[PHP] Forum System

[SpellEffects]

Here's a forum system i wrote in PHP.

I hope you enjoy it.

And if you have any suggestions on how I could improve it then i would be happy to get some constructive suggestions.

http://filebeam.com/efaf179ddb22c4a9e705e8256a9f8955

This is what the frontpage looks like when you've finally made your first thread.


Here are 3 different ranks that you can post as; Admin, Mod, Janitor.


This is the Mod Panel, where you can delete post/threads and sticky threads.

[stoneharry]

Would have been a good idea to note the password is mmowned.

I'm getting syntax errors, but then again that could be because I cba to install the DB: http://stoneharry.com/test/

[SpellEffects]

Would have been a good idea to note the password is mmowned.

I'm getting syntax errors, but then again that could be because I cba to install the DB: http://stoneharry.com/test/

Corrected error.

Filebeam - Beam up that File Scottie!

Since you figured out the password then I do not think I have to note it down in my thread.

Imo if people can not figure it out then why are they even on the internet to begin with?

[stoneharry]

title

Seems to be riddled with errors, I executed the file and have it configured properly.

[SpellEffects]

title

Seems to be riddled with errors, I executed the file and have it configured properly.

I might have uploaded the wrong revision.

Ill upload the correct one in a few.

---------- Post added at 02:33 PM ---------- Previous post was at 01:52 PM ----------

I might have uploaded the wrong revision.

Ill upload the correct one in a few.

Made some minor changes to the forum, to fix bugs etc.

Added screenshots aswell.

You need to redownload the new version and clear your database and reimport the new db structure.

[Sonic Waffle]

I like the way it's based off the Wakaba forum styles.

[SpellEffects]

Anyone used it yet?

Im waiting for some constructive criticism on how to improve it.

[GrooN]

Well it would be a fine start, but I wouldn't personally recommend it for any official use. There are lots of HTML mistakes, and no error handling at all, everything is sent directly to the user. There isn't any way to format your code either. So I would say, it is a fine start, but could still use a lot of work

Good luck with your project !

[just1name]

thread.php

Code:

$publickey = "6Len4MISAAAAANPZKzVvKFhTgt5ZAz7NJ3y6O5uU";
$privatekey = "6Len4MISAAAAAFkkAl5azpMB4szt734uDlCOQlWm";

Wooppsss !

threadview.php

Code:

$id = $_GET['id'];
$sql = "SELECT * FROM $table WHERE id='$id'";
$result = $mysqli->query($sql);

SQL Injection .

reply.php

Code:

$id = $_POST['id'];
$sql = "SELECT * FROM $table WHERE id='$id'";
$result = $mysqli->query($sql);

SQL Injection .

Code:

<? echo $_GET['id']; ?>

XSS .

postview.php

Code:

$id = $_GET['id'];
$sql = "SELECT * FROM $table2 WHERE id='$id'";
$result = $mysqli->query($sql);

mod.php

Code:

if (isset($_POST['delete'])) {
	$delID = $_POST['id'];
	if ($sql = $mysqli->prepare("DELETE FROM $table WHERE id=$delID")) {
		$sql->execute();
		$sql->close();
		echo "Success!";
	} else {
		echo "Something Went Wrong!";
	}
}

SQL injection + CSRF .

and others ...

[merfed]

Here's some old code from my own framework, this is mostly a very stripped down version of handling database connections and functions.

Code:

class Database {
	public $Hostname;
	public $Username;
	public $Password;
	public $DbName;

	public $AffectedRows = 0;

	public function Connect($Database) {
		$this->_database_connection = mysql_connect( $this->Hostname,
													 $this->Username,
													 $this->Password );
													 
		if (!$this->_database_connection) {
			echo "Could not connect to server: <strong>$this->Hostname</strong>.";
		}
		
		return $this->_database_connection;
	}
	
	public function SelectDatabase() {
		$this->_database_connection_select = mysql_select_db($this->DbName,
															 $this->_database_connection);
															 
		if (!mysql_select_db($this->DbName)) {
			echo "Could not open database: <strong>$this->DbName</strong>.";
		}
		return $this->_database_connection_select;
	}
	
	public function ProcessConnection($Database) {
		$Database->Connect($Database);
		$Database->SelectDatabase($Database);
	}
	
	public function MainConnection($Database) {
		$Database->ProcessConnection($Database);
	}
	
	public function ChangeDatabase($DbName) {
		mysql_select_db($Database, $this->ConnectionID);
		$this->DbName = $DbName;
	}

	/**
	 * Executes a query on the database.
	 * @param	string		The query to be executed.
	 *
	 * @example		$Database->Query($SQL);
	 */
	public function Query($SQL) {
		$this->QueryID = mysql_query($SQL);
		if (!$this->QueryID) {
			echo "<strong>MySQL query failed:</strong> $SQL";
			return 0;
		}
		
		$this->AffectedRows = mysql_affected_rows($this->_database_connection);
		
		return $this->QueryID;
	}

	/**
	 * Updates records in the database.
	 * @param 	string		The table with wish to change
	 * @param	array 		Array of changes: field => value
	 * @param 	string		Changes the condition
	 * @return 	bool
	 *
	 * @example		$Database->Update( 'testTable', array('name'=>'MichaelP' ), 'ID=2' );
	 */
	public function Update($Table, $Changes, $Condition) {
		$Update = "UPDATE " . $Table . " SET ";
		foreach($Changes as $Field => $Value) {
			$Update .= "`" . $Field . "`='{$Value}',";
		}
		
		$Update = substr($Update, 0, -1);
		if ($Condition != '') {
			$Update .= "WHERE " . $Condition;
		}
		
		$this->Query($Update);
		return true;
	}
	
	/**
	 * Deletes records from the database.
	 * @param	string		The table to remove rows from
	 * @param	string		The condition for which rows are to be removed
	 * @param	int			The number of rows to be removed
	 * @return	void
	 *
	 * @example		$Database->Delete( 'testTable', "name='MichaelP'", 5 );  
	 */
	public function Delete($Table, $Condition, $Limit) {
		$Limit = ( $Limit == '' ) ? '' : ' LIMIT ' . $Limit;
		$Delete = "DELETE FROM {$Table} WHERE {$Condition} {$LIMIT}";
		$this->Query($Delete);
	}
	
	/**
	 * Inserts records into the database.
	 * @param	string		The table you wish to insert records into
	 * @param	array 		Array data to insert: field => value
	 * @return	bool	 
	 *
	 * @example		$Database->Insert( 'testTable', array('name'=>'Michael' ) );
	 */
	
	public function Insert($Table, $Data) {
		$Fields = "";
		$Values = "";
		
		foreach ($Data as $F => $V) {
			$Fields .= "`$F`,";
			$Values .= ( is_numeric( $V ) && ( intval( $V ) == $V ) ) ? $V."," : "'$V',";
		}
		
		$Fields = substr($Fields, 0, -1);
		$Values = substr($Values, 0, -1);
		
		$Insert = "INSERT INTO $Table ({$Fields}) VALUES({$Values})";
		$This->Query($Insert);
		
		return true;
	}
	
	public function Close() {
		if (!mysql_close($this->_database_connection)) {
			echo "Connection close failed.";
		}
	}

}

Which can be initialized as such:

Code:

session_start();
$Database = new blm_Database();
$Database->Hostname = $Hostname;
$Database->Username = $Username;
$Database->Password = $Password;
$Database->DbName = $DbName;

$Database->MainConnection($Database);

Include a config file with those variables defined and your good to go. This was done a few years ago, and since then the framework's database class is a bit better, handling queries more safely and checking for almost every possible outcome. I'd share that if it wasn't tied into error handling and the core factory. It's all object oriented, so to apply it to your code wouldn't be too hard but your looking at a complete rewrite and it's way to undocumented for me to want to provide help. I put some documentation into the script above if your not familiar with objects and what not.

Have fun. Keep up the work, maybe something will come of it.

[Kirth]

Here's some old code from my own framework....

What's wrong with using PDO and/or things such as Active Record?