PHP News Help

Wolverine

Member
Aug 1, 2014
90
3
So I've been working with a RevCMS theme and implanting some features into it (just on my spare time).

I'm trying to get the news author to appear. I only want the author's avatar to appear, I can get an avatar to appear by using {figure} instead, but then it shows the users avatar (not the authors, it shows your avatar if you view the article).

You must be registered for see images attach

Here's my PHP code. I'm most likely fucking it up, but if someone could fix this up, that'd be excellent.
PHP:
                                        <?php
                                        $onlineRow = "SELECT id,username,motto,online,look FROM users";
                                        {
                                        echo'
                                        <div id="userAvatar" style="margin-bottom: 10px;;float:left;width: 75px;height:70px;background: url(http://avatar-retro.com/habbo-imaging/avatarimage?figure='. $onlineRow['look'] .'&amp;action=drk&amp;direction=3&amp;head_direction=3&amp;gesture=sml&amp;size=1) no-repeat;"></div>
                                        <div id="slickTitle" style="margin-top:17px;" class="newsAuthor"><a href="/home/'. $onlineRow['username'] .'" style="text-decoration:none;color:#666;">{username}</a><span class="newstext"><b>{newsDate}</b></span></div>
                                        ';}
                                       ?>
 

Wolverine

Member
Aug 1, 2014
90
3
In your news replace the php section with this.
PHP:
                                       <?php
                                            if(!isset($_GET['id']) || !is_numeric($_GET['id']))
                                            {
                                                $_GET['id'] = 1;
                                            }
                                            $author = mysql_fetch_array(mysql_query("SELECT author FROM cms_news WHERE id = ".$_GET['id']));
                                            $a = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE id = ".$author['author']));
                                            $look = $a['look'];
                                            $user = $a['username'];
                                            echo '<div id="userAvatar" style="margin-bottom: 10px;;float:left;width: 75px;height:70px;background: url(http://avatar-retro.com/habbo-imaging/avatarimage?figure='.$look.'&amp;action=drk&amp;direction=3&amp;head_direction=3&amp;gesture=sml&amp;size=1) no-repeat;"></div>
                                                  <div id="slickTitle" style="margin-top:17px;" class="newsAuthor"><a href="/home/'.$user.'" style="text-decoration:none;color:#666;">'.$user.'</a><span class="newstext"><b>{newsDate}</b></span></div>';
                                        ?>
Yes, finally! Thank you so much Kodys!
 

CosmoPeak

PeakRP.com
May 15, 2016
271
268
Yes, finally! Thank you so much Kodys!
If you've used this code, you need to be careful. $_GET['id'] hasn't been sanitised (someone could write SQL in the id parameter and it would be ran directly on your database - look up SQL injection). @Nicholas is partially correct, but simply using MySQLi or PDO doesn't make you immune to SQL injection. You can still use MySQLi/PDO in the same way you can use MySQL. What they should be suggesting is using prepared statements. I looked at a CMS advertised as 'MySQLi' recently which just used MySQLi's query function and still escaped the parameters manually. This is not good practice and not what "use MySQLi or PDO" means at all.

In any case, you need to sanitise the user input. Here's an example if you're using RevCMS:

(I've changed the first few lines and changed the variable in the MySQL query from $_GET['id'] to $news_id)

PHP:
                                       <?php
                                            global $engine;

                                            $news_id = 1; // Default value

                                            if(isset($_GET['id']) && is_numeric($_GET['id']))
                                                $news_id = $engine->secure($_GET['id']); // Sanitised input

                                            $author = mysql_fetch_array(mysql_query("SELECT author FROM cms_news WHERE id = " . $news_id)); // Use the sanitised and SQL-injection free value
                                            $a = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE id = ".$author['author']));
                                            $look = $a['look'];
                                            $user = $a['username'];
                                            echo '<div id="userAvatar" style="margin-bottom: 10px;;float:left;width: 75px;height:70px;background: url(http://avatar-retro.com/habbo-imaging/avatarimage?figure='.$look.'&amp;action=drk&amp;direction=3&amp;head_direction=3&amp;gesture=sml&amp;size=1) no-repeat;"></div>
                                                  <div id="slickTitle" style="margin-top:17px;" class="newsAuthor"><a href="/home/'.$user.'" style="text-decoration:none;color:#666;">'.$user.'</a><span class="newstext"><b>{newsDate}</b></span></div>';
                                        ?>
 

Users who are viewing this thread

Top