Why does my form get replaced with echo "0"? - php

I got an error on my page that I can't identify, and when I view the site online it replaces all my site content with the value "0".
How come I can't see the forms, and is it communicating with the SQL server properly?
PS: Login works and session is created, so the connect.php does work properly.
Here is the code for members.php:
<?php
// starting session
session_start();
// check if user is logged in
if (!isset($_SESSION['username']))
{
header('Location: http://wwww.gjertgjersund.com/');
exit();
}
else
{
// database connection
require ('connect.php');
//post record count
$post_count = mysql_query("SELECT * FROM posts");
$post_count_result = mysql_num_rows($post_count);
//comment count
$comment_count = mysql_query("SELECT * FROM comments");
$comment_count_result = mysql_num_rows($comment_count);
if(isset($_POST['submit']))
{
$newcategory = $_POST['newcategory'];
if(!empty($newcategory))
{
$query = mysql_query("INSERT * INTO categories (category) VALUES ('$newcategory')";
if($query)
{
echo 'New category added';
}
}
else
{
echo 'Error';
}
}
else
{
echo 'Missing newcategory';
}
}
?>
<!DOCTYPE HTML>
<html>
<head>
<title> Folder </title>
<body>
<div class="wrap">
<div id="menu">
<ul>
<li><a href='#'>Home</a></li>
<li><a href='#'>Create New Post</a></li>
<li><a href='#'>Delete Post</a></li>
<li><a href='logout.php'>Log Out</a></li>
<li><a href='#'>Blog Home Page</a></li>
</ul>
</div>
<div id="maincontent">
<table>
<tr>
<td>Total Blog Post</td>
<td><?php echo $post_count_result ?></td>
</tr>
<tr>
<td>Total Comments</td>
<td><?php echo $comment_count_result ?></td>
</tr>
</table>
<div id="categoryform">
<form action="members.php" method="post">
<label for="category">Add New Category</label>
<input type="text" name="newcategory"/>
<input type="submit" name="submit" value="Create"/>
</form>
</div>
</div>
</div>
</body>
</html>


$query = mysql_query("INSERT * INTO categories (category) VALUES ('$newcategory')";
should be
$query = mysql_query("INSERT INTO categories (category) VALUES ('$newcategory')";

Related

How to allow only session user to modify review php sql?

This is code for user review system, Everything is working fine with this code but i want to allow only those user to modify their reviews who are on session (logged in) so i just want to add if($_SESSION['id']==$row['user_id']) then open modify page or else echo"Access Denied"; i have tried this code but its not fetching session_id & also i am not sure where should i place this code because i will also block edit page please help anyone..i m stucked
edit page is that page where user can add review
modify page is that page where user can update edit already added review
reviews.php
<?php
session_start();
include('server3.php');
include('config.php');
if (isset($_GET['edit'])) {
$id = $_GET['edit'];
$record = mysqli_query($db, "SELECT * FROM info WHERE user_id=$id");
if (count($record) == 1 ) {
$nm = mysqli_fetch_array($record);
$name = $nm['name'];
$address = $nm['address'];
$yid= $nm['id'];
}
}
if (isset($_GET['modify'])) {
$update = true;
$id = $_GET['modify'];
$record2 = mysqli_query($db, "SELECT * FROM info WHERE id=$id");
if (count($record2) == 1 ) {
$n = mysqli_fetch_array($record2);
$name = $n['name'];
$address = $n['address'];
}
}
?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css">
<link rel="stylesheet" type="text/css" href="somecss.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="NAV/jquery.min.js"></script>
<script src="NAV/bootstrap.min.js"></script>
</head>
<body>
<header id="fixed-header">
<center><img id="logo" src="logo.png" height="82" width="350" style="border-radius:8px; margin-top:-100px;"/></center>
</header>
<nav class="navbar navbar-inverse" style="margin-bottom:0px;" >
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#myNavbar">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">NearestMentor.Com</a>
</div>
<div class="collapse navbar-collapse" id="myNavbar">
<ul class="nav navbar-nav">
<li class="active">Home</li>
<li>What's This</li>
<li>How to Use</li>
<li>Contribute & Win</li>
<li>Winner Mentors Leatherboard</li>
<li>Terms</li>
<li>About Us</li>
<li>Donate Us</li>
</ul>
<ul class="nav navbar-nav navbar-right">
<?php
$loggedin = isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true;
if($loggedin) : ?>
<li><span class="glyphicon glyphicon-pencil"> </span>My Q & A</li>
<li><span class="glyphicon glyphicon-user"> </span>Edit Profile</li>
<li><span class="glyphicon glyphicon-log-in"> </span>Logout</li>
<?php else : ?>
<li><span class="glyphicon glyphicon-user"></span> Sign Up</li>
<li><span class="glyphicon glyphicon-log-in"></span> Login</li>
<?php endif; ?>
</ul>
</div>
</div>
</nav>
<?php if (isset($_SESSION['message'])): ?>
<div class="msg">
<?php
echo $_SESSION['message'];
unset($_SESSION['message']);
?>
</div>
<?php endif ?>
<?php $results = mysqli_query($db, "SELECT * FROM info WHERE user_id=$id"); ?>
<table>
<thead>
<tr>
<th>Name</th>
<th>Review</th>
<th colspan="2">Action</th>
</tr>
</thead>
<?php while ($row = mysqli_fetch_array($results)) { ?>
<tr>
<td><?php echo $row['name']; ?></td>
<td><?php echo $row['address']; ?></td>
<td>
<?php
if($row['user_id']==$_SESSION['id'])
{
echo "<a href='review.php?modify=".$row['id'];"class='edit_btn' >Edit</a>";
}
else
{
echo "";
}
?>
</td>
<td>
Delete
</td>
</tr>
<?php } ?>
</table>
<form method="post" action="server3.php" >
<input type="hidden" name="id" value="<?php echo $id; ?>">
<div class="input-group">
<label>USERID</label>
<input type="text" name="user_id" style="width:670px; height:40px;" value=
"<?php echo $id;?>"
</div>
<div class="input-group">
<label>Name</label>
<input type="text" name="name" style="width:670px; height:40px;" value='<?php echo $_SESSION['username'] ?>' readonly="readonly">
</div>
<div class="input-group">
<label>Give Your Review</label>
<input type="text" name="address" style="width:670px;" value="<?php echo $address; ?>">
</div>
<div class="input-group">
<?php if($update=='true')
{
echo '<button class="btn" type="submit" name="update" style="background: #556B2F;" >update</button>';
}
else
{
echo '<button class="btn" type="submit" name="save" >Save</button>';
} ?>
</div>
</form>
</body>
</html>
server3.php
<?php
session_start();
$db = mysqli_connect('localhost', 'root', '', 'mydatabase');
// initialize variables
$name = "";
$address = "";
$id = 0;
$update = false;
if (isset($_POST['save'])) {
$user_id = $_POST['user_id'];
$name = $_POST['name'];
$address = $_POST['address'];
mysqli_query($db, "INSERT INTO info (user_id, name, address) VALUES ('$user_id','$name', '$address')");
$_SESSION['message'] = "Review Saved, Thankyou!";
header('location: review.php?edit='.$user_id);
}
if (isset($_POST['update'])) {
$id = $_POST['id'];
$name = $_POST['name'];
$address = $_POST['address'];
mysqli_query($db, "UPDATE info SET name='$name', address='$address' WHERE id=$id");
$_SESSION['message'] = "Review Updated, Thankyou!";
echo("<script>alert('Review Successfully Updated!')</script>");
echo("<script>window.location = 'index.php';</script>");
}
if (isset($_GET['del'])) {
$id = $_GET['del'];
mysqli_query($db, "DELETE FROM info WHERE id=$id");
$_SESSION['message'] = "Review Deleted, Thankyou!";
echo("<script>alert('Review Successfully Deleted!')</script>");
echo("<script>window.location = 'index.php';</script>");
}
$results = mysqli_query($db, "SELECT * FROM info");
?>

Why not just use an OAuth login like google to create the user and then use that login to authenticate whether the user can edit a review? It makes it easier for users to create an account, which means you are more likely to get those reviews AND you can check if they are actual customers by implementing a system where they can order online and then do a check if they actually buy from you and verify them as a purchaser. Possibly hide reviews that are spam or non-customer reviews.
I was looking at server3.php and you need to do a lot of checks. This code is vulnerable to MySQL Injections and can easily store garbage data into your database server. I recommend using PDO and prepared queries. I also recommend you check for valid email and escape all data input from the user. Right now I hope this is not on a single live website.

DIsplaying posts only created by specific user on his own dashboard

Displaying posts by specific user? this i saw is for ruby on rails and it couldn't help me..
I have two tables, users and posts.
If a user posts anything, it displays on his dashboard which works fine for now. But what i need is for the user to view only his posts.
Please help...
Below is my code:
server.php
<?php
// connect to database
require_once 'database.php';
// initialize variables
$note = "";
$id = 0;
$edit_state = false;
// if save button is clicked
if (isset($_POST['save'])) {
$note = addslashes($_POST['note']);
$created_at = date("Y-m-d H:i:s");
// basic first name validation
if (empty($note)) {
$error = true;
$noteError = "Field cannot be empty.";
}else {
// insert records if no error
$query = "INSERT INTO posts (note, created_at, updated_at) VALUES ('$note', '$created_at', NOW())";
mysqli_query($dbconn, $query);
$_SESSION['msg'] = "Saved";
header('location: ../home.php'); // redirect to home page after inserting
}
}
?>
and this is home.php where results are displayed
<?php
ob_start();
session_start();
error_reporting(E_ALL);
require_once 'config/database.php';
include 'config/server.php';
// if session is not set this will redirect to login page
if( !isset($_SESSION['user']) ) {
header("Location: index.php");
exit;
}
// select loggedin users detail
$res=mysqli_query($dbconn, "SELECT * FROM users WHERE Id=".$_SESSION['user']);
$userRow=mysqli_fetch_array($res);
?>
<div class="container" style="margin-top: 100px;">
<div class="row">
<div class="col-sm-6">
<div class="wrap-status100">
<form method="post" class="login100-form validate-form" action="config/server.php" autocomplete="off">
<span class="login100-form-title p-b-26">
<?php if (isset($_SESSION['msg'])): ?>
<div class="form-group">
<div class="alert alert-<?php echo $_SESSION['msg']; unset($_SESSION['msg']); ?>">
<span class="glyphicon glypicon-info-sign"></span>
</div>
</div>
<?php endif ?>
What's up <?php echo $userRow['fname']; ?>?
</span>
<div class="wrap-input100 validate-input">
<textarea name="note" class="input100" value="<?php echo $note; ?>"></textarea>
<span class="focus-input100" data-placeholder="Write note here."></span>
</div>
<div class="container-login100-form-btn">
<div class="wrap-login100-form-btn">
<div class="login100-form-bgbtn"></div>
<?php if ($edit_state == false): ?>
<button name="save" class="login100-form-btn">
Save
</button>
<?php else: ?>
<button name="update" class="login100-form-btn">
Update
</button>
<?php endif ?>
</div>
</div>
</div>
</form>
</div>
<div class="col-sm-6">
<?php if (isset($_SESSION['msg'])): ?>
<div class="msg">
<?php
echo $_SESSION['msg'];
unset($_SESSION['msg']);
?>
</div>
<?php endif ?>
<table>
<thead>
<tr>
<th>Note</th>
<th>created</th>
<th>Updated</th>
<th colspan="2">Action</th>
</tr>
</thead>
<tbody>
<?php while ($row = mysqli_fetch_array($results)) { ?>
<tr>
<td><?php echo $row['note']; ?></td>
<td><?php echo $row['created_at']; ?></td>
<td><?php echo $row['updated_at']; ?></td>
<td><a class="edit_btn" href="home.php?update=<?php echo $row['id']; ?>">Update</a>
</td>
<td>
<a class="del_btn" href="config/server.php?del=<?php echo $row['id']; ?>">Delete</a>
</td>
</tr>
<?php } ?>
</tbody>
</table>
</div>
</div>
</div>

You need to take one more column in posts table i.e user_id. You have to store the id of user who create the Post.
While fetching the result, you can take logged in user's id. And create a query like
"Select * from posts where user_id=".$_SESSION['user'];
by this you have get all the posts created by that particular user.
Hope this helps.
Thanks.

You need to do this in this way:
First while adding a post you have to insert the user id of the user who is posting the post. Be sure to add a field named user_id in the posts table in db. PLease try this query:
$user_id=trim($_SESSION['user']);
$query = "INSERT INTO posts (note,user_id, created_at, updated_at) VALUES ('$note', '".$user_id."' , '$created_at', NOW())";
Now in the dashboard of the user you need to fetch the posts based on the user_id and then loop the tr in the results array:
"Select * from posts where user_id=".$_SESSION['user'];

PHP Displaying data from database into a table when a link is clicked

Just to start off, I am new to php so i might have missed something obvious so please bear with me.
I have hyperlinks (planes, ships trains etc) and when I click the hyperlink "planes" i want all of the planes records to be displayed in a table. When I click a different vehicle i want it to refresh the table with new data.
The problem is, when i click the link "trains" it does not refresh the table and display relevant data, it keeps the same data. How do i tell php when i click the link "planes" i want to display all the records with that productLine.
Thanks for any help
As you can see in the pic, i clicked train but it still displays vintage cars
Here is my code:
<?php
require_once('dbconfig.php');
//get productLine
if (!isset($productLine)) {
$productLine = filter_input(INPUT_GET, 'productLine', FILTER_VALIDATE_INT);
if ($productLine == null || $productLine == FALSE) {
$productLine = 'Trains';
}
}
//get all product lines
$query = 'SELECT * FROM productlines';
$statement = $db->prepare($query);
$statement->execute();
$productLines = $statement->fetchAll();
$statement->closeCursor();
//Get products for product line
$queryProducts = 'SELECT * FROM products WHERE productLine = :productLine ORDER BY productCode';
$statement1 = $db->prepare($queryProducts);
$statement1->bindValue(':productLine', $productLine);
$statement1->execute();
$products = $statement1->fetchAll();
$statement1->closeCursor();
?>
<!DOCTYPE html>
<html>
<head>
<title>Classic Models Online</title>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header><h1>ClassicModels Online</h1>
<p>Classic models for all automobile enthusiasts</p>
</header>
<main>
<h1>Classic Models Product List</h1>
<aside>
<!--Display list of product lines-->
<h2>Product Lines</h2>
<nav>
<ul>
<?php foreach ($productLines as $productLine) : ?>
<li>
<a href=".?productLine=<?php echo $productLine['productLine']; ?>">
<?php echo $productLine['productLine']; ?>
</a>
</li>
<?php endforeach; ?>
</ul>
</nav>
</aside>
<br>
<section>
<!--Display a table of products for product line-->
<h2><?php echo $productLine['productLine']; ?></h2>
<table>
<tr>
<th>Code</th>
<th>Name</th>
<th>Scale</th>
<th>Price</th>
<th>Total Sold</th>
<th> </th>
</tr>
<?php foreach ($products as $product) :?>
<tr>
<td> <?php echo $product['productCode']; ?> </td>
<td> <?php echo $product['productName']; ?> </td>
<td> <?php echo $product['productScale']; ?> </td>
<td> <?php echo $product['MSRP']; ?> </td>
<td> <?php echo $product['quantityInStock']; ?> </td>
<td> <form action="update_product.php" method="post">
<input type="hidden" name="productCode" value="<?php echo $product['productCode']; ?>">
<input type ="hidden" name="productLine" value="<?php echo $product['productLine']; ?>">
<input type="submit" value="Update">
</form> </td>
</tr>
<?php endforeach; ?>
</table>
<p>Add Product</p>
</section>
</main>
<footer>
<p>© <?php echo date("Y"); ?> Classic Models Online.</p>
</footer>
</body>
</html>

You need to get the productLine variable from the query string you have in the url. You need to add something like
if(isset($_GET['productLine'])){
$productLine = $_GET['productLine'];
}

Just do if(isset($_GET["productLine"])){//do your stuff}

PHP error on live website

I am having a difficult time displaying a database table on my website. I can't execute the queries that I have on my index.php file, but I can show the table on localhost with XAMPP. I can't even execute the MySQL statement codes that I have in the file. Please help!
This is when I have the statement codes not commented out:
This is when I do have the codes commented out:
I even have data in the tables that I am trying to connect to. Here is the code for index.php:
<?php
require_once('database.php');
//Get Category Id
$category_id = filter_input(INPUT_GET, 'category_id', FILTER_VALIDATE_INT);
if ($category_id == NULL || $category_id == false) {
$category_id = 1;
}
// Get name for selected category
$queryCategory = 'SELECT * FROM categories WHERE categoryID = :category_id';
$statement1 = $link->prepare($queryCategory);
$statement1->bindValue(':category_id', $category_id);
$statement1->execute();
$category = $statement1->fetch();
$category_name = $category['categoryName'];
$statement1->closeCursor();
//Get all categories
$queryAllCategories = 'SELECT * FROM categories ORDER BY categoryID';
$statement2 = $link->prepare($queryAllCategories);
$statement2->execute();
$categories = $statement2->fetchAll();
//Get products fpr selected category
$queryProducts = 'SELECT * FROM products WHERE categoryID = :category_id ORDER BY productID';
$statement3 = $link->prepare($queryProducts);
$statement3->bindValue(':category_id', $category_id);
$statement3->execute();
$products = $statement3->fetchAll();
$statement3->closeCursor();
?>
<!DOCTYPE html>
<HTML>
<head>
<title>My Guitar Shop</title>
<link rel="stylesheet" type="text/css" href="style.css"/>
</head>
<body>
<header><h1>Product Manager</h1></header>
<main>
<hr>
<h1>Product List</h1>
<aside>
<h2>Categories</h2>
<nav>
<ul>
<?php foreach ($categories as $category) : ?>
<li>
<a href=".?category_id=<?php echo $category['categoryID']; ?>">
<?php echo $category['categoryName']; ?>
</a>
</li>
<?php endforeach; ?>
</ul>
</nav>
</aside>
<section>
<!-- display a table of products -->
<h2><?php echo $category_name; ?></h2>
<table>
<tr>
<th>Code</th>
<th>Name</th>
<th class="right">Price</th>
<th> </th>
</tr>
<?php foreach ($products as $product) : ?>
<tr>
<td><?php echo $product['productCode']; ?></td>
<td><?php echo $product['productName']; ?></td>
<td><?php echo $product['listPrice']; ?></td>
<td><form action="delete_product.php" method="post">
<!-- Delete Product -->
<input type="hidden" name="product_id" value="<?php echo $product['productID']; ?>">
<input type="hidden" name="category_id" value="<?php echo $product['categoryID']; ?>">
<input type="submit" value="Delete">
</form>
</td>
<!-- Edit Product -->
<td><form action="edit_product_form.php" method="post">
<input type="hidden" name="product_id" value="<?php echo $product['productID']; ?>">
<input type="hidden" name="category_id" value="<?php echo $product['categoryID']; ?>">
<input type="submit" value="Edit">
</form>
</td>
</tr>
<?php endforeach; ?>
</table>
<p>Add Product</p>
<p>List Product</p>
</section>
</main>
<hr>
<footer><p>© <?php echo date("Y"); ?> My Guitar Shop Inc</p></footer>
</body>
</html>
Removed php of my username and password in database.php for security purposes:
<?php
$dsn = 'mysql:host=mysql.cit336.fullerview.net;dbname=cit336my_guitar_shop1';
try {
$db = new PDO($dsn, $username, $password);
} catch (PDOException $e) {
$error_message = $e->getMessage();
include('database_error.php');
exit();
}
?>
UPDATE:
A kind soul helped me with my first problem, but as I have edited the file, the problem is still within the statements. Its almost like the site wants me to remove the SQL statements but I don't want to remove them. They are vital to the site.
UPDATE 2:
I have edited the database.php file to get the PDO exceptions working. But now, as I am getting closer to my goal, I get an access denied error.
UPDATE 3:
I was able to access the database. Thank you all for your help, it is much appreciated. I just made a password typo and a database typo, again thanks for all of your help!

Since you are using the procedural function of mysqli to connect shouldn't ->prepare be mysqli_prepare?.
Also the bindValue is for PDO your code could be
$statement1 = mysqli_prepare($link, "SELECT * FROM categories WHERE categoryID =?");
mysqli_stmt_bind_param($statement1, "s", $category_id);
mysqli_stmt_execute($statement1);
mysqli_stmt_bind_result($statement1, $category);
mysqli_stmt_fetch($statement1);

php form submitting info twice

I have a form that's supposed to enter a reply to a forum topic into the database and redirect the user back to the same topic. After much trial and error I have finally got the form to work, only it is putting two identical entries into the db every time. I cannot figure out why. I have looked up this same problem and most of the other people were not redirecting after the form submission or they were using AJAX or jquery or something. Here is my page info:
<?php
session_start();
include_once('includes/config.php');
include_once('classes/topic.php');
include_once('classes/post.php');
include('includes/header.php');
?>
<link rel="stylesheet" href="css/dd.css">
<?php
$topic = new Topic;
if (isset($_GET['id']))
{
$topic_id = $_GET['id'];
$data = $topic->fetch_data($topic_id);
if (isset($_POST['content']))
{
// someone posted a reply
$date = date('Y-m-d H:i:s');
$by = $_SESSION['user_id'];
$query = $pdo->prepare("INSERT INTO dd_posts (post_content, post_date, post_by, post_topic) VALUES (? ,? ,?, ?)");
$query->bindParam(1, $_POST['content']);
$query->bindParam(2, $date);
$query->bindParam(3, $by);
$query->bindParam(4, $_GET['id']);
$query->execute();
$result = $query->execute();
header("location:topic.php?id=".$_GET['id']);
exit;
}
?>
<div id ="wrapper">
<div class="drop-section">
<div id="menu">
<a class="item" href="drop_index.php">Dead Drop</a>
<a class="item" href="add_topic.php">New Post</a>
<a class="item" href="admin/add_cat.php">New Category</a>
<div id="userbar">
<?php
if( $user->is_logged_in() ) {
echo 'Hello ' . $_SESSION['user_name'] . '. How are you?';
} else {
echo '<a class="item" href="login.php">Sign in</a> or <a class="item" href="index.php">Create an account</a>';
}
?>
</div>
</div>
<table>
<tr class = "header-row">
<div id = "sans">
<?php echo $data['topic_subject']; ?>
- <small>started by <?php echo $data['user_name']; ?> </small><br />
<?php echo $data['topic_content']; ?>
</div>
</tr>
<?php
// retrieve all the replies to the original topic
$post = new Post;
$topic_id = $_GET['id'];
$posts = $post->fetch_all_posts_by_topic($topic_id);
?>
<tr>
<td class="first-column">
<?php foreach ($posts as $post) { ?>
<div class="drop-content-box">
<li><?php echo $post['post_content']; ?><br />
<div class = "forum-user-info">
<a href="player.php?id=<?php echo $post['user_id']; ?>">
<?php echo $post['user_name']; ?></a> - level:
<?php echo $post['user_level']; ?>
</div>
</li>
</div>
<?php } ?>
</td>
</tr>
</table>
<?php
if( $user->is_logged_in() )
{
?>
<div id = "header-section">Reply</div>
<?php if (isset($error)) { ?>
<small><?php echo $error; ?></small>
<?php } ?>
<form action="<?php echo "topic.php?id=".$_GET['id']?>" method="post" autocomplete="off">
<small><i>Do not post the actual answer to any level.</i></small><br />
<textarea rows="15" cols="50" name="content" placeholder="Give us your thoughts..."></textarea><br />
<input type="submit" value="Post" />
</form>
</div>
</div>
<?php
} else {
echo '<div id = "errors"><small>You must be signed in to reply.</div></small>';
}
}
include_once('includes/footer.php');
?>

You're executing the query twice.
$query->execute();
$result = $query->execute();

Categories