This is a simple little forum that I made.
First lets make the tables
mysql> create table forum_topics (
topic_id int not null primary key auto_increment,
topic_title varchar (150),
topic_create_time datetime,
topic_owner varchar (150)
);
mysql> create table forum_posts (
post_id int not null primary key auto_increment,
topic_id int not null,
post_text text,
post_create_time datetime,
post_owner varchar (150)
);
Now heres the code to show the topics
<?php//check for required info from the query stringif (!$_GET[topic_id]) { header("Location: topiclist.php"); exit;}//connect to server and select database$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());mysql_select_db("testDB",$conn) or die(mysql_error());//verify the topic exists$verify_topic = "select topic_title from forum_topics where topic_id = $_GET[topic_id]";$verify_topic_res = mysql_query($verify_topic, $conn) or die(mysql_error());if (mysql_num_rows($verify_topic_res) < 1) { //this topic does not exist $display_block = "<P><em>You have selected an invalid topic. Please <a href=\"topiclist.php\">try again</a>.</em></p>";} else { //get the topic title $topic_title = stripslashes(mysql_result($verify_topic_res,0, 'topic_title')); //gather the posts $get_posts = "select post_id, post_text, date_format(post_create_time, '%b %e %Y at %r') as fmt_post_create_time, post_owner from forum_posts where topic_id = $_GET[topic_id] order by post_create_time asc"; $get_posts_res = mysql_query($get_posts,$conn) or die(mysql_error()); //create the display string $display_block = " <P>Showing posts for the <strong>$topic_title</strong> topic:</p> <table width=100% cellpadding=3 cellspacing=1 border=1> <tr> <th>AUTHOR</th> <th>POST</th> </tr>"; while ($posts_info = mysql_fetch_array($get_posts_res)) { $post_id = $posts_info['post_id']; $post_text = nl2br(stripslashes($posts_info['post_text'])); $post_create_time = $posts_info['fmt_post_create_time']; $post_owner = stripslashes($posts_info['post_owner']); //add to display $display_block .= " <tr> <td width=35% valign=top>$post_owner<br>[$post_create_time]</td> <td width=65% valign=top>$post_text<br><br> <a href=\"replytopost.php?post_id=$post_id\"><strong>REPLY TO POST</strong></a></td> </tr>"; } //close up the table $display_block .= "</table>";}?>
<html>
<head>
<title>Posts in Topic</title>
</head>
<body>
<h1>Posts in Topic</h1>
<?php print $display_block; ?>
</body>
</html>
This code is the topic lists
<?php//connect to server and select database$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());mysql_select_db("testDB",$conn) or die(mysql_error());//gather the topics$get_topics = "select topic_id, topic_title, date_format(topic_create_time, '%b %e %Y at %r') as fmt_topic_create_time, topic_owner from forum_topics order by topic_create_time desc";$get_topics_res = mysql_query($get_topics,$conn) or die(mysql_error());if (mysql_num_rows($get_topics_res) < 1) { //there are no topics, so say so $display_block = "<P><em>No topics exist.</em></p>";} else { //create the display string $display_block = " <table cellpadding=3 cellspacing=1 border=1> <tr> <th>TOPIC TITLE</th> <th># of POSTS</th> </tr>"; while ($topic_info = mysql_fetch_array($get_topics_res)) { $topic_id = $topic_info['topic_id']; $topic_title = stripslashes($topic_info['topic_title']); $topic_create_time = $topic_info['fmt_topic_create_time']; $topic_owner = stripslashes($topic_info['topic_owner']); //get number of posts $get_num_posts = "select count(post_id) from forum_posts where topic_id = $topic_id"; $get_num_posts_res = mysql_query($get_num_posts,$conn) or die(mysql_error()); $num_posts = mysql_result($get_num_posts_res,0,'count(post_id)'); //add to display $display_block .= " <tr> <td><a href=\"showtopic.php?topic_id=$topic_id\"><strong>$topic_title</strong></a><br> Created on $topic_create_time by $topic_owner</td> <td align=center>$num_posts</td> </tr>"; } //close up the table $display_block .= "</table>";}?>
<html>
<head>
<title>Topics in My Forum</title>
</head>
<body>
<h1>Topics in My Forum</h1>
<?php print $display_block; ?>
<P>Would you like to <a href="addtopic.html">add a topic</a>?</p>
</body>
</html>
Script to add topic
<?php//check for required fields from the formif ((!$_POST[topic_owner]) || (!$_POST[topic_title])|| (!$_POST[post_text])) { header("Location: addtopic.html"); exit;}//connect to server and select database$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());mysql_select_db("testDB",$conn) or die(mysql_error());//create and issue the first query$add_topic = "insert into forum_topics values ('', '$_POST[topic_title]', now(), '$_POST[topic_owner]')";mysql_query($add_topic,$conn) or die(mysql_error());//get the id of the last query$topic_id = mysql_insert_id();//create and issue the second query$add_post = "insert into forum_posts values ('', '$topic_id','$_POST[post_text]', now(), '$_POST[topic_owner]')";mysql_query($add_post,$conn) or die(mysql_error());//create nice message for user$msg = "<P>The <strong>$topic_title</strong> topic has been created.</p>";?>
<html>
<head>
<title>New Topic Added</title>
</head>
<body>
<h1>New Topic Added</h1>
<?php print $msg; ?>
</body>
</html>
Script to reply to post
<?php//connect to server and select database; we'll need it soon$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());mysql_select_db("testDB",$conn) or die(mysql_error());//check to see if we're showing the form or adding the postif ($_POST[op] != "addpost") { // showing the form; check for required item in query string if (!$_GET[post_id]) { header("Location: topiclist.php"); exit; } //still have to verify topic and post $verify = "select ft.topic_id, ft.topic_title from forum_posts as fp left join forum_topics as ft on fp.topic_id = ft.topic_id where fp.post_id = $_GET[post_id]"; $verify_res = mysql_query($verify, $conn) or die(mysql_error()); if (mysql_num_rows($verify_res) < 1) { //this post or topic does not exist header("Location: topiclist.php"); exit; } else { //get the topic id and title $topic_id = mysql_result($verify_res,0,'topic_id'); $topic_title = stripslashes(mysql_result($verify_res, 0,'topic_title')); print " <html> <head> <title>Post Your Reply in $topic_title</title> </head> <body> <h1>Post Your Reply in $topic_title</h1> <form method=post action=\"$_SERVER[PHP_SELF]\"> <p><strong>Your E-Mail Address:</strong><br> <input type=\"text\" name=\"post_owner\" size=40 maxlength=150> <P><strong>Post Text:</strong><br> <textarea name=\"post_text\" rows=8 cols=40 wrap=virtual></textarea> <input type=\"hidden\" name=\"op\" value=\"addpost\"> <input type=\"hidden\" name=\"topic_id\" value=\"$topic_id\"> <P><input type=\"submit\" name=\"submit\" value=\"Add Post\"></p> </form> </body> </html>"; }} else if ($_POST[op] == "addpost") { //check for required items from form if ((!$_POST[topic_id]) || (!$_POST[post_text]) || (!$_POST[post_owner])) { header("Location: topiclist.php"); exit; } //add the post $add_post = "insert into forum_posts values ('', '$_POST[topic_id]', '$_POST[post_text]', now(), '$_POST[post_owner]')"; mysql_query($add_post,$conn) or die(mysql_error()); //redirect user to topic header("Location: showtopic.php?topic_id=$topic_id"); exit;}?>
and here is the form of adding a topic
<html>
<head>
<title>Add a Topic</title>
</head>
<body>
<h1>Add a Topic</h1>
<form method=post action="do_addtopic.php">
<p><strong>Your E-Mail Address:</strong><br>
<input type="text" name="topic_owner" size=40 maxlength=150>
<p><strong>Topic Title:</strong><br>
<input type="text" name="topic_title" size=40 maxlength=150>
<P><strong>Post Text:</strong><br>
<textarea name="post_text" rows=8 cols=40 wrap=virtual></textarea>
<P><input type="submit" name="submit" value="Add Topic"></p>
</form>
</body>
</html>
This is just a simple forum... nothing fancy
It's sql-injectable. Should check that out asap.
No, it has a security flaw. Should upload it somewhere and let me hax it.
Quote from: St0rm.iD on January 22, 2004, 08:27 PM
No, it has a security flaw. Should upload it somewhere and let me hax it.
http://www.digitaldoozie.net/st0rm/showtopic.php (http://www.digitaldoozie.net/st0rm/showtopic.php)
have fun ;D
There were no interesting passwords to fish for...but...
http://www.digitaldoozie.net/st0rm/showtopic.php?topic_id=1%20or%201=1
That's a quick example.
Its good but could do with passwords and admins. Thumbs upo from me though