Url not echoing $puser :S



runnerjp
10-16-2009, 11:43 AM
I'm having trouble echoing my URL correctly.

I have checked $puser above the code and it echoes admin, yet when I add it to this code


<a href="<? echo $puser; ?>&m=<?=(($m-1)<1) ? 12 : $m-1 ?>&amp;y=<?=(($m-1)<1) ? $y-1 : $y ?>"><img src='http://www.runningprofiles.com/calendar/images/prev.gif' height='18' width='18' alt='' border='0' /></a>

all I get echoed is http://www.runningprofiles.com/members/&m=9&y=2009


Now I must mention that I use a rewrite rule on this page:
RewriteRule ^([^/.]+)/?$ members/index.php?page=profile&username=$1

Any help would be great, guys :)

SKDevelopment
10-16-2009, 12:05 PM
What does $puser contain? And could you please explain exactly which URL you would like to be echoed?

runnerjp
10-16-2009, 12:09 PM
OK, $puser contains the username of the person currently logged in.

The URL I would like to see would look something like this:

http://www.runningprofiles.com/members/admin&m=9&y=2009


admin being the username obtained by $puser, 9 being the month from
<?=(($m-1)<1) ? 12 : $m-1 ?> and 2009 from
<?=(($m-1)<1) ? $y-1 : $y ?>">

SKDevelopment
10-16-2009, 12:34 PM
I tried your code together with the RewriteRule. For me it echoed the URL with "admin". So it worked ...

Could you explain your problem in a little more detail, please? Where is the file which contains the hyperlink located? In the HTTP server root? Or in the folder "members"? Is the .htaccess with the rule in the same folder?

runnerjp
10-16-2009, 12:46 PM
Well, when I run the code it won't echo the "admin" part... but the strange thing is when I change the & to ? it will, but then my $m = $_GET['m']; won't get the month... it's highly strange.

My profile.php and .htaccess files are in an include folder within members ( public_html/members/incude)

On profiles.php I'm including a calendar script
<?php include "diary/cal_show.php";?>

which then goes to my cal_show.php shown below


<script src="http://www.runningprofiles.com/jquery.js" type="text/javascript"></script>
<link href="http://www.runningprofiles.com/members/diary/facebox/facebox.css" media="screen" rel="stylesheet" type="text/css"/>
<script src="http://www.runningprofiles.com/members/diary/facebox/facebox.js" type="text/javascript"></script>
<script>
jQuery(document).ready(function($) {
$('a[rel*=facebox]').facebox()
}) </script>




<?php


// there is NO NEED to edit ANY of this code

$ev_dat = array();
for ($i=0;$i<32;$i++) {
$ev_dat[$i]=0;
}

$now = date("Y-m-d", time());
list($ty, $tm, $td) = explode('-',$now); // ty=thisyear, etc. used for highlighting 'today'

include("cal_parms.php"); // assorted configuration variables
include($dat_names); // retrieved from cal_parms.php as a 'language' file

if (!isset($_GET['m'])) {
$m = date("m",mktime());
} else {
$m = $_GET['m'];
}
if (!isset($_GET['y'])) {
$y = date("Y",mktime());
} else {
$y = $_GET['y'];
}

/*== get what weekday the first is on ==*/
$tmpd = getdate(mktime(0,0,0,$m,1,$y));
$month = $tmpd["month"];
$firstwday= $tmpd["wday"];
if ($firstDayIsMonday == 1) {
if ($firstwday == 0) {
$firstwday = 6;
} else {
$firstwday--;
}
}
$lastday = mk_getLastDayofMonth($m,$y);

/*== get the last day of the month ==*/
function mk_getLastDayofMonth($mon,$year)
{
for ($tday=28; $tday <= 31; $tday++)
{
$tdate = getdate(mktime(0,0,0,$mon,$tday,$year));
if ($tdate["mon"] != $mon)
{
break;
}
}
$tday--;
return $tday;
}

// compute range of dates for this month to match dates in database in the format yyyy-mm-dd
if (strlen($m)<2) {
$q="0";
$q.=$m;
}
else {
$q = $m;
}
$dats_beg = $y. "-". $q. "-01";
$dats_en = $y. "-". $q. "-". $lastday;

// open db conn and select all records where date is between $dats_beg and $dats_en
include("cal_db_conn.php");
mysql_connect($db_host, $db_login, $db_pass) or die ("Can't connect!");
mysql_select_db($db_name) or die ("Can't open database!");
$query = "SELECT * FROM $db_table WHERE (ev_dat>='$dats_beg') AND (ev_dat<='$dats_en') ";

$result = mysql_db_query($db_name, $query);
// any matches?
if ($result)
{
// handle the matches and pass relevant info to arrays
while ($myrow = mysql_fetch_array($result))
{
$found = $myrow['ev_dat'];
$pieces = explode("-", $found);
$dd = intval($pieces[2]);
$ev_dat[$dd] = $myrow['id'];
}
}
?>
<table cellpadding="1" cellspacing="1" border="0" bgcolor="#<? echo $bg_edge; ?>">
<tr><td colspan="7" bgcolor="#<? echo $bg_top; ?>">
<table cellpadding="1" cellspacing="1" border="0" width="100%">
<tr bgcolor="#<? echo $bg_top; ?>"><th width="20" style="<?php echo $hcell; ?>"><a href="<? echo $puser; ?>&m=<?=(($m-1)<1) ? 12 : $m-1 ?>&amp;y=<?=(($m-1)<1) ? $y-1 : $y ?>"><img src='http://www.runningprofiles.com/calendar/images/prev.gif' height='18' width='18' alt='' border='0' /></a></th>
<th style="<?php echo $hcell; ?>">
<?php
echo "<a href='../diary/show-month.php?mon=". $m. "&amp;yr=". $y. "'rel=\"facebox\">";
echo "<span style='text-decoration:none'>". $mo[intval($m)]. " ". $y. "</span></a>";
?>
</th>
<th width="20" style="<? echo $hcell; ?>"><a href="<? echo $_SERVER['PHP_SELF']; ?>?m=<?=(($m+1)>12) ? 1 : $m+1 ?>&amp;y=<?=(($m+1)>12) ? $y+1 : $y ?>"><img src='http://www.runningprofiles.com/calendar/images/next.gif' height='18' width='18' border='0' alt='' /></a></th>
</tr>
</table>
</td></tr>
<tr bgcolor="#<? echo $bg_top; ?>">
<th width="20" style="<?php echo $hcell; ?>"><? echo $da[1]; ?></th>
<th width="20" style="<?php echo $hcell; ?>"><? echo $da[2]; ?></th>
<th width="20" style="<?php echo $hcell; ?>"><? echo $da[3]; ?></th>
<th width="20" style="<?php echo $hcell; ?>"><? echo $da[4]; ?></th>
<th width="20" style="<?php echo $hcell; ?>"><? echo $da[5]; ?></th>
<th width="20" style="<?php echo $hcell; ?>"><? echo $da[6]; ?></th>
<th width="20" style="<?php echo $hcell; ?>"><? echo $da[7]; ?></th>
</tr>

<?
$d = 1;
$wday = $firstwday;
$firstweek = true;
/*== loop through all the days of the month ==*/
while ( $d <= $lastday)
{
/*== set up blank days for first week ==*/
if ($firstweek)
{
if ($wday!=0) {
echo "<tr bgcolor='#". $bg_tabl. "'>\n";
for ($i=1; $i<=$firstwday; $i++) {
echo "<td style='". $tcell. "' bgcolor='#". $bg_fill. "'>&nbsp;</td>\n";
}
}
/*== Sunday start week with <tr> ==*/
else {
echo "<tr bgcolor='#". $bg_tabl. "'>\n";
}
$firstweek = false;
}
/*== check for event ==*/
echo "<td style='". $tcell. "' ";
// is this day 'today' AND there's no event today
if (($ty==$y) && ($tm==$m) && ($td == $d) && (!$ev_dat[$d])) {
echo "bgcolor='#". $bg_now. "'>". $d;
}
elseif ($ev_dat[$d]) {
// get what's happening that day and use as 'mouseOver' for the link
$query = "SELECT * FROM $db_table WHERE id=$ev_dat[$d] ";
$result = mysql_query($query);
$ev = mysql_fetch_array($result);
$titl = $ev['ev_title'];
echo "bgcolor='#". $bg_act. "'>";
$url = "../diary/show.php?event=". $ev_dat[$d]. "&amp;sho=". $win_sho;

echo "<a href=' $url' rel=\"facebox\" title=\"". $titl. "\">". $d. "</a>";

}
else {
echo "bgcolor='#". $bg_days. "'>". $d;
}
echo "</td>\n";

/*== Saturday end week with </tr> ==*/
if ($wday==6) {
echo "</tr>\n";
}
$wday++;
$wday = $wday % 7;
if (($wday==0) AND ($d!=$lastday)){ echo "<tr bgcolor='#". $bg_tabl. "'>\n"; }
$d++;
}
// and close off the table
if (($wday!=7) AND ($wday!=0)) {
for ($i=$wday; $i<=6; $i++) {
echo "<td style='". $tcell. "' bgcolor='#". $bg_fill. "'>&nbsp;</td>\n";
}
echo "</tr>";
}
echo "\n</table>";
include("win_open.php");


?>



Line 101 is where I'm trying to code the link so that when a user is on a profile page, they can also look at a diary of the person.

SKDevelopment
10-16-2009, 01:05 PM
1) The code you have posted does not initialize the variable $puser anywhere. And I do not see any include or require statements above the place where $puser is echoed. Could you tell me where $puser is initialized?

2) Since the variables you use in your queries are based on potential user input, I would highly recommend using mysql_real_escape_string() (http://php.net/mysql_real_escape_string) on them before using them in the queries to avoid SQL injections. Please notice that anything which comes from the arrays $_GET, $_POST, $_COOKIE must be considered as potential user input, should never be trusted and must always be escaped or strictly validated.

runnerjp
10-16-2009, 01:13 PM
Ah, this is a little embarrassing lol... I started this project a while back and I forgot I had changed $puser to $username ... that's why it didn't work.

Thanks, without your help I wouldn't notice that.

So with all $_GET, $_POST, change them to use mysql escape and it would be fine?

Any other advice?

SKDevelopment
10-16-2009, 01:31 PM
Actually you could simply escape variables $dats_beg, $dats_en and any other right before using them in the query. For string variables you would use mysql_real_escape_string() (http://php.net/mysql_real_escape_string). If you are sure some variable must be e.g. an integer you could cast it to the integer explicitly with intval() (http://php.net/intval) before using it in a query. Actually there are many functions in PHP which allow you to check that a variable contains a number. For some variables with complicated format you could even use regular expressions (if no other method of validation could be used effectively). The main point is to never use anything from potential user input ($_GET, $_POST, $_COOKIE or any other input) not escaped or validated in queries. Or someone could try to attack you with an SQL injection attack (stealing sensitive data, deleting all the records in the database etc.).
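
The validation advice in this thread, applied to the calendar's m and y parameters, as an added example that is not part of any poster's code. It swaps mysql_real_escape_string() for PDO bound parameters, since the mysql_* extension was removed in PHP 7. The helper names int_param() and events_for_month(), the `events` table name, the year range and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not the poster's code. The `events` table name, the sample
// rows and the in-memory SQLite database are constructed for illustration.

/** Return an integer in [$min, $max] read from untrusted input, else $default. */
function int_param(array $src, string $key, int $min, int $max, int $default): int
{
    if (!isset($src[$key]) || !is_string($src[$key]) || !ctype_digit($src[$key])) {
        return $default;               // missing, array-valued, or not all digits
    }
    $v = intval($src[$key]);
    return ($v >= $min && $v <= $max) ? $v : $default;
}

/** Map day-of-month => event id for the requested month, using bound parameters. */
function events_for_month(PDO $db, array $get): array
{
    $m = int_param($get, 'm', 1, 12, (int) date('n'));
    $y = int_param($get, 'y', 1970, 2100, (int) date('Y')); // year range is an assumption
    $lastday  = (int) date('t', mktime(0, 0, 0, $m, 1, $y)); // days in that month
    $dats_beg = sprintf('%04d-%02d-01', $y, $m);
    $dats_en  = sprintf('%04d-%02d-%02d', $y, $m, $lastday);

    // Values travel separately from the SQL text, so they cannot alter the query.
    $stmt = $db->prepare(
        'SELECT id, ev_dat FROM events WHERE ev_dat >= ? AND ev_dat <= ?');
    $stmt->execute([$dats_beg, $dats_en]);

    $ev_dat = [];
    foreach ($stmt as $row) {
        $ev_dat[(int) substr($row['ev_dat'], 8, 2)] = (int) $row['id'];
    }
    return $ev_dat;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE events (id INTEGER PRIMARY KEY, ev_dat TEXT, ev_title TEXT)");
$db->exec("INSERT INTO events (ev_dat, ev_title) VALUES
    ('2009-09-12', 'Club 10k'), ('2009-10-03', 'Track session')");

// Well-formed request: September 2009.
var_dump(events_for_month($db, ['m' => '9', 'y' => '2009']));
// Malformed month (constructed): fails the digit check, so the current month is used.
var_dump(events_for_month($db, ['m' => "9'x", 'y' => '2009']));
```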


