1

Hey guys, sorry if this is an amateur question, but I'm having a little trouble with this.

How do I display comments for a specific page? (page.php?id=48)

Because right now, every time I post a comment, it displays on all pages instead of the one I wanted it to post on.

Here's the code:

```php
$userfinal=$_SESSION['username'];
// No WHERE clause and only one row fetched: $id is always the first row of
// searchengine, so every page ends up showing the same set of messages.
$rs = mysql_query("SELECT id FROM searchengine") or die(mysql_error());
$rec = mysql_fetch_assoc($rs);
$id = $rec['id'];

// get the messages from the table.
$get_messages = mysql_query("SELECT messages_id FROM messages WHERE to_user='$id' ORDER BY messages_id DESC") or die(mysql_error());

$get_messages2 = mysql_query("SELECT * FROM messages WHERE to_user='$id' ORDER BY messages_id DESC") or die(mysql_error());

$num_messages = mysql_num_rows($get_messages);
// display each message title, with a link to their content
echo '<ul>';

for($count = 1; $count <= $num_messages; $count++){
    $row = mysql_fetch_array($get_messages2); 
    // if the message is not read, show "(new)"
    // after the title, else, just show the title.
    if($row['message_read'] == 0)
```

Any help would be appreciated, thanks.

AJ.
mohamed
  • Must there be an SQL-injection hole in **every** single php-mysql post! – Johan Jun 04 '11 at 20:40
  • @mohamed, please read this question: http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain – Johan Jun 04 '11 at 20:41
  • @Johan: There's not necessarily any injection possibility there. `id` is read straight from the database, and since it's probably numeric, it can't contain injection code. Of course, the whole thing could be constructed as one query. @mohamed: What's your `$userfinal` variable for? You don't use it anywhere! – Eric Jun 04 '11 at 20:44
  • Very badly structured code, vulnerable to most of the threats. Try improving your code. – Ibrahim Azhar Armar Jun 04 '11 at 20:44
  • @eric lol I used it originally for displaying messages but decided to use id instead. – mohamed Jun 04 '11 at 20:46
  • @ibrahimazhararmar what would you suggest I do? – mohamed Jun 04 '11 at 20:46
  • What is `SELECT id FROM searchengine` trying to do? What does your searchengine table look like? – Eric Jun 04 '11 at 20:56
  • `id int(11)` not null, auto_increment; `title varchar(100)` latin1_swedish_ci, not null; `description text` latin1_swedish_ci, not null; `url text` latin1_swedish_ci, not null; `keywords varchar(200)` l, not null; `user varchar(255)` – mohamed Jun 04 '11 at 21:08
  • What it does is select "id" from the searchengine table and use it as a user's id so I can send messages directly to ids instead of usernames (like what I was trying to do earlier with the session user). – mohamed Jun 04 '11 at 21:10

1 Answer

3

Take a look at my sample code.

Consider a table `comments` with the basic structure:

```sql
CREATE TABLE `comments` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `comment` text NOT NULL,
  `article_id` int(11) NOT NULL,
  PRIMARY KEY (`id`)
);
```

The `comment` column will hold the text of your comment.

`article_id` holds the foreign key of the article it belongs to.

Now let's say you want to retrieve the comments for a particular article id: article.php?id=48

Here is how you should be doing it:

```php
// Escaping only helps when the value is placed inside quotes in the SQL,
// so the escaped id is quoted here.
$articleId = mysql_real_escape_string($_GET['id']);
$query = "SELECT id,comment FROM comments WHERE article_id = '" . $articleId . "'";
$result = mysql_query($query);
while($row = mysql_fetch_array($result)) {
    // column is named `comment` in the table above
    echo nl2br($row['comment']);
}
```

Although my code does not relate to your question at all, it should give you the basic idea of how to implement the logic.

EDIT:

You should not use this code for production; it is only meant to explain how to implement the logic. Remember this code is vulnerable to SQL injection; if you want a temporary fix you could use the mysql_real_escape_string() function to avoid it. Check my updated code.

TIP: you should try to use PDO for all your database queries. Here is a tutorial to get you started: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

Ibrahim Azhar Armar
  • **-1** - SQL injection! `article.php?id=48';+DROP+TABLE+comments--` – Eric Jun 04 '11 at 20:59
  • @eric doesn't that drop the table? – mohamed Jun 04 '11 at 21:00
  • Thanks Ibrahim, really lol, it's been bugging me for almost a week. – mohamed Jun 04 '11 at 21:00
  • @mohamed: Yes, it does. If I type that into my address bar on your site, all your comments suddenly disappear from the database. – Eric Jun 04 '11 at 21:00
  • @mohamed, you should take care of SQL injections (that is what Eric is talking about); the above code is purely meant for reference, and in any case I don't recommend using it for production. Consider using PHP's PDO for all your database queries. Here, have a look at this article: [net.tutsplus.com](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) – Ibrahim Azhar Armar Jun 04 '11 at 21:03
  • "the above code is purely meant for reference" - Using injection-vulnerable code as a reference?? That sounds like a bad idea! – Eric Jun 04 '11 at 21:05
  • Oh okay, and that would prevent indirect access to databases. My goodness, and I thought my site would go live tomorrow lol. – mohamed Jun 04 '11 at 21:06
  • @Eric my mistake, I updated my code, which explains what the OP needs to counter the problem :) – Ibrahim Azhar Armar Jun 04 '11 at 21:07
  • @Ibrahim, +1 for fixing the code, please don't post SQL-injectable code in answers, it will only get you downvotes. – Johan Jun 04 '11 at 21:39
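The thread ends with the advice to move to PDO. The following is an added example, not code from the question or the answer above, showing what the answer's "fetch comments for article.php?id=48" (and equally the question's page.php?id=48) looks like with a PDO prepared statement. It assumes the `comments` table from the answer and a local MySQL database; the DSN, credentials and database name are placeholders. The reason the escaping approach was not enough is noted in the comments: `mysql_real_escape_string()` only escapes quote characters, so an id concatenated into SQL without surrounding quotes could still be altered by input containing no quotes at all. Binding the value as an integer parameter removes that class of problem entirely.

```php
<?php
// Added example (not the original poster's or answerer's code).
// Assumes the `comments` table (id, comment, article_id) from the answer.
declare(strict_types=1);

/**
 * Validate the id from the query string before it goes anywhere near SQL.
 * Returns null for anything that is not a positive integer.
 */
function getArticleId(array $query): ?int
{
    $id = filter_var(
        $query['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

/**
 * Fetch the comments for one article with a prepared statement.
 * The id is bound as PDO::PARAM_INT, so user input is never SQL text;
 * this is what mysql_real_escape_string() on an unquoted number cannot do.
 */
function fetchComments(PDO $pdo, int $articleId): array
{
    $stmt = $pdo->prepare(
        'SELECT id, comment FROM comments WHERE article_id = :article_id ORDER BY id'
    );
    $stmt->bindValue(':article_id', $articleId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Render the comments. htmlspecialchars() runs before nl2br() so a stored
 * comment cannot inject markup into the page; nl2br() then adds <br> tags.
 */
function renderComments(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $text = htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8');
        $html .= '<li>' . nl2br($text) . '</li>';
    }
    return $html . '</ul>';
}

// Usage on article.php?id=48 (connection details are placeholders).
$articleId = getArticleId($_GET);
if ($articleId === null) {
    http_response_code(400);
    exit('Invalid article id');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);

echo renderComments(fetchComments($pdo, $articleId));
```

The same pattern answers the original question: instead of `SELECT id FROM searchengine` with no `WHERE` clause (which always yields the first row, hence the same comments on every page), the page id comes from `$_GET['id']`, is validated as an integer, and is bound into `WHERE article_id = :article_id`, so each page only shows its own comments.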