4images Forum & Community
4images Issues / Ausgaben => Installation, Update & Configuration => Topic started by: uksoreeyes on March 24, 2003, 03:13:42 AM
-
Hi, I am currently integrating 4images with a shoutbox I coded. The shoutbox uses PHP and MySQL.
As a way to stop just anyone posting in my shoutbox I made it so users had to register with 4images before they could post anything. In other words I have made use of the {if user_loggedin} etc. so if the user is not logged in they get a message telling them to log in. If they are logged in they are presented with the form in which they can freely post messages.
I have this working great, they do not have to put in their name as whatever name they are logged in as appears above their messages, which makes it easy to track and ban troublemakers.
The bit I am having trouble with is inserting the logged_in_username into my MySQL database. At the moment I have a hidden form field:
<input type='hidden' name='name' class="news" size='20' value='{loggedin_user_name}'>
This works fine and inserts the username correctly. But I find it a bit of a security risk as someone could easily 'view source', edit and change the name inside the 'value' bit. What I would like to do is get rid of that hidden field and have the username taken from the 4images database.
Here is my shoutbox code:
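<?php
if ($shout) {
    // Only store the shout when both fields are filled in
    if ($name != "" && $message != "") {
        $ip = $REMOTE_ADDR;
        $info = $HTTP_USER_AGENT;
        $add_date = time();
        // Undo magic quotes, then HTML-encode for display
        $name = htmlspecialchars(stripslashes($name));
        $message = htmlspecialchars(stripslashes($message));
        mysql_connect("username etc");
        mysql_select_db("shout");
        // Escape every string for SQL now that the connection is open
        $name = mysql_real_escape_string($name);
        $message = mysql_real_escape_string($message);
        $ip = mysql_real_escape_string($ip);
        $info = mysql_real_escape_string($info);
        // $name still comes from the hidden form field; $block is not set in this script
        $result = mysql_query("INSERT INTO shouts (id,name,message,timestamp,ip,browser,block) " .
            "VALUES (NULL, '$name', '$message', '$add_date', '$ip', '$info', '$block')");
        echo "<META http-equiv='refresh' content='0;URL=/4images/index.php?template=shout'>";
    }
    else {
        echo "<META http-equiv='refresh' content='0;URL=/4images/index.php?template=shout'>";
    }
}
?>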
As you see, the $name bit relates to that hidden form field I showed you earlier. Is there any way I can replace that $name bit with the actual logged-in username data taken straight from MySQL? My shoutbox resides on the same MySQL table as 4images does, so there is no need to connect twice.
Please help me here as I am very stuck and this will finish my site off nicely. I am not very good at explaining things so if there's something you don't understand, just ask me and I'll tell you.
Thanks in advance
Carl
-
just add this code on top of your shoutbox code:
define('ROOT_PATH', './');
include(ROOT_PATH.'global.php');
require(ROOT_PATH.'includes/sessions.php');
after that, u'll have user's name in $user_info['user_name']; variable.
or, the hard way is just read it from 4images mysql table...
since u went so far in coding, I believe u can figure out how to read user info from 4images_users table ;)
-
Hi, Thanks for the quick reply.
Will that code still work even though I have applied the phpBB integration?
-
yes, it should. this code u can find in ALL "main" 4images .php files ;)
-
Oh god, it's just one problem after another lol
Part of me wishes he hadn't taken on this project yet the other is somewhat excited.
These are the changes I made to my script:
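<?php
if ($shout) {
    // ROOT_PATH is not defined before these includes
    include('4images/global.php');
    require('4images/includes/sessions.php');
    if ($message != "") {
        $ip = $REMOTE_ADDR;
        $info = $HTTP_USER_AGENT;
        $add_date = time();
        // Undo magic quotes, then HTML-encode for display
        $message = htmlspecialchars(stripslashes($message));
        // The name now comes from the 4images session, not from the form
        $user_name = $user_info['user_name'];
        // Escape every string for SQL; $block is not set in this script
        $user_name = mysql_real_escape_string($user_name);
        $message = mysql_real_escape_string($message);
        $ip = mysql_real_escape_string($ip);
        $info = mysql_real_escape_string($info);
        $result = mysql_query("INSERT INTO shoutbox (id,name,message,timestamp,ip,browser,block) " .
            "VALUES (NULL, '$user_name', '$message', '$add_date', '$ip', '$info', '$block')");
        echo "<META http-equiv='refresh' content='0;URL=/4images/index.php?template=shout'>";
    }
    else {
        echo "<META http-equiv='refresh' content='0;URL=/4images/index.php?template=shout'>";
    }
}
?>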
Now I am getting an error saying Security violation
Can you explain what I am doing wrong?
Regards Carl
-
u forgot to add at least one line:
define('ROOT_PATH', './');
I know that u changed to real path for next two includes, but this define is important.
-
success, lol I feel so dumb, I had that
define('ROOT_PATH', './');
bit in before but always got internal server error, so I took it out and got that security violation, and when I put it back like you said I got another internal server error. So what I did was look at my lightbox.php and saw that code above, and then realised that I had my shout.php in the wrong folder, so I moved it into the 4images main directory and it worked.
Now that script is finally done and secure I can get on and finish the rest of my site and then add all my images :D
If anyone would like to see how my site is getting along you can do so here: http://www.myleeneklass.com/4images/index.php
Thanks a lot v@no, you have been a massive help
Carl
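
The approach this thread settles on, taking the poster's name from server-side session state rather than from a hidden form field, as an added example that is not code from the thread or from 4images. It goes beyond the thread by using a PDO prepared statement on in-memory SQLite in place of the `mysql_*` calls; `save_shout()`, the `logged_in` key and all sample values are assumptions, with `$session` standing in for the `$user_info` array that `sessions.php` provides.

```php
<?php
// Added example, not 4images code. $session stands in for $user_info;
// the 'logged_in' key is a hypothetical stand-in for the 4images login check.
function save_shout(PDO $db, array $session, array $post, array $server): bool
{
    // Identity comes only from server-side session state.
    if (empty($session['logged_in']) || ($session['user_name'] ?? '') === '') {
        return false;
    }
    $message = trim($post['message'] ?? '');
    if ($message === '') {
        return false;
    }
    // $post['name'] is deliberately never read, so a forged hidden field has no effect.
    $stmt = $db->prepare(
        'INSERT INTO shouts (name, message, timestamp, ip, browser)
         VALUES (:name, :message, :ts, :ip, :browser)'
    );
    return $stmt->execute([
        ':name'    => $session['user_name'],
        ':message' => $message,               // stored raw, HTML-encoded on output
        ':ts'      => time(),
        ':ip'      => $server['REMOTE_ADDR'] ?? '',
        ':browser' => substr($server['HTTP_USER_AGENT'] ?? '', 0, 255),
    ]);
}

// Constructed demo data: in-memory SQLite instead of the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (id INTEGER PRIMARY KEY, name TEXT, message TEXT,
           timestamp INTEGER, ip TEXT, browser TEXT)');

// Constructed request: the hidden "name" field was edited, and two values contain quotes.
$server = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => "Browser 'constructed' 1.0"];
$forged = ['name' => 'admin', 'message' => "It's <b>me</b>"];

// Logged-in member: accepted, stored under the session name.
var_dump(save_shout($db, ['logged_in' => true, 'user_name' => 'carl'], $forged, $server));
// Guest: rejected, whatever the form claims.
var_dump(save_shout($db, ['logged_in' => false, 'user_name' => ''], $forged, $server));

foreach ($db->query('SELECT name, message FROM shouts') as $row) {
    // HTML-encode when rendering, not when storing.
    echo htmlspecialchars($row['name'], ENT_QUOTES), ': ',
         htmlspecialchars($row['message'], ENT_QUOTES), "\n";
}
```

Because the placeholders are bound rather than interpolated, the quotes in the message and user agent need no manual escaping.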