Error in code somewhere :(



magik
02-24-2008, 05:35 AM
I have gone through this for hours and I can't find my error. The page goes out of place when I submit the form and the query does nothing.



<?php
//variables
include ("../includes/variables.php");
$table_name = "admin";

// Connects to your Database
mysql_connect("x", "x", "x") or die(mysql_error());
mysql_select_db("$db_name") or die(mysql_error());

//checks cookies to make sure they are logged in
if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM $table_name WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

//if the cookie has the wrong password, they are taken to the login page
if ($pass != $info['password'])
{ header("Location: ./login.php");
}

//otherwise they are shown the admin area
else
{
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Dark Motives</title>
<script type="text/javascript" src="../equality.js"></script>
<link rel="stylesheet" type="text/css" href="../equality.css" />
</head>

<body>
<div id="container">

<?php
include ("../includes/banner2.php");
include ("../includes/left2.php");
include ("../includes/navigation2.php");
//form not submitted yet - display form
if (!$_POST["submit"])
{
//check for record id
if ((!isset($_GET['id']) || trim($_GET['id']) == ""))
{
die('Missing record id!');
}
//open db connection
mysql_select_db("$db_name") or die(mysql_error());

$table_name = "matches";
//generate and execute query
$id = $_GET['id'];
$query = "SELECT * FROM $table_name WHERE id = '$id'";
$result = mysql_query($query)
or die ("Error in query: $query. " . mysql_error());

//if a result is returned
if (mysql_num_rows($result) > 0)
{
//turn it to an object
$row = mysql_fetch_object($result);
//print forms with values prefilled
?>
<div id="main">
<!-- START MAIN CONTENT -->
<h1>Administration - Edit Match </h1>
<form action="<?php $_SERVER['PHP_SELF']; ?>" method="post" name="form" id="form">
<label for="day">Day: </label>
<input name="day" class="form" size="2" id="day" maxlength="2" value="<?php echo $row->day; ?>"/>
<label for="month">Month: </label>
<input name="month" type="text" class="form" id="month" size="2" maxlength="2" value="<?php echo $row->month; ?>"/>
<label for="year">Year: </label>
<input name="year" type="text" class="form" id="year" size="4" maxlength="4" value="<?php echo $row->year; ?>"/>
<br />
<label for="opponent">Opponent: </label>
<input name="opponent" type="text" class="form" id="opponent" size="50" maxlength="60" value="<?php echo $row->opponent; ?>"/>
<br />
<label for="ladder">Ladder/Competition Name: </label>
<input name="ladder" type="text" class="form" id="ladder" size="50" value="<?php echo $row->ladder; ?>"/>
<br />
<label for="game">Game: </label>
<select name="game" class="form" id="game">
<option value="Company of Heroes">Company of Heroes</option>
<option value="Call of Duty 4">Call of Duty 4</option>
</select>
<br />
<label for="result">Result: </label>
<select name="result" class="form">
<option value="Win">Win</option>
<option value="Loss">Loss</option>
<option value="Draw">Draw</option>
</select>
<label for="score1">Higher Score:</label>
<input name="score1" type="text" class="form" id="score1" size="4" maxlength="4" value="<?php echo $row->score1; ?>"/>
<label for="score1">Lower Score:</label>
<input name="score2" type="text" class="form" id="score2" size="4" maxlength="4" value="<?php echo $row->score2; ?>"/>
<label for="map">Map: </label>
<select name="map" class="form" id="map">
<option value="Map Unavailable">Map Unavailable</option>
<option value="mp_backlot">mp_backlot</option>
<option value="mp_bloc">mp_bloc</option>
<option value="mp_bog">mp_bog</option>
<option value="mp_cargoship">mp_cargoship</option>
<option value="mp_citystreet">mp_citystreet</option>
<option value="mp_convoy">mp_convoy</option>
<option value="mp_countdown">mp_countdown</option>
<option value="mp_crossfire">mp_crossfire</option>
<option value="mp_crash">mp_crash</option>
<option value="mp_farm">mp_farm</option>
<option value="mp_overgrown">mp_overgrown</option>
<option value="mp_pipeline">mp_pipeline</option>
<option value="mp_shipment">mp_shipment</option>
<option value="mp_strike">mp_strike</option>
<option value="Angoville">Angoville</option>
<option value="Beaux Lowlands">Beaux Lowlands</option>
<option value="Bedum">Bedum</option>
<option value="Berneries Sur Mer">Berneries Sur Mer</option>
<option value="Best">Best</option>
<option value="Drekplaats">Drekplaats</option>
<option value="Etavaux">Etavaux</option>
<option value="Gilroys Harbor">Gilroys Harbor</option>
<option value="Hedgerow Siege">Hedgerow Siege</option>
<option value="Hill 331">Hill 331</option>
<option value="Hinderdam">Hinderdam</option>
<option value="Hochwald Gap">Hochwald Gap</option>
<option value="Langres">Langres</option>
<option value="Linden">Linden</option>
<option value="Lorraine">Lorraine</option>
<option value="Lyon">Lyon</option>
<option value="McGechaens War">McGechaen's War</option>
<option value="Montargis Region">Montargis Region</option>
<option value="Montherme">Montherme</option>
<option value="Point du Hoc">Point du Hoc</option>
<option value="Rails and Metal">Rails and Metal</option>
<option value="Route N13">Route N13</option>
<option value="Sesmois">Sesmois</option>
<option value="St. Hilaire">St. Hilaire</option>
<option value="St. Mere Dunmont">St. Mere Dunmont</option>
<option value="Sturzdorf">Sturzdorf</option>
<option value="The Scheldt">The Scheldt</option>
<option value="Verrieres Ridge">Verrieres Ridge</option>
<option value="Vire River Valley">Vire River Valley</option>
<option value="Wolfheze">Wolfheze</option>
<option value="Wrecked Train">Wrecked Train</option>
</select>
<br />
<label for="screenshot">Screenshot URL:</label>
<input name="screenshot" type="text" class="form" id="screenshot" size="60" maxlength="255" value="<?php echo $row->screenshot; ?>"/>
<br />
<p>Extra Comment/Match Details:
<textarea name="comment" cols="50" rows="5" class="form" id="comment"><?php echo $row->comment; ?></textarea>
<br />
<input name="submit" type="submit" class="form" id="submit" value="Edit Match" />
</p>
</form>
<?php
}
else

{
echo "That match could not be located in our database.<br />";
}
}
else
{
//set up error array list
$errorList = array();

//addslashes
if (!get_magic_quotes_gpc()) {
$_POST['opponent'] = addslashes($_POST['opponent']);
$_POST['ladder'] = addslashes($_POST['ladder']);
$_POST['comment'] = addslashes($_POST['comment']);
$_POST['screenshot'] = addslashes($_POST['screenshot']);
}

$day = $_POST['day'];
$month = $_POST['month'];
$year = $_POST['year'];
$opponent = $_POST['opponent'];
$ladder = $_POST['ladder'];
$result = $_POST['result'];
$score1 = $_POST['score1'];
$score2 = $_POST['score2'];
$map = $_POST['map'];
$comment = $_POST['comment'];
$screenshot = $_POST['screenshot'];
$game = $_POST['game'];

//check for record id
if ((!isset($_GET['id']) || trim($_GET['id']) == ""))
{
die('Missing record id!');
}
//validate text input fields
if (trim($_POST['day']) == "")
{
$errorList[] = "Invalid entry: Day";
}
if (trim($_POST['month']) == "")
{
$errorList[] = "Invalid entry: Month";
}
if (trim($_POST['year']) == "")
{
$errorList[] = "Invalid entry: Year";
}
if (trim($_POST['opponent']) == "")
{
$errorList[] = "Invalid entry: Opponent";
}
if (trim($_POST['ladder']) == "")
{
$errorList[] = "Invalid entry: Ladder";
}
if (trim($_POST['result']) == "")
{
$errorList[] = "Invalid entry: Result";
}
if (trim($_POST['score1']) == "")
{
$errorList[] = "Invalid entry: Higher score";
}
if (trim($_POST['score2']) == "")
{
$errorList[] = "Invalid entry: Lower Score";
}
if (trim($_POST['map']) == "")
{
$errorList[] = "Invalid entry: Map";
}
if (trim($_POST['comment']) == "")
{
$errorList[] = "Invalid entry: comment";
}
if (trim($_POST['screenshot']) == "")
{
$errorList[] = "Invalid entry: Screenshot";
}
if (trim($_POST['game']) == "")
{
$errorList[] = "Invalid entry: Game";
}

//check for errors + if none found...
if (sizeof($errorList) == 0)
{
//select db
mysql_select_db("$db_name") or die(mysql_error());

//generate and execute query
$query = "UPDATE $table_name SET day = '$day', month = '$month', year = '$year', opponent = '$opponent', ladder = '$ladder', result = '$result', score1 = '$score1', score2 = '$score2', map = '$map', comment = '$comment', screenshot = '$screenshot', game = '$game' WHERE id = '$id'";
$result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
//print result
header("location:show_editmatch.php");

//close database connection
mysql_close($connection);
}
else
{
//errors found - print list
echo "The following errors were encountered:";
echo "<br>";
echo "<ul>";
for ($x=0; $x<sizeof($errorList); $x++)
{
echo "<li>$errorList[$x]";
}
echo "</ul><br />";
}
}
include ("../includes/logout.php");
?>
<!-- STOP MAIN CONTENT -->
</div>
<?php
include ("../includes/right2.php");
include ("../includes/footer2.php");
?>
</div>
</body>
</html>
<?php
}
}
}
else

//if the cookie does not exist, they are taken to the login screen
{
header("Location: ./login.php");
}
?>

Master_script_maker
02-24-2008, 02:17 PM
Everything is contained in a while loop:

<?php
include ("../includes/variables.php");
$table_name = "admin";

mysql_connect("x", "x", "x") or die(mysql_error());
mysql_select_db("$db_name") or die(mysql_error());

if(isset($_COOKIE['ID_my_site'])) {
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM $table_name WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check )) {
if ($pass != $info['password']) {
header("Location: ./login.php");
} else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Dark Motives</title>
<script type="text/javascript" src="../equality.js"></script>
<link rel="stylesheet" type="text/css" href="../equality.css" />
</head>

<body>
<div id="container">

<?php
include ("../includes/banner2.php");
include ("../includes/left2.php");
include ("../includes/navigation2.php");
if (!$_POST["submit"]) {
if ((!isset($_GET['id']) || trim($_GET['id']) == "")) {
die('Missing record id!');
}
mysql_select_db("$db_name") or die(mysql_error());

$table_name = "matches";
$id = $_GET['id'];
$query = "SELECT * FROM $table_name WHERE id = '$id'";
$result = mysql_query($query)
or die ("Error in query: $query. " . mysql_error());

if (mysql_num_rows($result) > 0) {
$row = mysql_fetch_object($result);
?>
<div id="main">
<h1>Administration - Edit Match </h1>
<form action="<?php $_SERVER['PHP_SELF']; ?>" method="post" name="form" id="form">
<label for="day">Day: </label>
<input name="day" class="form" size="2" id="day" maxlength="2" value="<?php echo $row->day; ?>"/>
<label for="month">Month: </label>
<input name="month" type="text" class="form" id="month" size="2" maxlength="2" value="<?php echo $row->month; ?>"/>
<label for="year">Year: </label>
<input name="year" type="text" class="form" id="year" size="4" maxlength="4" value="<?php echo $row->year; ?>"/>
<br />
<label for="opponent">Opponent: </label>
<input name="opponent" type="text" class="form" id="opponent" size="50" maxlength="60" value="<?php echo $row->opponent; ?>"/>
<br />
<label for="ladder">Ladder/Competition Name: </label>
<input name="ladder" type="text" class="form" id="ladder" size="50" value="<?php echo $row->ladder; ?>"/>
<br />
<label for="game">Game: </label>
<select name="game" class="form" id="game">
<option value="Company of Heroes">Company of Heroes</option>
<option value="Call of Duty 4">Call of Duty 4</option>
</select>
<br />
<label for="result">Result: </label>
<select name="result" class="form">
<option value="Win">Win</option>
<option value="Loss">Loss</option>
<option value="Draw">Draw</option>
</select>
<label for="score1">Higher Score:</label>
<input name="score1" type="text" class="form" id="score1" size="4" maxlength="4" value="<?php echo $row->score1; ?>"/>
<label for="score1">Lower Score:</label>
<input name="score2" type="text" class="form" id="score2" size="4" maxlength="4" value="<?php echo $row->score2; ?>"/>
<label for="map">Map: </label>
<select name="map" class="form" id="map">
<option value="Map Unavailable">Map Unavailable</option>
<option value="mp_backlot">mp_backlot</option>
<option value="mp_bloc">mp_bloc</option>
<option value="mp_bog">mp_bog</option>
<option value="mp_cargoship">mp_cargoship</option>
<option value="mp_citystreet">mp_citystreet</option>
<option value="mp_convoy">mp_convoy</option>
<option value="mp_countdown">mp_countdown</option>
<option value="mp_crossfire">mp_crossfire</option>
<option value="mp_crash">mp_crash</option>
<option value="mp_farm">mp_farm</option>
<option value="mp_overgrown">mp_overgrown</option>
<option value="mp_pipeline">mp_pipeline</option>
<option value="mp_shipment">mp_shipment</option>
<option value="mp_strike">mp_strike</option>
<option value="Angoville">Angoville</option>
<option value="Beaux Lowlands">Beaux Lowlands</option>
<option value="Bedum">Bedum</option>
<option value="Berneries Sur Mer">Berneries Sur Mer</option>
<option value="Best">Best</option>
<option value="Etavaux">Etavaux</option>
<option value="Gilroys Harbor">Gilroys Harbor</option>
<option value="Hedgerow Siege">Hedgerow Siege</option>
<option value="Hill 331">Hill 331</option>
<option value="Hinderdam">Hinderdam</option>
<option value="Hochwald Gap">Hochwald Gap</option>
<option value="Langres">Langres</option>
<option value="Linden">Linden</option>
<option value="Lorraine">Lorraine</option>
<option value="Lyon">Lyon</option>
<option value="McGechaens War">McGechaen's War</option>
<option value="Montargis Region">Montargis Region</option>
<option value="Montherme">Montherme</option>
<option value="Point du Hoc">Point du Hoc</option>
<option value="Rails and Metal">Rails and Metal</option>
<option value="Route N13">Route N13</option>
<option value="Sesmois">Sesmois</option>
<option value="St. Hilaire">St. Hilaire</option>
<option value="St. Mere Dunmont">St. Mere Dunmont</option>
<option value="Sturzdorf">Sturzdorf</option>
<option value="The Scheldt">The Scheldt</option>
<option value="Verrieres Ridge">Verrieres Ridge</option>
<option value="Vire River Valley">Vire River Valley</option>
<option value="Wolfheze">Wolfheze</option>
<option value="Wrecked Train">Wrecked Train</option>
</select>
<br />
<label for="screenshot">Screenshot URL:</label>
<input name="screenshot" type="text" class="form" id="screenshot" size="60" maxlength="255" value="<?php echo $row->screenshot; ?>"/>
<br />
<p>Extra Comment/Match Details:
<textarea name="comment" cols="50" rows="5" class="form" id="comment"><?php echo $row->comment; ?></textarea>
<br />
<input name="submit" type="submit" class="form" id="submit" value="Edit Match" />
</p>
</form>
<?php
} else {
echo "That match could not be located in our database.<br />";
}
} else {
$errorList = array();
if (!get_magic_quotes_gpc()) {
$_POST['opponent'] = addslashes($_POST['opponent']);
$_POST['ladder'] = addslashes($_POST['ladder']);
$_POST['comment'] = addslashes($_POST['comment']);
$_POST['screenshot'] = addslashes($_POST['screenshot']);
}
$day = $_POST['day'];
$month = $_POST['month'];
$year = $_POST['year'];
$opponent = $_POST['opponent'];
$ladder = $_POST['ladder'];
$result = $_POST['result'];
$score1 = $_POST['score1'];
$score2 = $_POST['score2'];
$map = $_POST['map'];
$comment = $_POST['comment'];
$screenshot = $_POST['screenshot'];
$game = $_POST['game'];

if ((!isset($_GET['id']) || trim($_GET['id']) == "")) {
die('Missing record id!');
}
if (trim($_POST['day']) == "") {
$errorList[] = "Invalid entry: Day";
}
if (trim($_POST['month']) == "") {
$errorList[] = "Invalid entry: Month";
}
if (trim($_POST['year']) == "") {
$errorList[] = "Invalid entry: Year";
}
if (trim($_POST['opponent']) == "") {
$errorList[] = "Invalid entry: Opponent";
}
if (trim($_POST['ladder']) == "") {
$errorList[] = "Invalid entry: Ladder";
}
if (trim($_POST['result']) == "") {
$errorList[] = "Invalid entry: Result";
}
if (trim($_POST['score1']) == "") {
$errorList[] = "Invalid entry: Higher score";
}
if (trim($_POST['score2']) == "") {
$errorList[] = "Invalid entry: Lower Score";
}
if (trim($_POST['map']) == "") {
$errorList[] = "Invalid entry: Map";
}
if (trim($_POST['comment']) == "") {
$errorList[] = "Invalid entry: comment";
}
if (trim($_POST['screenshot']) == "") {
$errorList[] = "Invalid entry: Screenshot";
}
if (trim($_POST['game']) == "") {
$errorList[] = "Invalid entry: Game";
}

if (sizeof($errorList) == 0) {
mysql_select_db("$db_name") or die(mysql_error());

$query = "UPDATE $table_name SET day = '$day', month = '$month', year = '$year', opponent = '$opponent', ladder = '$ladder', result = '$result', score1 = '$score1', score2 = '$score2', map = '$map', comment = '$comment', screenshot = '$screenshot', game = '$game' WHERE id = '$id'";
$result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
header("location:show_editmatch.php");

mysql_close($connection);
} else {
echo "The following errors were encountered:";
echo "<br>";
echo "<ul>";
for ($x=0; $x<sizeof($errorList); $x++) {
echo "<li>$errorList[$x]";
}
echo "</ul><br />";
}
}
include ("../includes/logout.php");
?>
</div>
<?php
include ("../includes/right2.php");
include ("../includes/footer2.php");
?>
</div>
</body>
</html>
<?php
}
}
} else {
header("Location: ./login.php");
}
?>

magik
02-24-2008, 08:06 PM
Thanks, mate, but in that code you have there, down the bottom


else
header("Location: ./login.php");
}

I think you meant


else {
header("Location: ./login.php");
}

And it still loses its alignment when I click submit. What it should be doing is going to the next page once the script is complete (show_addmatch.php), from this part of the code:


header("location:show_editmatch.php");

mysql_close($connection);

Master_script_maker
02-24-2008, 08:15 PM
Try:

header("Location: show_editmatch.php");

magik
02-24-2008, 08:26 PM
Same thing.

magik
02-25-2008, 04:43 AM
bumpp

Leafy
02-26-2008, 12:13 AM
You seem to be setting the password in a cookie to check if they are logged in correctly. Why not only set the cookie if they are logged in? Unless it is hashed, you should use PHP sessions.

You MUST protect yourself from SQL injections. Wrap every user input that goes to a database with mysql_real_escape_string. For example:



<?php
$user = $_POST["username"];
$user = mysql_real_escape_string($user);
$q = "SELECT * FROM users WHERE `Username`='$user'";
mysql_query($q);
?>


Try using more foreach loops. They could really clean up some portions of your code like the one below



if (trim($_POST['screenshot']) == "")
{
$errorList[] = "Invalid entry: Screenshot";
}
if (trim($_POST['game']) == "")
{
$errorList[] = "Invalid entry: Game";
}

and make it more readable such as the following


foreach($_POST as $key => $val) {
if(trim($val) == '') $errorList[count($errorList)] = "Invalid entry: $key";
}


Try making these changes and post back your code and I'll try to help. Also, use my indenting tool here (http://leaf.is-a-geek.com/test/indent%20php/) to indent your code before posting.

magik
02-26-2008, 05:55 AM
Firstly, thanks for posting.

You seem to be setting the password in a cookie to check if they are logged in correctly. Why not only set the cookie if they are logged in? Unless it is hashed, you should use PHP sessions.
The password is hashed.



You MUST protect yourself from SQL injections. Wrap every user input that goes to a database with mysql_real_escape_string. For example:



<?php
$user = $_POST["username"];
$user = mysql_real_escape_string($user);
$q = "SELECT * FROM users WHERE `Username`='$user'";
mysql_query($q);
?>


Not sure what you mean :(


Try using more foreach loops. They could really clean up some portions of your code like the one below



if (trim($_POST['screenshot']) == "")
{
$errorList[] = "Invalid entry: Screenshot";
}
if (trim($_POST['game']) == "")
{
$errorList[] = "Invalid entry: Game";
}

and make it more readable such as the following


foreach($_POST as $key => $val) {
if(trim($val) == '') $errorList[count($errorList)] = "Invalid entry: $key";
}


Try making these changes and post back your code and I'll try to help. Also, use my indenting tool here (http://leaf.is-a-geek.com/test/indent%20php/) to indent your code before posting.
I had a go at the foreach thing.

magik
02-26-2008, 05:57 AM
My code with the foreach thing is:


<?php
include ("../includes/variables.php");
$table_name = "admin";

mysql_connect("x", "x", "x") or die(mysql_error());
mysql_select_db("$db_name") or die(mysql_error());

if(isset($_COOKIE['ID_my_site'])) {
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM $table_name WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check )) {
if ($pass != $info['password']) {
header("Location: ./login.php");
} else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Dark Motives</title>
<script type="text/javascript" src="../equality.js"></script>
<link rel="stylesheet" type="text/css" href="../equality.css" />
</head>

<body>
<div id="container">

<?php
include ("../includes/banner2.php");
include ("../includes/left2.php");
include ("../includes/navigation2.php");
if (!$_POST["submit"]) {
if ((!isset($_GET['id']) || trim($_GET['id']) == "")) {
die('Missing record id!');
}
mysql_select_db("$db_name") or die(mysql_error());

$table_name = "matches";
$id = $_GET['id'];
$query = "SELECT * FROM $table_name WHERE id = '$id'";
$result = mysql_query($query)
or die ("Error in query: $query. " . mysql_error());

if (mysql_num_rows($result) > 0) {
$row = mysql_fetch_object($result);
?>
<div id="main">
<h1>Administration - Edit Match </h1>
<form action="<?php $_SERVER['PHP_SELF']; ?>" method="post" name="form" id="form">
<label for="day">Day: </label>
<input name="day" class="form" size="2" id="day" maxlength="2" value="<?php echo $row->day; ?>"/>
<label for="month">Month: </label>
<input name="month" type="text" class="form" id="month" size="2" maxlength="2" value="<?php echo $row->month; ?>"/>
<label for="year">Year: </label>
<input name="year" type="text" class="form" id="year" size="4" maxlength="4" value="<?php echo $row->year; ?>"/>
<br />
<label for="opponent">Opponent: </label>
<input name="opponent" type="text" class="form" id="opponent" size="50" maxlength="60" value="<?php echo $row->opponent; ?>"/>
<br />
<label for="ladder">Ladder/Competition Name: </label>
<input name="ladder" type="text" class="form" id="ladder" size="50" value="<?php echo $row->ladder; ?>"/>
<br />
<label for="game">Game: </label>
<select name="game" class="form" id="game">
<option value="Company of Heroes">Company of Heroes</option>
<option value="Call of Duty 4">Call of Duty 4</option>
</select>
<br />
<label for="result">Result: </label>
<select name="result" class="form">
<option value="Win">Win</option>
<option value="Loss">Loss</option>
<option value="Draw">Draw</option>
</select>
<label for="score1">Higher Score:</label>
<input name="score1" type="text" class="form" id="score1" size="4" maxlength="4" value="<?php echo $row->score1; ?>"/>
<label for="score1">Lower Score:</label>
<input name="score2" type="text" class="form" id="score2" size="4" maxlength="4" value="<?php echo $row->score2; ?>"/>
<label for="map">Map: </label>
<select name="map" class="form" id="map">
<option value="Map Unavailable">Map Unavailable</option>
</select>
<br />
<label for="screenshot">Screenshot URL:</label>
<input name="screenshot" type="text" class="form" id="screenshot" size="60" maxlength="255" value="<?php echo $row->screenshot; ?>"/>
<br />
<p>Extra Comment/Match Details:
<textarea name="comment" cols="50" rows="5" class="form" id="comment"><?php echo $row->comment; ?></textarea>
<br />
<input name="submit" type="submit" class="form" id="submit" value="Edit Match" />
</p>
</form>
<?php
} else {
echo "That match could not be located in our database.<br />";
}
} else {
$key = array("day","month","year", "opponent", "ladder", "result", "score1", "score2", "map", "comment", "screenshot", "game");
$errorList = array();

if (!get_magic_quotes_gpc()) {
foreach ($key as $val) {
$_POST['$val'] = addslashes($_POST['$val']);
}
}
foreach ($key as $val) {
$$val = $_POST['$val'];
}


if ((!isset($_GET['id']) || trim($_GET['id']) == "")) {
die('Missing record id!');
}
foreach($_POST as $key => $val) {
if(trim($val) == '') $errorList[count($errorList)] = "Invalid entry: $key";
}

if (sizeof($errorList) == 0) {
mysql_select_db("$db_name") or die(mysql_error());

$query = "UPDATE $table_name SET day = '$day', month = '$month', year = '$year', opponent = '$opponent', ladder = '$ladder', result = '$result', score1 = '$score1', score2 = '$score2', map = '$map', comment = '$comment', screenshot = '$screenshot', game = '$game' WHERE id = '$id'";
$result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
header("Location: show_editmatch.php");

mysql_close($connection);
} else {
echo "The following errors were encountered:";
echo "<br>";
echo "<ul>";
for ($x=0; $x<sizeof($errorList); $x++) {
echo "<li>$errorList[$x]";
}
echo "</ul><br />";
}
}
include ("../includes/logout.php");
?>
</div>
<?php
include ("../includes/right2.php");
include ("../includes/footer2.php");
?>
</div>
</body>
</html>
<?php
}
}
} else {
header("Location: ./login.php");
}
?>

Leafy
02-27-2008, 01:15 AM
Firstly, thanks for posting.
The password is hashed.


Not sure what you mean :(

I had a go at the foreach thing.

Consider the following:


<?php
$id = $_GET["id"];
$query = "SELECT * FROM users WHERE `id`='$id'";
$r = mysql_query($query);
?>


Where the url string is


index.php?id='; DROP DATABASE users; SELECT * FROM users WHERE ''='


The final query string sent to the database is


SELECT * FROM users WHERE `id`=''; DROP DATABASE users; SELECT * FROM users WHERE ''=''


For the PHP Code,

I see two problems: Your HTML code is inside the while() loop, and I don't believe the submit button, or any buttons for that matter, are sent as values to the post page. You may just have to include a hidden element such as the following:


<input type="hidden" name="post" value="post" />

And then check for it like this:


<?php
if(isset($_POST["post"])) {

}
else {

}
?>
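
Added example (not written by any poster in this thread): the interpolated `id` lookup discussed above next to a bound-parameter version, plus the edit handler's UPDATE done the same way. It uses PDO prepared statements rather than the `mysql_*` functions and `mysql_real_escape_string` named in the thread. The in-memory SQLite database, the reduced `matches` column set, the sample rows, the sample inputs and all function names are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for the
// thread's MySQL database so the script runs offline (needs pdo_sqlite).
// Table name follows the thread; the column subset and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE matches (id INTEGER PRIMARY KEY, opponent TEXT, result TEXT, comment TEXT)");
$pdo->exec("INSERT INTO matches (id, opponent, result, comment) VALUES
            (1, 'Team A', 'Win', 'first'), (2, 'Team B', 'Loss', 'second')");

// Before: the thread's pattern. The request value becomes part of the SQL text,
// so a quote character in it ends the string literal and the rest is parsed as SQL.
function find_match_interpolated(PDO $pdo, string $id): array
{
    $query = "SELECT * FROM matches WHERE id = '$id'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the SQL text is constant and the value is sent as a bound parameter.
function find_match(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {        // an id is a row number: digits only
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM matches WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The edit handler's UPDATE, same idea. Free-text fields need no addslashes();
// the select-box field is checked against the values the form offers.
function update_match(PDO $pdo, string $id, array $post): bool
{
    $allowedResults = ['Win', 'Loss', 'Draw'];
    $result = $post['result'] ?? '';
    if (!ctype_digit($id) || !in_array($result, $allowedResults, true)) {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE matches SET opponent = :opponent, result = :result, comment = :comment
         WHERE id = :id'
    );
    $stmt->execute([
        ':opponent' => trim($post['opponent'] ?? ''),
        ':result'   => $result,
        ':comment'  => trim($post['comment'] ?? ''),
        ':id'       => (int) $id,
    ]);
    return $stmt->rowCount() === 1;
}

// Constructed inputs: one that closes the quoted literal, one honest value
// that happens to contain an apostrophe.
$closesLiteral = "' OR ''='";
$honestPost = ['opponent' => "O'Brien's Squad", 'result' => 'Draw', 'comment' => "Didn't finish"];

printf("interpolated lookup: %d row(s)\n", count(find_match_interpolated($pdo, $closesLiteral)));
printf("bound lookup:        %d row(s)\n", count(find_match($pdo, $closesLiteral)));
printf("update id 2:         %s\n", update_match($pdo, '2', $honestPost) ? 'ok' : 'rejected');
printf("update bad id:       %s\n", update_match($pdo, $closesLiteral, $honestPost) ? 'ok' : 'rejected');
printf("stored opponent:     %s\n", find_match($pdo, '2')[0]['opponent']);
```

Against MySQL the same functions work with a `mysql:` DSN and credentials in place of `sqlite::memory:`.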

alexjewell
02-27-2008, 06:14 PM
This is unrelated to this post entirely, but I really like your indent tool, Leafy...that's cool.

Leafy
02-27-2008, 10:34 PM
:-P I got sick of people posting code here that wasn't indented. One thing, though, it doesn't indent the following:


<?php

if(isset($_POST["submit"]))
die($_POST["submit"]);

?>

I'm not sure that's entirely needed though, as the most important code to indent would be the entire block; that's the part that messes up the readability the most.