Im working on a simple forum script and i made some security feature against posting empty value`s. Problem is its not giving me the right errors its just showing the first error message "U havent filled in a title.".
Can anyone see the error because i cant.
Code:
<?php
include('include/configdb.php');
session_start();
$username = $_SESSION['user_name'];
$title = $_GET['title'];
$message = $_GET['message'];
if ($title == NULL){
echo "U havent filled in a title. Go <a href='post.php'>Back</a>";
} else if($message == NULL) {
echo "U havent filled in a message. Go <a href='post.php'>Back</a>";
} else {
$sql = "SELECT * FROM forumuser WHERE username='$username'";
$query = mysqli_query($mysqli, $sql);
$row = mysqli_fetch_array($query);
$beforep = $row['num_posts'];
$newposts = $beforep + 1;
$newsql = "UPDATE forumuser SET num_posts='$newposts' WHERE username='$username'";
mysqli_query($mysqli, $newsql);
header("location: index.php");
}
?>
Form code:
<form method="POST" name="post" id="post" action="insert.php">
<b>Title of the topic</b><br />
<input name="title" type="text" id="title">
<br />
<b>the topic u want to post</b><br />
<textarea name="message" type="text" id="message" colls="50" rows="5">
</textarea>
<br />
<input type="submit" name="submit" value="Post Topic">
</form>
Your form uses post. So
Replace
$_GET
With
$_POST
(I tested, using post in my form and get in php did not work)
And another thing is use isset($_POST[variable]) to see if it is really NULL. Otherwise you will get a warning
So your code should be like
<?php
include('include/configdb.php');
session_start();
$username = $_SESSION['user_name'];
if (!isset($_POST['title']) || $_POST['title'] == ''){
echo "U havent filled in a title. Go <a href='post.php'>Back</a>";
} else if(!isset($_POST['message']) || $_POST['message'] == ''
|| strlen(trim($_POST['message'])) == 0 || empty($_POST['message']) ){
echo "U havent filled in a message. Go <a href='post.php'>Back</a>";
} else {
$title = $_POST['title'];
$message = $_POST['message'];
$sql = "SELECT * FROM forumuser WHERE username='$username'";
$query = mysqli_query($mysqli, $sql);
$row = mysqli_fetch_array($query);
$beforep = $row['num_posts'];
$newposts = $beforep + 1;
$newsql = "UPDATE forumuser SET num_posts='$newposts' WHERE username='$username'";
mysqli_query($mysqli, $newsql);
header("location: index.php");
}
?>
Not sure if this would work but...
<?php
include('include/configdb.php');
session_start();
$username = $_SESSION['user_name'];
$title = isset( $_GET['title'] ) ? $_GET['title'] : NULL;
$message = isset( $_GET['message'] ) ? $_GET['message'] : NULL;
$msgs=array();
if( is_null( $title ) ) $msgs[]="U havent filled in a title. Go <a href='post.php'>Back</a>";
if( is_null( $message ) ) $msgs[]="U havent filled in a message. Go <a href='post.php'>Back</a>";
if( !empty( $msgs ) ){
echo implode( PHP_EOL, $msgs );
} else {
$newsql = "UPDATE forumuser SET num_posts=num_posts+1 WHERE username='$username'";
mysqli_query($mysqli, $newsql);
header("location: index.php");
}
?>
It look to me like the queries you run only update a count in the forumusers table so you should be able to do that with a single cmd.
That said, there is a serious risk of sql injection using your code ( and thus mine too ) - you really, really ought to begin using PDO and prepared statements to mitigate against sql injection.
update: would just like to note, for the record, that the code for the form was not included when I first answered the question so code was based upon supplied $_GET method and initially there were a couple of misplaced closing braces which might have caused the parse error the OP noted..
Pass a value with ?title= param along with form action. $title need some value to allow you further.
edited
<input name="title" type="text" id="title" />
<br />
<b>the topic u want to post</b><br />
<textarea name="message" type="text" id="message" colls="50" rows="5">
</textarea>
<br />
<input type="submit" name="submit" value="Post Topic" />
You are closing the tags correctly.