Need Help

Started by calthephenom, November 22, 2009, 03:10:34 PM

calthephenom

I'm currently coding a Rock Band score tracking script for my site
I have this as the form

<form name="input" action="score_add.php" method="post">
Welcome <?php echo $_POST["username"]; ?>!<br />
echo "Song:"
<input type="text" name="song" />
echo "Score"
<input type="text" name="Score" />
echo "Instrument:"
<input type="text" name="instrument" />
echo "Percent"
<input type="text" name="Percent" />
?>




and for the script that processes it I have this

<?
$con = mysql_connect("localhost","REMOVED","REMOVED");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
INSERT INTO scores (id, username, song, Score, instrument, Percent)
VALUES (username, song, Score, instrument, Percent)
?>


I've only known PHP for about 8 months (being that I am only 13), what should I do to make this functional?

Arantor

Is this for an SMF forum, and is that table being used in an SMF mod?

calthephenom

I'm just going to insert the form at the bottom of my theme's index.template.php
it will be on the same server, and I may release this as a mod

Arantor

If you're doing this within SMF, you never under any circumstances need to use a manual mysql_connect or mysql_query.

What version of SMF?

calthephenom

1.10.10
and for the score submission form, it's on the index page, but the actual script is
not on an actual part of SMF

Arantor

If the intention is to make a mod, it would all have to be moved inside the forum anyway.

Unfortunately making that function is less easy than it sounds.

First up, tweaking the form to remove a fairly nasty security vulnerability.

Code (the form):
<form name="input" action="score_add.php" method="post">
Welcome <?php echo html_specialchars($_POST["username"]); ?>!<br />
echo "Song:"
<input type="text" name="song" />
echo "Score"
<input type="text" name="score" />
echo "Instrument:"
<input type="text" name="instrument" />
echo "Percent"
<input type="text" name="percent" />
?>


Assuming the scores table has id as an auto-increment on it... (I did remove your password and username for your protection) and we're not including this in SMF itself for now:

<?php
$con = mysql_connect("localhost","REMOVED","REMOVED");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

$fields = array('username', 'song', 'instrument', 'score', 'percent');
foreach($fields as $field)
  $_POST[$field] = empty($_POST[$field]) ? '' : $_POST[$field];

$username = addslashes(stripslashes($_POST['username']));
$song = addslashes(stripslashes($_POST['song']));
$instrument = addslashes(stripslashes($_POST['instrument']));
$score = (int) $_POST['score'];
$percent = (int) $_POST['percent']; // I'm assuming it's a whole number?

mysql_query("INSERT INTO scores (username, song, Score, instrument, Percent)
VALUES ('$username', '$song', $score, '$instrument', $percent);");
?>


Note that this doesn't check if any of the fields are empty as such; it just puts the values into the database as is. You'll need to do more work to figure out whether it should return to the user with an error.
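
An added example (not from the thread or from SMF) of the same standalone handler written with PDO prepared statements in place of addslashes() and the mysql_* functions, which were removed in PHP 7; it also does the empty-field checking the note above leaves open. The in-memory SQLite database, the table schema, the 100-byte limit and the sample submissions are assumptions made so it runs offline.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for MySQL
// so it runs offline; the schema and the 100-byte limit are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE scores (id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT, song TEXT, Score INTEGER, instrument TEXT, Percent INTEGER)');
// Validate one submission; returns [row, errors].
function validate_score(array $post): array {
    $row = $errors = [];
    foreach (['username', 'song', 'instrument'] as $f) {
        $row[$f] = trim((string) ($post[$f] ?? ''));
        if ($row[$f] === '' || strlen($row[$f]) > 100) {
            $errors[] = "$f is required (max 100 bytes)";
        }
    }
    // Whole numbers only: filter_var() returns false for "12abc" or out-of-range input.
    $row['score'] = filter_var($post['score'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    $row['percent'] = filter_var($post['percent'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    if ($row['score'] === false) { $errors[] = 'score must be a whole number >= 0'; }
    if ($row['percent'] === false) { $errors[] = 'percent must be 0-100'; }
    return [$row, $errors];
}
function add_score(PDO $db, array $row): void {
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO scores (username, song, Score, instrument, Percent)
        VALUES (:username, :song, :score, :instrument, :percent)');
    $stmt->execute($row);
}

// Constructed submissions: one with an apostrophe and markup, one invalid.
$samples = [
    ['username' => '<b>cal</b>', 'song' => "Livin' on a Prayer",
     'instrument' => 'drums', 'score' => '98750', 'percent' => '97'],
    ['username' => 'cal', 'song' => '', 'instrument' => 'bass',
     'score' => '12abc', 'percent' => '140'],
];
foreach ($samples as $post) {
    [$row, $errors] = validate_score($post);
    if ($errors) { echo 'Rejected: ', implode('; ', $errors), "\n"; continue; }
    add_score($db, $row);
}
// Escape when writing stored values into HTML.
foreach ($db->query('SELECT username, song, Score FROM scores') as $r) {
    echo htmlspecialchars($r['username'], ENT_QUOTES, 'UTF-8'), ' | ',
        htmlspecialchars($r['song'], ENT_QUOTES, 'UTF-8'), ' | ', $r['Score'], "\n";
}
```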

calthephenom

"Fatal error: Call to undefined function html_specialchars() in D:\Hosting\4881395\html\forum\index.php on line 537"

Arantor

Bah, it's htmlspecialchars not html_specialchars. I do wish PHP would be more consistent in its function naming.

calthephenom

http://yourawk.net/forum/index.php
the username is invisible xD
I modded the code just a little bit

<form name="input" action="score_add.php" method="post">
Welcome <h1><?php echo htmlspecialchars($_POST["username"]); ?><h1>
"Song:"
<input type="text" name="song" />
"Score"
<input type="text" name="score" />
"Instrument:"
<input type="text" name="instrument" />
"Percent"
<input type="text" name="percent" />
<input type="submit" value="Submit" />
</form>

with this, I don't get any errors, but in phpMyAdmin the values aren't there :O

Arantor

Since the username is being specified by $_POST I assumed you had something else that set that up in the first place.

So is the other code in score_add.php?

Does a new row get created at all?

calthephenom

"MySQL returned an empty result set (i.e. zero rows). (Query took 0.0096 sec)"
I already have said rows, and about the $_POST I thought that SMF's username system was ['username']
and how would I have the form not show if you're not logged in?

calthephenom


Arantor

Please do not bump within 24 hours; we are all volunteers here and I have other things to do as well as providing coding support.

No, SMF's username system is quite different, besides you told me you were running that form outside SMF anyway.

You would expect MySQL to return 0 rows since you're not selecting anything, but inserting.

calthephenom

sorry, the form itself is actually at the bottom of index.php, but the script that handles it is outside the forum software
but with the later script, how can you make it insert it into said tables?
I have a makeshift table-output script ready, but no script to populate the database

Arantor

How do you know it isn't? Did you look in phpMyAdmin to verify it isn't adding the row?

calthephenom

it says "MySQL returned an empty result set (i.e. zero rows). (Query took 0.0017 sec)"

Arantor

Change the code to:
mysql_query("INSERT INTO scores (username, song, Score, instrument, Percent)
VALUES ('$username', '$song', $score, '$instrument', $percent);") or die(mysql_error());

calthephenom


SELECT COUNT( * ) AS  `Rows` ,  `Score`
FROM  `scores`
GROUP BY  `Score`
ORDER BY  `Score`
LIMIT 0 , 30

Arantor

I think you missed my edited reply.

calthephenom

should I erase the XSS slashing area, or just the last area?
