11-18-2010, 09:28 PM | #1
crazykid
Review Script help

Trying to put in a review system where a guest can review a game and the review will display on the game page.

Each game page is generated by a single template file (so if I make a change in the template file, it affects all the game pages).

This is the code I have now that displays the form:

Code:
        <tr>
            <td align=left><strong>Submit Your Review Here:</strong>
<br><br>
            
              Name:<input type=text width=40px /><br /><br />
              <textarea cols=70 rows=15>Enter Text Here...</textarea><br /><br />
              Answer this simple math question:" . $numberOne . " + " . $numberTwo . " = <input type=text /><br /><br />
              <input type=submit value='Submit Review' />
            </td>
        </tr>
The only sql I have right now is this:

$numberOne = rand(1,20);
$numberTwo = rand(1,20);


The anti-spam filter...I'm not sure if it has been completed yet (my friend is the one who did the coding) but it's supposed to ask a math question.

But basically, the review is supposed to take the review that the guest submits, and insert the review and the game name into the reviews database. Problem is figuring out what sql to use. I want the sql code to be able to grab the name of the game page that the review is based on and insert the game name as well as the review into the database. The reviews database has columns in the following format:

reviewId - int(11)
gameId - int(11)
reviewerName - text
reviewContent - longtext
ipAddress - text
date - date
confirmed - text

The URL structure of the game page goes like this: http://www.mmocraze.com/game-directo...ile/?gameId=XX

On the game page, I have php coding that displays the various sql variables. For instance, I have a table tag that encloses the sql variable for the game name that corresponds to the gameId. So the sql code for the reviews system should pull the game name as it is displayed on the specific game page and insert the game name into the database.


I have a ratings system that works similarly to this. It allows users to rate the game and displays the average rating. It inserts the rating based on the gameId that the user is on.

The code looks like this:

Code:
if ($_GET['rating'] > 0 && $_GET['rating'] < 11) {
  mysql_query("INSERT INTO gameRating (gameId, rating) VALUES ($gameId, $_GET[rating])");
  
  $ratings = mysql_query("SELECT rating FROM gameRating WHERE gameId=$gameId");
  while($ratingsRow = mysql_fetch_array($ratings))
  {
    $totalRating = $totalRating + $ratingsRow['rating'];
    $ratingCount = $ratingCount + 1;
  }
  
  $averageRating = $totalRating / $ratingCount;
  
  mysql_query("UPDATE wp_MMOCraze_games SET gameCrazeLevel=$averageRating WHERE gameId=$gameId");
  $rated = true;
}
with the sql variables:

$gameId = $_GET['gameId'];
$rated = false;


Any help is appreciated
11-19-2010, 02:24 PM | #2
derzok
I'm not exactly sure what you're asking. I will offer this suggestion:

Never ever ever ever do this:

Code:
  mysql_query("INSERT INTO gameRating (gameId, rating) VALUES ($gameId, $_GET[rating])");
You MUST clean the variables $gameId, and especially $_GET[rating]. Always clean ANYTHING that comes in through $_GET, $_POST, or $_COOKIE. Use mysql_real_escape_string or the PDO library. Failure to do this can cause major website vulnerabilities - someone could easily delete everything in your database or steal information out of it.
11-19-2010, 04:45 PM | #3
crazykid
This is my new updated code for the ratings system:

Code:
$rating = $_GET["rating"];
// shouldn't you check to be sure $rating is an INTEGER number??????
if ($rating > 0 && $rating < 11)
{
  mysql_query("INSERT INTO gameRating (gameId, rating) VALUES ($gameId, $rating)");
  $sql = "UPDATE wp_MMOCraze_games SET gameCrazeLevel = ( "
        .   "SELECT AVG(rating) FROM gameRating WHERE gameId=$gameId ) "
        .   " WHERE gameId=$gameId";
  mysql_query( $sql );
  $rated = true;
}
Where would I put the mysql_real_escape_string at?

And any ideas on the review system code?
Basically all I want to do is almost the same thing as the ratings system code.

The game profiles are generated using a template file, however each individual game profile has its own separate database.
The game profile has php coding that outputs various sql variables on to the page. One of these variables is the $gameName variable.
I want to have a code that gets the gameName for the specific game profile that the user is on and submits the gameName along with the review into the reviews database.

So basically, if a user is on the game Profile, Aion, the code will pull the gameName "Aion" from the page and insert the name into the database along with the review that the user submitted using the review form that's on the profile itself. And then the code will also output and display every review in order by recent entry that corresponds to that specific gameName for that profile.
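An added example, not part of any post in this thread: the rating insert and the review insert done with PDO prepared statements (one of the two options named in post #2) plus an integer check on `gameId` and `rating`, so request values never become part of the SQL text. The in-memory SQLite database, the form field names `reviewerName` and `reviewContent`, and the `'no'` value for `confirmed` are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Constructed in-memory SQLite tables
// stand in for the MySQL tables; form field names and 'no' are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gameRating (gameId INTEGER, rating INTEGER)');
$db->exec('CREATE TABLE reviews (reviewId INTEGER PRIMARY KEY, gameId INTEGER,
    reviewerName TEXT, reviewContent TEXT, ipAddress TEXT, date TEXT, confirmed TEXT)');

// Whole number within [$min, $max] as int, otherwise null.
function intInRange($value, int $min, int $max): ?int {
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

function saveRating(PDO $db, array $get): bool {
    $gameId = intInRange($get['gameId'] ?? null, 1, PHP_INT_MAX);
    $rating = intInRange($get['rating'] ?? null, 1, 10);
    if ($gameId === null || $rating === null) {
        return false;                  // reject; no query is built at all
    }
    // Placeholders keep the values separate from the SQL statement text.
    $stmt = $db->prepare('INSERT INTO gameRating (gameId, rating) VALUES (?, ?)');
    return $stmt->execute([$gameId, $rating]);
}

function saveReview(PDO $db, array $get, array $post, string $ip): bool {
    $gameId = intInRange($get['gameId'] ?? null, 1, PHP_INT_MAX);
    $name = is_string($post['reviewerName'] ?? null) ? trim($post['reviewerName']) : '';
    $text = is_string($post['reviewContent'] ?? null) ? trim($post['reviewContent']) : '';
    if ($gameId === null || $name === '' || $text === '') {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO reviews
        (gameId, reviewerName, reviewContent, ipAddress, date, confirmed)
        VALUES (?, ?, ?, ?, ?, ?)');
    return $stmt->execute([$gameId, $name, $text, $ip, date('Y-m-d'), 'no']);
}

// Constructed requests: a valid rating, a rating carrying SQL, and a review
// whose text contains quotes and SQL keywords (stored as plain text).
var_dump(saveRating($db, ['gameId' => '12', 'rating' => '7']));
var_dump(saveRating($db, ['gameId' => '12', 'rating' => '7); DROP TABLE gameRating; --']));
var_dump(saveReview($db, ['gameId' => '12'],
    ['reviewerName' => "O'Brien", 'reviewContent' => "Great'); DELETE FROM reviews; --"],
    '203.0.113.5'));
echo $db->query('SELECT COUNT(*) FROM reviews')->fetchColumn(), "\n";
```

Against the real database only the DSN changes to a `mysql:` one. When the stored reviews are printed on the game page, pass `reviewerName` and `reviewContent` through `htmlspecialchars()`.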
11-19-2010, 05:39 PM | #4
tjfoz
Hey crazykid,

Have you thought about pulling the page name from the $_SERVER vars? This page lists the ones available: http://php.net/manual/en/reserved.variables.server.php

If there is not one that is exactly what you need, you can strip it down using substr functions.

Hope this helps!