Valhalla Legends Forums Archive | Web Development | A simple forum in PHP and MySQL

Kaiory
This is a simple little forum that I made.

First let's make the tables
[code]
mysql> create table forum_topics (
topic_id int not null primary key auto_increment,
topic_title varchar (150),
topic_create_time datetime,
topic_owner varchar (150)
);

mysql> create table forum_posts (
post_id int not null primary key auto_increment,
topic_id int not null,
post_text text,
post_create_time datetime,
post_owner varchar (150)
);
[/code]

Now here's the code to show the topics

[code]
<?php
//check for required info from the query string
if (empty($_GET['topic_id'])) {
header("Location: topiclist.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());
mysql_select_db("testDB",$conn) or die(mysql_error());

//verify the topic exists
$verify_topic = "select topic_title from forum_topics where topic_id = $_GET[topic_id]";
$verify_topic_res = mysql_query($verify_topic, $conn) or die(mysql_error());

if (mysql_num_rows($verify_topic_res) < 1) {
//this topic does not exist
$display_block = "<P><em>You have selected an invalid topic. Please <a href=\"topiclist.php\">try again</a>.</em></p>";
} else {
//get the topic title
$topic_title = stripslashes(mysql_result($verify_topic_res,0, 'topic_title'));

//gather the posts
$get_posts = "select post_id, post_text, date_format(post_create_time, '%b %e %Y at %r') as fmt_post_create_time, post_owner from forum_posts where topic_id = $_GET[topic_id] order by post_create_time asc";
$get_posts_res = mysql_query($get_posts,$conn) or die(mysql_error());

//create the display string
$display_block = "
<P>Showing posts for the <strong>$topic_title</strong> topic:</p>

<table width=100% cellpadding=3 cellspacing=1 border=1>
<tr>
<th>AUTHOR</th>
<th>POST</th>
</tr>";

while ($posts_info = mysql_fetch_array($get_posts_res)) {
$post_id = $posts_info['post_id'];
$post_text = nl2br(stripslashes($posts_info['post_text']));
$post_create_time = $posts_info['fmt_post_create_time'];
$post_owner = stripslashes($posts_info['post_owner']);

//add to display
$display_block .= "
<tr>
<td width=35% valign=top>$post_owner<br>[$post_create_time]</td>
<td width=65% valign=top>$post_text<br><br>
<a href=\"replytopost.php?post_id=$post_id\"><strong>REPLY TO POST</strong></a></td>
</tr>";
}

//close up the table
$display_block .= "</table>";
}
?>
<html>
<head>
<title>Posts in Topic</title>
</head>
<body>
<h1>Posts in Topic</h1>
<?php print $display_block; ?>
</body>
</html>
[/code]

This code is the topic list

[code]
<?php
//connect to server and select database
$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());
mysql_select_db("testDB",$conn) or die(mysql_error());

//gather the topics
$get_topics = "select topic_id, topic_title, date_format(topic_create_time, '%b %e %Y at %r') as fmt_topic_create_time, topic_owner from forum_topics order by topic_create_time desc";
$get_topics_res = mysql_query($get_topics,$conn) or die(mysql_error());
if (mysql_num_rows($get_topics_res) < 1) {
//there are no topics, so say so
$display_block = "<P><em>No topics exist.</em></p>";
} else {
//create the display string
$display_block = "
<table cellpadding=3 cellspacing=1 border=1>
<tr>
<th>TOPIC TITLE</th>
<th># of POSTS</th>
</tr>";

while ($topic_info = mysql_fetch_array($get_topics_res)) {
$topic_id = $topic_info['topic_id'];
$topic_title = stripslashes($topic_info['topic_title']);
$topic_create_time = $topic_info['fmt_topic_create_time'];
$topic_owner = stripslashes($topic_info['topic_owner']);

//get number of posts
$get_num_posts = "select count(post_id) from forum_posts where topic_id = $topic_id";
$get_num_posts_res = mysql_query($get_num_posts,$conn) or die(mysql_error());
$num_posts = mysql_result($get_num_posts_res,0,'count(post_id)');

//add to display
$display_block .= "
<tr>
<td><a href=\"showtopic.php?topic_id=$topic_id\"><strong>$topic_title</strong></a><br>
Created on $topic_create_time by $topic_owner</td>
<td align=center>$num_posts</td>
</tr>";
}

//close up the table
$display_block .= "</table>";
}
?>
<html>
<head>
<title>Topics in My Forum</title>
</head>
<body>
<h1>Topics in My Forum</h1>
<?php print $display_block; ?>
<P>Would you like to <a href="addtopic.html">add a topic</a>?</p>
</body>
</html>
[/code]

Script to add topic
[code]
<?php
//check for required fields from the form
if (empty($_POST['topic_owner']) || empty($_POST['topic_title']) || empty($_POST['post_text'])) {
header("Location: addtopic.html");
exit;
}

//connect to server and select database
$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());
mysql_select_db("testDB",$conn) or die(mysql_error());

//create and issue the first query
//NULL lets auto_increment assign topic_id
$add_topic = "insert into forum_topics values (NULL, '$_POST[topic_title]', now(), '$_POST[topic_owner]')";
mysql_query($add_topic,$conn) or die(mysql_error());

//get the id of the last query
$topic_id = mysql_insert_id();

//create and issue the second query
$add_post = "insert into forum_posts values (NULL, '$topic_id','$_POST[post_text]', now(), '$_POST[topic_owner]')";
mysql_query($add_post,$conn) or die(mysql_error());

//create nice message for user
$msg = "<P>The <strong>$_POST[topic_title]</strong> topic has been created.</p>";
?>
<html>
<head>
<title>New Topic Added</title>
</head>
<body>
<h1>New Topic Added</h1>
<?php print $msg; ?>
</body>
</html>
[/code]

Script to reply to post

[code]
<?php
//connect to server and select database; we'll need it soon
$conn = mysql_connect("localhost", "joeuser", "somepass") or die(mysql_error());
mysql_select_db("testDB",$conn) or die(mysql_error());

//check to see if we're showing the form or adding the post
if (empty($_POST['op']) || $_POST['op'] != "addpost") {
// showing the form; check for required item in query string
if (empty($_GET['post_id'])) {
header("Location: topiclist.php");
exit;
}

//still have to verify topic and post
$verify = "select ft.topic_id, ft.topic_title from forum_posts as fp left join forum_topics as ft on fp.topic_id = ft.topic_id where fp.post_id = $_GET[post_id]";
$verify_res = mysql_query($verify, $conn) or die(mysql_error());
if (mysql_num_rows($verify_res) < 1) {
//this post or topic does not exist
header("Location: topiclist.php");
exit;
} else {
//get the topic id and title
$topic_id = mysql_result($verify_res,0,'topic_id');
$topic_title = stripslashes(mysql_result($verify_res, 0,'topic_title'));

print "
<html>
<head>
<title>Post Your Reply in $topic_title</title>
</head>
<body>
<h1>Post Your Reply in $topic_title</h1>
<form method=post action=\"$_SERVER[PHP_SELF]\">
<p><strong>Your E-Mail Address:</strong><br>
<input type=\"text\" name=\"post_owner\" size=40 maxlength=150>

<P><strong>Post Text:</strong><br>
<textarea name=\"post_text\" rows=8 cols=40 wrap=virtual></textarea>

<input type=\"hidden\" name=\"op\" value=\"addpost\">
<input type=\"hidden\" name=\"topic_id\" value=\"$topic_id\">

<P><input type=\"submit\" name=\"submit\" value=\"Add Post\"></p>

</form>
</body>
</html>";
}
} else {
//check for required items from form
if (empty($_POST['topic_id']) || empty($_POST['post_text']) || empty($_POST['post_owner'])) {
header("Location: topiclist.php");
exit;
}

//add the post
$add_post = "insert into forum_posts values (NULL, '$_POST[topic_id]', '$_POST[post_text]', now(), '$_POST[post_owner]')";
mysql_query($add_post,$conn) or die(mysql_error());

//redirect user to topic
header("Location: showtopic.php?topic_id=$_POST[topic_id]");
exit;
}
?>
[/code]

and here is the form for adding a topic

[code]
<html>
<head>
<title>Add a Topic</title>
</head>
<body>
<h1>Add a Topic</h1>
<form method=post action="do_addtopic.php">
<p><strong>Your E-Mail Address:</strong><br>
<input type="text" name="topic_owner" size=40 maxlength=150>
<p><strong>Topic Title:</strong><br>
<input type="text" name="topic_title" size=40 maxlength=150>
<P><strong>Post Text:</strong><br>
<textarea name="post_text" rows=8 cols=40 wrap=virtual></textarea>
<P><input type="submit" name="submit" value="Add Topic"></p>
</form>
</body>
</html>
[/code]

This is just a simple forum... nothing fancy
January 22, 2004, 11:23 PM
St0rm.iD
It's sql-injectable. Should check that out asap.
January 23, 2004, 12:59 AM
Kaiory
[code]
# --------------------------------------------------------
#
# Table structure for table 'forum_topics'
#

create table forum_topics (
topic_id int not null primary key auto_increment,
topic_title varchar (150),
topic_create_time datetime,
topic_owner varchar (150)
);

# --------------------------------------------------------
#
# Table structure for table 'forum_posts'
#

create table forum_posts (
post_id int not null primary key auto_increment,
topic_id int not null,
post_text text,
post_create_time datetime,
post_owner varchar (150)
);
[/code]

That should work
January 23, 2004, 1:18 AM
St0rm.iD
No, it has a security flaw. Should upload it somewhere and let me hax it.
January 23, 2004, 2:27 AM
Kaiory
Oh, I gotcha...
January 23, 2004, 9:38 PM
hismajesty
[quote author=St0rm.iD link=board=22;threadid=4854;start=0#msg40755 date=1074824870]
No, it has a security flaw. Should upload it somewhere and let me hax it.
[/quote]

http://www.digitaldoozie.net/st0rm/showtopic.php

have fun ;D
January 24, 2004, 4:13 PM
St0rm.iD
There were no interesting passwords to fish for...but...

http://www.digitaldoozie.net/st0rm/showtopic.php?topic_id=1%20or%201=1

That's a quick example.
January 25, 2004, 3:59 AM
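The URL above works because showtopic.php splices the raw query-string value into `where topic_id = $_GET[topic_id]`, so `topic_id=1 or 1=1` turns the verification query and the post query into ones that match every row. The script below is an added example, not code from Kaiory's post or from St0rm.iD: it runs the posted query shape and a parameterised replacement side by side against an in-memory SQLite database through PDO so it works offline. The table layout follows the thread; the rows and e-mail addresses are constructed for the demo, and `datetime('now')` stands in for MySQL's `now()`. Against the real forum the DSN would be `mysql:host=localhost;dbname=testDB`.

```php
<?php
// Added example (not the thread's code): the showtopic.php query as posted,
// beside a parameterised version, run against an in-memory SQLite database
// through PDO. Table layout follows the thread; the rows are constructed here.
declare(strict_types=1);

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("create table forum_topics (
        topic_id integer primary key autoincrement,
        topic_title varchar(150), topic_create_time datetime, topic_owner varchar(150))");
    $db->exec("create table forum_posts (
        post_id integer primary key autoincrement, topic_id int not null,
        post_text text, post_create_time datetime, post_owner varchar(150))");
    // constructed sample rows: one post in topic 1, one in topic 2
    $db->exec("insert into forum_topics values (1, 'Public topic', '2004-01-22 23:23:00', 'a@example.org')");
    $db->exec("insert into forum_topics values (2, 'Other topic',  '2004-01-23 00:59:00', 'b@example.org')");
    $db->exec("insert into forum_posts values (1, 1, 'hello',           '2004-01-22 23:23:00', 'a@example.org')");
    $db->exec("insert into forum_posts values (2, 2, 'not for topic 1', '2004-01-23 00:59:00', 'b@example.org')");
    return $db;
}

// Vulnerable: the query-string value is spliced into the SQL text, exactly as
// "where topic_id = $_GET[topic_id]" does in the thread.
function posts_vulnerable(PDO $db, string $topicId): array
{
    $sql = "select post_id, post_text from forum_posts where topic_id = $topicId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a positive integer, then bind the value
// as a parameter so it travels as data and cannot change the query structure.
function posts_hardened(PDO $db, string $topicId): ?array
{
    $id = filter_var($topicId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // the page would redirect to topiclist.php here
    }
    $stmt = $db->prepare('select post_id, post_text from forum_posts where topic_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same treatment for the inserts in do_addtopic.php and replytopost.php:
// a quote inside post_text is stored as text, so no stripslashes() is needed on output.
function add_post_hardened(PDO $db, int $topicId, string $text, string $owner): int
{
    $stmt = $db->prepare("insert into forum_posts (topic_id, post_text, post_create_time, post_owner)
                          values (:tid, :text, datetime('now'), :owner)");
    $stmt->execute([':tid' => $topicId, ':text' => $text, ':owner' => $owner]);
    return (int) $db->lastInsertId();
}

function post_text_by_id(PDO $db, int $postId): string
{
    $stmt = $db->prepare('select post_text from forum_posts where post_id = :id');
    $stmt->execute([':id' => $postId]);
    return (string) $stmt->fetchColumn();
}

$db = setup_db();
$attack = '1 or 1=1';   // St0rm.iD's query string, URL-decoded

printf("vulnerable query returned %d rows\n", count(posts_vulnerable($db, $attack)));
$rows = posts_hardened($db, $attack);
echo 'hardened query: ' . ($rows === null ? 'input rejected' : count($rows) . ' rows') . "\n";
printf("hardened query for topic 1 returned %d rows\n", count(posts_hardened($db, '1')));

$newId = add_post_hardened($db, 1, "it's O'Reilly's forum", 'c@example.org');
echo 'stored as: ' . post_text_by_id($db, $newId) . "\n";
```

With the attack string, `posts_vulnerable()` returns the post from topic 2 as well as topic 1, which is the leak St0rm.iD's URL shows; `posts_hardened()` rejects the same string and returns only topic 1's row for a genuine id. The old `mysql_*` extension the thread uses has no prepared statements, so the minimum on that stack is casting `topic_id` with `(int)` before it reaches the query and passing every string through `mysql_real_escape_string()`; moving to PDO or mysqli prepared statements, as above, removes the need to get that right on every query.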
Kaiory
Do you like it though?
January 27, 2004, 2:10 AM
The-Rabid-Lord
It's good but could do with passwords and admins. Thumbs up from me though
January 27, 2004, 7:06 PM
Kaiory
Thank-you
But I did just say it was simple and it would be EXTREMELY easy to set up a login system/admin system
But thanks again for liking my forum
January 28, 2004, 3:57 PM
