I'm trying to show badges on our system; badges are rewards/achievements for users. They show on their profile. The thing that works is that the image/badge shows, but the badge reason doesn't.
I tried to do it like this
<?
$badgesql = mysql_query("select * from usr_badge where user = '$user'");
$user2 = mysql_query("select * from usr_users where username = '$user'");
$usr2 = mysql_fetch_array($user2);
$vipsql = mysql_query("select * from usr_vip where userid = '$usr2[id]'");
$vipcheck = mysql_num_rows($vipsql);
$badgecheck = mysql_num_rows($badgesql);
$checkit = $badgecheck + $vipcheck;
if($checkit==0)
echo("This user does not have any badges");
else
if($badgecheck!=0)
{
while($badge = mysql_fetch_array($badgesql))
{
echo('<a onclick="TINY.box.show({html:'Reason: '.$badge[reason].',animate:false,close:false,mask:false,boxid:'success',autohide:2,top:-14,left:-17})"><img src="'.$badge[badge].'" </a>');
}
}
//Display VIP Badges
if($vipcheck!=0)
{
$vipbadge = mysql_fetch_array($vipsql);
$vip1 = mysql_query("select * from usr_vipdb where id = '$vipbadge[vipid]'");
$vip2 = mysql_fetch_array($vip1);
echo('<img src="'.$vip2[url].'" alt="This user is a VIP!" />');
}
?>
but the code above doesn't work. It gives me an error when I try to view the page: "Parse error: syntax error, unexpected T_STRING in /home/**/public_html/memb.php on line 167"
Can someone please tell me what I'm doing wrong or point me in the right direction?
Thanks in advance
That long line starting with echo is probably at fault -- the syntax highlighting here is broken with it, showing that you've probably mis-matched the quotes or something similar. (Break it apart. Make each small segment on its own line. You won't miss the mistake then.)
Here's your current code broken as I believe the interpreter will parse it:
echo('<a onclick="TINY.box.show({html:'
Reason: '.$badge[reason].'
,animate:false,close:false,mask:false,boxid:
'success'
,autohide:2,top:-14,left:-17})
"><img src="
'.$badge[badge].'
" </a>');
Note the line starting with the bare word Reason:. Since that's not the error you got, perhaps I guessed incorrectly, but there's no doubt that your current code is too messy.
I hope you are sanitizing your inputs ($user, $usr2[id]) and stored data ($badge[reason]) in code that is not shown here to protect against cross-site scripting vulnerabilities and SQL injection vulnerabilities.
Try this (fixed open/close quotes... I think)
<?php
$safeuser = mysql_real_escape_string($user);          // $user goes into two queries below
$badgesql = mysql_query("select * from usr_badge where user = '$safeuser'") or die(mysql_error());
$user2 = mysql_query("select * from usr_users where username = '$safeuser'") or die(mysql_error());
$usr2 = mysql_fetch_array($user2);
$userid = (int) $usr2['id'];
$vipsql = mysql_query("select * from usr_vip where userid = '$userid'") or die(mysql_error());
$vipcheck = mysql_num_rows($vipsql);
$badgecheck = mysql_num_rows($badgesql);
$checkit = $badgecheck + $vipcheck;
if($checkit==0) {
    echo("This user does not have any badges");
} else {
    if($badgecheck!=0)
    {
        while($badge = mysql_fetch_array($badgesql))
        {
            // Three layers, innermost first: HTML-escape the reason (the box shows it as HTML),
            // json_encode() turns it into a JavaScript string literal with its own quotes, and
            // htmlspecialchars() keeps those quotes from ending the double-quoted onclick attribute.
            $reason = htmlspecialchars(json_encode('Reason: '.htmlspecialchars($badge['reason'], ENT_QUOTES)), ENT_QUOTES);
            $img = htmlspecialchars($badge['badge'], ENT_QUOTES);
            echo('<a onclick="TINY.box.show({html:'.$reason.',animate:false,close:false,mask:false,boxid:\'success\',autohide:2,top:-14,left:-17})"><img src="'.$img.'" /></a>');
        }
    }
    //Display VIP Badges
    if($vipcheck!=0)
    {
        $vipbadge = mysql_fetch_array($vipsql);
        $vipid = (int) $vipbadge['vipid'];
        $vip1 = mysql_query("select * from usr_vipdb where id = '$vipid'") or die(mysql_error());
        $vip2 = mysql_fetch_array($vip1);
        echo('<img src="'.htmlspecialchars($vip2['url'], ENT_QUOTES).'" alt="This user is a VIP!" />');
    }
}
?>
I'm new to AJAX and jQuery. I'm trying to pass a number from unrate.php to be used as checkVal (as shown below). The file does a bunch of stuff but it only echoes the number. When I add an alert(checkVal) it shows an invalid character and then the number I want. (I just want the number)...
ajax handler:
$.get("unrate.php?numb="+ID, function(checkVal){
if (checkVal == 1) {
number.innerHTML = addNumb + 1;
} else {
number.innerHTML = addNumb - 1;
}
});
unrate.php:
<?php
session_start();                                   // $_SESSION is empty unless the session is started first
$uNum = $_SESSION['userNum'];
$ider = (int) $_GET['numb'];                       // used unquoted in SQL below, so force it to an integer
// $uNum is used as a column name, which cannot be escaped like a value: allow identifier characters only
if (!preg_match('/^[A-Za-z0-9_]+$/', $uNum)) {
    die('ERROR');
}
$sql = mysql_query("SELECT * FROM ratecheck WHERE ID = ".$ider) or die(mysql_error());
$checkRay = mysql_fetch_array($sql);
$checkVal = $checkRay[$uNum];
mysql_query("UPDATE ratecheck SET `".$uNum."` = 0 WHERE ID = ".$ider)
    or die(mysql_error());
$sqlB = mysql_query("SELECT * FROM sources WHERE ID = ".$ider) or die(mysql_error());
$sourceRay = mysql_fetch_array($sqlB);
$newRC = $sourceRay['ratecount'] - 1;
mysql_query("UPDATE sources SET ratecount = ".$newRC." WHERE ID = ".$ider)
    or die(mysql_error());
// the owner's address comes back out of the database and into another query, so escape it
$userEmail = mysql_real_escape_string($sourceRay['user']);
if ($checkVal > 1)
{
    $newpts = $sourceRay['points'] - 1;
    mysql_query("UPDATE sources SET points = ".$newpts." WHERE ID = ".$ider)
        or die(mysql_error());
    if ($_SESSION['userName'])
    {
        $findUser = mysql_query("SELECT * FROM users WHERE email LIKE '".$userEmail."'") or die(mysql_error());
        $currentRate = mysql_fetch_array($findUser);
        $newrating = $currentRate['rating'] - 1;
        mysql_query("UPDATE users SET rating = ".$newrating." WHERE email LIKE '".$userEmail."'")
            or die(mysql_error());
    }
    else
    {
        die('ERROR');
    }
}
else
{
    $newpts = $sourceRay['points'] + 1;
    mysql_query("UPDATE sources SET points = ".$newpts." WHERE ID = ".$ider)
        or die(mysql_error());
    if ($_SESSION['userName'])
    {
        $findUser = mysql_query("SELECT * FROM users WHERE email LIKE '".$userEmail."'") or die(mysql_error());
        $currentRate = mysql_fetch_array($findUser);
        $newrating = $currentRate['rating'] + 1;
        mysql_query("UPDATE users SET rating = ".$newrating." WHERE email LIKE '".$userEmail."'")
            or die(mysql_error());
    }
    else
    {
        die('ERROR');
    }
}
echo $checkVal;
mysql_close();
?>
Extra characters at the beginning or end of your output are something you occasionally run into with PHP. I greatly endorse the comment that suggests looking at the raw output from the server. You might also want to think about these possibilities:
Invisible characters at the beginning or end of your script file. Use a text editor that will show you hidden characters (even a hex editor) and see if there are any. Also, you don't have to end your PHP script with ?> if you're not doing anything else past it. You can just leave it open, as that will prevent characters showing up at the end.
Check the character encoding that your script has. This might not be the solution, but some time ago I had a similar situation that went away when I changed the encoding to UTF-8 without a byte-order mark. Try doing the same thing and see if that fixes it.
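As an added example (not part of the answer above, and not from the original thread), here is a small PHP check for the sources of stray output the answer names: a UTF-8 byte-order mark at the start of a script, whitespace before the opening tag, and anything after the final closing tag. Stray bytes are more than cosmetic: once they have been sent, any later header() or session_start() call fails with "headers already sent". The function name and the temporary sample file are this example's own.

```php
<?php
// Added example: find the stray-output sources discussed above in a PHP source file.
// stray_output_problems() is a name made up for this example.
function stray_output_problems($path)
{
    $src = file_get_contents($path);
    $problems = array();

    // 1. UTF-8 byte-order mark: three bytes sent to the client before the first <?php
    if (substr($src, 0, 3) === "\xEF\xBB\xBF") {
        $problems[] = 'UTF-8 BOM at start of file';
    }
    // 2. whitespace before the opening tag is output too
    if (preg_match('/^(\s+)<\?/', $src, $m)) {
        $problems[] = strlen($m[1]) . ' whitespace byte(s) before the opening tag';
    }
    // 3. text after the last ?>. PHP swallows exactly one newline directly after ?>;
    //    anything beyond that is sent. (A ?> inside a string literal would confuse this simple scan.)
    $pos = strrpos($src, '?>');
    if ($pos !== false) {
        $tail = substr($src, $pos + 2);
        if ($tail !== '' && $tail !== "\n" && $tail !== "\r\n") {
            $problems[] = strlen($tail) . ' byte(s) after the final ?> tag';
        }
    }
    return $problems;
}

// Constructed sample file: a BOM in front, and a blank line after the closing tag.
$tmp = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($tmp, "\xEF\xBB\xBF<?php\necho 1;\n?>\n\n");
foreach (stray_output_problems($tmp) as $problem) {
    echo $problem, "\n";            // one line per problem found
}
unlink($tmp);
```

Run it over every file in the include chain, not only unrate.php: an included file with a BOM produces exactly the same symptom.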
I have a profile.php page, and when someone views their own profile, it grabs the id of their user and adds profile.php?UserID=* (* being the id number of a user). At the moment, there is no legit way to look at others' profiles, but you are able to change the id in the URL. The problem is, you can go to the profile of a user who doesn't exist and it will be the default profile page without anything on it. Is there a way to get the id from a page/URL and see if it exists or not, and if not, to redirect to a certain page?
<?php
include('./dbnotseen/global.php');
$profile = mysql_query("SELECT * FROM admin WHERE username='$username'");
$row = mysql_fetch_array($profile);
$username = $row['username'];
if (!$session_username) {
    header("Location: index.php");   // the header() call was missing; exit stops the rest of the page being sent
    exit;
}
//max per page
$per_page = 1;
//get start variable
$start = isset($_GET['UserID']) ? $_GET['UserID'] : 0;
//count records
$record_count = mysql_num_rows(mysql_query("SELECT * FROM admin"));
//count max pages
$max_pages = $record_count / $per_page;
if (!$start)
    $start = 0;
//display data
$get = mysql_query("SELECT * FROM admin WHERE id='$start'");
while ($row = mysql_fetch_array($get)) {
    $id = $row['username'];
    $picture = $row['picture'];
    $admin = $row['admin'];
    $status = $row['status'];
    $desc = $row['description'];
    $twitter = $row['twitter'];
}
?>
That's the main part of the PHP in the profile.php. The rest is just getting a status, description etc.
You can check if the result set of your mysql query is not empty. Doing it with mysql_ functions would look like so:
$get = mysql_query("SELECT * FROM admin WHERE id='$start'");
if (mysql_num_rows($get) > 0) {
    while ($row = mysql_fetch_array($get)) {
        // rest of your code
    }
}
else {
    // redirect to another page
    header("Location: otherpage.php");
    exit;   // without this, the rest of the script still runs and is sent along with the redirect
}
This would give you an idea of how you should approach it, but as @Madara Uchiha suggested in the comment to your question, you should stop using mysql_ functions.
A couple of important things before solving your problem:
The mysql_* family of functions has been deprecated and shouldn't be used anymore.
Your code is vulnerable to a huge security hole - SQL injection. Please make sure you're sanitizing your database queries - if nothing else, with just $start = mysql_real_escape_string($_GET['UserID']); in your current code.
Now, it looks like you want to check and see how many results you get back for your $get query. You could just use the mysql_num_rows function:
if (!mysql_num_rows($get)) {
//no user exists! do something different here
} else {
while ($row = mysql_fetch_array($get)) {
$id = $row['username'];
$picture = $row['picture'];
$admin = $row['admin'];
$status = $row['status'];
$desc = $row['description'];
$twitter = $row['twitter'];
}
}
You can also count the records in the admin table matching criteria id = $start with the following SQL statement:
"SELECT COUNT(*) FROM admin WHERE id='$start'"
If there are no matching records, then the provided UserID doesn't belong to any user and you should probably redirect the user to some page explaining what went wrong.
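The following is an added example, not code from the question or any of the answers above: the profile lookup with PDO prepared statements, which addresses both points the answers raise (the deprecated mysql_ functions and the SQL injection through UserID) and redirects when no row matches. The DSN, the credentials and the nouser.php page are placeholders; the admin table and its columns are the ones used in the question.

```php
<?php
// Added example: the profile lookup with PDO prepared statements. The DSN, credentials
// and "nouser.php" are placeholders; table and column names follow the question.

function connect_db()
{
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'dbuser', 'dbpassword');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // failures throw instead of returning false
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);          // parameters travel separately from the SQL
    return $pdo;
}

// Returns the profile row for $id, or null when no user has that id.
function load_profile(PDO $pdo, $id)
{
    $stmt = $pdo->prepare(
        'SELECT username, picture, admin, status, description, twitter FROM admin WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Only a positive integer is accepted from the URL. In the original code the raw value is
// pasted into the SQL string, so a request such as
//     profile.php?UserID=0' OR '1'='1
// changes the query itself; here it is rejected before any query runs.
$id = filter_input(INPUT_GET, 'UserID', FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
if ($id === false || $id === null) {
    header('Location: index.php');
    exit;
}

$row = load_profile(connect_db(), $id);
if ($row === null) {
    header('Location: nouser.php');     // the "that user does not exist" page
    exit;
}
// If only the owner should see this page, compare $id with the id kept in the session
// before rendering; the question notes that anyone can change the number in the URL.
$username = $row['username'];
$picture  = $row['picture'];
$admin    = $row['admin'];
$status   = $row['status'];
$desc     = $row['description'];
$twitter  = $row['twitter'];
```

With emulated prepares turned off the value bound to :id is never part of the SQL text, so there is nothing to escape; the integer filter is there so that a non-numeric UserID is answered with a redirect rather than a database error.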
Okay, so I have a PHP script that makes a user an artist if the vote is high enough. The first part of the script works (the part that does the voting). However, the second part of the script that makes a user an artist does not. It worked before on localhost but is not working on the live server for some reason. Either the script has changed and I didn't notice it or there's something wrong with my server config.
I know I should be using mysqli, but please don't mention that; I am working on it.
To explain how the system works, a form on the voting page is posted to this script and it all runs from there.
There is no error in the error log. Updating the table for //make an artist if vote high enough just doesn't work.
Here's the script:
<?php
session_start();
include("../database.php");
$username = mysql_real_escape_string($_SESSION["username"]);   // the session value goes into queries too
$artistname = htmlspecialchars(mysql_real_escape_string($_POST['artistname']));
$trackname = htmlspecialchars(mysql_real_escape_string($_POST['trackname']));
$trackurl = htmlspecialchars(mysql_real_escape_string($_POST['trackurl']));
$flag = 0; // Safety net, if this gets to 1 at any point in the process, we don't upload.

// filter_var() sanitizes the e-mail address using FILTER_SANITIZE_EMAIL, then validates it
// using FILTER_VALIDATE_EMAIL. Declared once, here: declaring a function inside a loop is a
// fatal "cannot redeclare" error on the second pass.
function spamcheck($field)
{
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);
    return filter_var($field, FILTER_VALIDATE_EMAIL) !== false;
}

if(isset($_POST['yes'])){
    //code runs if vote is yes
    //check if user hasnt already voted on track
    $result = mysql_query("SELECT username FROM voted WHERE voted='$artistname' AND trackname='$trackname' AND username='$username'")or die(mysql_error());
    $check2 = mysql_num_rows($result);
    if ($check2 != 0) {
        echo('<t1>Sorry, you have already voted on this track. <b>Click next track.</b> </t1>');
        $flag = $flag + 1;
    }
    //code runs if everything is okay
    if($flag == 0){
        mysql_query("UPDATE members SET vote = vote+1 WHERE artistname='$artistname'") or die(mysql_error());
        echo '<t1><b>You liked the track "'.$trackname.'" by "'.$artistname.'"</b></t1>';
        mysql_query("INSERT INTO voted (username, voted,trackname, yesno)
            VALUES ('".$username."','".$artistname."','".$trackname."', 'yes')")
            or die(mysql_error());
        //make an artist if vote high enough
        $vote = mysql_query("SELECT vote FROM members WHERE artistname='$artistname'")or die(mysql_error());
        if ($vote > 50) {
            $artisturl = htmlspecialchars(mysql_real_escape_string(str_replace(' ', '',$_POST['artistname'])));
            mysql_query("UPDATE members SET artist='Y', image1='../files/noprofile.jpg', artisturl='$artisturl' WHERE artistname='$artistname'")or die(mysql_error());
            mysql_query("UPDATE tracks SET artist='Y', artisturl='$artisturl' WHERE artistname='$artistname'")or die(mysql_error());
            //email user that has just been made artist
            $result = mysql_query("SELECT * FROM members WHERE artistname= '$artistname'") or die(mysql_error());
            while($row = mysql_fetch_array($result)){
                if (!spamcheck($row['email'])) {
                    continue; // skip a row whose stored address is not a valid e-mail
                }
                //send email
                $to = $row['email'];
                $subject = "Congratulations! You're now an NBS artist";
                $message = "Hi ".$row['artistname'].","; //message removed for condensed code
                $from = "";
                $headers = 'From:' . "\r\n" .
                    'Reply-To: ' . "\r\n";
                mail($to,$subject,$message,$headers);
            }
            echo '<br><t1>You just made "'.$artistname.'" an artist! <b>Click here</b> to see their profile.</t1>';
        }
    }
}
You are missing two lines to convert the resource returned by mysql_query() into an integer for the comparison with 50.
$vote = mysql_query("SELECT vote FROM members WHERE artistname='$artistname'")or die(mysql_error());
// Add these two lines
$vote = mysql_fetch_assoc($vote);
$vote = $vote['vote'];
if ($vote > 50) {
...however, all that section could be re-written to use 2 queries instead of 4:
//make an artist if vote high enough
$artisturl = mysql_real_escape_string(htmlspecialchars(str_replace(' ', '',$_POST['artistname'])));
// This effectively combines the first SELECT and the two UPDATEs into one query
mysql_query("
UPDATE members m
LEFT JOIN tracks t ON m.artistname = t.artistname
SET
m.artist = 'Y',
t.artist = 'Y',
m.image1 = '../files/noprofile.jpg',
m.artisturl = '$artisturl',
t.artisturl = '$artisturl'
WHERE m.artistname = '$artistname' AND m.vote > 50
") or die(mysql_error());
// If this affected more than 0 rows, the user was made an artist.
// An UPDATE returns only TRUE/FALSE, and mysql_affected_rows() takes the link, not a result, so call it with no argument.
if (mysql_affected_rows() > 0) {
//email user that has just been made artist
$result = mysql_query("SELECT * FROM members WHERE artistname= '$artistname'");
// ...and so on
Note also that you should pass data through mysql_real_escape_string() as the last operation. So it should go mysql_real_escape_string(htmlspecialchars($data)) rather than the other way around.
I'll throw a dart at this one.
$vote = mysql_query("SELECT vote FROM members WHERE artistname='$artistname'")or die(mysql_error());
if ($vote > 50) {
I don't believe you are converting your mysql_query result into a useful variable. Maybe you were using mysql_fetch_assoc or mysql_num_rows? Num rows makes more sense if you have an individual record for each vote. If you are summing them up then you can use something like
$result = mysql_query("SELECT vote FROM members WHERE artistname='$artistname'") or die(mysql_error());
$output = mysql_fetch_assoc($result);   // fetch from the result in a separate statement: "query() or die()" evaluates to TRUE, not the resource
$vote = $output['vote'];
Something else to point out is that you aren't using mysql_real_escape_string on your inputs. This is very dangerous and it is strongly encouraged to use this function if you are facing the public internet.
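Added example, not the code of the question or of either answer: the "yes" vote and the promotion step rewritten with PDO prepared statements inside one transaction. It follows the second answer's idea of a single conditional UPDATE whose affected-row count says whether the promotion happened, and it adds the "not already an artist" condition so that the congratulation mail can only be sent once. Table and column names are the question's; $pdo is assumed to be a PDO connection with ERRMODE_EXCEPTION set. Values are stored as submitted and HTML-escaped only when displayed, so no htmlspecialchars() happens here.

```php
<?php
// Added example: vote and artist promotion with PDO, as one transaction.
// $pdo is assumed to be a PDO connection configured to throw on errors.

function record_yes_vote(PDO $pdo, $username, $artistname, $trackname)
{
    $pdo->beginTransaction();
    try {
        // duplicate-vote check, with bound values instead of text pasted into the SQL
        $chk = $pdo->prepare('SELECT 1 FROM voted WHERE voted = ? AND trackname = ? AND username = ?');
        $chk->execute(array($artistname, $trackname, $username));
        if ($chk->fetchColumn() !== false) {
            $pdo->rollBack();
            return 'already_voted';
        }

        $pdo->prepare('UPDATE members SET vote = vote + 1 WHERE artistname = ?')
            ->execute(array($artistname));
        $pdo->prepare('INSERT INTO voted (username, voted, trackname, yesno) VALUES (?, ?, ?, ?)')
            ->execute(array($username, $artistname, $trackname, 'yes'));

        // Promotion as one conditional UPDATE, as in the second answer: the row changes only
        // when the threshold is passed and the member is not yet an artist, so rowCount()
        // is 1 exactly once; later votes cannot trigger a second congratulation mail.
        $artisturl = str_replace(' ', '', $artistname);
        $promote = $pdo->prepare(
            "UPDATE members SET artist = 'Y', image1 = '../files/noprofile.jpg', artisturl = ?
             WHERE artistname = ? AND vote > 50 AND COALESCE(artist, '') <> 'Y'"
        );
        $promote->execute(array($artisturl, $artistname));
        $promoted = ($promote->rowCount() === 1);
        if ($promoted) {
            $pdo->prepare("UPDATE tracks SET artist = 'Y', artisturl = ? WHERE artistname = ?")
                ->execute(array($artisturl, $artistname));
        }

        $pdo->commit();
        return $promoted ? 'promoted' : 'voted';
    } catch (PDOException $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();      // none of the writes is kept if any of them failed
        }
        throw $e;
    }
}

// Usage, in place of the query block in the question (the session and POST checks stay as they are):
//   $outcome = record_yes_vote($pdo, $_SESSION['username'], $_POST['artistname'], $_POST['trackname']);
//   'promoted' is the case that should send the e-mail; 'already_voted' shows the "already voted" message.
```

The duplicate check and the INSERT are still two separate statements, so a UNIQUE key over (username, voted, trackname) in the voted table is what actually guarantees that two simultaneous submissions of the same vote cannot both be recorded; with that key in place the INSERT of the second one fails and the transaction rolls back.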
I'm having trouble with a JavaScript pop-up. I want the pop-up to show the image reason/title.
Anyone know what to do?
The code:
<?
$badgesql = mysql_query("select * from usr_badge where user = '$_SESSION[usr_name]'");
$user = mysql_query("select * from usr_users where username = '$_SESSION[usr_name]'");
$usr = mysql_fetch_array($user);
$vipsql = mysql_query("select * from usr_vip where userid = '$usr[id]'");
$vipcheck = mysql_num_rows($vipsql);
$badgecheck = mysql_num_rows($badgesql);
$checkit = $badgecheck + $vipcheck;
if($checkit==0)
echo("You have 0 Badges");
if($badgecheck!=0)
{
while($badge = mysql_fetch_array($badgesql))
{
echo('<img src="/css/badges/'.$badge[badge].'" onclick="alert('.$badge[reason].');" />'); }
}
//Display VIP Badges
if($vipcheck!=0)
{
$vipbadge = mysql_fetch_array($vipsql);
$vip1 = mysql_query("select * from usr_vipdb where id = '$vipbadge[vipid]'");
$vip2 = mysql_fetch_array($vip1);
echo('<img src="'.$vip2[url].'" alt="This user is a VIP!" />');
}
?>
Thanks in advance!
The problem is you need some quotes within your alert().
// json_encode() makes the reason a JavaScript string literal with its own quotes; htmlentities() with ENT_QUOTES then keeps those quotes from ending the onclick attribute
echo('<img src="/css/badges/'.htmlentities($badge['badge'], ENT_QUOTES).'" onclick="alert('.htmlentities(json_encode($badge['reason']), ENT_QUOTES).');" />');
Also, $badge[reason] is bad practice (unless reason is a constant, which I don't think it is). Use single quotes like in the example above.
Finally, use htmlentities() when you're printing content to HTML.
The inline JavaScript isn't exactly a proper one. When you echo the string the onclick attribute will contain the value that looks something like:
alert(image reason);
You need to enclose the reason of the image with quotes for it to work properly. Thus, your code should look like this instead:
echo '<img src="/css/badges/'.htmlspecialchars($badge['badge'], ENT_QUOTES).'" onclick="alert('.htmlspecialchars(json_encode($badge['reason']), ENT_QUOTES).');" />';
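Both answers turn on the same point: text from the database is being placed inside a JavaScript string that is itself inside an HTML attribute, and each layer needs its own encoding. This added example (not code from the question or the answers, and the same issue as the TINY.box popup in the first question on this page) shows the two encodings as small helpers, applied to the question's markup, and runs them over two constructed badge rows, one of them a reason written to break out of the string. The function names and the sample rows are this example's own.

```php
<?php
// Added example: rendering a badge whose stored reason goes into an inline onclick handler.
// Function names and sample rows are made up here; the markup follows the question's loop.

// Makes a JavaScript string literal from arbitrary text (json_encode), then makes that
// literal safe inside a double-quoted HTML attribute (htmlspecialchars). The browser decodes
// the HTML entities before the JavaScript engine runs the handler, so the order matters.
function js_string_in_attr($text)
{
    return htmlspecialchars(json_encode((string) $text), ENT_QUOTES, 'UTF-8');
}

function attr($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// The question's markup with both encodings applied.
function render_badge(array $badge)
{
    return '<img src="/css/badges/' . attr($badge['badge']) . '"'
         . ' onclick="alert(' . js_string_in_attr('Reason: ' . $badge['reason']) . ');" />';
}

// Quotes added but no encoding, kept only for comparison.
function render_badge_unsafe(array $badge)
{
    return '<img src="/css/badges/' . $badge['badge'] . '" onclick="alert(\'' . $badge['reason'] . '\');" />';
}

// Constructed sample rows standing in for mysql_fetch_array() results.
$rows = array(
    // an ordinary reason; the apostrophe alone is enough to break the unencoded version
    array('badge' => 'first-post.png', 'reason' => "Wrote a post that's been liked 10 times"),
    // a reason stored by someone who wants their own script to run on every profile that shows the badge
    array('badge' => 'helper.png',     'reason' => "x'); alert(document.cookie); //"),
);

foreach ($rows as $badge) {
    // unencoded: row 1 is a JavaScript syntax error, row 2 ends the alert() string early and runs what follows
    echo render_badge_unsafe($badge), "\n";
    // encoded: in both rows the whole reason stays inside one JavaScript string
    echo render_badge($badge), "\n";
}
```

Reading the encoded output back: json_encode() leaves the reason wrapped in double quotes, htmlspecialchars() turns those into &quot; so the attribute value cannot end early, and the browser turns &quot; back into plain quotes before it parses the handler. Applying only htmlentities() to the reason, as one of the answers does, is not enough, because the attribute and the JavaScript string are decoded in different places.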
for ($i=0; $i<$count; $i++) {
    $appid = $chk[$i];
    include "dbconnect.php";
    $selectquery = mysql_query("SELECT * FROM regform_admin WHERE tid = '$appid'");
    $fetch = mysql_fetch_array($selectquery);
    $tid = $fetch['tid']; $username = $fetch['username']; $c_month = $fetch['month']; $c_day =$fetch['day']; $c_year = $fetch['year'];
    $c_month2 = $fetch['month2']; $c_day2 =$fetch['day2']; $c_year2 = $fetch['year2'];
    $pickup = "".$c_month."/".$c_day."/".$c_year."";
    $return = "".$c_month2."/".$c_day2."/".$c_year2."";
    $pickuploc = "".$fetch['pickupret']." "." ".$fetch['speclocation']."";
    $desti = "".$fetch['destination']." "." ".$fetch['location']."";
    $vehicle1 = $fetch['vehicle1'];
    $datesent = date("n j, Y; G:i");
    $rand = rand(23456789, 98765432);   // min first, then max
    include "vehicledbconnect.php";
    $vquery = mysql_query("SELECT * FROM vehicletbl WHERE vehicle = '$vehicle1'");
    $getvquery = mysql_fetch_array($vquery);
    $maxcars = $getvquery['maxcars'];
    $carsleft = $getvquery['carsleft'];
    if ($carsleft == 0) {
        echo '
        <script language="JavaScript">
        alert("Cannot move reservation to Pending for payment status. No available vehicles left for this reservation.");
        </script>';
        echo "$vehicle1";
    }
}
Hi guys, my problem here is that $vehicle1 is not returning its values if it is inserted in a database query ($vquery = mysql_query("SELECT * FROM vehicletbl WHERE vehicle = '$vehicle1'");), but if it is echoed, it returns its value. The logic here is that it will select all the values from vehicletbl wherein the value in the 'vehicle' column is equal to $vehicle1. Thanks for the help!
You've got ZERO error handling on your queries. Try adding some debugging to the query calls:
$result = mysql_query(...) or die(mysql_error());
The rest of the code is ugly, but looks "ok", so start looking at WHY you're not getting anything back from the queries.
Never ever assume a query succeeds.
Try this to debug:
$sql = "SELECT * FROM vehicletbl WHERE vehicle = '" . $vehicle1 . "'";
$vquery = mysql_query($sql) or die(mysql_error() . "\n<br>$sql");
That's what I do to find errors in my SQL.
Noob programmer? Here are some things to know:
for ($i=0; $i<$count; $i++) {
$appid = $chk[$i];
// Replaced By ...
foreach($chk as $appid){
http://php.net/manual/en/control-structures.foreach.php
// Include the file before the loop! You're including your file 20 times, but you only need to do it once. Another thing to know:
include_once("dbconnect.php");
http://php.net/manual/en/function.include-once.php
$desti = "".$fetch['destination']." "." ".$fetch['location']."";
// Why? Isn't it easier to do this?
$desti = $fetch['destination']." ".$fetch['location'];
And security:
// Don't forget to escape your variables before putting them in MySQL queries
$appid = mysql_real_escape_string($appid);
$selectquery = mysql_query("SELECT * FROM regform_admin WHERE tid = '$appid'");
Best way to defend against mysql injection and cross site scripting
There are other remarks, but try to improve those points first !
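One caveat to the debugging advice in the answers above: "or die(mysql_error() . $sql)" prints the failing SQL text and the MySQL error message to the visitor's browser, which is fine on a development box and not on a public site. The following is an added example, not code from the question or any answer, of a small wrapper that keeps the same fail-fast behaviour but sends the detail to the server's error log and shows the visitor a generic message; it also puts the escaping from the last answer into one place, at the point where a value enters the SQL. run_query() and q() are names made up here; dbconnect.php is assumed to open the one connection the mysql_* functions use (the question includes two connect files, and which link each query ends up on is not shown), and $chk is the submitted list of reservation ids from the question.

```php
<?php
// Added example: query wrapper that logs errors instead of printing them, plus a single
// escaping helper. run_query() and q() are names made up for this example.

include_once "dbconnect.php";

function run_query($sql)
{
    $result = mysql_query($sql);
    if ($result === false) {
        error_log('MySQL error: ' . mysql_error() . ' in query: ' . $sql);    // full detail, log only
        die('A database error occurred. Please try again later.');           // nothing about the schema for the visitor
    }
    return $result;
}

// Escapes one value and wraps it in single quotes, at the point it enters the SQL.
function q($value)
{
    return "'" . mysql_real_escape_string($value) . "'";
}

// The question's lookup, with the loop written as the last answer suggests.
// $chk holds the submitted reservation ids, as in the question.
foreach ($chk as $appid) {
    $fetch = mysql_fetch_array(run_query("SELECT * FROM regform_admin WHERE tid = " . q($appid)));
    if ($fetch === false) {
        continue;          // no such reservation: an empty result is not a query error
    }
    $vehicle1 = $fetch['vehicle1'];
    $getvquery = mysql_fetch_array(run_query("SELECT * FROM vehicletbl WHERE vehicle = " . q($vehicle1)));
    if ($getvquery === false) {
        // the symptom from the question: the query ran, but no row has this vehicle value
        error_log("No vehicletbl row for vehicle '" . $vehicle1 . "'");
        continue;
    }
    $carsleft = $getvquery['carsleft'];
    if ($carsleft == 0) {
        echo '<script>alert("Cannot move reservation to Pending for payment status. No available vehicles left for this reservation.");</script>';
    }
}
```

The distinction the wrapper makes is the one the first answer asks for: a query that fails (bad SQL, missing table, lost connection) is an error and is logged with its text, while a query that succeeds and simply matches nothing, which is what the question describes, is a normal result that the code has to handle.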