PHP Member Pages... Need major help...

Graham Breach

The error message is about the  bit on line 42 - since it is inside a double-quoted string, the double-quotes have to be escaped with backslashes:

This kind of thing is dangerous though:

$list_memberinfo = mysql_query("SELECT * FROM `members` WHERE id='".$_GET['user']."'");

I suggest you Google for "SQL injection".

Lost User

Well... Thanks on the first one, but the second one is supposed to be used with the "memberlist" page, to where when they click "visit" it will link them to the profile page of which will take the hidden input of the ".list[id]." which is the id number of the user they chose to visit, as the "'".$_GET['user']."'" so that on the profile page it will automatically "get the id" and print out only the information for that id. So the url will in turn turn out to be like this..... "profile.php?user=IDOFUSERTHEYCHOSETOVISIT" I need some help with that part of it... I don't know if where I put all the GETs if they should be POSTs... or any other implementation that would help me to get this to work. Thanks. EDIT: I also added the backslashes to all the "spans" and it now loads the page... but it doesn't print any of the information out... Please help... I would like the finished profile page to look like... This is what it does read... so I'm not that far into a hole I think... profile.php?username=USERNAMEOFCHOSENMEMBER&user=IDOFCHOSENMEMBER "profile.php?user=IDOFUSERTHEYCHOSETOVISIT"

modified on Saturday, January 23, 2010 10:40 AM

Graham Breach · modified on Saturday, January 23, 2010 10:40 AM

It's not printing anything because of this:

$list_memberinfo = mysql_query("SELECT * FROM `members` WHERE id='".$_GET['user']."'");
$list = mysql_fetch_array( $list_memberinfo );
while($list = mysql_fetch_array( $list_memberinfo ))

Presumably the id is unique, so the first (and only) record is retrieved with the first call to mysql_fetch_array, then it gets called again for the while loop where the value you got first in $list is thrown away. Then the while condition will fail, because you've already got the one record out. Try changing it to this:

$list_memberinfo = mysql_query("SELECT * FROM `members` WHERE id='".$_GET['user']."'");
while($list = mysql_fetch_array( $list_memberinfo ))

- or you could remove the "while" line instead, maybe replacing it with

if(!empty($list))

As for $_POST and $_GET - GET is the one you want for this. In the GET method, the parameters are passed in as part of the URI. In the POST method, the parameters are passed in the body of the request, and you would need to use a form to do that in HTML. Or you could use $_REQUEST instead, which contains everything from POST and GET, and the cookies too.

Lost User

Okay thanks... I guess the first part was just a stupid mistake... even though it worked in the "memberlist" file..... But thanks, it now works. The "Edit Profile" page should include... Such like:

mysql_query("UPDATE `DBNAME`.`TABLE` SET VARIABLE = '$_POST[VARIABLE]'
WHERE username = '$SINGEDINUSERNAME' AND password = '$DIGNEDINUSER'SPASSWORD'");

I believe, and then it would be edited to where the user can edit multiple profile fields of which would be displayed on their profile!! Thanks so much for your help. Also, how would I be able to make the "Profile" page not include the "username=" in the url... Also, I tried adding more profile fields to make it seem as though there was 4 tables, when there is actually 1... I tried making it print it all out, now I need help to get it fixed... here is the code:

fly904

thebiostyle wrote:

Print "".$list['username']."</td><td bgcolor=\"#000000\" colspan=\"2\"></td><td class=\"alt\"><td class="alt"><center>Email</center></td><td><a href='mailto:".$list['email']."'>Send Message</a></td></tr><tr class="alt"><td class="alt"><center>Member Title</center></td><td>
".$list['title']."</td><td bgcolor=\"#000000\" colspan=\"2\"></td><td class=\"alt\"><td class="alt"><center>Country</center></td><td>".$list['country']."</td></tr><tr class="alt"><td class="alt"><center>Company</center></td><td>
".$list['company']."</td><td bgcolor=\"#000000\" colspan=\"2\"></td><td class=\"alt\"><td class="alt"><center>Website</center></td><td>".$list['www']."</td></tr><tr class="alt"><td class="alt"><center>Joined On: </center></td><td>
".$list['date']."</td><td bgcolor=\"#000000\" colspan=\"2\"></td><td class=\"alt\"><td class="alt"><center>Browser</center></td><td>".$list['browser']."</td></tr> <tr class="alt"><td class="alt"><center>About</center></td><td>
".$list['about']."</td><td bgcolor=\"#000000\" colspan=\"2\"></td><td class=\"alt\"><td class="alt"><center>Intrests</center></td><td>".$list['intrests']."</td></tr>";

Graham gave you the solution earlier. You still have unescaped double quotes in your string, <td class="alt"> in particular.

If at first you don't succeed, you're not Chuck Norris.

Lost User

Okay... Thanks, it now shows the page and loads the information... But how do I fix the... "profile.php?username=USERNAMEOFCHOSENUSER&user=IDOFCHOSENUSER" to "profile.php?user=IDOFCHOSENUSER" THANKS! EDIT: There is something... "humorously fatal" on the profile page... The first two "columns in the first row"... Are turning "Background Color = limegreen, Font Color = red"... Here is the code:

<td bgcolor=\"#FF0000\" color=\"#000000\"><center>Username</center></td><td bgcolor=\"#FF0000\" color=\"#000000\">';
Print "".$list['username']."</td>

So obviously somethings wrong... I can take a screenshot and post a link to it if ya'd like... Thanks.

modified on Saturday, January 23, 2010 4:16 PM

fly904 · modified on Saturday, January 23, 2010 4:16 PM

thebiostyle wrote:

Okay... Thanks, it now shows the page and loads the information... But how do I fix the... "profile.php?username=USERNAMEOFCHOSENUSER&user=IDOFCHOSENUSER" to "profile.php?user=IDOFCHOSENUSER"

You change the link, obviously. eg.

Will be:

thebiostyle wrote:

<td bgcolor=\"#FF0000\" color=\"#000000\"><center>Username</center></td><td bgcolor=\"#FF0000\" color=\"#000000\">';
Print "".$list['username']."</td>

It's obviously not that line. Do you have any other styles affecting it i.e. from a Style Sheet?

If at first you don't succeed, you're not Chuck Norris.

Lost User

Well, when I took out that line it showed as BG=black FC=red, but I don't know, maybe you can find the mistake... Here is the code for "profile.php":

<?
include_once"CONFIGPAGE.php";

$fetch_users_data = mysql_fetch_object(mysql_query("SELECT * FROM `members` WHERE username='".$_REQUEST['username']."'"));

$fetch_users_id = mysql_fetch_object(mysql_query("SELECT * FROM `members` WHERE id='".$_GET['user']."'"));

?>
<html>
<head>
<title>Members - Profile - <? echo "".$fetch_users_data->username.""; ?> ~ Bio-Designs</title>

<style type="text/css">
<!--
a {color: #000000; text-decoration: none;}a:link {color: #000000} a:visited {color: #000000} a:hover {color:#000000; width:7em} body{color: #FF0000} .dockmenu{ text-align: center; height: 50px; position: relative;}a.dockItem { text-align: center; color: #000;font-weight: bold; text-decoration: none; width: 50px; position: absolute; display: block; bottom: 0;}.dockItem img { border: none; margin: 0 auto 5px auto; width: 75%;}.dockItem span { display: none; positon: absolute;}.dockmenuContainer { height: 50px; left: 76px; position: absolute; top: 40px;}font {color: FF0000;}<!--BODY { scrollbar-arrow-color:#000000; scrollbar-track-color:#000000; scrollbar-shadow-color:#000000; scrollbar-face-color:#FF0000; scrollbar-highlight-color:#FF0000; scrollbar-darkshadow-color:#000000; scrollbar-3dlight-color:#FF0000; } table, td, th{border:0px 1px 0px 1px dashed #FF0000; padding:2px 2px 2px 2px;} td.alt {font-size:14pt; color: #000000;} tr.alt { background-color: #FF0000; color: #000000; border: 1px dotted red;}

//-->
</style>

<div>
	<div style="text-align: center;">
	<img src="http://www.thebiostyle.com/biologoblackv1.0.png" /><br /><br />

<div align="center">
Profile 
<table cellspacing="4" cellpadding="4" style=" border:1px dotted red;">
<?
$list_memberinfo = mysql_query("SELECT * FROM `members` WHERE id='".$_GET['user']."'");
while($list = mysql_fetch_array( $list_memberinfo ))
{
Print '<tr class=\"alt\"><td class=\"alt

fly904

thebiostyle wrote:

<form action='profile.php' method='GET'>

Do you know what the GET method of submitting a form actually does? Every input within the form, has their value displayed in the URL on the action page (the page the form is submited to). E.g.

Would direct to submit.php?fieldName=fieldValue&fieldName2=fieldValue2

If at first you don't succeed, you're not Chuck Norris.

Lost User

Yes, I know that, but in an earlier post, it said that I was right to use the "GET" method. Also, Did you find anything out about the "color" issue...?

fly904

Before you continue, I suggest you tidy up your code and get into some good practices.

thebiostyle wrote:

include_once"CONFIGPAGE.php";

Encapsulate the target file in brackets: include_once('CONFIGPAGE.php');. And use single quotes, as it is quicker.

thebiostyle wrote:

$fetch_users_data = mysql_fetch_object(mysql_query("SELECT * FROM `members` WHERE username='".$_REQUEST['username']."'"));
$fetch_users_id = mysql_fetch_object(mysql_query("SELECT * FROM `members` WHERE id='".$_GET['user']."'"));

You need to check first whether or not 'user' and 'username' are set. If they aren't then it will throw errors.

$username = isset( $_REQUEST['username'] ) ? $_REQUEST['username'] : '';
$user = isset( $_GET['user'] ) ? $_GET['user'] : '';

You seriously need to sanitise your data inputs to protect from SQL injection attacks. Use the mysql_real_escape_string[^] function.

$username = mysql_real_escape_string( $username );
$user = mysql_real_escape_string( $user );

Then use those sanitized values as your SQL inputs.

thebiostyle wrote:

echo "".$fetch_users_data->username."";

There is no need for the "" around the value. It will work just fine without it: echo $fetch_users_data->username;

thebiostyle wrote:

There is no need to have an onload attribute, with $_GET['user']. It is also bad practice to use bgcolor. Use the style attribute instead, or better still use CSS classes.

thebiostyle wrote:

</div>
</table>

From what I can see you haven't opened a div; therefore there is no need to close one. Note that you should also have a DOCTYPE which you should work from. http://www.w3schools.com/tags/tag_DOCTYPE.asp[^]

If at first you don't succeed, you're not Chuck Norris.

fly904

thebiostyle wrote:

Yes, I know that, but in an earlier post, it said that I was right to use the "GET" method.

thebiostyle wrote:

Okay... Thanks, it now shows the page and loads the information... But how do I fix the... "profile.php?username=USERNAMEOFCHOSENUSER&user=IDOFCHOSENUSER" to "profile.php?user=IDOFCHOSENUSER"

ALL the inputs in your form are sent to the URL, if you don't want them in the URL then don't have them in the form!

If at first you don't succeed, you're not Chuck Norris.

Lost User

Okay, everything is fixed, except the color issue... With the DOCTYPE, I think it fixed the colors, but now they're BG=black and FC=red, when they need to be BG=red and FC=black..... BTW, the whole site is filled with errors, but it works for me, lol so it's okay. Though with the site being used for web design and computer graphic design, I will make sure not to include errors in any other page. Thanks!

Lost User

I still need help with the color issue....

Graham Breach

I'd really recommend removing all the bgcolor= stuff (and the span, center, b, u tags)and putting it into the style sheet. You can apply multiple classes to an element if you want to, you just need to separate them with spaces, like this:

<td class="alt dark">some stuff</td>

Where "dark" is your new class specifying the correct background and font colours:

td.dark {
background-color: #FF0000;
color: #000000;
font-size: 16pt;
text-align: center;
font-weight: bold;
text-decoration: underline
}

If you move all the style information into the style sheet it becomes a lot easier to spot problems in the PHP and HTML.

Lost User

Thanks for all the help everyone!!