color:black;
}

music_man

If I add $date = date('Y-m-d H:i:s'); to the database as text, then it is stored as such. What if on the page I am displaying it I want to change the date format?

I think the header problem is its position in the code...

halojoy

music_man wrote:
I think the header problem is its position in the code...

Yes, position in code will effect position in HTML page.
Unless you use absolute positioning for every item in CSS.

But normally:
The final position is a combination of
in which order it is added to HTML output
and the CSS style sheet parameters for each class.