Php: News System With Comments

10,747 Views | 23 Replies

Php: News System With Comments 2006-09-21 21:29:31



What you will learn:

You will learn how to make a News system for your website that allows you to add, edit and delete news from a database. You will also learn how to make a "comments" system with it, so users can comment on it. You will be able to add, edit, and delete comments as well.

Who should be using this tutorial:

You should understand the basics of SQL and PHP and know how to use MySQL or PhpMyAdmin before using this...

=======================

Alright down to business...This is a long script. Please don't post until I have stated that it is finished...Thanks.

All you need for this is two pages. It all deals with "actions" or index.php?action=blah and a security page.

Before you start, you need to create a database, if you haven't already. Then you need to put in these 2 scripts:

1.

CREATE TABLE `news` (
`id` int(10) unsigned NOT NULL auto_increment,
`postdate` timestamp NULL default NULL,
`title` varchar(50) NOT NULL default '',
`newstext` text NOT NULL,
PRIMARY KEY (`id`),
KEY `postdate` (`postdate`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=10 ;

That will be your news table. Now time for the comments that will be added onto the news...

2.

CREATE TABLE `news_comments` (
`id` int(10) unsigned NOT NULL auto_increment,
`news_id` int(10) unsigned NOT NULL default '0',
`name` varchar(40) NOT NULL default '',
`comment` text NOT NULL,
PRIMARY KEY (`id`),
KEY `news_id` (`news_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=14 ;

And that will sync the news comments with the news posts.

First you need to create index.php in the directory news ( /news/index.php )

Here's what's going to happen. I'll tell you about the sessions after we finish index.php:

<?php session_start(); ?>
<?php include ('../header.php');
$max_items = 10;
// This will tell how many news items will be displayed. Just the link will be displayed though...
// The whole news part will be displayed on individual pages.

$db = mysql_connect ('localhost','USERNAME','PASSWORD');
mysql_select_db ('DATABASE_NAME',$db);

// Replace USERNAME, PASSWORD, and DATABASE NAME with your information from your database.

// Now we are going to make all of these functions, so you can just easily call them into a switch at the end....oh how nice ;)

function displayNews($all) {

global $db, $max_items;
// This is just making the variables usable throughout the whole script...

if ($all == 0) {

$query = "SELECT id, title, newstext," .
"DATE_FORMAT(postdate, '%b %e, %Y') as date " .
"FROM news ORDER BY id DESC LIMIT $max_items";
// A simple if statement: if $all == 0 (the default), the query is limited to the latest $max_items (10) news posts. Otherwise (the "View all news" link calls displayNews(1)) every post in the database is shown.

} else {
// Else show all of the data. In descending order, so the latest news will be shown first.
$query = "SELECT id, title, newstext," .
"DATE_FORMAT(postdate, '%b %e, %Y') as date " .
"FROM news ORDER BY id DESC";
}
$result = mysql_query ($query);
while ($row = mysql_fetch_assoc ($result)) {
// Next we are going to create a while loop, that gathers all of the information, and orders it into a nice little table.
echo "<TABLE border=\"0\" width=\"400\" align=\"center\">\n";

// We can now select the rows, because we stated $row = mysql_fetch_assoc($result). Because of this, each row is accessible as an array, so they can be added as variables. You could just use $row['blah'] for the whole thing, but I like to make it simpler, and put them into separate variables...

$date = $row['date'];
$title = htmlentities ($row['title']);
$news = strip_tags ($row['newstext'], '<a><b><i><u>');
// We are making sure no tags but the ones stated above get added to the news script. Feel free to add more, like <font> and what not...
$news = nl2br ($news);
// this just creates a NEW LINE (nl) to (2) a LINE BREAK (br)
$id = $row['id'];

echo "<TR><TD><p><a href=\"{$_SERVER['PHP_SELF']}" . "?action=show&id=$id\"><b>$title</b></a> posted on <i>$date</i></p></TD>\n";
echo "\n";

$comment_query = "SELECT count(*) FROM news_comments " .
"WHERE news_id={$row['id']}";
$comment_result = mysql_query ($comment_query);
$comment_row = mysql_fetch_row($comment_result);
// This just gets all of the information from the comments table...

echo "<TD align=\"right\"><p><a href=\"{$_SERVER['PHP_SELF']}" .
"?action=showcom&id={$row['id']}\">Comments</a> {" . $comment_row[0] . "}</p></TD></TR>\n";
// This echos the link "Comments" (you'll see that you can either choose the title of the news post, to show no comments, or you can click the comments link next to the title, to show the comments) with how many comments are actually posted on that script.

echo "</TABLE>\n";
echo "\n";
}

if ($all == 0) {
echo "<br /><center><a href=\"{$_SERVER['PHP_SELF']}" .
"?action=all\">View all news</a></center>\n";
// If all of the news = 0, then add the link "View all news" so you can view the complete list of news instead of just the $max_items you listed above.
}
}

// This next function will display one news item, with out the comments showing. This is what function will happen when you click the title.

function displayOneItem($id) {
global $db;

<!!-- CONTINUED --!!>

THAT MEANS DON'T POST!


Hello, from the past!

[ PHP: Main ]


Response to Php: News System With Comments 2006-09-21 21:37:28


<!!-- CONTINUED --!!>
$query = "SELECT * FROM news WHERE id=$id";
$result = mysql_query ($query);

// Since you stated the ID in the function (which we will use as a $_GET later on) then you now have the variable "$id". So you order the news by that id, so the news you select will be shown, and nothing else.

if (mysql_num_rows ($result) == 0) {
echo "<center><b>Error!</b></center>\n";
echo "<p>No News Exists for the ID specified. Please try again.</p>\n";
return;
// If no id exists in the database, echo an error code...
// But if it did work, make $row an array of the columns, and start the news showing process...
}
$row = mysql_fetch_assoc($result);
echo "<TABLE border=\"0\" width=\"400\" align=\"center\">\n";

$title = htmlentities ($row['title']);
$news = strip_tags ($row['newstext'], '<a><b><i><u>');
$news = nl2br ($news);
// Same thing as before.....NL2BR and strip the tags so only they show up, and no other funky tags like <table> show up. If you want colors to be added into your news posts, then add the <font> tag there...

echo "<TR><TD align=\"center\"><b><p>$title</p></b></TD></TR>\n";
echo "<tr><td align=\"center\"><p><<<------------------------------------------->>></p></td></tr>\n";
echo "<TR><TD><p>$news</p></TD></TR>\n";

echo "</TABLE>\n";
echo "<BR>\n";

// Now, this next part will intervene with the admin login script. So, you can either study this now, and come back to it, or you can wait til' I explain it at the admin_login.php page... But I'm not explaining this right now....

//-- ADMIN OPTIONS --\\

echo "<Center>";

if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo "";
}else{
echo "<hr color=\"#666666\" width=\"50%\" />";
echo "&rarr; <b><a href=\"/news/index.php?action=editnews129&id=$id\">Edit News</a></b> -- <b><a href=\"/news/index.php?action=deletenews129&id=$id\" onClick=\"return confirm('Are you sure you really want to start to try to delete this valuable piece of information that can never be retrieved no matter how hard I trys?')\">Delete News</a></b> &larr;";
echo "<hr color=\"#666666\" width=\"50%\" />";

}
echo "</center>";
//-- END ADMIN OPTIONS --\\

echo '<center><a href="' . $_SERVER['PHP_SELF'] . '?action=showcom&id=' . $id . '">Show Comments</a></center>';
// This echos to show the comments, since this is the part that you aren't showing comments...
}
// And this is the function WITH comments...
function displayOneItem_withComments($id) {
global $db;

$query = "SELECT * FROM news WHERE id=$id";
$result = mysql_query ($query);

// blah blah blah...already explained.
if (mysql_num_rows ($result) == 0) {
echo "<center><b>Error!</b></center>\n";
echo "<p>No News Exists for the ID specified. Please try again.</p>\n";
return;
}
$row = mysql_fetch_assoc($result);
echo "<TABLE border=\"0\" width=\"400\" align=\"center\">\n";

$title = htmlentities ($row['title']);
$news = strip_tags ($row['newstext'], '<a><b><i><u>');
$news = nl2br ($news);

echo "<TR><TD align=\"center\"><b><p>$title</p></b></TD></TR>\n";
echo "<tr><td align=\"center\"><p><<<------------------------------------------->>></p></td></tr>\n";
echo "<TR><TD><p>$news</p></TD></TR>\n";
echo "</TABLE>\n";
echo "<BR>\n";

// Again with the admin options...This just makes it so you can see the admin panel even WHEN you are showing comments...der.
//-- ADMIN OPTIONS --\\

echo "<Center>";

if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo "";
}else{
echo "<hr color=\"#666666\" width=\"50%\" />";
echo "&rarr; <b><a href=\"/news/index.php?action=editnews129&id=$id\">Edit News</a></b> -- <b><a href=\"/news/index.php?action=deletenews129&id=$id\" onClick=\"return confirm('Are you sure you really want to start to try to delete this valuable piece of information that can never be retrieved no matter how hard I trys?')\">Delete News</a></b> &larr;";
echo "<hr color=\"#666666\" width=\"50%\" />";

}
echo "</center>";
//-- END ADMIN OPTIONS --\\
displayComments($id);
}// This says to display the comments function, with the $id that is already specified... so the right new posts' comments come up..
function displayComments($id) {

global $db;

$query = "SELECT * FROM news_comments WHERE news_id=$id";
$result = mysql_query ($query);

echo '<center><a href="' . $_SERVER['PHP_SELF'] . '?action=show&id=' . $id . '">Show without Comments</a></center>';
echo "<center><h3>Comments</h3><HR width=\"100%\"></center>\n";
// This shows the link to go back to showing without comments...

while ($row = mysql_fetch_assoc ($result)) {
echo "<TABLE border=\"0\" width=\"400\" align=\"center\">\n";

$name = htmlentities ($row['name']);
echo "<TR><TD><u>Posted by <b>$name</b></u>";

echo "</TD></TR>\n";

$comment = strip_tags ($row['comment'], '<a><b><i><u>');
$comment = nl2br ($comment);
echo "<TR><TD><p>$comment</p></TD></TR>\n";
echo "<tr><td align=\"left\" valign=\"top\">";
// This just echo's the comments...

//--- ADMIN PANEL --\\
if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo "";
}else{

echo "<p>&larr; <a href=\"/news/index.php?action=editcom129&id={$row['id']}\">Edit Comment</a> -- <a href=\"/news/index.php?action=deletecom129&id={$row['id']}\" onClick=\"return confirm('Are you sure you really want to start to try to delete this valuable piece of information that can never be retrieved no matter how hard I trys?')\">Delete Comment</a> &rarr;</p>";
}
echo "</td></tr>";
echo "<tr><td><p>====================================================</p></td></tr>\n";

echo "</TABLE>\n";
echo "\n";
} // Separator for comments....
} // end of displayComments()

<!-- CONTINUED !!-->

Response to Php: News System With Comments 2006-09-21 21:38:39


<!- CONTINUED -!>

// This is the function to insert all of that comment information that you just entered on the previous function...
function addComment($id) {
global $db;

$query = "INSERT INTO news_comments " .
"VALUES('',$id,'{$_POST['name']}'," .
"'{$_POST['comment']}')";
mysql_query($query);
// Just a nice little query
echo "Comment entered. Thanks!<BR>\n";
echo "<center><a href=\"{$_SERVER['PHP_SELF']}" .
"?action=showcom&id=$id\">Back</a></center>\n";
}

// As you've noticed, this is the add news script. This will get the information to add news, to insert into the database. This script also requires you to be logged in, which I will explain later on...
///----- ADD NEWS ----\\\
function addnews129($id = null) {

global $db;

session_start();
if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo '<center><h3>Error!</h3></center>You do not have sufficient permission to view this page.';

// Tellin' you ya need to login!
}else{

$query = "SELECT * FROM news WHERE id=$id";
$result = mysql_query ($query);
echo "<center><h3>Add News</h3></center>\n";
// Selects the news table, the $id part is in there for no reason to my knowledge, but keep it in there....
echo "<div align=\"left\">";
echo "There are 4 types of add-ins allowed to be used. They are: <ul>";
echo "<li>&lt;b&gt;<b>BOLD</b>&lt;/b&gt; </li>";
echo "<li>&lt;i&gt;<i>ITALIC</i>&lt;/i&gt; </li>";
echo "<li>&lt;u&gt;<u>UNDERLINED</u>&lt;/u&gt; </li>";
echo "<li>&lt;a href=\"http://www.somesite.com\"&gt;<a href=\"http://www.somesite.com\">NAME OF SOMESITE</a>&lt;/a&gt;</li></ul>";
echo "</div>";
// Just telling you what can and cannot be added to the news post...
// And the form to add it..
echo "<center><FORM action=\"{$_SERVER['PHP_SELF']}" .
"?action=addnews\" method=POST>\n";
echo "Title: <input type=\"text\" " .
"size=\"30\" name=\"title\"><BR>\n";
echo "<TEXTAREA cols=\"40\" rows=\"15\" " .
"name=\"news\"></TEXTAREA><BR>\n";
echo "<input type=\"submit\" name=\"submit\" " .
"value=\"Add News\">\n";
echo "</FORM></center>\n";
}

}

// This is the function that adds the news to the database, and displays a nice little message...

function addnews($id = null) {
global $db;

$title = $_POST['title'];
$newstext = $_POST['news'];
$query = "INSERT INTO news (postdate, title, newstext)" .
"VALUES(NOW(), '$title', '$newstext')";
$result = mysql_query($query);

if($result){
echo "<center>News Submitted</center><BR>\n";
echo "<center><a href=\"{$_SERVER['PHP_SELF']}\">Back</a></center>\n";
}else{
echo 'Error! Something\'s wrong with the database or something!<br /><br /><b>';
echo mysql_error();
echo '</b>';

// This displays the errors that happen with MySQL. Though you shouldn't get any if you set this up right, it is still there, just in case you forgot something ;)
}
}

////----- END ADD NEWS -----\\

// Now on to the editing of the news
///----- EDIT NEWS ------\\

function editnews129($id) {
global $db;

if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo '<center><h3>Error!</h3></center>You do not have sufficient permission to view this page.';
// again the admin thing
}else{

$query = "SELECT * FROM news WHERE id='$id'";
$result = mysql_query ($query) or die('Error! <b>' . mysql_error() . '</b>');
$row = mysql_fetch_assoc ($result);
$title = $row['title'];
$body = $row['newstext'];
$title = stripslashes($title);
$body = nl2br($body);
$body = strip_tags($body, '<a><b><i><u>');
// Just the same little thingys as above, removing and adding unwanted and wanted things...
echo "<center><h3>Edit News Topic</h3><br /><b>$title</b></center>";

echo "<table width=\"65%\" cellpadding=\"0\" cellspacing=\"0\" align=\"center\">\n";
echo "<form action=\"/news/index.php?action=editnews\" method=\"post\">";
echo "<tr><td>Title: </td><td><input type=\"text\" size=\"25\" name=\"title\" value=\"$title\" /></td></tr>\n";
echo "<tr><td>News Body: </td><td><textarea cols=\"40\" rows=\"15\" name=\"news\">$body</textarea></td></tr>\n";
echo "<tr><td colspan=\"2\" align=\"center\"><input type=\"submit\" name=\"submitted\" value=\" Submit \" /></td></tr>\n";
echo "<input type=\"hidden\" value=\"submitted\" />";
echo "</form>";
echo "</table>";
echo "<form action=\"/news/index.php?action=editnews\" method=\"get\">";
echo "<input type=\"hidden\" value=\"$id\" name=\"$id\" />";
echo "</form>";
// Form to edit the news...which displays the news' information in the text boxes and what not
}
}
// The edit news function that adds everything to the database.
function editnews($id = null) {
global $db;

$title = $_POST['title'];
$newso = $_POST['news'];
$newso = strip_tags($newso, '<a><b><i><u>');

if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo '<center><h3>Error!</h3></center>You do not have sufficient permission to view this page.';
// admin session check...
}else{
if(isset($_POST['submitted'])){
$query = "SELECT id FROM news WHERE title='$title' LIMIT 1";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
$id = $row['id'];
$date = $row['postdate'];
// checks to see if the form has been submitted, if it has, then get the information from the database, and set the variables. again using the $row array...
// (by the way, you don't have to use the variable '$row'. I just used that, because it's common to use.)
$query = "UPDATE news SET newstext='$newso', title='$title' WHERE id='$id' LIMIT 1";
$result = mysql_query($query);
// An update query script....nice ain't it?

// If everything went smoothly...then....

<!- CONTINUED -!>



Response to Php: News System With Comments 2006-09-21 21:39:32


<!- CONTINUED -!>

if($result) {
$title = stripslashes($title);
// Strip any slashes " \ / " from the title, so the viewer doesn't see "HEY THEY\'RE BOBIE\" O"
echo "News topic <a href=\"/news/index.php?action=show&id=$id\"><B>$title</B></a> has been updated. <br /> <center><a href=\"/news/index.php\">Go Back</a></center>";
}else{
echo 'Error! <b>' . mysql_error() . '</b>';
// There's that darned mysql_error() script again!!!

}
}
}
}
////----- END EDIT NEWS -----\\

// Time for deleteing news functions! YEA!!!
/////------ DELETE NEWS ------\\

// Not like the others, edit and add, who had 2 functions each, this one has only one, because there is no form to submit.
function deletenews129($id) {
if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo "<center><h3>Error!</h3></center> <br />You cannot view this page because you do not have proper identification. Please login.";
}else{
// Just makin sure you are logged in ....
$query = "DELETE FROM news WHERE id='$id' LIMIT 1";
$result = mysql_query($query);
// And the script (query, as it's called) deletes the news, according to the $id you specified, and it only limits one, so no one can hack in and delete every single news script with one click of the button...
if($result) {
echo "The news you have select to delete has been successfully deleted.<br /> Either <a href=\"/news/index.php\">Go back</a> or go to your <a href=\"/admin_login.php\">Admin Panel</a>";
}else{
echo 'Error! <b>' . mysql_error() . '</b>';
}
}
}
////------- END DELETE NEWS -----\\

// Don't like those pesky "YOU SUCK BALLZ" comments? then you can delete them!! W00t!

/////------ DELETE COMMENTS ------\\

function deletecom129($id) {
if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo "<center><h3>Error!</h3></center> <br />You cannot view this page because you do not have proper identification. Please login.";
}else{
// Admin login script...
$query = "DELETE FROM news_comments WHERE id='$id' LIMIT 1";
$result = mysql_query($query);
// Get's the $id and delete's that row from the database, only limiting one, for security reasons.
if($result) {
echo "The Comment you have select to delete has been successfully deleted.<br /> Either <a href=\"/news/index.php\">Go back</a> or go to your <a href=\"/admin_login.php\">Admin Panel</a>";
}else{
echo 'Error! <b>' . mysql_error() . '</b>';
}
// Again, the error statement for mysql....ug right? But very useful if you have an error, and can't figure out what it is!
}
}
//-------- END DELETE COMMENTS ----\\

// Don't like the "YOU SUCK BALLZ" comment, but enjoy everything else they've said? Then just edit it! WHOOP!
//-------- EDIT COMMENTS ------\\

function editcom129($id) {
global $db;

if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo '<center><h3>Error!</h3></center>You do not have sufficient permission to view this page.';
// Admin login
}else{

$query = "SELECT * FROM news_comments WHERE id='$id'";
$result = mysql_query ($query) or die('Error! <b>' . mysql_error() . '</b>');
$row = mysql_fetch_assoc ($result);
$name = $row['name'];
$comment = $row['comment'];
$name = stripslashes($name);
$comment = nl2br($comment);
$comment = strip_tags($comment, '<a><b><i><u>');
echo "<center><h3>Edit Comment by</h3></center>";
// Just making sure we add what we want, and take away what we dont...

echo "<table width=\"65%\" cellpadding=\"0\" cellspacing=\"0\" align=\"center\">\n";
echo "<form action=\"/news/index.php?action=editcom\" method=\"post\">";
echo "<tr><td>Name: </td><td><input type=\"text\" size=\"25\" name=\"name\" value=\"$name\" /></td></tr>\n";
echo "<tr><td>Comment: </td><td><textarea cols=\"40\" rows=\"15\" name=\"comment\">$comment</textarea></td></tr>\n";
echo "<tr><td colspan=\"2\" align=\"center\"><input type=\"submit\" name=\"submitted\" value=\" Submit \" /></td></tr>\n";
echo "<input type=\"hidden\" value=\"submitted\" />";
echo "</form>";
echo "</table>";
echo "<form action=\"/news/index.php?action=editcom\" method=\"get\">";
echo "<input type=\"hidden\" value=\"$id\" name=\"$id\" />";
echo "</form>";
}
// This is the form, that displays the information, that you just go out of your database...
}
// This is the script that updates it...and sends a nice friendly "yea!" when you've accomplished it, and everything worked fine...
function editcom($id = null) {
global $db;

$comment = $_POST['comment'];
$name = $_POST['name'];
$comment = strip_tags($comment, '<a><b><i><u>');
// Stripping tags, stripping tags...must make sure that we get them all!

if(!isset($_SESSION['admin']) && !isset($_SESSION['password'])){
echo '<center><h3>Error!</h3></center>You do not have sufficient permission to view this page.';
// admin login
}else{
if(isset($_POST['submitted'])){
$query = "SELECT id FROM news_comments WHERE comment='$comment' LIMIT 1";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
$id = $row['id'];
// If the form has been submitted, get the information out of the database, referring to the $comment that was previously posted before you edited it, and limit one, so 5 comments don't update...But this isn't the update script. This just sets the ID so you can select the appropriate row.

$query = "UPDATE news_comments SET comment='$comment', name='$name' WHERE id='$id' LIMIT 1";
$result = mysql_query($query);
// Now THIS is the update script...using the id and the limit 1 function...a very useful function for MYSQL my I add...
if($result) {
$name = stripslashes($name);
// Make sure no one sees the "Bob\'s gay" (\/) part
echo "Comment has been updated. <br /> <center><a href=\"/news/index.php\">Go Back</a></center>";
}else{
echo 'Error! <b>' . mysql_error() . '</b>';

}
}
}
}

<!- CONTINUED -!>

Response to Php: News System With Comments 2006-09-21 21:40:29


<!- CONT -!>

// Alright, now that you have done all of that nice coding of functions, let's put them to use with a switch statement! I'm not going to explain each one, but if you type ?action= and the case, you will get the function that case is connected to...
//-------- END EDIT COMMENTS ------\\
switch($_GET['action']) {

case 'show':
displayOneItem($_GET['id']);
break;
case 'showcom':
displayOneItem_withComments($_GET['id']);
break;
case 'all':
displayNews(1);
break;
case 'editnews129':
editnews129($_GET['id']);
break;
case 'editnews':
editnews();
break;
case 'deletenews129':
deletenews129($_GET['id']);
break;
case 'addcomment':
addComment($_GET['id']);
break;
case 'deletecom129':
deletecom129($_GET['id']);
break;
case 'editcom129':
editcom129($_GET['id']);
break;
case 'editcom':
editcom();
break;
case 'addnews':
addnews();
break;
case 'addnews129':
addnews129();
break;
default:
displayNews();
}

// Lol, the footer I have on my website, this is not really needed ;p
include ('../footer.php');
?>

And that's it for index.php
But now you need admin_login.php so you can set those sessions I was talking about the whole time...

Before any HTML tags, you need to have session_start(); if you want to use sessions...That is what I will start this script with, seeing as I'm using sessions to base everything on..

<?php session_start(); ?>

<?php include('header.php');
// Lol, headers not included *teeeheee, get it?...bah whatever*
?>
<?php
// Now, these next 2 things are the USERNAME and the PASSWORD, please feel free to change them to you likeing..
$chickens_are_real = "USERNAME";
$cows_are_real = "PASSWORD";
if(isset($_POST['submit'])) {
if($_POST['admin'] == $chickens_are_real && $_POST['password'] == $cows_are_real){
// This makes sure the form at the end of the page has been submitted.
// If it has, then make sure the "admin" text box and the "password" text box match the variables.
// If they do, then make some variables...
$admin = $_POST['admin'];
$pass = $_POST['password'];
session_start();
// This is random... the ^^^ line above I mean

$admin = addslashes($admin);
$pass = addslashes($pass);
// This adds slashes, so if you enter a ' or a " it won't screw up the session..
// Next you set the sessions, according to the variables.
$_SESSION['admin'] = $admin;

$_SESSION['password'] = $pass;

}
}
// Now, if you have submitted the form, but the username and password are wrong, then display an error message.

if(isset($_POST['submit'])){
if($_POST['admin'] !== $chickens_are_real || $_POST['password'] !== $cows_are_real){
echo "<center><h3>Error</h3></center>";
echo "<p>The login name or password was not correct.</p>";
}else{ // But if they are right, display the directions for using the admin panel...

echo "The login name and password were correct. You may now access the following Admin Areas:<br /><ul>" .
"<li><a href=\"/news/index.php?action=addnews129\">Adding News</a></li><li>Editing News</li><li>Delete News</li><br />" .
"<li>Edit Comment</li><li>Delete Comment</li></ul>" .
"For editing and deleting news, you should see a little \"admin\" panel (incased between two..count'em...two grey bars) with links. Just follow the link to what you want to do...<Br />" .
"For Editing and Deleting Comments, just look right above the dotted \"equal bar\" line, right before the post ends. You should see \"edit comment\" and \"delete comment\"";
}
}
// If you really care, you could "test" the session by saying admin_login.php?actn=test but it isn't nesscessary
elseif(isset($_GET['actn']) && $_GET['actn'] == "test"){
session_start();
$admin = $_SESSION['admin'];
$pass = $_SESSION['password'];
echo "$admin is your admin name.<br />\n";
echo "$pass is you password.";
}
else{

// But, if the session isn't set, then display the form for you to login with
if(!isset($_SESSION['admin'])){
?>
<center><h3>Admin Login</h3>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Admin:<br />
<input type="text" name="admin" /><br />
Password:<br />
<input type="password" name="password" /><br />
<input type="submit" value=" Submit " name="submit" />
<input type="hidden" value="submit" name="submit" />
</form>
</center>
<?php
}else{
// If you view this page, and you already have the session set, just display the instructions that were given above...
echo "The login name and password were correct. You may now access the following Admin Areas:<br /><ul>" .
"<li><a href=\"/news/index.php?action=addnews129\">Adding News</a></li><li>Editing News</li><li>Delete News</li><br />" .
"<li>Edit Comment</li><li>Delete Comment</li></ul>" .
"For editing and deleting news, you should see a little \"admin\" panel (incased between two..count'em...two grey bars) with links. Just follow the link to what you want to do...<Br />" .
"For Editing and Deleting Comments, just look right above the dotted \"equal bar\" line, right before the post ends. You should see \"edit comment\" and \"delete comment\"";
}
}
// Lol footer again... :/
?>
<?php include('footer.php'); ?>

=============================================

<!_ CONT _!>


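As an added example (not the original poster's code, and not part of the thread), here is how the tutorial's addComment() and displayComments() look when the request data is bound with PDO prepared statements and every database value is escaped on output, which closes the SQL and HTML injection points raised later in the thread. It assumes PHP 7+ with the pdo_mysql and mbstring extensions, and keeps the tutorial's USERNAME/PASSWORD/DATABASE_NAME placeholders and table layout.

```php
<?php
// Added example: the tutorial's addComment() and displayComments(), rewritten so
// that request data is bound as SQL parameters and escaped when emitted as HTML.
// Not the original poster's code. Assumes PHP 7+, the pdo_mysql extension, and
// the tutorial's placeholder credentials and table layout (news, news_comments).
declare(strict_types=1);

/** Open the connection; failures surface as exceptions, not a false result. */
function connectDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DATABASE_NAME;charset=utf8mb4', // placeholders, as in the tutorial
        'USERNAME',
        'PASSWORD',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // the server does the binding
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/** Escape for an HTML text node or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The tutorial pastes $_GET['id'] into "WHERE id=$id"; here anything but a positive integer is rejected. */
function newsIdFromRequest(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** The tutorial's session check written once; it requires both values where the tutorial accepts either. */
function isAdmin(array $session): bool
{
    return isset($session['admin'], $session['password']);
}

/**
 * Store a comment. name and comment travel as bound parameters, so quotes in them
 * cannot change the statement. Lengths follow the schema (name is varchar(40)).
 */
function addComment(PDO $db, int $newsId, string $name, string $comment): bool
{
    $name    = trim($name);
    $comment = trim($comment);
    if ($name === '' || mb_strlen($name) > 40 || $comment === '') {
        return false;
    }
    // news_comments.news_id has no foreign key, so check that the news item exists.
    $exists = $db->prepare('SELECT 1 FROM news WHERE id = ?');
    $exists->execute([$newsId]);
    if ($exists->fetchColumn() === false) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO news_comments (news_id, name, comment) VALUES (?, ?, ?)');
    return $stmt->execute([$newsId, $name, $comment]);
}

/**
 * Render the comments of one news item, escaping every database value on output.
 * The tutorial's strip_tags($s, '<a><b><i><u>') keeps those tags with all their
 * attributes (href, onmouseover, ...), so no stored markup is preserved here.
 */
function renderComments(PDO $db, int $newsId, bool $isAdmin): string
{
    $stmt = $db->prepare('SELECT id, name, comment FROM news_comments WHERE news_id = ? ORDER BY id');
    $stmt->execute([$newsId]);

    $html = '';
    foreach ($stmt as $row) {
        $html .= "<div class=\"comment\">\n";
        $html .= '<p>Posted by <b>' . h($row['name']) . "</b></p>\n";
        $html .= '<p>' . nl2br(h($row['comment'])) . "</p>\n";
        if ($isAdmin) {
            $id = (int) $row['id']; // same admin link as the tutorial's displayComments()
            $html .= "<p><a href=\"/news/index.php?action=editcom129&amp;id=$id\">Edit Comment</a></p>\n";
        }
        $html .= "</div>\n";
    }
    return $html;
}

// Dispatch for ?action=addcomment&id=N (POST) and ?action=showcom&id=N, as index.php would do it.
session_start();
$db     = connectDb();
$newsId = newsIdFromRequest($_GET);
if ($newsId === null) {
    echo '<p>No news exists for the ID specified.</p>';
} elseif (($_GET['action'] ?? '') === 'addcomment' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = addComment($db, $newsId, (string) ($_POST['name'] ?? ''), (string) ($_POST['comment'] ?? ''));
    echo $ok ? 'Comment entered. Thanks!' : 'Comment rejected.';
} else {
    echo renderComments($db, $newsId, isAdmin($_SESSION));
}
```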

Response to Php: News System With Comments 2006-09-21 21:42:11


Yea, Yea, I know, it's a massively huge tutorial. Bigger than any tutorial yet, But the code itself is like 3 posts alone, then add all of those tiny little comments...

SHEESH!

It took as long to write this as there are pages...But here's the conclusion...Even though it's VERY harsh, here it is anyway:

I do have this same EXACT script (without all of the hidge-ibity comments) working on a site that I am not going to share with you, because it is personal, and for a friend. And I don't think she wants a ton of "you-know-what"s spamming up her nice news system. But I can tell you that this exact script works. So if it doesn't work for you, check to see if you are connecting to the right database, have the right tables and columns set up, or you just copy and pasted something wrong.

It took me about 2 1/2 weeks to make and perfect this whole script. If you feel the need to complain about how it's not working (for your noobish reason) or you just want to complain about...really anything, I will not stand up for that kind of crap. Long hard hours have gone into making this script, and then deciding to make the tutorial, and then making the tutorial.

So if you complain about copy and pasting everything, to find out it doesn't work...Please for the love of God...Don't talk to anyone about it. You shouldn't even be reading this if 2 things have(n't) happened in your life.

1. If you don't know PHP (at least the basics) then there is no way that you should understand this, and therefore shouldn't read it

2. If you are just now reading this part, thinking to copy and paste everything, GET OUT OF THIS FORUM! If you can't read things to their extent, then you shouldn't be reading at all, and you shouldn't know php, which brings you back to rule 1.

So basically...DON'T COMPLAIN and the world will go round, just peachily!

<3 Momo

Because I care, and so do the people around you, but they hate you if you complain.
PATIENCE IS A VIRTUE! (look it up, that's what Webster's is for you Nerd) :/ lol insult \:


Response to Php: News System With Comments 2006-09-22 02:20:35


Very good, I think I'm gonna try it. Well done.

Response to Php: News System With Comments 2006-09-22 03:34:51


I'm really sorry, but I'm getting errors even though I've changed everything that needs changing. Have you tried this script? And is there a working script that I could use?

Response to Php: News System With Comments 2006-09-22 16:01:43


At 9/22/06 03:39 PM, C41um wrote:
At 9/22/06 03:34 PM, cherries wrote: It's just commented code, not a tutorial.
So it is... but still pretty useful.

Very useful.

I'm actually gonna use it on my website. :)

Response to Php: News System With Comments 2006-09-22 16:04:31


At 9/22/06 04:01 PM, novalyfe wrote:
At 9/22/06 03:39 PM, C41um wrote:
At 9/22/06 03:34 PM, cherries wrote: It's just commented code, not a tutorial.
So it is... but still pretty useful.
Very useful.

I'm actually gonna use it on my website. :)

Just please be sure to at least read the whole thing before you start going willy nilly with it...



Response to Php: News System With Comments 2006-09-23 04:06:23


You could make improvements to it like random image verification.
Nice though.



Response to Php: News System With Comments 2006-09-23 06:22:11


Tutorial? Not at all, it's a code dump.
Got HTML injection vulnerabilities? It sure does, I can cause all sorts of damage.
Got SQL injection vulnerabilities? Yes! Too bad I am out of things that are worth injecting.
Got loads of repeated code? Yes! You have like 6 functions for the same task, go and use a few more parameters.
Is it strict XHTML? No!
Is it valid HTML? No!

Fix those points and then we got an awesome tutorial.


Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.

Response to Php: News System With Comments 2006-09-23 08:41:28


I am very new to PHP. It took me a while to write this. You don't like the security? Then fix it yourself. I made it for a site that will be viewed by about 5 people a day, not 500 people a day. I only made the security check small, because one person might feel the need to "search around".

At 9/23/06 06:22 AM, henke37 wrote: Tutorial? not at all, it's a code dump.
Got HTML injection vulnerabilities? It sure does, I can cause all sorts of damage.

I don't even know how to fix that... why don't you try?

Got SQL injection vulnerabilities? Yes! Too bad I am out of things that are worth injecting.

Like I said, I've never done that kind of thing (security) so why don't you teach me how?

Got loads of repeated code? Yes! You have like 6 functions for the same task, go and use a few more parameters.

Yes, maybe I do, but it still works doesn't it?

Is it strict XHTML? No!

I really don't care about those things at this point in my knowledge.

Is it valid HTML? No!

Read above

Fix those points and then we got an awesome tutorial.

I'm sorry for having limited knowledge. This isn't supposed to be perfect. I just wrote the code, and decided to make a "tutorial", or code dump as you wish to call it, about this.
The reason I decided to do that is because the only one I could find in PHP Main was Woogie's Blog, and I wanted more than that. So I made one myself.

So if you'd like to show the world how to make this secure, please make another tutorial on it, because I couldn't do any of that kind of stuff.

Sorry for sounding harsh...I just wanted to get the point across <3 ;p

Hello, from the past!

[ PHP: Main ]


Response to Php: News System With Comments 2006-09-23 08:44:58


At 9/23/06 08:41 AM, Momo-the-Monkey wrote:
Sorry for sounding harsh...I just wanted to get the point across <3 ;p

Sorry for double posting, but that's not what I meant to say... I meant to say:

Sorry for sounding harsh, I just wanted to clarify a few things about my knowledge. And I do respect your opinion. Please don't take that as a "I know all and I don't care what you say" because even though I can't make this one any better, I will try to strive to make the next one better...

Yea, that's what I meant to say.... And I was serious about you teaching me how to do security checks... either you or someone.


Hello, from the past!

[ PHP: Main ]


Response to Php: News System With Comments 2006-09-23 13:11:06


It's really good from what I read over. I don't have time to read over the entire thing...maybe another time, but what I read was good.

As for security risks and stuff...you don't need to defend yourself against that! You wrote out a tutorial for a news system. If someone wants it to be more secure, they can code it themselves! It's a tutorial, not a script.

If I have time later on, I'll give it a good read through.

Response to Php: News System With Comments 2006-09-23 13:18:28


At 9/23/06 01:11 PM, WoogieNoogie wrote: It's really good from what I read over. I don't have time to read over the entire thing...maybe another time, but what I read was good.

As for security risks and stuff...you don't need to defend yourself against that! You wrote out a tutorial for a news system. If someone wants it to be more secure, they can code it themselves! It's a tutorial, not a script.

If I have time later on, I'll give it a good read through.

Thank you! Thanks for that nice comment. So far only 2 people had negatives, or opinions in the opposite way about it..

But, basically what you said, that's what I was trying to get across: "if you don't like it, then don't use it" or "if you want something else, make it yourself, because this is what I gave you"... etc.

But thanks again WoogieNoogie much <3


Hello, from the past!

[ PHP: Main ]


Response to Php: News System With Comments 2006-09-23 16:33:00


Great news system, haven't read all through the code but I will later.

I'd suggest uploading it somewhere as a zip, it would be a lot easier and would also prevent a few errors that people would get from copying and pasting from this.

Response to Php: News System With Comments 2006-09-23 16:48:40


At 9/23/06 04:33 PM, Jordan wrote: Great news system, haven't read all through the code but I will later.

I'd suggest uploading it somewhere as a zip, it would be a lot easier and would also prevent a few errors that people would get from copying and pasting from this.

http://www.negown.com/news.zip

There is the zip folder with the commented code....


Hello, from the past!

[ PHP: Main ]


Response to Php: News System With Comments 2006-09-24 05:06:59


Security is easy.
First of all, do not use the optional parameter for the strip_tags function; it does not filter the attributes, and attributes can cause serious damage with the style and event handler attributes.

To prevent HTML injection, run htmlspecialchars on any string that is output in the HTML. Sounds simple, right? It is, but just one slip-up and all the work is worthless.
Yes, it will not allow formatting, but nothing says you can't add formatting tags after you have run every string through htmlspecialchars.

To prevent SQL injection you basically do the same thing: run mysql_real_escape_string on any input you use in an SQL query. It also helps if you force numbers to be numbers with a typecast. Otherwise you might end up with a string in the variable.
Like this:
$id=(int)$_REQUEST['id'];


Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.

Response to Php: News System With Comments 2006-09-24 08:58:28


At 9/24/06 05:06 AM, henke37 wrote:
To prevent SQL injection you basically do the same thing: run mysql_real_escape_string on any input you use in an SQL query. It also helps if you force numbers to be numbers with a typecast. Otherwise you might end up with a string in the variable.
Like this:
$id=(int)$_REQUEST['id'];

Thanks... So where exactly would I put mysql_real_escape_string? On the query? Where?


Hello, from the past!

[ PHP: Main ]


Response to Php: News System With Comments 2006-09-25 03:08:57


Like this:
$sql='select * from table where sometextfield =\'' . mysql_real_escape_string( $_REQUEST['somename'] ) . '\'';
It will magically make sure nobody enters things like a ' to end the string and add things to the query.

Do note that PHP also has the "feature" magic quotes (it will be dropped in v6), running the less useful function addslashes on every item in the auto global arrays (_REQUEST, _POST, _GET). It was supposed to secure badly written scripts from injections. While it was a nice idea, it will cause all sorts of strange \' in the texts; you should disable it and do the escaping with mysql_real_escape_string when the text is used in a query.
And I also believe that addslashes might even leave some characters unescaped, giving a false sense of security.
So all hosts, please stop using the soon deprecated "feature" magic quotes.


Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.
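The two fixes henke37 describes above (escape every value that goes into a query, escape every string that goes into the HTML, and cast ids to int), applied to the thread's news_comments table as an added example that is not code from the thread or from the zip. mysql_real_escape_string no longer exists in PHP 7 and later, so this uses PDO prepared statements instead, which do the escaping for you; an in-memory SQLite database stands in for MySQL so it runs without a server, and its CREATE TABLE is a constructed SQLite version of the thread's schema.

```php
<?php
// Added example, not the thread's code. SQLite stands in for MySQL here.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed SQLite equivalent of the thread's news_comments table.
    $db->exec('CREATE TABLE news_comments (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        news_id INTEGER NOT NULL,
        name VARCHAR(40) NOT NULL,
        comment TEXT NOT NULL)');
    return $db;
}

// Force numeric ids to be numbers, as the thread suggests with (int).
// A value like "3abc" becomes 3; anything non-numeric becomes 0.
function cleanId($raw): int {
    return (int)$raw;
}

// Prepared statement: the user's text never becomes part of the SQL string,
// so a ' inside it cannot end the string and add to the query.
function addComment(PDO $db, $newsId, string $name, string $comment): void {
    $stmt = $db->prepare(
        'INSERT INTO news_comments (news_id, name, comment) VALUES (?, ?, ?)');
    $stmt->execute([cleanId($newsId), $name, $comment]);
}

function commentsFor(PDO $db, $newsId): array {
    $stmt = $db->prepare(
        'SELECT name, comment FROM news_comments WHERE news_id = ?');
    $stmt->execute([cleanId($newsId)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape on output: every string that lands in the HTML goes through
// htmlspecialchars, with ENT_QUOTES so both quote characters are covered.
function renderComment(array $row): string {
    $h = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<p><b>' . $h($row['name']) . '</b>: ' . $h($row['comment']) . '</p>';
}

$db = openDb();
// Constructed inputs: an id with junk after it, a name with a quote,
// and a comment carrying a tag. All three are stored and shown safely.
addComment($db, '3abc', "O'Brien", '<b>hi</b> & bye');
foreach (commentsFor($db, 3) as $row) {
    echo renderComment($row), "\n";
}
```

The same pattern applies to the news table: cast `id` with `(int)`, bind `title` and `newstext` as parameters, and run `htmlspecialchars` on them at output time.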

Response to Php: News System With Comments 2006-09-25 21:16:59


At 9/25/06 03:08 AM, henke37 wrote: Like this:
$sql='select * from table where sometextfield =\'' . mysql_real_escape_string( $_REQUEST['somename'] ) . '\'';

So, I would request the value? What if it is a variable?

Do I request $_REQUEST['$fmv']; ?


Hello, from the past!

[ PHP: Main ]


Response to Php: News System With Comments 2006-09-26 02:05:27


I just used $_REQUEST as an example; it is the same code if the variable is from $_POST or some other place. Run mysql_real_escape_string on every string that is used in an SQL query.

Btw, $_REQUEST is the sum of $_POST and $_GET, use it when a page can be both posted and gotten.


Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.

Response to Php: News System With Comments 2007-03-17 21:26:26


For some reason when I downloaded the zip file and ran it all the links were broken, and in the source files the open tags for most of the a's were located a couple of spaces back. Has anyone else had this problem? Was this intended or is it just a bug?