This is it, I've completed my forum script and I'm sharing it with you!!!!!!!
:O
Hope you like it, if you find any bugs, please post it here
Oh yea, and the first registered person will be the admin
This is it!!
<?php
//save this as style.css
?>
body {
background-color: #666666;
border: 10px solid #000000;
color: #300000;
text-align: center;
padding: 5px;
}
#page {
border: 1px solid #000000;
color: #300000;
background-color: #C0C0C0;
text-align: center;
padding: 5px;
}
#login {
position: absolute;
border: 1px solid black;
color: #300000;
background-color: #C0C0C0;
text-align: center;
padding: 5px;
left: 50px;
margin-top:5px;
}
#register {
position: absolute;
border: 1px solid black;
color: #300000;
background-color: #C0C0C0;
text-align: center;
padding: 5px;
right: 50px;
margin-top:5px;
}
#user_info {
border: 1px solid black;
margin: 5px;
padding: 2px;
text-align: right;
}
#page2 {
border: 1px solid black;
margin: 5px;
padding: 2px;
}
#post {
border: 1px solid black;
}
a {
color: #000;
text-decoration: underline;
}
a:hover {
text-decoration: none;
color: #000;
}
<?php
//Save This Page as index.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />";
?>
<title>Main Forums Page</title>
<div id="page">
<?php
if($_SESSION['username']){
echo "<div id='user_info'>";
echo "<h6>Welcome ".$_SESSION['username']."!";
$result = mysql_query("SELECT `admin` FROM `users` WHERE `username` = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result)){
if($row['admin'] == 1){
echo "<br><a href='new_cat.php'>New Catagory</a>";
}
}
echo "<br>\n<a href='userchange.php'>Edit User Info</a>\n";
echo "<br>\n<a href='logout.php'>Logout</a></h6>";
echo "</div>";
echo "<div id='page2'>\n";
echo "<h2>Categories</h2>\n";
echo "<hr size='1' width='75%'>\n";
$result0 = mysql_query("SELECT * FROM forum_cats ORDER BY date");
while($row = mysql_fetch_array($result0)){
echo "<a href='forums.php?id=".$row['id']."'>".$row['cat_name']."</a><br>Date Added: ".$row['date']."<hr size='1' width='50%'><br>\n";
}
echo "<br>\n";
echo "</div>";
}else{
echo "Welcome Guest! Please login or register to start viewing the categories, topics, and to start posting!";
?>
<div id="login">
<table border=0>
<form action='./index.php' method='post'>
<tr><td colspan="2" align="center" bgcolor="#333333"><font color="#ffffff">Login Form</font></td></tr>
<tr><td>Username:</td><td><input type=text name=user maxsize=20></td></tr>
<tr><td>Password:</td><td><input type=password name=pass maxsize=20></td></tr>
<tr><td colspan="2"><input type="submit" value="Login" name="submit2"/></td></tr>
</form>
</table>
<?php
$sub = $_POST['submit2'];
$u = $_POST['user'];
$p = $_POST['pass'];
if($sub){
$sql = mysql_query("SELECT count(id) FROM users WHERE username='$u' AND password='$p'");
$result = mysql_result($sql, 0);
if($result!=1){
print "<br>Invalid Login Information";
}else{
$result1 = mysql_query("SELECT * FROM users");
while($row = mysql_fetch_array($result1)){
mysql_query("UPDATE users SET admin = '1' WHERE id = '1'") or die(mysql_error());
}
$_SESSION['username'] = $u;
echo "<br>You are now logged in ".$_SESSION['username']."!";
}
}
?>
</div>
<div id="register">
<table border="0" cellspacing="3" cellpadding="3">
<form method="post" action="index.php">
<tr><td colspan="2" align="center" bgcolor="#333333"><font color="#ffffff">Registration Form</font></td></tr>
<tr><td>Username</td><td><input type="text" name="username"></td></tr>
<tr><td>Password</td><td><input type="password" name="password"></td></tr>
<tr><td>Confirm</td><td><input type="password" name="passconf"></td></tr>
<tr><td>E-Mail</td><td><input type="text" name="email"></td></tr>
<tr><td colspan="2" align="center"><input type="submit" name="submit" value="Register"></td></tr>
</form>
</table>
</div>
<?php
if($_POST['submit']){
function protect($string){
$string = mysql_real_escape_string($string);
$string = strip_tags($string);
$string = addslashes($string);
return $string;
}
$username = protect($_POST['username']);
$password = protect($_POST['password']);
$confirm = protect($_POST['passconf']);
$email = protect($_POST['email']);
$errors = array();
if(!$username){
$errors[] = "<br>Username is not defined!";
}
if(!$password){
$errors[] = "<br>Password is not defined!";
}
if($password){
if(!$confirm){
$errors[] = "<br>Confirmation password is not defined!";
}
}
if(!$email){
$errors[] = "<br>E-mail is not defined!";
}
if($username){
if(!ctype_alnum($username)){
$errors[] = "<br>Username can only contain numbers and letters!";
}
$range = range(1,32);
if(!in_array(strlen($username),$range)){
$errors[] = "<br>Username must be between 1 and 32 characters!";
}
}
if($password && $confirm){
if($password != $confirm){
$errors[] = "<br>Passwords do not match!";
}
}
if($email){
$checkemail = "/^[a-z0-9]+([_\\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]+)*)+\\.[a-z]{2,}$/i";
if(!preg_match($checkemail, $email)){
$errors[] = "<br>E-mail is not valid, must be name@server.tld!";
}
}
if($username){
$sql = "SELECT * FROM `users` WHERE `username`='".$username."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) > 0){
$errors[] = "<br>The username you supplied is already in use!";
}
}
if($email){
$sql2 = "SELECT * FROM `users` WHERE `email`='".$email."'";
$res2 = mysql_query($sql2) or die(mysql_error());
if(mysql_num_rows($res2) > 0){
$errors[] = "<br>The e-mail address you supplied is already in use of another user!";
}
}
if(count($errors) > 0){
foreach($errors AS $error){
echo $error . "<br>\n";
}
}else {
$ip = $_SERVER['REMOTE_ADDR'];
$sql4 = "INSERT INTO `users`
(`username`,`password`,`email`, `admin`, `ip`, `displaypic`, `ban`)
VALUES ('".$username."','".$password."','".$email."','0', '$ip', 'None!', 'no')";
$res4 = mysql_query($sql4) or die(mysql_error());
echo "<font align=\"center\"><br><br>You have successfully<br>\n registered with the username <br>\n<b>".$username."</b> and the <br>\npassword <b>".$password."</b>!</font>";
echo "</div>";
}
}
}
?>
</div>
<?php
//Save This As new_cat.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />";
?>
<title>Adding Category</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
header("Location: index.php");
}
$query = mysql_query("SELECT admin FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($query)){
$admin = $row['admin'];
}
if($admin != 1){
die("You are not authorized to be here.");
}
echo "<div id='user_info'>";
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h2>Adding New Category</h2>
<form action='new_cat.php' method='POST'>
<p>Category Name: <input type='text' name='cat_name'></p>
<p><input type='submit' value='Create Category' name='submit'></p>
</form>
<?php
$sub = $_POST['submit'];
$name = $_POST['cat_name'];
if($sub){
mysql_query("INSERT INTO forum_cats (cat_name) VALUES ('$name')");
echo "Created category <b>".$name."</b>!";
}
?>
</div>
<?php
//Save This as forums.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />\n";
?>
<title>Forums Page</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
die("You must login to view the topics!");
}
echo "<div id='user_info'>\n";
$id = $_GET['id'];
$result2 = mysql_query("SELECT * FROM forum_cats WHERE id = '".$id."'");
while($row = mysql_fetch_array($result2)){
$cat = $row['cat_name'];
}
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h3>Topics In Category: <?php
echo "<b>".$cat."</b>";
?>.</h3>
<form action='?id=<?php echo $id; ?>' method='POST'>
<input type='submit' value='New Topic' name='submit'>
</form>
<hr size='1' width='75%'>
<?php
$result = mysql_query("SELECT * FROM forum_sub_cats WHERE forum_cat_name = '".$cat."'");
while($row = mysql_fetch_array($result)){
echo "<a href='./topic.php?id=".$row['id']."'>".$row['sub_cat_name']."</a><br>\nDescription: <b>".$row['desc']."</b><br>\nDate Added: ".$row['date']."<hr size='1' width='50%'>\n<br>";
}
$sub = $_POST['submit'];
if($sub){
?>
<table border='0' cellpadding='5'>
<tr><th colspan='2'>New Topic</th></tr>
<form action='?id=<?php echo $id; ?>' method='POST'>
<tr><td>Topic Name: </td><td><input type='text' name='sub_name'></td><tr>
<tr><td>Topic Description: </td><td><input type='text' name='sub_desc'></td></tr>
<tr><td colspan='2' align='right'><input type='submit' value='Create Topic' name='submit2'></td></tr>
</form>
</table>
<?php
}
$sub2 = $_POST['submit2'];
$name = $_POST['sub_name'];
$desc = $_POST['sub_desc'];
if($sub2){
mysql_query("INSERT INTO forum_sub_cats (`sub_cat_name`, `forum_cat_name`, `desc`) VALUES ('$name', '$cat', '$desc')") or die(mysql_error());
echo "Added Topic <b>".$name."</b>!";
}
?>
<?php
//Save this as topic.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />\n";
?>
<title>Forums Page</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
die("You must login to view the posts!");
}
$result = mysql_query("SELECT * FROM users");
while($row = mysql_fetch_array($result)){
$uslevel = $row['admin'];
}
echo "<div id='user_info'>\n";
$id = $_GET['id'];
$result2 = mysql_query("SELECT * FROM forum_sub_cats WHERE id = '".$id."'");
while($row = mysql_fetch_array($result2)){
$cat = $row['sub_cat_name'];
}
$result1 = mysql_query("SELECT admin FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result1)){
$ulevel = $row['admin'];
}
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h3>Posts In Topic: <?php
echo "<b>".$cat."</b>";
?>.</h3>
<form action='?id=<?php echo $id; ?>' method='POST'>
</form>
<hr size='1' width='75%'>
<p>Posts:</p>
<?php
echo "<table border='0' cellpadding='5' cellspacing='5'>";
$result3 = mysql_query("SELECT * FROM posts WHERE forum_sub_cat_name = '".$cat."'");
while($row = mysql_fetch_array($result3)){
$user = $row['user'];
$post = $row['post'];
echo "<tr><td colspan='3'><hr size='1'></td></tr>";
echo "<tr align='left'><td colspan='2' align='center' bgcolor='#333333'><font color='#ffffff'>Username: <b>".$user."</b> Userlevel: ";
if($uslevel == 0){
echo "<b>Memeber</b>";
if($ulevel == 1){
echo " <br>\n<center><form action='?id=".$id."' method='POST'><input type='submit' name='edit' value='Edit'></form><form action='?id=".$id."' method='POST'><input type='submit' name='ban' value='Ban'></form>";
}
echo "</font></td></tr><tr><td align='left'>User Forum Pic: <br>\n".$row['display']."</td><td align='center'>Post: <br>\n<textarea rows='15' cols='20' readonly='readonly'>".$post."</textarea></td></tr>\n";
}else if($uslevel == 1){
echo "<b>Administrator</b>";
if($ulevel == 1){
echo " <br>\n<center><form action='?id=".$id."' method='POST'><input type='submit' name='edit' value='Edit'></form><form action='?id=".$id."' method='POST'><input type='submit' name='ban' value='Ban'></form>";
}
echo "</font></td></tr><tr><td align='left'>User Forum Pic: <br>\n".$row['display']."</td><td align='center'><textarea rows='15' cols='15' readonly='readonly'>".$post."</textarea></td></tr>\n";
}
echo "<tr><td bgcolor='#333333'><font color='#ffffff'>Posted: ".$row['date']."</font></td><td bgcolor='#333333'><font color='#ffffff'>Subject: ".$row['subject']."</font></td></tr>";
echo "<tr><td colspan='3'><hr size='1'></td></tr>";
}
echo "</table>";
?>
<hr size='1' width='75%'>
<form action='?id=<?php echo $id; ?>' method='POST'>
<table border='0' align='center' cellspacing='5'>
<tr><th colspan='2'>Add A Post</th></tr>
<tr><td>Subject: </td><td><input type='text' name='sub' size='20'></td></tr>
<tr><td>Comment: </td><td><textarea name='comment' rows='5' cols='20'></textarea></td></tr>
</tr><td colspan='2' align='right'><input type='submit' value='Add Post' name='submit'></td></tr>
</table>
</form>
<?php
$result3 = mysql_query("SELECT displaypic FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result3)){
$display = $row['displaypic'];
}
$sub = $_POST['submit'];
$subj = $_POST['sub'];
$com = $_POST['comment'];
if($sub){
if(($subj == '') || ($com == '')){
die("You did not enter a Subject and/or a Post!");
}
mysql_query("INSERT INTO posts (`user`, `post`, `subject`, `forum_sub_cat_name`, `display`) VALUES ('".$_SESSION['username']."', '$com', '$subj', '$cat', '<img src=$display width=150 height=150/>')") or die(mysql_error());
echo "Post Added!";
}
$sub2 = $_POST['edit'];
$sub3 = $_POST['ban'];
if($sub2){
?>
<form action='?id=<?php echo $id; ?>' method='POST'>
<p>Current Post: <textarea rows='15' cols='20' readonly='readonly'><?php echo $post; ?></textarea></p>
<p>New Post: <textarea name='npost' rows='5' cols='20'></textarea></p>
<p><input type='submit' name='edit2' value='Edit Post'></p>
</form>
<?php
}
$sub4 = $_POST['edit2'];
$npost = $_POST['npost'];
if($sub4){
mysql_query("UPDATE posts SET post = '".$npost."'") or die(mysql_error());
echo "Post Edited!";
}
if($sub3){
mysql_query("UPDATE users SET ban = 'yes' WHERE username = '".$user."'") or die(mysql_error());
echo "User Banned!";
}
?>
<?php
//Save this as logout.php
?>
<?php
session_start();
session_unset();
session_destroy();
header("Location: index.php");
?>
<?php
//Save this as global.php
//Make sure to edit the database names
?>
<?php
$connect = mysql_connect('localhost', 'username', 'password') OR die("Error: ".mysql_error());
$db = mysql_select_db('forum', $connect) OR die("Error: ".mysql_error());
?>
<?php
//Save this as userchange.php
?>
<?php
session_start();
include("global.php");
echo "<link href='style.css' rel='stylesheet' type='text/css' />\n";
?>
<title>User Administration</title>
<div id="page">
<?php
$result000 = mysql_query("SELECT * FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result000)){
if($row['ban'] == 'yes'){
echo "<a href='logout.php'>logout</a><br>\n";
die("I'm sorry, but you are currently banned and may not view the site.");
}
}
if(!$_SESSION['username']){
die("You must login to view this page!");
}
echo "<div id='user_info'>\n";
echo "<h6>Logged in as: ".$_SESSION['username'].".<br><a href='userchange.php'>Edit User Info</a> | Click here to <a href='logout.php'>logout</a> | <a href='index.php'>Main Page</a></h6>";
?>
</div>
<div id='page2'><center><h2>User Administration</h2>
<form action='userchange.php' method='POST'>
<table border='0'>
<tr><th>Change Password | </th><th>Current Pass:
<?php
$result = mysql_query("SELECT password FROM users WHERE username = '".$_SESSION['username']."'");
while($row = mysql_fetch_array($result)){
echo $row['password'];
}
?></th></tr>
<tr><td>New Pass</td><td><input type='password' name='pass' maxsize=20 /></td></tr>
<tr><td>Confirm Pass</td><td><input type='password' name='pass2' maxsize=20 /></td></tr>
<tr><td colspan=2><input type="submit" value="Change Pass" name="submit"/></td></tr>
</table>
</form>
<?php
$np = $_POST['submit'];
$p = $_POST['pass'];
$p2 = $_POST['pass2'];
if($np){
if($p!=$p2){
die("Passwords Don't Match!<br>");
}
if(($p=='') || ($p2=='')){
die("Passwords Are Blank!<br>");
}
mysql_query("UPDATE users SET password = '".$p."' WHERE username = '".$_SESSION['username']."'") or die(mysql_error());
echo "Password Changed!";
}
?>
<form action='userchange.php' method='POST'>
<table border='0'>
<tr><th>Change Forum Display Pic </th><th>(Note, this will be resized to 150 x 150)</th></tr>
<tr><td>Forum Pic URL: </td><td><input type='text' name='url'></td></tr>
<tr><td colspan='2'><input type='submit' value='Change Pic' name='submit0'></td></tr>
</table>
</form>
<?php
$sub2 = $_POST['submit0'];
$url = $_POST['url'];
if($sub2){
mysql_query("UPDATE users SET displaypic = '".$url."' WHERE username = '".$_SESSION['username']."'");
echo "Forum Pic Changed!";
}
?>
</div>
<?php
//And finally, import this sql to your database
?>
CREATE TABLE IF NOT EXISTS `users` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`username` varchar(20) NOT NULL,
`password` varchar(20) NOT NULL,
`email` varchar(50) NOT NULL,
`admin` varchar(1) NOT NULL,
`joined` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`displaypic` varchar(500) NOT NULL,
`ip` varchar(60) NOT NULL,
`ban` varchar(10) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
CREATE TABLE IF NOT EXISTS `posts` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`user` varchar(20) NOT NULL,
`post` text NOT NULL,
`subject` varchar(20) NOT NULL,
`forum_sub_cat_name` varchar(60) NOT NULL,
`date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`display` varchar(500) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
CREATE TABLE IF NOT EXISTS `forum_sub_cats` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`sub_cat_name` varchar(60) NOT NULL,
`forum_cat_name` varchar(60) NOT NULL,
`desc` varchar(100) NOT NULL,
`date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
CREATE TABLE IF NOT EXISTS `forum_cats` (
`id` int(255) NOT NULL AUTO_INCREMENT,
`cat_name` varchar(60) NOT NULL,
`date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
`admin` varchar(1) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;
DealthRune
2
Light Poster
Hopes you like it :D
somedude3488
228
Nearly a Posting Virtuoso
This code is horribly insecure. There are sql injection and xss holes. The code is a mess and very hard to follow. You should add some comments.
The way it stands now, I could delete your tables in your database and hijack sessions (there is a lot more I can do as well).
NO ONE USE THIS UNTIL THE ISSUES ARE FIXED!
LloydFarrell
0
Junior Poster
This is dissapointing as I have been looking for a forum script to use for my site,
Would it be possible to add security to this to make this script secure ??
Hoping to hear a reply
smartness
-3
Junior Poster
@LloydFarrell!
Why don't you use phpBB?
@AUTHOR:
Thanks, but looks insecure! Improve it!
Also a lot of errors appear! Use error_reporting(E_ALL); when you code!
Tip:
Don't use:
if($_POST['submit']) {
//Code here
}Use instead:
if(isset($_POST['submit'])) {
//Code here
}
smartness
-3
Junior Poster
Bug:
When you log-in, the "Welcome Guest" still apears!
After refreshing it's gone, but users will think login was unsuccessful !
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.