一个简易的web论坛系统
本人小白,为了练习一下php,就尝试着写了一个web论坛系统,安全方面没有考虑太多,有很多地方存在漏洞,欢迎大家指正
index.php
1 <?php
2 @ $db = mysqli_connect ('localhost', 'root', 'xxx', 'forum');
3 if (mysqli_connect_errno()) {
4 ¦ die("Error: Could not connect to database. Please try it again.");
5 }
6 $query = 'select * from articals order by date desc';
7 $result = mysqli_query ($db, $query);
8 $num_results = mysqli_num_rows ($result);
9 for ($i = 0; $i < $num_results; $i++) {
10 ¦ $row = mysqli_fetch_assoc ($result);
11 ¦ $query = 'select username from users where userid=' . $row['userid'] ;
12 ¦ $name_result = mysqli_query ($db, $query);
13 ¦ $name = mysqli_fetch_assoc ($name_result);
14 ¦ echo '<p><strong><big><a href="artical.php?id=';
15 ¦ echo $row['postid'] . '">';
16 ¦ echo htmlspecialchars (stripslashes ($row['title']));
17 ¦ echo '</a></big></strong> <i>';
18 ¦ echo htmlspecialchars (stripslashes ($name['username']));
19 ¦ echo '</i> ';
20 ¦ echo htmlspecialchars ($row['date']);
21 }
22 mysqli_close ($db);
23 ?>
24 <html>
25 <head>
26 <meta charset="utf-8">
27 <title>Online Forum</title>
28 </head>
29 <body>
30 <h1>琪琪的论坛</h1>
31 <form action= "register.php" method= "post">
32 ¦ <input type= "submit" value= "Register"/>
33 </form>
34 <form action= "login.php" method= "post">
35 ¦ <input type= "submit" value= "Login"/>
36 </form>
37 <form action= "post.php" method= "post">
38 ¦ <input type= "submit" value= "Post an artical"/>
39 </form>
40 <hr />
41 </body>
42 </html>
artical.php
1 <?php
2 @ $db = mysqli_connect ('localhost', 'root', 'xxx', 'forum');
3 if (mysqli_connect_errno()) {
4 ¦ die ("Error: Could not connect to database. Please try it again later");
5 }
6 $query = 'select * from articals where postid=' . $_GET['id'];
7 $result = mysqli_query ($db, $query);
8 $row = mysqli_fetch_assoc ($result);
9 echo '<h1>' . htmlspecialchars (stripslashes ($row['title'])) . '</h1>';
10 echo '<p>' . htmlspecialchars (stripslashes ($row['content'])) . '</p>';
11 echo '<hr />';
12 echo '<h1>Comment</h1>';
13 $query = 'select * from comment where postid=' . $_GET['id'] . ' order by date desc';
14 $result = mysqli_query ($db, $query);
15 $num_results = mysqli_num_rows ($result);
16 if ($num_results < 1) {
17 ¦ echo 'No comment';
18 } else {
19 ¦ for ($i = 0; $i < $num_results; $i++) {
20 ¦ ¦ $row = mysqli_fetch_assoc($result);
21 ¦ ¦ $query = 'select username from users where userid=' . $row['userid'];
22 ¦ ¦ $name_result = mysqli_query ($db, $query);
23 ¦ ¦ $name = mysqli_fetch_assoc ($name_result);
24 ¦ ¦ echo '<p><i>';
25 ¦ ¦ echo htmlspecialchars (stripslashes ($name['username']));
26 ¦ ¦ echo ':</i> ';
27 ¦ ¦ echo htmlspecialchars (stripslashes ($row['comment']));
28 ¦ ¦ echo ' ';
29 ¦ ¦ echo htmlspecialchars ($row['date']);
30 ¦ ¦ echo '</p>';
31 ¦ }
32 }
33 mysqli_close ($db);
34 ?>
35 <html>
36 <body>
37 <form method= "post">
38 ¦ <?php
39 ¦ ¦ echo '<a href="comment.php?id=' . $_GET['id'] . '">';
40 ¦ ?>
41 ¦ <input type= "button" value= "Post a comment"/>
42 ¦ <?php
43 ¦ ¦ echo '</a>';
44 ¦ ?>
45 </form>
46 </body>
47 </html>
register.php
1 <?php
2 @ $db = mysqli_connect ('localhost', 'root', 'xxx', 'forum');
3 if (mysqli_connect_errno()) {
4 ¦ die ("Error: Could not connect to database. Please try it again later.");
5 }
6 if (isset ($_POST['uname'], $_POST['passwd'])) {
7 ¦ $query = "insert into users (username, password) values ('" . $_POST ['uname'] . "', '" . $_POST['passwd'] . "')";
8 ¦ $result = mysqli_query ($db, $query);
9 ¦ if (!$result) {
10 ¦ ¦ echo 'Fault';
11 ¦ } else {
12 ¦ ¦ header ("Location: login.php");
13 ¦ }
14 }
15 mysqli_close ($db);
16 ?>
17 <html>
18 <head>
19 <title>Register</title>
20 </head>
21 <body>
22 <form action= "register.php" method= "post">
23 ¦ <table border= "0">
24 ¦ ¦ <tr>
25 ¦ ¦ ¦ <td>Username:</td>
26 ¦ ¦ ¦ <td align= "center" width= "150"><input type= "text" name= "uname" size= "15" maxlength= "15"/></td>
27 ¦ ¦ </tr>
28 ¦ ¦ <tr>
29 ¦ ¦ ¦ <td>Password:</td>
30 ¦ ¦ ¦ <td align= "center" width= "150"><input type= "text" name= "passwd" size= "15" maxlength= "15"/></td>
31 ¦ ¦ </tr>
32 ¦ ¦ <tr>
33 ¦ ¦ ¦ <td colspan= "4" align= "center"><input type= "submit" value= "register"/></td>
34 ¦ ¦ </tr>
35 ¦ </table>
36 </form>
37 </body>
38 </html>
login.php
1 <?php
2 session_start();
3 if ($_SESSION['info'] === true) {
4 ¦ header ("Location: index.php");
5 }
6 if ($_POST) {
7 ¦ $uname = $_POST['uname'];
8 ¦ $passwd = $_POST['passwd'];
9 ¦ @ $db = mysqli_connect ('localhost', 'root', 'xxx', 'forum');
10 ¦ if (mysqli_connect_errno()) {
11 ¦ ¦ die ("Error: Could not connect to database. Please try it again later.");
12 ¦ }
13 ¦ $query = "select * from users where username='" . $uname . "'and password='" . $passwd . "'";
14 ¦ $result = mysqli_query ($db, $query);
15 ¦ $num_results = mysqli_num_rows ($result);
16 ¦ if (!$num_results) {
17 ¦ ¦ die ("Please input the right username and password.");
18 ¦ } else {
19 ¦ ¦ $_SESSION['info'] = true;
20 ¦ ¦ $row = mysqli_fetch_assoc ($result);
21 ¦ ¦ $_SESSION['userid'] = $row['userid'];
22 ¦ ¦ header ("Location: index.php");
23 ¦ }
24 }
25 echo '<p><a href= "register.php">还没有账号?快去注册一个吧</a><p>';
26 ?>
27 <html>
28 <head>
29 <title>Log In</title>
30 </head>
31 <body>
32 <form action= "login.php" method= "post">
33 ¦ <table border= "0">
34 ¦ ¦ <tr>
35 ¦ ¦ ¦ <td>Username:</td>
36 ¦ ¦ ¦ <td align= "center" width= "150"><input type= "text" name= "uname" size= "15" maxlength= "15"/></td>
37 ¦ ¦ </tr>
38 ¦ ¦ <tr>
39 ¦ ¦ ¦ <td>Password:</td>
40 ¦ ¦ ¦ <td align= "center" width= "150"><input type= "text" name= "passwd" size= "15" maxlength="15"/></td>
41 ¦ ¦ </tr>
42 ¦ ¦ <tr>
43 ¦ ¦ ¦ <td colspan= "8" align= "center"><input type= "submit" value= "Log In"/></td>
44 ¦ ¦ </tr>
45 ¦ </table>
46 </form>
47 </body>
48 </html>
comment.php
1 <?php
2 session_start ();
3 if (!(isset ($_SESSION['info']) && $_SESSION['info'] === true)) {
4 ¦ header ("Location: login.php");
5 }
6 @ $db = mysqli_connect ('localhost', 'root', 'xxx', 'forum');
7 if (mysqli_connect_errno ()) {
8 ¦ die ("Error: Could not connect to database. Please try it again later.");
9 }
10 if (isset ($_GET['id'], $_SESSION['userid']) && $_POST['comment']) {
11 ¦ $query = "insert into comment (postid, userid, comment) values (" . $_GET['id'] . ", " . $_SESSION['userid'] . ", '" . $_POST['comment'] . "')";
12 ¦ $result = mysqli_query ($db, $query);
13 ¦ if (!$result) {
14 ¦ ¦ echo "False";
15 ¦ } else {
16 ¦ ¦ header ("Location: artical.php?id=" . $_GET['id']);
17 ¦ }
18 }
19 mysqli_close ($db);
20 ?>
21 <html>
22 <body>
23 <form action= "comment.php?id=<?php echo $_GET['id']; ?>" method= "post">
24 ¦ <table border= "0">
25 ¦ ¦ <tr>
26 ¦ ¦ ¦ <td>Comment:</td>
27 ¦ ¦ ¦ <td><textarea name= "comment" rows= "3" cols= "35"></textarea></td>
28 ¦ ¦ </tr>
29 ¦ ¦ <tr>
30 ¦ ¦ ¦ <td colspan= "50" align= "center"><input type= "submit" name= "post"/></td>
31 ¦ ¦ </tr>
32 ¦ </table>
33 </form>
34 </body>
35 <html>
post.php
1 <?php
2 session_start ();
3 if (!(isset ($_SESSION['info']) && $_SESSION['info'] === true)) {
4 ¦ header ("Location: login.php");
5 }
6 @ $db = mysqli_connect ('localhost', 'root', 'xxx', 'forum');
7 if (mysqli_connect_errno ()) {
8 ¦ die ("Error: Could not connect to database. Please try it again later.");
9 }
10 if (isset ($_SESSION['userid'], $_POST['title']) && $_POST['content']) {
11 ¦ $query = "insert into articals (title, userid, content) values ('" . $_POST['title'] . "', " . $_SESSION['userid'] . ", '" . $_POST['content'] . "')";
12 ¦ $result = mysqli_query ($db, $query);
13 ¦ if (!$result) {
14 ¦ ¦ echo 'False';
15 ¦ } else {
16 ¦ ¦ header ("Location: index.php");
17 ¦ }
18 }
19 mysqli_close ($db);
20 ?>
21 <html>
22 <body>
23 <form action= "post.php" method= "post">
24 ¦ <table border= "0">
25 ¦ ¦ <tr>
26 ¦ ¦ ¦ <td>Title:</td>
27 ¦ ¦ ¦ <td><input type= "text" name= "title" size= "37" maxlength= "35"/></td>
28 ¦ ¦ </tr>
29 ¦ ¦ <tr>
30 ¦ ¦ ¦ <td>Content:</td>
31 ¦ ¦ ¦ <td><textarea name= "content" rows= "3" cols= "35"></textarea></td>
32 ¦ ¦ </tr>
33 ¦ ¦ <tr>
34 ¦ ¦ ¦ <td colspan= "8" align= "center"><input type= "submit" name= "post"/></td>
35 ¦ ¦ </tr>
36 ¦ </table>
37 </form>
38 </body>
39 </html>