0

So the vote page is at Click here the Username should go into the text box, and after you vote on both servers, it should send the Username to the database.

    <form name="vote" class="short style" method="post" target="_blank">
    <input name="username" type="text" size="30" maxlength="30"       placeholder="Username"><button id="nextbutton" type="button" onClick="next();">Next</button>
    <div style="display: none;" id="button" class="button"><button type="submit" onClick="changeAction('http://www.rune-server.org/toplist.php?do=vote&sid=8289&name=');")>Rune-Server</button><button type="submit" onClick="changeAction('http://www.runelocus.com/toplist/index.php?action=vote&id=30838&id2=');")>RuneLocus</button></div>
</form><br>

im not sure what to add, i think i need to do something with the next button.. but please help! another thing is its a html... should it be php? but the mysql is working fine and is sending to the client. its just getting the username to be sent to the database, heres check vote

    if (!$con) {
    die("Could not connect to database: " . mysql_error());
}
mysql_select_db("a5999082_oxidepk", $con);
$username = mysql_escape_string($_GET['username']);
if (isset($_GET['username'])) {
    $result = mysql_query("SELECT * FROM `votes` where username = '$username'") or die(mysql_error());
    $row = mysql_fetch_array($result);
    if($row['username'] == $username) {
        mysql_query("DELETE FROM `votes` where username = '$username'");
        echo "true";
    } else {
        echo "false";
    }
}
mysql_close($con);

and then heres the Call back

<?php
$rspscoding = gethostbyname("http://www.oxidepkz.net63.net");
    if($_SERVER['REMOTE_ADDR'] == $rspscoding) {
        $con = mysql_connect("mysql1.000webhost.com", "a5999082_oxidepk", "password");
        if (!$con) {
            die("Could not connect to database: " . mysql_error());
        }
        mysql_select_db("a5999082_oxidepk", $con);
        $username = mysql_escape_string($_GET['username']);
        if (isset($_GET['username'])) {
            mysql_query("INSERT INTO `votes` (username) VALUES ('$username')") or die(mysql_error());  
        }
        mysql_close($con);
}

?> also not sure what gethostbyname should be... thanks!

John Conde
  • 217,595
  • 99
  • 455
  • 496
Oxide
  • 34
  • 5

1 Answers1

2

So... several comments

First, you're not sanitizing your data, which leaves you open to SQL injection.

Second, you posted your database credentials in your code example. Anyone reading this can see them and access your database. Editing won't fix that (will still be in history) so I would HIGHLY recommend you change your database credentials. Next time you might want to remove those before posting.

Third, you need to stop using mysql and switch to mysqli Why shouldn't I use mysql_* functions in PHP?

Fourth, you're using (in a confusing way)

$rspscoding = gethostbyname("http://www.oxidepkz.net63.net");
if($_SERVER['REMOTE_ADDR'] == $rspscoding) { }

That will never succeed because $_SERVER['REMOTE_ADDR'] contains the IP of the user, not the host name (and your user won't be posting from your server either, which is what I assume $rspscoding is). Check out the PHP $_SERVER reference.

Community
  • 1
  • 1
Machavity
  • 30,841
  • 27
  • 92
  • 100