Hi, I want to know how I need to change my forum script so that no one can enter PHP or other code to damage my site (as an example, error strings).
My script:
PHP Code:
<?php
session_start(); // required before $_SESSION['nick'] can be read further down
// connect to the database
$connect = mysql_connect("nnn","nnn","nnn") or die("Error connecting to db");
// select database
mysql_select_db("nnn") or die("Error selecting db");
// use query to get ALL data
$queryget = mysql_query("SELECT * FROM guestbook ORDER BY `date` DESC, `time` DESC") or die("Error with query");
while ($row = mysql_fetch_array($queryget))
{
    // get row data and store in variables
    $id = $row['id'];
    $name = $row['name'];
    $message = $row['message'];
    $date = $row['date'];
    $time = $row['time'];
    // show data to user
    // NOTE: $name and $message are echoed unescaped, so any HTML or <script>
    // a visitor typed is rendered by the browser (the "other code" problem)
    echo "
    <table>
    <tr>
    <td width='500px'>
    <font size='2' face='Showcard Gothic'>
    <hr>Autorius: <b>$name</b> <br> $date
    </font>
    </td>
    </tr>
    <tr>
    <td width='500px' bgcolor='#5CB3FF'>
    <font size='2' face='Showcard Gothic'><b>
    $message<br><hr>
    </b></font>
    </td>
    </tr>
    </table>
    ";
}
echo "<hr>";
if (isset($_POST['submit']))
{
    $name = $_SESSION['nick'];
    $message = $_POST['message'];
    $date = date("Y-m-d");
    $time = date("H:i:s");
    if ($message)
    {
        $tag = $message; // the posted message field, from the form
        $tag = str_replace(':|', '<img src="images/emoticons/blank.gif" alt="">', $tag);
        echo $tag; // echo the output, with emoticons showing (again unescaped)
        // NOTE: $name and $tag are pasted straight into the SQL string; a single quote
        // in the message breaks the query (the "error strings" problem) and lets a
        // visitor inject SQL of their own
        mysql_query("INSERT INTO guestbook (Name, Message, time, date)
        VALUES('$name', '$tag', '$time', '$date')") or die(mysql_error());
        echo "Please wait...<meta http-equiv='refresh' content='2'>";
    }
    else
        echo "Please fill out all fields!";
}
?>
I use the tag replacement to convert pictures; I could also use it to solve this problem, but I need a better idea, because I can't write out all the error variables, etc. There will always be new code to break my webpage.
If you need more info, ASK. THANKS
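The poster is right that a blacklist of "error strings" cannot work: there are two distinct problems in the script above, and each has a standard fix that does not depend on guessing what an attacker might type. Quotes in the message reach the SQL text, so the query breaks or can be rewritten (SQL injection); the fix is a prepared statement, where the message is sent as a bound value and never becomes part of the query. HTML in the message reaches the browser unescaped (HTML/script injection, XSS); the fix is to escape on output with htmlspecialchars and substitute the emoticons only after escaping, so the only tags in the page are the script's own. The following is an added example written for this reply, not the poster's script: it keeps the guestbook table and columns from the post, assumes a PDO MySQL DSN with the same "nnn" placeholder credentials, and, when run from the command line, uses an in-memory SQLite table with a constructed hostile message so the behaviour can be seen without a web server.

```php
<?php
// Added example (not the original poster's code): the guestbook with two defences,
// prepared statements for the database and output escaping for the browser.
// The MySQL DSN/credentials below are assumptions (the poster's "nnn" placeholders).
declare(strict_types=1);

const EMOTICON_MAP = [':|' => '<img src="images/emoticons/blank.gif" alt="">'];

function connect_db(string $dsn = 'mysql:host=localhost;dbname=nnn;charset=utf8mb4',
                    ?string $user = 'nnn', ?string $pass = 'nnn'): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Defence 1 (SQL injection): the message is bound as a value, never spliced into the
// SQL text, so quotes, semicolons or "--" in it cannot alter or break the query.
function insert_message(PDO $db, string $name, string $message): void
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, message, `time`, `date`) VALUES (:name, :message, :time, :date)'
    );
    $stmt->execute([
        ':name'    => $name,
        ':message' => $message,      // stored as typed; escaping is an output concern
        ':time'    => date('H:i:s'),
        ':date'    => date('Y-m-d'),
    ]);
}

function fetch_messages(PDO $db): array
{
    $sql = 'SELECT id, name, message, `date`, `time` FROM guestbook ORDER BY `date` DESC, `time` DESC';
    return $db->query($sql)->fetchAll();
}

// Defence 2 (HTML/script injection): escape everything that came from a visitor, so
// "<script>" is shown literally instead of being executed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Emoticons are substituted AFTER escaping, so the only tags in the result are ours.
function render_message(string $raw): string
{
    return strtr(e($raw), EMOTICON_MAP);
}

function render_entry(array $row): string
{
    return "<table><tr><td width='500px'><hr>Autorius: <b>" . e($row['name']) . "</b><br>"
         . e($row['date']) . "</td></tr><tr><td width='500px' bgcolor='#5CB3FF'><b>"
         . render_message($row['message']) . "<br><hr></b></td></tr></table>\n";
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration: in-memory SQLite and a constructed hostile message that
    // tries both a quote-based SQL break-out and a script tag.
    $db = connect_db('sqlite::memory:', null, null);
    $db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT, message TEXT, `time` TEXT, `date` TEXT)');
    insert_message($db, "O'Brien", "hi :| <script>alert('xss')</script> '); DROP TABLE guestbook; --");
    foreach (fetch_messages($db) as $row) {
        echo render_entry($row);
    }
    exit;
}

// Web path: the original flow with the two defences wired in.
session_start();
$db = connect_db();
if (isset($_POST['submit'])) {
    $name    = (string)($_SESSION['nick'] ?? '');
    $message = trim((string)($_POST['message'] ?? ''));
    if ($name !== '' && $message !== '') {
        insert_message($db, $name, $message);
        echo "Please wait...<meta http-equiv='refresh' content='2'>";
    } else {
        echo "Please fill out all fields!";
    }
}
foreach (fetch_messages($db) as $row) {
    echo render_entry($row);
}
```

Running `php guestbook.php` from a shell prints the hostile message as harmless text (the quote and the `DROP TABLE` fragment are stored and displayed verbatim, the script tag is entity-encoded) while the `:|` still becomes the emoticon image. The same two functions carry the web path, so there is nothing to keep updated as "new code" appears: input is never trusted to be SQL, and stored text is never trusted to be HTML. Note also that the `mysql_*` functions used in the original were removed in PHP 7, so moving to PDO (or mysqli with prepared statements) is needed anyway.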