-rw-r--r--create_topic.php69
-rw-r--r--header.php4
-rw-r--r--includes/signout_inc.php1
-rw-r--r--includes/topic_inc.php47
-rw-r--r--register.php82
-rw-r--r--reply.php30
-rw-r--r--signin.php68
-rw-r--r--topic.php36
8 files changed, 176 insertions, 161 deletions
diff --git a/create_topic.php b/create_topic.php
index 2953646..278d0fa 100644
--- a/create_topic.php
+++ b/create_topic.php
@@ -9,12 +9,11 @@ if (!isset($_SESSION['signed_in'])) {
}
?>
-<form action="includes/topic_inc.php" method="post">
+<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
<label for="topic_subject">Subject: </label><br>
<input type="text" name="topic_subject"><br>
<label for="topic_cat">Category: </label><br>
- <select name="topic_cat">';
- <?php
+ <?php
include_once 'includes/db_inc.php';
$sql = "SELECT cat_id, cat_name, cat_description FROM categories";
@@ -28,11 +27,14 @@ if (!isset($_SESSION['signed_in'])) {
die('There are currently no categories to post to.');
}
+ echo '<select name="topic_cat">';
+
while ($row = mysqli_fetch_assoc($result)) {
echo '<option value="' . $row['cat_id'] . '">' . $row['cat_name'] . '</option>';
}
- ?>
- </select><br>
+
+ echo '</select><br>';
+ ?>
<label for="post_content">Write your post: </label><br>
<textarea name="post_content"></textarea><br>
<input type="submit" name="submit">
@@ -40,5 +42,58 @@ if (!isset($_SESSION['signed_in'])) {
</section>
<?php
-include 'footer.php';
-?> \ No newline at end of file
+include_once 'includes/db_inc.php';
+
+function create_topic($dbc, $topic_subject, $topic_cat, $topic_author) {
+ $sql = "INSERT INTO topics(topic_subject, topic_date, topic_cat, topic_author) VALUES(?, NOW(), ?, ?);";
+ $stmt = mysqli_stmt_init($dbc);
+
+ if (!mysqli_stmt_prepare($stmt, $sql)) {
+ die('Could not create topic due to internal error: ' . mysqli_error($dbc));
+ }
+
+ mysqli_stmt_bind_param($stmt, "sii", $topic_subject, $topic_cat, $topic_author);
+ mysqli_stmt_execute($stmt);
+ mysqli_stmt_close($stmt);
+}
+
+function create_post($dbc, $post_content, $post_topic, $post_author) {
+ $sql = "INSERT INTO posts(post_content, post_date, post_topic, post_author) VALUES(?, NOW(), ?, ?);";
+ $stmt = mysqli_stmt_init($dbc);
+
+ if (!mysqli_stmt_prepare($stmt, $sql)) {
+ die('Could not create topic due to internal error: ' . mysqli_error($dbc));
+ }
+
+ mysqli_stmt_bind_param($stmt, "sii", $post_content, $post_topic, $post_author);
+ mysqli_stmt_execute($stmt);
+ mysqli_stmt_close($stmt);
+}
+
+function validate($data) {
+ $data = trim($data);
+ $data = stripslashes($data);
+ $data = htmlspecialchars($data);
+ return $data;
+}
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ $post_content = validate($_POST['post_content']);
+ $topic_subject = validate($_POST['topic_subject']);
+ $topic_cat = validate($_POST['topic_cat']);
+ $user_id = validate($_SESSION['user_id']);
+
+ create_topic($dbc, $topic_subject, $topic_cat, $user_id);
+ $topic_id = mysqli_insert_id($dbc);
+ create_post($dbc, $post_content, $topic_id, $user_id);
+
+ if (!$post_result) {
+ echo 'An error occurred creating your post: ' . mysqli_error($dbc);
+ }
+
+ header("Location: topic.php?id=" . $topic_id);
+}
+
+?>
+
+<?php include_once 'footer.php';?> \ No newline at end of file
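Review bot: `$post_result` on the `if (!$post_result)` line is never assigned — `create_post()` returns nothing — so the "An error occurred creating your post" message is printed on every successful submission, while a real failure is never detected because both helpers discard the return value of `mysqli_stmt_execute()`. Return the execute result from `create_post()` and capture it at the call site; `create_topic()` has the same gap, and when it fails `mysqli_insert_id($dbc)` yields 0 and the post is attached to topic 0. Separately, the form markup earlier in this file has already been sent by the time `header("Location: ...")` runs, so the redirect cannot take effect; the POST handling needs to run before any output (or behind output buffering) and should `exit` after the header. Note also that `validate()` stores the htmlspecialchars-encoded subject and body in the database, which double-encodes on output, and that `die('... ' . mysqli_error($dbc))` exposes database error text to the browser.
```php
function create_post($dbc, $post_content, $post_topic, $post_author) {
    // … unchanged: prepare + bind …
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// … unchanged: validate() …

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // … unchanged: input validation, create_topic() …
    $topic_id = mysqli_insert_id($dbc);
    $post_result = create_post($dbc, $post_content, $topic_id, $user_id);

    if (!$post_result) {
        echo 'An error occurred creating your post: ' . mysqli_error($dbc);
    }

    header("Location: topic.php?id=" . $topic_id);
    exit;
}
```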
diff --git a/header.php b/header.php
index 935f063..9d57fba 100644
--- a/header.php
+++ b/header.php
@@ -5,13 +5,13 @@ session_start();
<!DOCTYPE html>
<html>
<head>
- <title>cflip.net forum Beta</title>
+ <title>cflip.net forum</title>
<link rel="stylesheet" href="styles/style.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<div id="wrapper">
- <h1 id="title">cflip.net forum</h1>
+ <h1 id="title">cflip.net forum<sub style="font-size: small;">beta</sub></h1>
<nav>
<a href="index.php">Home</a>
<a href="create_topic.php">Create a topic</a>
diff --git a/includes/signout_inc.php b/includes/signout_inc.php
index c86447a..7859c4f 100644
--- a/includes/signout_inc.php
+++ b/includes/signout_inc.php
@@ -1,5 +1,6 @@
<?php
session_start();
+session_unset();
session_destroy();
header("Location: ../index.php"); \ No newline at end of file
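Review bot: `session_destroy()` clears the server-side session data but leaves the session cookie in the browser; the usual sign-out sequence also expires the cookie, e.g. `setcookie(session_name(), '', time() - 42000, '/');` before `session_destroy()`, so the client stops presenting the old id. The `header("Location: ../index.php")` call should be followed by `exit;` so nothing runs after the redirect is issued.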
diff --git a/includes/topic_inc.php b/includes/topic_inc.php
deleted file mode 100644
index c16a4e0..0000000
--- a/includes/topic_inc.php
+++ /dev/null
@@ -1,47 +0,0 @@
-<?php
-
-include_once 'db_inc.php';
-
-session_start();
-
-$sql = "BEGIN WORK;";
-$result = mysqli_query($dbc, $sql);
-
-if (!$result) {
- echo 'An error occurred creating your topic. Try again later';
-}
-
-$sql = "INSERT INTO topics(topic_subject, topic_date, topic_cat, topic_author) VALUES(
-'" . mysqli_real_escape_string($dbc, $_POST['topic_subject']) . "',
-NOW(),
-" . mysqli_real_escape_string($dbc, $_POST['topic_cat']) . ",
-" . $_SESSION['user_id'] .")";
-
-$result = mysqli_query($dbc, $sql);
-
-if (!$result) {
- echo 'An error occured while creating your post. Please try again later.' . mysql_error();
- $sql = "ROLLBACK;";
- mysqli_query($dbc, $sql);
-} else {
- $topic_id = mysqli_insert_id($dbc);
-
- $sql = "INSERT INTO posts(post_content, post_date, post_topic, post_author) VALUES(
- '" . mysqli_real_escape_string($dbc, $_POST['post_content']) . "',
- NOW(),
- " . $topic_id . ",
- " . $_SESSION['user_id'] . ")";
-
- $result = mysqli_query($dbc, $sql);
-
- if (!$result) {
- echo 'An error occured while creating your post. Please try again later.' . mysqli_error($dbc);
- $sql = "ROLLBACK;";
- mysqli_query($dbc, $sql);
- } else {
- $sql = "COMMIT;";
- $result = mysqli_query($dbc, $sql);
- }
-}
-
-header("Location: ../topic.php?id=" . $topic_id); \ No newline at end of file
diff --git a/register.php b/register.php
index f0cb3f5..d167c2e 100644
--- a/register.php
+++ b/register.php
@@ -1,12 +1,7 @@
-<?php
-
-include_once 'header.php';
-include_once 'includes/db_inc.php';
+<?php include_once 'header.php';?>
-echo '<section><h2>Register an account</h2>';
-
-if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- echo '
+<section>
+ <h2>Register an account</h2>
<form action="register.php" method="post">
<label for="user_name">Username: </label><br>
<input type="text" name="user_name"><br>
@@ -16,27 +11,40 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
<input type="password" name="user_pass_check"><br>
<input type="submit" name="submit">
</form>
- ';
-} else {
+
+<?php
+include_once 'includes/db_inc.php';
+
+function validate($data) {
+ $data = trim($data);
+ $data = stripslashes($data);
+ $data = htmlspecialchars($data);
+ return $data;
+}
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$errors = array();
- if (isset($_POST['user_name'])) {
- if (!ctype_alnum($_POST['user_name'])) {
- $errors[] = 'Invalid username. Only letters and numbers are supported.';
- }
- if (strlen($_POST['user_name']) > 30) {
- $errors[] = 'Username must be 30 characters or less.';
- }
+ $user_name = "";
+ $user_pass = "";
+
+ if (empty($_POST['user_name'])) {
+ $errors[] = "You must provide a username.";
} else {
- $errors[] = 'Please provide a username.';
+ $user_name = validate($_POST['user_name']);
+ if (strlen($user_name) > 30) {
+ $errors[] = "Your username must be 30 characters or less.";
+ }
}
- if (isset($_POST['user_pass'])) {
- if ($_POST['user_pass'] != $_POST['user_pass_check']) {
- $errors[] = 'The two passwords do not match.';
- }
+ if (empty($_POST['user_pass'])) {
+ $errors[] = "You must provide a password.";
} else {
- $errors[] = 'Please provide a password.';
+ $user_pass = validate($_POST['user_pass']);
+ $pass_check = validate($_POST['user_pass_check']);
+ if ($user_pass !== $pass_check) {
+ $errors[] = "The two passwords do not match.";
+ }
}
if (!empty($errors)) {
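Review bot: Passing the password through `validate()` on the `$user_pass = validate($_POST['user_pass']);` line hashes a trimmed, `stripslashes`'d and HTML-encoded version of what the user typed, while signin.php verifies the raw `$_POST['user_pass']`; any password containing `&`, `<`, `>`, `"`, `'`, a backslash or leading/trailing whitespace is accepted at registration and then rejected at sign-in. Use the raw values for the password fields, `$user_pass = $_POST['user_pass'];` and `$pass_check = $_POST['user_pass_check'];` — neither the match check nor `password_hash()` needs escaping. The old `ctype_alnum()` username check is dropped without replacement, so usernames may now contain any characters; if that is intended it should be stated, and `strlen` should become `mb_strlen` since the 30-character limit is otherwise counted in bytes. `validate()` is also defined identically here, in create_topic.php and in signin.php; a single include would keep the three copies from drifting.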
@@ -46,22 +54,24 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
}
echo '</ul>';
} else {
- $sql = "INSERT INTO users(user_name, user_pass, user_date)
- VALUES('" . mysqli_real_escape_string($dbc, $_POST['user_name']) . "',
- '" . sha1($_POST['user_pass']) . "',
- NOW())
- ";
+ $sql = "INSERT INTO users(user_name, user_pass, user_date) VALUES(?, ?, NOW());";
+ $stmt = mysqli_stmt_init($dbc);
- $result = mysqli_query($dbc, $sql);
- if (!$result) {
- echo 'Failed to register account due to internal error.';
- echo mysqli_error($dbc);
- } else {
- echo 'Account successfully created!';
+ if (!mysqli_stmt_prepare($stmt, $sql)) {
+ die('Could not create account due to internal error: ' . mysqli_error($dbc));
}
+
+ $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);
+
+ mysqli_stmt_bind_param($stmt, "ss", $user_name, $pass_hash);
+ mysqli_stmt_execute($stmt);
+ mysqli_stmt_close($stmt);
+
+ echo 'Account successfully registered! You can now <a href="signin.php">sign in</a>';
}
}
+?>
-echo '</section>';
+</section>
-include_once 'footer.php';
+<?php include_once 'footer.php';?> \ No newline at end of file
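Review bot: The return value of `mysqli_stmt_execute($stmt)` is not checked, so a failed insert (for example a duplicate username, if `user_name` carries a unique constraint — not visible in this diff) still prints "Account successfully registered!". Guard it: `if (!mysqli_stmt_execute($stmt)) { echo 'Failed to register account.'; } else { echo 'Account successfully registered! You can now <a href="signin.php">sign in</a>'; }`. The `die('Could not create account due to internal error: ' . mysqli_error($dbc))` line sends raw database error text to the browser; log it server-side and show a generic message instead.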
diff --git a/reply.php b/reply.php
deleted file mode 100644
index 051aaa4..0000000
--- a/reply.php
+++ /dev/null
@@ -1,30 +0,0 @@
-<?php
-
-include 'header.php';
-include_once 'connect.php';
-
-if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- echo 'This file cannot be called directly.';
-} else {
- if (!isset($_SESSION['signed_in'])) {
- echo 'You must be signed in to reply to a topic.';
- } else {
- $sql = "INSERT INTO posts(post_content, post_date, post_topic, post_author) VALUES(
- '" . mysqli_real_escape_string($dbc, $_POST['reply_content']) . "',
- NOW(),
- " . mysqli_real_escape_string($dbc, $_GET['reply_to']) . ",
- " . $_SESSION['user_id'] . ")";
-
- $result = mysqli_query($dbc, $sql);
-
- if (!$result) {
- echo 'An error occurred trying to reply to the post.' . mysqli_error($dbc);
- } else {
- echo 'Your reply has been saved, check out <a href="topic.php?id=' . $_GET['reply_to'] . '">the topic</a>.';
- }
- }
-}
-
-include 'footer.php';
-
-?> \ No newline at end of file
diff --git a/signin.php b/signin.php
index 287eeda..4355afe 100644
--- a/signin.php
+++ b/signin.php
@@ -1,29 +1,39 @@
-<?php
-
-include_once 'includes/db_inc.php';
-include_once 'header.php';
+<?php include_once 'header.php';?>
-echo '<section><h2>Sign in</h2>';
-
-if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- echo '
- <form action="" method="post">
+<section>
+ <h2>Sign in</h2>
+ <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
<label for="user_name">Username: </label><br>
<input type="text" name="user_name"><br>
<label for="user_pass">Password: </label><br>
<input type="password" name="user_pass"><br>
<input type="submit" name="submit">
</form>
- ';
-} else {
- $errors = array();
- if (!isset($_POST['user_name'])) {
+<?php
+
+include_once 'includes/db_inc.php';
+
+function validate($data) {
+ $data = trim($data);
+ $data = stripslashes($data);
+ $data = htmlspecialchars($data);
+ return $data;
+}
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ $errors = array();
+
+ if (empty($_POST['user_name'])) {
$errors[] = 'Please provide a username.';
+ } else {
+ $user_name = validate($_POST['user_name']);
}
- if (!isset($_POST['user_pass'])) {
+ if (empty($_POST['user_pass'])) {
$errors[] = 'Please provide a password.';
+ } else {
+ $user_pass = $_POST['user_pass'];
}
if (!empty($errors)) {
@@ -33,28 +43,34 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
}
echo '</ul>';
} else {
- $sql = "SELECT user_id, user_name FROM users WHERE user_name = '" . mysqli_real_escape_string($dbc, $_POST['user_name']) . "' AND user_pass = '" . sha1($_POST['user_pass']) ."'";
+ $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);
+
+ $sql = "SELECT user_id, user_name, user_pass FROM users WHERE user_name = '" . $user_name . "';";
$result = mysqli_query($dbc, $sql);
if (!$result) {
- echo 'An error occurred while signing in.';
- echo mysqli_error($dbc);
+ echo 'An error occurred while signing in: ' . mysqli_error($dbc);
} else {
if (mysqli_num_rows($result) == 0) {
- echo 'There is no user with that username/password combination! Please try again';
+ echo 'There is no user with that name. Did you mean to <a href="register.php">create a new account?</a>';
} else {
- $_SESSION['signed_in'] = true;
-
while ($row = mysqli_fetch_assoc($result)) {
- $_SESSION['user_id'] = $row['user_id'];
- $_SESSION['user_name'] = $row['user_name'];
- }
+ if (!password_verify($user_pass, $row['user_pass'])) {
+ echo 'Password does not match!';
+ } else {
+ $_SESSION['signed_in'] = true;
+ $_SESSION['user_id'] = $row['user_id'];
+ $_SESSION['user_name'] = $row['user_name'];
- echo 'You are now signed in as ' . $_SESSION['user_name'];
+ header("Location: index.php");
+ }
+ }
}
}
}
}
+?>
+
+</section>
-echo '</section>';
-include_once 'footer.php'; \ No newline at end of file
+<?php include_once 'footer.php';?> \ No newline at end of file
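Review bot: The lookup on the `$sql = "SELECT user_id, user_name, user_pass FROM users WHERE user_name = '" . $user_name . "';"` line still concatenates user input into SQL; `validate()` only applies `htmlspecialchars()`, whose default flags did not escape single quotes before PHP 8.1, so it is not a SQL escape, and the query should use a prepared statement as register.php and create_topic.php now do. The `$pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);` line is unused — it costs a hashing round per login attempt for nothing and can be removed, since `password_verify()` below is what checks the stored hash. `header("Location: index.php")` runs after the sign-in form has already been output and without `exit`, so the redirect cannot be sent and the rest of the page still renders. The distinct "There is no user with that name" and "Password does not match!" responses reveal which usernames exist; a single "Invalid username or password" message avoids that, and `session_regenerate_id(true)` when setting `$_SESSION['signed_in']` would prevent session fixation.
```php
} else {
    $sql = "SELECT user_id, user_name, user_pass FROM users WHERE user_name = ?;";
    $stmt = mysqli_stmt_init($dbc);
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        die('An error occurred while signing in.');
    }
    mysqli_stmt_bind_param($stmt, "s", $user_name);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    // … unchanged: mysqli_num_rows / password_verify loop, then mysqli_stmt_close($stmt) …
```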
diff --git a/topic.php b/topic.php
index 216211f..751370b 100644
--- a/topic.php
+++ b/topic.php
@@ -1,6 +1,6 @@
-<?php
+<?php include_once 'header.php'; ?>
-include_once 'header.php';
+<?php
include_once 'includes/db_inc.php';
$sql = "SELECT topic_id, topic_subject, topic_date, user_id, user_name FROM topics LEFT JOIN users ON topic_author = user_id WHERE topic_id = " . mysqli_real_escape_string($dbc, $_GET['id']);
@@ -40,18 +40,28 @@ if (mysqli_num_rows($result) == 0) {
echo '<td class="left">' . $row['post_content'] . '</td></tr>';
}
echo '</table>';
-
- echo '
-<section>
-<form action="includes/reply_inc.php?reply_to=' . $topic_id . '" method="post">
- <h2>Reply to this thread</h2>
- <textarea name="reply_content"></textarea>
- <br>
- <input type="submit" name="submit">
-</form>
-</section>';
}
mysqli_free_result($result);
-include 'footer.php'; \ No newline at end of file
+if (isset($_SESSION['signed_in'])) {
+ echo '
+ <section>
+ <form action="includes/reply_inc.php?reply_to=' . $topic_id .'>" method="post">
+ <h2>Reply to this thread</h2>
+ <textarea name="reply_content"></textarea>
+ <br>
+ <input type="submit" name="submit">
+ </form>
+ </section>
+ ';
+} else {
+ echo '
+ <section>
+ <a href="signin.php">Sign in</a> to reply to this thread</a>
+ </section>
+ ';
+}
+
+include_once 'footer.php';
+?> \ No newline at end of file
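Review bot: The reply form's action attribute on the `<form action="includes/reply_inc.php?reply_to=' . $topic_id .'>" method="post">` line has a stray `>` inside the quoted value, so the browser posts to `includes/reply_inc.php?reply_to=N>`; it should read `<form action="includes/reply_inc.php?reply_to=' . $topic_id . '" method="post">`. The sign-in prompt has an unmatched closing tag and should be `<a href="signin.php">Sign in</a> to reply to this thread`. This commit deletes reply.php, but includes/reply_inc.php, which the form now targets, is not part of the diff, so I cannot confirm it exists or that it checks `$_SESSION['signed_in']` server-side — the `isset($_SESSION['signed_in'])` guard here only hides the form. `$topic_id` is assigned outside this hunk.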