MyBB Community Forums

Full Version: MySQL insert into
This is not for a MyBB forum and I really don't care about vulnerabilities at the present. I just want it working.

<?php
/*
	NEWTHREAD
	Ben Cousins
	2012
	Hope it's right this time.
*/
session_start();
//Get config script...
require '../inc/config.php';
//Assign Pagetitle, and get Header:
$pagetitle = 'New Thread';
include '../tmp/header.php';
echo '<br><br><br><h1 class="pagetitle">Asperger\'s Network - Create a New Thread</h1><br>';
if(!$_POST){ 
$sqltitle = mysql_query("SELECT `name` from `f-forums` WHERE `id` = '{$_GET["f"]}'") or die(mysql_error());
while($row = mysql_fetch_array($sqltitle)){
echo '<br><div class="cathead"><h1>New Thread in Forum: '.$row["name"]. '</h1></div>';
}
 ?>
 <center><table><tbody><form method="post" action="" name="newthread">
 			<tr><td class="u-details">New Thread Title</td><td class="u-post-content"><input type="text" name="title" id="title" /></td></tr>
            <tr><td class="u-details">Post Content</td><td class="u-post-content"><textarea rows="30" cols="45" name="content" id="content"></textarea></td></tr>
            <tr><td class="u-details"><input type="submit" value="Post Thread" /></td><td class="u-post-content"></td></tr></form>
            </tbody></table></center>
<?php
}
else{
	//Get the stuff from the form...
	$title = $_POST['title'];
	$content = $_POST['content'];

mysql_query("INSERT INTO `f-topics` (f_id, title, poster_id)
VALUES ('{$_GET["f"]}', '{$title}', '{$id}')") or die(mysql_error());

$gettitle = mysql_query("SELECT * from `f-topics` WHERE `title` = ".mysql_real_escape_string($title)."") or die(mysql_error());
while($rowfid = mysql_fetch_assoc($sqltitle)){
mysql_query("INSERT INTO `f-posts` (t_id, content, poster_id)
VALUES ('{$rowfid["id"]}', '{$content}', '{$id}')") or die(mysql_error());
}
}
//And in closing
include '../tmp/footer.php';
?>

That is the page I am trying to execute. You submit the form, and...

It inserts the first bit fine, then when it gets to inserting the post, assuming you call it "Blah"

Quote:Unknown column 'Blah' in 'where clause'

Why would it be erroring that?

Yes, I ensured that it was the correct table in the DB.
(2012-12-07, 07:12 AM)Ben Cousins Wrote: mysql_query()
(2012-12-07, 07:12 AM)Ben Cousins Wrote: SELECT *
(2012-12-07, 07:12 AM)Ben Cousins Wrote: <br>
(2012-12-07, 07:12 AM)Ben Cousins Wrote: <center>
(2012-12-07, 07:12 AM)Ben Cousins Wrote: <table>

Wait, what year is this?
First line...

Quote:This is not for a MyBB forum and I really don't care about vulnerabilities at the present. I just want it working.

And, for the record, MyBB uses tables. Go check.

Plus, it makes an attractive design.
MyBB's also had the same design since 2002. PHP says on their own site that you shouldn't be using mysql_* functions for new projects, they're for MySQL 4.x which is ancient. I don't know why you would want to anyway, procedural database wrappers and lack of bound params is a pain.

Does your $content have any punctuation in it? I noticed you aren't escaping it, I know you don't care about vulnerability at this point but even one ' mark can malform the query. Your code is pretty messy, I'm having trouble following your exact data flow. :\
Simply put, for those that actually wish to help, instead of criticizing my use of tables:

Text fields:
-Title (Pretty self explanatory)
-Content (What will form the post)

Submit the form

else{}

Get the title, and Content as variables ($title and $content as such)

Write into the Database the title, and Poster ID (Referenced by a User Query in config.php)

Then, if that was successful, get the TopicID which has just been created, and insert that, the poster ID, and Content into the Posts table.


(2012-12-07, 07:54 AM)CAwesome Wrote: Does your $content have any punctuation in it? I noticed you aren't escaping it, I know you don't care about vulnerability at this point but even one ' mark can malform the query. Your code is pretty messy, I'm having trouble following your exact data flow. :\

I'm not even getting that far - It's throwing an error with the

$gettitle = mysql_query("SELECT * from `f-topics` WHERE `title` = ".mysql_real_escape_string($title)."") or die(mysql_error());
while($rowfid = mysql_fetch_assoc($gettitle)){

And yes, I did just update that.
You said the problem is at inserting the post, but that's a select query. Shot in the dark, but what if you put quotes around the title value?

$gettitle = mysql_query("SELECT * FROM `f-topics` WHERE `title` = '".mysql_real_escape_string($title)."'") or die(mysql_error());
while($rowfid = mysql_fetch_assoc($gettitle)){
Tried with double and single quotes.

Double rendered the same, single rendered:

Quote:Unknown column '$title' in 'where clause'
I meant around the entire function, like I put in the code in my post. Double quotes inside the function aren't going to make a difference, and single ones make the string literal.

For the sake of troubleshooting, can you rename the table and query from f-topics to f_topics? I've never seen dashes in table names before, I'm not sure if it's syntactically correct and there's nothing else left, lol.
The tables are referenced as f-*

That denotes to me, the only developer, that it's a forum table. And that would not be the issue as everything works if manually inserted into the Table.
So this works successfully when done in phpMyAdmin?

SELECT * FROM `f-topics` WHERE `title` = 'test';

Replace test with something that will yield a result.
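
Added example, not part of the thread or the poster's code: the flow described above (insert the topic, take the new topic ID, insert the first post) written with PDO bound parameters and lastInsertId(), so a title is never parsed as a column name and an apostrophe in the content cannot malform the query. Assumptions: an in-memory SQLite database stands in for MySQL, the function name create_thread and the column types are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not code from the thread. Assumption: in-memory SQLite stands
// in for the MySQL server so the script runs offline; for MySQL change the DSN
// and declare the id columns AUTO_INCREMENT.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column names come from the INSERT statements in the thread; types are assumed.
$db->exec('CREATE TABLE `f-topics` (id INTEGER PRIMARY KEY, f_id INTEGER, title TEXT, poster_id INTEGER)');
$db->exec('CREATE TABLE `f-posts` (id INTEGER PRIMARY KEY, t_id INTEGER, content TEXT, poster_id INTEGER)');

// Hypothetical helper: creates a topic and its first post, returns the topic id.
function create_thread(PDO $db, int $forumId, int $posterId, string $title, string $content): int
{
    $db->beginTransaction();
    try {
        // Bound parameters: the values are sent as data, never spliced into the
        // SQL text, so no manual quoting or escaping is involved.
        $topic = $db->prepare('INSERT INTO `f-topics` (f_id, title, poster_id) VALUES (?, ?, ?)');
        $topic->execute([$forumId, $title, $posterId]);

        // Take the id the database just generated instead of re-selecting by
        // title, which would match every topic that shares the same title.
        $topicId = (int) $db->lastInsertId();

        $post = $db->prepare('INSERT INTO `f-posts` (t_id, content, poster_id) VALUES (?, ?, ?)');
        $post->execute([$topicId, $content, $posterId]);

        $db->commit();
        return $topicId;
    } catch (Throwable $e) {
        // Leave no topic behind without its first post.
        $db->rollBack();
        throw $e;
    }
}

// Constructed sample input: a duplicate title and content containing quotes.
$first  = create_thread($db, 1, 7, 'Blah', "It's a post with 'quotes' in it");
$second = create_thread($db, 1, 7, 'Blah', 'Same title, different topic');

$rows = $db->query('SELECT t_id, content FROM `f-posts` ORDER BY t_id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $r) {
    echo "topic {$r['t_id']}: {$r['content']}\n";
}
```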