Display comments AND poster's info!

Discussion in 'PHP' started by Tony Brar, Jun 13, 2012.

0
  1. #1
    Hi everybody.
    I have a problem with my PHP/MySQL. I want my code to display all comments for a piece of .
    Each comment should have the poster's info in a table, then the text in the comment, then the date posted.
    Right now, it displays comments right, but that's not the issue.
    Just to test it out, I put one comment in the database. It displayed the comment - exactly 10 times.:confused:
    For the page to work, the id of the content has been sent through $_GET.
    Here is the code (very messy, I'm new to PHP/MySQL):
    php Code:

    <?php
    //connect/declare
    $con = mysql_connect("******************","******","******");
    if (!$con)
    {
    die('Error: ' . mysql_error());
    }
    //select db
    mysql_select_db("*********", $con);
    //select appropriate row
    $contentresult = mysql_query("SELECT * FROM content WHERE content_id=$_GET[content_id]");
    $userresult = mysql_query("SELECT * FROM users WHERE user_id='$_GET[user_id]'");
    $commentresult = mysql_query("SELECT * FROM comments WHERE content_id='$_GET[content_id]'");
    $commentrow = mysql_fetch_array($commentresult);$userrow = mysql_fetch_array($userresult);
    $contentrow = mysql_fetch_array($contentresult);
    //end connect/declare
    //print each comment
    foreach ($commentrow as $value)
    {
    $commentrow['user_id'] = $user_id;
    $posterresult = mysql_query("SELECT * FROM users WHERE user_id='1'");
    $posterrow = mysql_fetch_array($posterresult, MYSQL_ASSOC);
    //print a comment
    echo '<div class="comment"><div class="userinfo"><table border="0"><tr><span class="userinfoheader"><th colspan="2"><strong><em>User info</em></strong></th></span></tr><tr><span class="uiusername"><td><em>Username:</em></td></span><span class="uiusernameval"><td><strong>' . $posterrow['username'] . '</strong></td></span></tr><tr><span class="uicoins"><td><em>Coins:</em></td></span><span class="uicoinsval"><td><strong>' . $posterrow['coins'] . '</strong></td></span></tr><tr><span class="uijoined"><td><em>Join Date:</em></td></span><span class="uijoinedval"><td><strong>' . $posterrow['datejoined'] . '</strong></td></span></tr><tr><span class="uiuploads"><td><em>Uploads:</em></td></span><span class="uiuploadsval"><td><strong>' . $posterrow['uploads'] . '</strong></td></span></tr></table></div><h3><strong>' . $posterrow['username'] . '</strong> said:</h3><p>' . $commentrow['text'] . '</p><p><em>Posted ' . $commentrow['dateposted'] . '</em></p></div>';
    }
    mysql_close($con);
    ?>

    Please help.

    - Tony
     
    Tony Brar, Jun 13, 2012 IP
  2. ssmm987

    ssmm987 Member

    Messages:
    180
    Likes Received:
    4
    Best Answers:
    3
    Trophy Points:
    43
    #2 
    $contentresult = mysql_query("SELECT * FROM content WHERE content_id=$_GET[content_id]");
$userresult = mysql_query("SELECT * FROM users WHERE user_id='$_GET[user_id]'");
$commentresult = mysql_query("SELECT * FROM comments WHERE content_id='$_GET[content_id]'");
    Code (markup):
    Please, for God's sake, never ever do this anymore. Never ever set _GET and _POST variable directly into your mysql_query. It is asking to be hacked.

    Instead use this:
    
$cid=(int)$_GET['content_id'];
$uid=(int)$_GET['user_id'];
$contentresult = mysql_query("SELECT * FROM content WHERE content_id=".$cid);
$userresult = mysql_query("SELECT * FROM users WHERE user_id='".$uid."');
$commentresult = mysql_query("SELECT * FROM comments WHERE content_id='".$cid."'");
    Code (markup):
    The very first lesson you should know about mysql, is how to execute commands safely. Although many people have the tendency to not really care about mysql security while they are still learning the basics, it will be better to train it from the very first day on, otherwise you'll never get that into your system. Always be sure that the variables contain valid input, so they can't be used for hacking. This can be done by either a type casting, like in this i've used (int) to ensure that the id was an integer, or, when you use strings, use mysql_real_escape_string. If you get more professional and all, you might want to look at PDO, which is - when properly used - safer.
    [hr]
    Anyway, on the case of your problem, delete this line:
    
$commentrow = mysql_fetch_array($commentresult);
    Code (markup):
    and replace this line
     
foreach ($commentrow as $value)
    Code (markup):
    With this:
    
while($value=mysql_fetch_array($commentresult){
    Code (markup):
    Also, the $user_id is never set in the foreach loop, and the $value variable as declared in the loop, is never used. I think there is your problem somewhere.
    [hr]
    Two other comments:
    - You might want to use LIMIT's in your mysql statements. Since the content_id and user_id will be unique in the tables content and users, there is no sense in continuing your search when you found your record. It will be faster once your databases get larger.
    - Use htmlentities when you post user created text and names in your html. If in this case, the user name is <ssmm987, then the whole page will be one big mess.

    I hope I fixed your problem, and taught you something about mysql security.
     
    ssmm987, Jun 14, 2012 IP