Need help with this CMS i was making

cyber_alchemist

I was making a simple CMS for a site, although my programme seems okay , and i have checked it with phpcodecheker.com also I have revised the code , the cms doesn't seem to post or store any data in the CMS :

cms_compose.php:

<?php
require 'db.inc.php';
include 'cms_header.inc.php';

$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or
    die ('Unable to connect. Check your connection parameters.');

mysql_select_db(MYSQL_DB, $db) or die(mysql_error($db));

$action = (isset($_GET['action'])) ? $_GET['action'] : '';
$article_id = (isset($_GET['article_id']) && ctype_digit($_GET['article_id'])) ?
    $_GET['article_id'] : '' ;

$title = (isset($_POST['title'])) ? $_POST['title'] : '' ;
$article_text = (isset($_POST['article_text'])) ? $_POST['article_text'] : '' ;
$user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '' ;

if ($action == 'edit' && !empty($article_id)) {
    $sql = 'SELECT
            title, article_text, user_id
        FROM
            cms_articles
        WHERE
            article_id = ' . $article_id;
    $result = mysql_query($sql, $db) or die(mysql_error($db));

$row = mysql_fetch_array($result);
extract($row);
mysql_free_result($result);
}
?>
<h2>Compose Article</h2>
<form method="post" action="cms_transact_article.php">
 <table>
  <tr>
   <td><label for="title">Title:</label></td>
   <td><input type="text" name="title" id="title" maxlength="255"
     value="<?php echo htmlspecialchars($title); ?>"/></td>
  </tr><tr>
   <td><label for="article_text">Text:</label></td>
   <td><textarea name="article_text" name="article_text" rows="10"
     cols="60"><?php echo htmlspecialchars($article_text); ?></textarea></td>
  </tr><tr>
   <td> </td>
   <td>
<?php
if ($_SESSION['access_level'] < 2) {
    echo '<input type="hidden" name="user_id" value="' . $user_id . '"/>';
}

if (empty($article_id)) {
    echo '<input type="submit" name="action" "value="Submit New Article"/>';
} else {
    echo '<input type="hidden" name="article_id" value="' . $article_id . '"/>';
    echo '<input type="submit" name="action" "value="Save Changes"/>';
}
?>
   </td>
  </tr>
 </table>
</form>
<?php
require_once 'cms_footer.inc.php';
?>

cms_transact_article.php

<?php
require_once 'db.inc.php';
require_once 'cms_http_functions.inc.php';

$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or
    die ('Unable to connect. Check your connection parameters.');

mysql_select_db(MYSQL_DB, $db) or die(mysql_error($db));

if (isset($_REQUEST['action'])) {

switch ($_REQUEST['action']) {
case 'Submit New Article':
    $title = (isset($_POST['title'])) ? $_POST['title'] : '';
    $article_text = (isset($_POST['article_text'])) ? $_POST['article_text']
        : '';
    if (isset($_SESSION['user_id']) && !empty($title) &&
        !empty($article_text)) {
        $sql = 'INSERT INTO cms_articles
                (user_id, submit_date, title, article_text)
            VALUES
                (' . $_SESSION['user_id'] . ', 
                "' . date('Y-m-d H:i:s') . '",
                "' . mysql_real_escape_string($title, $db) . '",
                "' . mysql_real_escape_string($article_text, $db) . '")';
        mysql_query($sql, $db) or die(mysql_error($db));
    }
    redirect('cms_index.php');
    break;

case 'Edit':
    redirect('cms_compose.php?action=edit&article_id=' . $_POST['article_id']);
    break;

case 'Save Changes':
    $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
    $user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
    $title = (isset($_POST['title'])) ? $_POST['title'] : '';
    $article_text = (isset($_POST['article_text'])) ? $_POST['article_text']
        : '';
    if (!empty($article_id) && !empty($title) && !empty($article_text)) {
        $sql = 'UPDATE cms_articles SET 
                title = "' . mysql_real_escape_string($title, $db) . '",
                article_text = "' . mysql_real_escape_string($article_text,
                    $db) . '",
                submit_date = "' . date('Y-m-d H:i:s') . '"
            WHERE
                article_id = ' . $article_id;
        if (!empty($user_id)) {
            $sql .= ' AND user_id = ' . $user_id;
        }
        mysql_query($sql, $db) or die(mysql_error($db));
    }
    if (empty($user_id)) {
        redirect('cms_pending.php');
    } else {
        redirect('cms_cpanel.php');
    }
    break;

case 'Publish':
    $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
    if (!empty($article_id)) {
        $sql = 'UPDATE cms_articles SET 
                is_published = TRUE,
                publish_date = "' . date('Y-m-d H:i:s') . '"
            WHERE
                article_id = ' . $article_id;
        mysql_query($sql, $db) or die(mysql_error($db));
    }
    redirect('cms_pending.php');
    break;

case 'Retract':
    $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
    if (!empty($article_id)) {
        $sql = 'UPDATE cms_articles SET 
                is_published = FALSE,
                publish_date = "0000-00-00 00:00:00"
            WHERE
                article_id = ' . $article_id;
        mysql_query($sql, $db) or die(mysql_error($db));
    }
    redirect('cms_pending.php');
    break;

case 'Delete':
    $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
    if (!empty($article_id)) {
        $sql = 'DELETE a, c FROM
                cms_articles a LEFT JOIN cms_comments c ON
                a.article_id = c.article_id
            WHERE
                a.article_id = ' . $article_id . ' AND
                is_published = FALSE';
        mysql_query($sql, $db) or die(mysql_error($db));
    }
    redirect('cms_pending.php');
    break;

case 'Submit Comment':
    $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
    $comment_text = (isset($_POST['comment_text'])) ?
        $_POST['comment_text'] : '';
    if (isset($_SESSION['user_id']) && !empty($article_id) &&
        !empty($comment_text)) {
        $sql = 'INSERT INTO cms_comments 
                (article_id, user_id, comment_date, comment_text)
            VALUES
                (' . $article_id . ',
                ' . $_SESSION['user_id'] . ',
                "' . date('Y-m-d H:i:s') . '",
                "' . mysql_real_escape_string($comment_text, $db) . '")';
        mysql_query($sql, $db) or die(mysql_error($db));
    }
    redirect('cms_view_article.php?article_id=' . $article_id);
    break;

default:
    redirect('cms_index.php');
}
} else {
    redirect('cms_index.php');
}
?>

cretaceous

Comment out all the redirects in transact file - then when you next try an update or insert you will stay on your transact script and can see what is happening.
Echo out the sql or as a first step just put
echo 'a';
at a strategic point to see where your script gets to..

Maybe first you should upgrade to mysqli or PDO

cyber_alchemist

okay , i will comment out all the redirects in the transact file :queasy: but i haven't learnt the PDO yet, and I know the method I am using here is prone to My Sql injection. I am reading the manual for PDO and how to use it 😃 although my boss wants results 🙁 he doesnt even care how I make it work. :x

cretaceous

your'e only commenting out redirects as a temp solution to figure out why it's not working...
you'd need to put them back afterwards

traq

cyber_alchemist;11033463 wrote:
he doesnt even care how I make it work. :x

he will, once it breaks.