Securing Advice form a Pro please

jerrylouise

Hi im really just a newb here but i need help form a pro i did a bit of reading of how to secure my code form all the nasty kinds of attack so i did remove slashes on stuff and mysql_real_escape_string on all posts to the server i hope. Well please tell me if this will provide adequate protection and error handling.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-Transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>New form topic</title>
<?php
	///start session
		include("include/session.php");
	//////constants
$username = $session->username;
$usrname = $session->username;
$numbers = $database->getNumMembers();
///stylesheet
include("stylesheet/stylesheet.php");
///javascripts
?>
<script type="text/javascript" src="tinymce/jscripts/tiny_mce/tiny_mce_gzip.js"></script>
<script type="text/javascript">
tinyMCE_GZ.init({
	plugins : 'style,layer,table,save,advhr,advimage,advlink,emotions,iespell,insertdatetime,preview,media,searchreplace,print,contextmenu,paste,directionality,fullscreen,noneditable,visualchars,nonbreaking,xhtmlxtras',
	themes : 'simple,advanced',
	languages : 'en',
	disk_cache : true,
	debug : false
});
</script>
<!-- Needs to be seperate script tags! -->
<script type="text/javascript">
tinyMCE.init({
	mode : "textareas",
	theme : "advanced",
	plugins : "table,advimage,advlink,emotions,iespell,insertdatetime,preview,zoom,flash,searchreplace,contextmenu",
	theme_advanced_buttons2_add : "separator,insertdate,inserttime,preview,zoom,separator,forecolor,backcolor",
	theme_advanced_buttons2_add_before: "cut,copy,paste,separator,search,replace,separator",
	theme_advanced_buttons3_add_before : "tablecontrols,separator",
	theme_advanced_buttons3_add : "iespell,flash,advhr",
	theme_advanced_toolbar_location : "top",
	theme_advanced_toolbar_align : "left",
	plugin_insertdate_dateFormat : "%Y-%m-%d",
	plugin_insertdate_timeFormat : "%H:%M:%S",
	extended_valid_elements : "a[name|href|target|title|onclick],img[class|src|border=0|alt|title|hspace|vspace|width|height|align|onmouseover|onmouseout|name],hr[class|width|size|noshade],font[face|size|color|style],span[class|align|style]",
	external_link_list_url : "example_data/example_link_list.js",
	external_image_list_url : "example_data/example_image_list.js",
	flash_external_list_url : "example_data/example_flash_list.js"
});
</script>
</head>
<body>
<div id="container">
<?php
///header
include('includes-blocks/header.php');
?>
<div id="Layer_content">
<div id="content_outer">
<div class="pageheader">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
	<tr align="center">
	    <td class="title">New form topic</td>
	</tr>
</table>
</div>
<table width="100%" border="1" cellspacing="2" cellpadding="0">
<tr>
<td width="20%" valign="top">
<?php
include('includes-blocks/whosonline.php');
?>
</td>
<td width="80%" valign="top">
<?php
///logged in
if($session->logged_in)
	{
///get constants
///error filtering
$title = stripslashes($_GET['title']);
if(is_numeric($_GET['category'])) {
	$topic = $_GET['category'];
		} else {
	echo "Category is not numeric, Please return to the forum and try again";
		}
///// if page has errors
if (!isset($_GET['subpage'])) {  

?>
<form name="story" action="new_forum_topic.php?subpage=upload&category=<?php echo $topic ?>&title=<?php echo $title ?>" method="post">
<table width="100%" border="0" cellpadding="3" cellspacing="0" >
<tr class="page_title"><td width="70%">Add new topic</td><td width="15%"></td><td width="15%"></td></tr>
<tr class="page_contrast"><td width="70%"><input type="submit" value="Post Topic"> | <a href="forum_topic.php?id=<?php echo $topic ?>&title=<?php echo $title ?>">Back to forum</a></td><td width="15%"></td><td width="15%"></td></tr>
<tr class="page_contrast"><td width="70%">Title: <input type="text" size="35" name="subject"/></td><td width="15%"></td><td width="15%"></td></tr>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0" >
<tr class="mail_bcknd">
<td width="10%"></td>
<td width="80%">
<textarea name="post" rows="15" cols="80"></textarea>
</form>
</td>
<td width="10%"></td>
</tr>
</table>
<?php
}
else  if (isset($_GET['subpage']) && $_GET['subpage'] == 'upload') {
////constants////
$subject = stripslashes($_POST['subject']);
$post = stripslashes($_POST['post']);
///set up time
date_default_timezone_set('Europe/London');
$today = date("F j, Y, g:i a");
////error checking
if ($subject == "" or $post == "") {
?>
<form name="story" action="new_forum_topic.php?subpage=upload&category=<?php echo $topic ?>&title=<?php echo $title ?>" method="post">
<table width="100%" border="0" cellpadding="3" cellspacing="0" >
<tr class="page_title"><td width="70%">Add new topic</td><td width="15%"></td><td width="15%"></td></tr>
<tr class="page_contrast"><td width="70%"><input type="submit" value="Post Topic"> | <a href="forum_topic.php?id=<?php echo $topic ?>&title=<?php echo $title ?>">Back to forum</a></td><td width="15%"></td><td width="15%"></td></tr>
<tr class="page_contrast"><td width="70%"><?php
	if ($subject == "") {
		echo "<font class=\"error\">You seem to have forgotten to add the subject of your post</font>";
				}
		?></td><td width="15%"></td><td width="15%"></td></tr>
<tr class="page_contrast"><td width="70%">Title: <input type="text" name="subject" value="<?php echo htmlentities($subject); ?>"/></td><td width="15%"></td><td width="15%"></td></tr>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0" >
<tr class="mail_bcknd">
<td width="10%"></td>
<td width="80%">
	<?php
	if ($post == "") {
		echo "<font class=\"error\">You seem to have forgotten to add the content of your post</font>";
				}
		?>
</td>
<td width="10%"></td>
</tr>
<tr class="mail_bcknd">
<td width="10%"></td>
<td width="80%">
<textarea name="post" rows="15" cols="80"><?php echo htmlentities($post); ?></textarea>
</form>
</td>
<td width="10%"></td>
</tr>
</table>
<?php
////end the error checking
}
/////uploader component////
else {
////error handling
$topic_subject = stripslashes($_POST['subject']);
$bodytext = stripslashes($_POST['post']);
if(is_numeric($_GET['category'])) {
	$category = $_GET['category'];
		} else {
	echo "Category is not numeric, Please return to the forum and try again";
		}
////the uploading process/////
$sql = sprintf("INSERT INTO `forum-posts` (`post-id`, `username`, `date`, `subject`, `post`, `lastpost`, `lastposttime`) VALUES ('%d', '%s', '%s', '%s', '%s', '%s', '%s')",
			mysql_real_escape_string($category),
			mysql_real_escape_string($username),
			mysql_real_escape_string($today),
			mysql_real_escape_string($topic_subject),
			mysql_real_escape_string($bodytext),
			mysql_real_escape_string($username),
			mysql_real_escape_string($today));
$query = mysql_query($sql);
if(!$query) {
///// error out /////
echo "There was an error, please try again.";
} 
else 
?>
<table width="100%" border="0" cellpadding="3" cellspacing="0" >
<tr class="page_title"><td width="70%">Uploaded</td><td width="15%"></td><td width="15%"></td></tr>
</table>
<table width="100%" border="0" cellpadding="3" cellspacing="0" >
<tr>
<td width="15%" class="mail_bcknd"></td>
<td width="70%">
<p style="margin-bottom: 13pt" class="MsoNormal"><span style="color: #242424; font-family: ArialMT" class="Apple-style-span">Thank you very much for contributing.</span></p><p style="margin-bottom: 13pt" class="MsoNormal"><span style="color: #242424; font-family: ArialMT" class="Apple-style-span">You may now go back to the forum page. Or any other page ^_^</span></p>
</td>
<td width="15%" class="mail_bcknd"></td>
</tr>
<tr class="mail_bcknd">
<td width="15%" class="mail_bcknd"></td>
<td width="70%" align="center">
<p style="margin-bottom: 13pt" class="MsoNormal"><span style="color: #242424; font-family: ArialMT" class="Apple-style-span"><a href="forum.php">Back to forum</a> | <a href="forum_topic.php?id=<?php echo $topic ?>&title=<?php echo $title ?>">Back to <?php echo $title; ?></a></span></p>
</td>
<td width="15%" class="mail_bcknd"></td>
</tr>
</table>
<?php
/////////////////update forum lastpost/////////////
	///// removed slashes form the category
	$post_subject = stripslashes($_POST['subject']);
		if(is_numeric($_GET['category'])) {
			$category = $_GET['category'];
		} else {
			echo "Category is not numeric, Please return to the forum and try again";
		}
			////error handling/////
			$find_subject = stripslashes($_POST['subject']);
			////load the last record for update//////
				$sql = sprintf("SELECT * FROM `forum-posts` WHERE `subject` = '%s'",
				mysql_real_escape_string($find_subject));
					$query = mysql_query($sql);
						$row = mysql_fetch_row($query);
							$number = "$row[0]";
			/////update the topic headings with the new data///
			$sql = sprintf("UPDATE `forum-topics` SET `lastpost`='%s', `lastposttime`='%s', `lasttopic`='%s', `lastid`='%s' WHERE `id` = '%s'", 
            mysql_real_escape_string($username), 
            mysql_real_escape_string($today), 
            mysql_real_escape_string($post_subject), 
            mysql_real_escape_string($number), 
            mysql_real_escape_string($category)); 
				$query = mysql_query($sql);
					if(!$query) {
					///// error out /////
						echo "There was an error, please try again.";
					} 
}
}
}
else {
readfile("includes-blocks/frontpage.html");
}
?>
</td>
</tr>
</table>
</div>
<div id="footer">
<img src="images/header/page_footer.png" alt="footer" />
</div>
</div></div>
</body>
</html>

updated with latest code.
updated 2, added htmlentities to the displayed post.

halojoy

hi!

Did you debug this script, jerry?
And it is working now?

mysql escaping will make your code more secure

but we should know one thing:
there are only degrees of how secure any website is
Not even Pentagon site or us.gov,
who have billions and billions to spend on security,
are 100% safe.

It is almost laughable to read, some young boys are getting into
secret information at big, big websites.
Evenso military sites.

Regards

jerrylouise

yes its all debugged and i would like well someone smarter than me and not dyslexic like me to read over the code and give it a thumbs up for a production environment on my site.

This way i can finish my site and use this page as a template for securing the existing pages and all new pages.

halojoy

🙂

If there was such thing as a thumbs up smilie at this board
I would give it to you.
Because I have no doubt your site is above average
when comes to degree of security.

how much security one needs depends

how secure does a little guestbook need to be?
it is not end of world, if I do make it 87.5% secure

how much security does the online bank website need?
where I have my money
of course it needs to be as secure as possible or people
wouldnt want to use it
so here we try to make it 99.4% secure

my effort to secure something
must be put into relation of the consequencies if something happens
if consequencies are not very large
... I might have wasted my effort and work, onto trying make it 97.7% secure
... It may even be foolish of me complicating my scripts too much
... instead of keeping it simple, clean and lightweight
... There is always a price you pay
Your website may be slower, if you have to run all your code
through numbers of security tests.
🙂

May be a waste of time,
Especially since we know,
that even those spending 1000 and 1000 of money
to pay clever people to make their websites 'secure',
would fail into achieving any 'total security'

Regards

bradgrafelman

Since you're talking about a production environment, guess it's time to get picky...

$topic = $_GET['catagory'];
$title = $_GET['title'];

What happens if either of those aren't defined?

You later incorporate $topic/$title directly into some HTML. What if some non-safe HTML characters were given? What if a slash, quote, etc. character was given? Would your HTML still be compliant?
```
$subject = stripslashes($_POST['subject']);
$post = stripslashes($_POST['post']); 
```
What is the purpose of stripslashes() here? Also, what happens if one or both of those aren't POST'ed?
Again, you incorporate $subject and $post directly into your HTML. What if they had posted brackets, quotes, slashes, line breaks, etc. etc. ?

$topic_subject = stripslashes($_POST['subject']);
$bodytext = stripslashes($_POST['post']);

Again I'm not sure why the stripslashes() are used...?

```
$_GET['catagory']
```
Is that similar to "category" ? :p
Your DB structure seems extremely non-normalized. You need to read up on DB normalization!
"date" and "lastposttime" should probably be DATETIME fields in your SQL database, though they clearly aren't. Why not? If you're storing a date, doesn't it make sense to use a DATE type column? This will also force you to store dates in a standard, usable format (you won't even need to calculate the date - just use one of MySQL's DATE functions... ex. NOW(), assuming you're using MySQL).
```
print mysql_error();
```
Never, ever, EVER print MySQL (or even PHP) error messages directly to the screen. This allows attackers to learn more about the vulnerabilities/schema of your application.

In a production server, you should be utilizing at least PHP's log_errors directive (and display_errors should be Off, by the way). Better solutions entail using PHP's [man]set_error_handler/man to redirect errors to their own custom-made set of functions that properly log (and alert related personnel if needed) and gracefully inform the user of any errors that occur.
The ending portion of your script clearly shows the dire need for you to normalize your database. As such, I won't even critique the SQL mistakes here.
```
else
{
}
```
What's the point of this?
```
include("includes-blocks/frontpage.html");
```
Why are you include()'ing a .html page? Does it really have PHP code you need to parse? I'm guessing not, which means you should probably use a function such as [man]readfile/man that simply outputs a file rather than loading it and looking for PHP code to parse.
Towards the end of your script, you have this:
```
if(!$query) {
///// error out /////
echo "There was an error, please try again.";
print mysql_error();
}
else
{
}
}
}
}
else {
include("includes-blocks/frontpage.html");
}
```
Could you immediately point out which opening { is paired to each } if I asked you? Probably not. This is why properly indented code is so much easier to read.
Finally, have you run this page through an HTML validator (such as this one)? I see you included the XHTML 1.0 Transitional doctype. Did it say there were no errors found and that this is indeed valid XHTML 1.0 Transitional code?

jerrylouise

okies to number 1, i have changed that before this post.

to the other ones well i don't know what would happen if something like a ( was added but it has been set with the slashes thing and tested so that / and \ are removed form the post.

I use strip slashes mainly for if someone posted something like name's it would come up as name/'s witch isn't very good and i read up that they were a easy way to attack my database.

how do i test for these things and what imprecations do they have.
im the only one that uses the database, it doesn't need to follow any standards just work. And the date things are varchars because at the time i didn't yet know how to post dates to my database.
i didn't know readfile() existed until now
the else is going to have a error message in it, and i know how they pair up but will be working on more indenting of the code.
yes i passed the page though the w3c validation before i added the error checking and it came out with 3 errors in the javascript.

Further i will be removing the php errors but i kept them in for now for my use. And the page is tested that if any data is missing it returns the user to the error forum.

Thank you for your assistance ^_

bradgrafelman

jerrylouise wrote:
to the other ones well i don't know what would happen if something like a ( was added but it has been set with the slashes thing and tested so that / and \ are removed form the post.

But why remove these? Basically, there's two things you don't want users' data to do: break your HTML, or break your DB. As for the HTML, all you need to do is use a function such as [man]htmlentities/man - that way things like < and > and " and convert them to HTML-safe equivalents.

jerrylouise wrote:
I use strip slashes mainly for if someone posted something like name's it would come up as name/'s witch isn't very good and i read up that they were a easy way to attack my database.

If this is happening, then your server must have magic_quotes_gpc() enabled, in which case you should contact your server administrator and have it disabled. A common way to reverse magic_quotes_gpc's effects is this:

if(get_magic_quotes_gpc()) {
    foreach($_REQUEST as $key => $name)
        $_REQUEST[$key] = stripslashes($name);
}

When you insert data into your SQL DB, you already use mysql_real_escape_string(), so you don't need to worry about slashes and quotes and whatnot - the function will escape them as necessary for you.

jerrylouise wrote:
4. how do i test for these things and what imprecations do they have.

See my comment above on using htmlentities().

jerrylouise wrote:
im the only one that uses the database, it doesn't need to follow any standards just work.

Always a common pitfall behavior. What ever happened to "If something is worth doing, it's worth doing well" ? :p Practicing concepts such as DB normalization - no matter what the application, it's setting, what you think is the bare minimum need, etc. - can only help improve your skills as knowledge as a programmer. Not only does it bring order to your DB and increase efficiency, but I personally think it's easier to manage an application once I've normalized the DB schema.

jerrylouise wrote:
12. i didn't know readfile() existed until now

Learn something new everyday, eh? 😉 That's what this forum's all about!

jerrylouise wrote:
14. yes i passed the page though the w3c validation before i added the error checking and it came out with 3 errors in the javascript.

That's definitely a good start. If you need help with interpreting the validator's response and how to fix the errors, feel free to post the results and attach the HTML code in a thread down in the ClientSide Technologies forum.

jerrylouise wrote:
Further i will be removing the php errors but i kept them in for now for my use.

Quite alright, I just wanted to make sure you were aware of these concepts since you talked about moving the script to a production environment.

Weedpacket

Okay, we're supposed to be looking at security, but I'm willing to bet that a fair chunk of that HTML could be discarded if CSS was used to lay out the form instead of multiple tables - remember, forms can have fieldsets, legends, and labels, too - but I'm guessing this HTML was made with something in Microsoft Office, yes?

            mysql_real_escape_string($username),
            mysql_real_escape_string($today),
            mysql_real_escape_string($post_subject),
            mysql_real_escape_string($number),
            mysql_real_escape_string($_GET['catagory']));

Is the reason $_GET['catagory'] is used here because a few lines earlier you typed

    $catagoy = $_GET['catagory'];

and then found that $catagory didn't work? (Incidentally, that isn't the only word that's misspelled - saying "numberic" in public isn't a good look).

jerrylouise

Weedpacket wrote:
Okay, we're supposed to be looking at security, but I'm willing to bet that a fair chunk of that HTML could be discarded if CSS was used to lay out the form instead of multiple tables - remember, forms can have fieldsets, legends, and labels, too - but I'm guessing this HTML was made with something in Microsoft Office, yes?
            mysql_real_escape_string($username),
            mysql_real_escape_string($today),
            mysql_real_escape_string($post_subject),
            mysql_real_escape_string($number),
            mysql_real_escape_string($_GET['catagory']));
Is the reason $_GET['catagory'] is used here because a few lines earlier you typed
    $catagoy = $_GET['catagory']; 
and then found that $catagory didn't work? (Incidentally, that isn't the only word that's misspelled - saying "numberic" in public isn't a good look).

mmm im sure once i learn a lot more css i could build the pages without tables witch i would love to do and no its not made in Microsoft Office there is no Microsoft application suitable for web design. I use Taco HTML edit witch i like because it makes all my code coloured so i can see it easier.

For spelling i have to wait for my friend to check it all for me it just mingles up all the time for me anyway. I think the $category need to be condensed a little and im working on that.

Once i can make the entire site in css without tables i will be happier.

jerrylouise

bradgrafelman wrote:
But why remove these? Basically, there's two things you don't want users' data to do: break your HTML, or break your DB. As for the HTML, all you need to do is use a function such as [man]htmlentities/man - that way things like < and > and " and convert them to HTML-safe equivalents.

okay i will look into this htmlentitles()

If this is happening, then your server must have magic_quotes_gpc() enabled, in which case you should contact your server administrator and have it disabled. A common way to reverse magic_quotes_gpc's effects is this:
if(get_magic_quotes_gpc()) {
    foreach($_REQUEST as $key => $name)
        $_REQUEST[$key] = stripslashes($name);
}
When you insert data into your SQL DB, you already use mysql_real_escape_string(), so you don't need to worry about slashes and quotes and whatnot - the function will escape them as necessary for you.

unfortunately my host will not disable this, so i strip slashes manually.

Always a common pitfall behavior. What ever happened to "If something is worth doing, it's worth doing well" ? :p Practicing concepts such as DB normalization - no matter what the application, it's setting, what you think is the bare minimum need, etc. - can only help improve your skills as knowledge as a programmer. Not only does it bring order to your DB and increase efficiency, but I personally think it's easier to manage an application once I've normalized the DB schema.

i will look into this but not till further revisions of the site.

Learn something new everyday, eh? 😉 That's what this forum's all about!

Yes thank you i tried this out it works well.

That's definitely a good start. If you need help with interpreting the validator's response and how to fix the errors, feel free to post the results and attach the HTML code in a thread down in the ClientSide Technologies forum.

trying to correct the javascript errors causes the script to fail completely.

Quite alright, I just wanted to make sure you were aware of these concepts since you talked about moving the script to a production environment.

When i say production environment i mean a live site with 1000 registered members.

jerrylouise

okie i read about htmlentities, Q? will it be a secure drop in replace ment for mysql_real_escape_string.

bradgrafelman

No, you would want to use htmlentities() when displaying the data (ex. when you echo out the values back into the form if an error occurs), and use mysql_real_escape_string() when storing data in the DB.

jerrylouise

bradgrafelman wrote:
No, you would want to use htmlentities() when displaying the data (ex. when you echo out the values back into the form if an error occurs), and use mysql_real_escape_string() when storing data in the DB.

oh okies i see.

Weedpacket

jerrylouise wrote:
and no its not made in Microsoft Office there is no Microsoft application suitable for web design.

Oh, okay; it's just the heavy use of "MsoNormal" that makes it look Office-generated. The single-font style declaration (what if the user doesn't have Arial MT installed?) and specifying margins in terms of points instead of pixels also makes it look like it was intended for paper rather than the screen.

jerrylouise

ah some of the text font, that was generated with tinymce. What i do for any large blocks of text is i right it in word then put it into my tinymce witch is a rich text editor i built into my site, and i get the font and stuff for the site until i sort out my stylesheet.

My stylesheet needs completely rewritten it was designed for a very early version of this site has has so many redundant and conflicting items in it i needs a major over hall.

The text i was going for is verdana(spelling?)

jerrylouise

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-Transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
		<title>New form topic</title>
<?php
	///start session
		include("include/session.php");
	//////constants
$username = $session->username;
$usrname = $session->username;
$numbers = $database->getNumMembers();
///stylesheet
include("stylesheet/stylesheet.php");
///javascripts go here, post limit
?>
	</head>
	<body>
		<div id="container">
<?php
///header
include('includes-blocks/header.php');
?>
			<div id="Layer_content">
				<div id="content_outer">
					<div class="pageheader">
						<table width="100%" border="0" cellspacing="0" cellpadding="0">
							<tr align="center">
								<td class="title">New form topic</td>
							</tr>
						</table>
					</div>
					<table width="100%" border="1" cellspacing="2" cellpadding="0">
						<tr>
							<td width="20%" valign="top">
<?php
include('includes-blocks/whosonline.php');
?>
							</td>
							<td width="80%" valign="top">
<?php
///logged in
if($session->logged_in)
	{
///get constants
///error filtering
$title = stripslashes($_GET['title']);
if(is_numeric($_GET['category'])) {
	$topic = $_GET['category'];
		} else {
	echo "Category is not numeric, Please return to the forum and try again";
		}
///// if page has errors
if (!isset($_GET['subpage'])) {  

?>
								<form name="story" action="new_forum_topic.php?subpage=upload&category=<?php echo $topic ?>&title=<?php echo $title ?>" method="post">
									<table width="100%" border="0" cellpadding="3" cellspacing="0" >
										<tr class="page_title"><td width="70%">Add new topic</td><td width="15%"></td><td width="15%"></td></tr>
										<tr class="page_contrast">
											<td width="70%">
												<input type="submit" value="Post Topic"> | <a href="forum_topic.php?id=<?php echo $topic ?>&title=<?php echo $title ?>">Back to forum</a>
											</td>
											<td width="15%"></td>
											<td width="15%"></td>
										</tr>
										<tr class="page_contrast">
											<td width="70%">Title: <input type="text" size="35" name="subject"/></td>
											<td width="15%"></td>
											<td width="15%"></td>
										</tr>
									</table>
									<table width="100%" border="0" cellpadding="0" cellspacing="0" >
										<tr class="mail_bcknd">
											<td width="10%"></td>
											<td width="80%">
												<textarea name="post" rows="15" cols="80"></textarea>
								</form>
							</td>
							<td width="10%"></td>
						</tr>
					</table>
<?php
}
else  if (isset($_GET['subpage']) && $_GET['subpage'] == 'upload') {
////constants////
$subject = stripslashes($_POST['subject']);
$post = stripslashes($_POST['post']);
///set up time
date_default_timezone_set('Europe/London');
$today = date("F j, Y, g:i a");
////error checking
if ($subject == "" or $post == "") {
?>
					<form name="story" action="new_forum_topic.php?subpage=upload&category=<?php echo $topic ?>&title=<?php echo $title ?>" method="post">
						<table width="100%" border="0" cellpadding="3" cellspacing="0" >
							<tr class="page_title"><td width="70%">Add new topic</td><td width="15%"></td><td width="15%"></td></tr>
							<tr class="page_contrast">
								<td width="70%">
									<input type="submit" value="Post Topic"> | <a href="forum_topic.php?id=<?php echo $topic ?>&title=<?php echo $title ?>">Back to forum</a>
								</td>
								<td width="15%"></td>
								<td width="15%"></td>
							</tr>
							<tr class="page_contrast">
								<td width="70%"><?php
	if ($subject == "") {
		echo "<font class=\"error\">You seem to have forgotten to add the subject of your post</font>";
				}
		?>
								</td>
								<td width="15%"></td>
								<td width="15%"></td>
							</tr>
							<tr class="page_contrast">
								<td width="70%">Title: <input type="text" name="subject" value="<?php echo htmlentities($subject); ?>"/></td>
								<td width="15%"></td>
								<td width="15%"></td>
							</tr>
						</table>
						<table width="100%" border="0" cellpadding="0" cellspacing="0" >
							<tr class="mail_bcknd">
								<td width="10%"></td>
								<td width="80%">
	<?php
	if ($post == "") {
		echo "<font class=\"error\">You seem to have forgotten to add the content of your post</font>";
				}
		?>
								</td>
								<td width="10%"></td>
							</tr>
							<tr class="mail_bcknd">
								<td width="10%"></td>
								<td width="80%">
									<textarea name="post" rows="15" cols="80"><?php echo htmlentities($post); ?></textarea>
					</form>
					</td>
					<td width="10%"></td>
					</tr>
					</table>
<?php
////end the error checking
}
/////uploader component////
else {
////error handling
$topic_subject = stripslashes($_POST['subject']);
$bodytext = stripslashes($_POST['post']);
if(is_numeric($_GET['category'])) {
	$category = $_GET['category'];
		} else {
	echo "Category is not numeric, Please return to the forum and try again";
		}
////the uploading process/////
$sql = sprintf("INSERT INTO `forum-posts` (`post-id`, `username`, `date`, `subject`, `post`, `lastpost`, `lastposttime`) VALUES ('%d', '%s', '%s', '%s', '%s', '%s', '%s')",
			mysql_real_escape_string($category),
			mysql_real_escape_string($username),
			mysql_real_escape_string($today),
			mysql_real_escape_string($topic_subject),
			mysql_real_escape_string($bodytext),
			mysql_real_escape_string($username),
			mysql_real_escape_string($today));
$query = mysql_query($sql);
if(!$query) {
///// error out /////
echo "There was an error, please try again.";
} 
else 
?>
					<table width="100%" border="0" cellpadding="3" cellspacing="0" >
						<tr class="page_title"><td width="70%">Uploaded</td><td width="15%"></td><td width="15%"></td></tr>
					</table>
					<table width="100%" border="0" cellpadding="3" cellspacing="0" >
						<tr>
							<td width="15%" class="mail_bcknd"></td>
							<td width="70%">
								<p style="margin-bottom: 13pt" class="MsoNormal"><span style="color: #242424; font-family: ArialMT" class="Apple-style-span">Thank you very much for contributing.</span>
								</p>
								<p style="margin-bottom: 13pt" class="MsoNormal"><span style="color: #242424; font-family: ArialMT" class="Apple-style-span">You may now go back to the forum page. Or any other page ^_^</span>
								</p>
							</td>
							<td width="15%" class="mail_bcknd"></td>
						</tr>
						<tr class="mail_bcknd">
							<td width="15%" class="mail_bcknd"></td>
							<td width="70%" align="center">
								<p style="margin-bottom: 13pt" class="MsoNormal"><span style="color: #242424; font-family: ArialMT" class="Apple-style-span"><a href="forum.php">Back to forum</a> | <a href="forum_topic.php?id=<?php echo $topic ?>&title=<?php echo $title ?>">Back to <?php echo $title; ?></a>
									</span>
								</p>
							</td>
							<td width="15%" class="mail_bcknd"></td>
						</tr>
					</table>
<?php
/////////////////update forum lastpost/////////////
	///// removed slashes form the category
	$post_subject = stripslashes($_POST['subject']);
		if(is_numeric($_GET['category'])) {
			$category = $_GET['category'];
		} else {
			echo "Category is not numeric, Please return to the forum and try again";
		}
			////error handling/////
			$find_subject = stripslashes($_POST['subject']);
			////load the last record for update//////
				$sql = sprintf("SELECT * FROM `forum-posts` WHERE `subject` = '%s'",
				mysql_real_escape_string($find_subject));
					$query = mysql_query($sql);
						$row = mysql_fetch_row($query);
							$number = "$row[0]";
			/////update the topic headings with the new data///
			$sql = sprintf("UPDATE `forum-topics` SET `lastpost`='%s', `lastposttime`='%s', `lasttopic`='%s', `lastid`='%s' WHERE `id` = '%s'", 
            mysql_real_escape_string($username), 
            mysql_real_escape_string($today), 
            mysql_real_escape_string($post_subject), 
            mysql_real_escape_string($number), 
            mysql_real_escape_string($category)); 
				$query = mysql_query($sql);
					if(!$query) {
					///// error out /////
						echo "There was an error, please try again.";
					} 
}
}
}
else {
readfile("includes-blocks/frontpage.html");
}
?>
					</td>
					</tr>
					</table>
				</div>
				<div id="footer">
					<img src="images/header/page_footer.png" alt="footer" />
				</div>
			</div>
		</div>
	</body>
</html>