Profiel pagina / guestbook. HELP!

[jurre35]

Door je vreemde taalgebruik begrijp ik niet helemaal wat je bedoelt, maar ik zal toch even reageren:

php zal variabelen tussen dubbele quotes altijd parsen. In je reply van 12:03 viel je de topicstarter aan in verband met een mogelijk veiligheidslek door het gebruik van een variabele voor de bestandsnaam. Echter is de variabele $guestbook in dit geval een vaste waarde die in regel 5 al wordt opgegeven en later niet wordt aangepast. Kortom, die aanval was niet nodig.

hoi flitsflitsflits,

zou jij misschien de php willen aanpassen zodat hij wel geheel werkt?
zou heel erg fijn zijn, want hij werkt nog niet goed.

vooral het verwijderen van files werkt niet naar behoren.
ww: test123

 

[jurre35]

een goed werkend orgineel!!!

hey allemaal,

ik heb eingelijk het orgineel werkend gekregen!!
Hieronder heb ik het werkende php script staan.

het probleem is nu echter dat de indeling van het formulier niet naar wens is bij dit orgineel.

zou iemand het onderstaande orgineel willen aanpassen aan het script die ik hiervoor heb geplaatst met de invul vragen zoals deze hier te zien zijn:
http://www.rally-web.nl/Guestbook/guestbook.php

<?php
	# You must set this correctly to a
	# location where you are allowed to
	# create a file! 
	$guestbook = 'guestbook.dat';
	# Choose your own password
	$adminPassword = 'test123';
        # Hide harmless warning messages that confuse users.
        # If you have problems and you don't know why,
        # comment this line out for a while to get more
        # information from PHP
        error_reporting (E_ALL ^ (E_NOTICE | E_WARNING));

	# No changes required below here

	$admin = 0;
	if ($adminPassword == 'CHANGEME') {
		die("You need to change \$adminPassword first.");
	}

	# Undo magic quotes - useless for flat files,
	# and inadequate and therefore dangerous for databases. See:
	# http://www.boutell.com/newfaq/creating/magicquotes.html
	
	function stripslashes_nested($v)
	{
		if (is_array($v)) {
			return array_map('stripslashes_nested', $v);
		} else {
			return stripslashes($v);
		}
	}

	if (get_magic_quotes_gpc()) {
		$_GET = stripslashes_nested($_GET);
		$_POST = stripslashes_nested($_POST);
	}
?>
<html>
<head>
<title>Really Simple PHP Guestbook</title>
</head>
<body>
<h1 align="center">Really Simple PHP Guestbook</h1>
<div align="center">
<?php
	$password = "";
	if ($_POST['password'] == $adminPassword) {
		$admin = 1;
		$password = $adminPassword;
	} else if (strlen($_POST['password'])) {
		echo("<h2>Login Failed (Bad Password)</h2>\n");
	}
?>	
<table border="0" cellpadding="3" cellspacing="3">
<tr><th>Date</th><th>Name</th><th>Email</th><th>Comment</th>
<?php
	if ($admin) {
		echo "<th>Controls</th>";
	}
?>
</tr>
<?php
	if ($_POST['submit']) {
		$file = fopen($guestbook, "a");
		if (!$file) {
			die("Can't write to guestbook file");
		}
		$date = date('F j, Y, g:i a');
		$id = rand();
		$name = $_POST['name'];
		$email = $_POST['email'];
		$comment = $_POST['comment'];
		$name = clean($name, 40);
		$email = clean($email, 40);
		$comment = clean($comment, 40);
		fwrite($file, 
			"$date\t$name\t$email\t$comment\t$id\n");
		fclose($file);	
	}
	$file = fopen($guestbook, 'r');
	$tfile = null;
	$delete = 0;
	$deleteId = '';
	if ($admin && $_POST['delete']) {
		$delete = 1;
		$deleteId = $_POST['id'];
		$tfile = @fopen("$guestbook.tmp", 'w');
		if (!$tfile) {
			die("Can't create temporary file for delete operation");
		}
	}
	if ($file) {
		while (!feof($file)) {
			$line = fgets($file);
			$line = trim($line);
			list ($date, $name, $email, $comment, $id) = 
				split("\t", $line, 5);
			if (!strlen($date)) {
				break;
			}
			if (!strlen($id)) {
				// Support my old version
				$id = $date;
			}	
			if ($delete) {
				if ($id == $deleteId) {
					continue;
				} else {
					fwrite($tfile, 
						"$date\t$name\t$email\t$comment\t$id\n");
				}
			}
			echo "<tr><td>$date</td><td>$name</td>";
			echo "<td>$email</td><td>$comment</td>";
			if ($admin) {
				echo "<td>";
				echo "<form action=\"guestbook.php\" " .
					"method=\"POST\">";
				passwordField();
				hiddenField('id', $id);
				echo "<input type=\"submit\" " .
					"value=\"Delete\" " .
					"name=\"delete\">";
				echo "</form>";
				echo "</td>";
			}
			echo "</tr>\n";
		}
		fclose($file);
		if ($delete) {
			fclose($tfile);
			unlink($guestbook);
			rename("$guestbook.tmp", $guestbook);
		}	
	}
	function clean($name, $max) {
		# Turn tabs and CRs into spaces so they can't 
		# fake other fields or extra entries
		$name = ereg_replace("[[:space:]]", ' ', $name);
		# Escape < > and and & so they 
		# can't mess withour HTML markup
		$name = ereg_replace('&', '&amp;', $name);
		$name = ereg_replace('<', '&lt;', $name);
		$name = ereg_replace('>', '&gt;', $name);
		# Don't allow excessively long entries
		$name = substr($name, 0, $max);
		# Undo PHP's "magic quotes" feature, which has
		# inserted a \ in front of any " characters.
		# We undo this because we're using a file, not a
		# database, so we don't want " escaped. Those
		# using databases should do the opposite:
		# call addslashes if get_magic_quotes_gpc()
		# returns false.
		return $name;
	}
	function passwordField() {
		global $admin;
		global $password;
		if (!$admin) {
			return;
		}
		hiddenField('password', $password);
	}
	function hiddenField($name, $value) {
		echo "<input type=\"hidden\" " .
			"name=\"$name\" value=\"$value\">";
	}
?>
</table>
<?php
	if (!$admin) {
?>
<form action="guestbook.php" method="POST">
<b>Admin Login</b>
<p>
Admin Password: <input type="password" name="password">
<input type="submit" name="login" value="Log In">
</form>
<?php
	}
?>
<form action="guestbook.php" method="POST">
<table border="0" cellpadding="5" cellspacing="5">
<tr>
<td colspan="2">Sign My Guestbook!</td>
</tr>
<tr>
<th>Name</th><td><input name="name" maxlength="40"></td>
</tr>
<tr>
<th>Email</th><td><input name="email" maxlength="40"></td>
</tr>
<tr>
<th>Comment</th><td><input name="comment" maxlength="40"></td>
</tr>
<tr>
<th colspan="2">
<input type="submit" name="submit" value="Sign the Guestbook">
</th>
</tr>
</table>
<?php
	passwordField();
?>
</form>
</div>
</body>
</html>