Created my one-file-blog (php/mysql) - Feedback and Injections?


This is my first attempt to write a simple (one-file) blog engine, built with PHP and MySQL. I want to make it and keep it simple, and I don't want to include hundreds of files, classes and so on, because I only want to publish text, and that's it. I don't need plugins, changing templates, APIs or anything like that. The script is working and running fine, but I'm a novice and have only just started with PHP/MySQL. :)

So I want feedback: what have I done wrong, is it maybe too complicated, or is there a possibility of injections or similar? Any feedback is welcome (and sorry for my poor English!).

I've included comments, so that it's easier to follow my thoughts:

<?php
///////////////////////////////////////////////////// base
// What's the name of the blog and how many recent articles should be shown on the front page
$blogname = 'the basic blogname';
$anzahl = '3';

// Alright, let's connect to the database
include_once 'include/connect.php';

// Used to generate a German date (e.g.: March --> März)
setlocale(LC_ALL, 'de_DE@euro.utf8', 'de_DE.utf8', 'de.utf8', 'ge.utf8');

///////////////////////////////////////////////////// start >>> if
// Using htaccess mod_rewrite, I want to know which page name the user requested
if (isset($_GET['slug'])) {

    // I'm not sure if this makes sense (mysqli_/mysql_?) to avoid injections? Feedback welcome!
    $blog = mysql_escape_string($_GET['slug']);

    // Alright, check the database and ask if the site name exists and if the status is "online" (published/draft)
    $result = mysqli_query($con, "SELECT * FROM entries WHERE slug='$blog' AND status = 'online'");

    // Call the result and check if there is an article in the database
    $num_results = mysqli_num_rows($result);

    if ($num_results > 0) {

        // Include the header file, because there I have the $title variable for the site / browser tab
        include 'header.php';
        include_once 'markdown.php';

        // Create variables from the database fields, convert the content from Markdown
        while ($row = mysqli_fetch_array($result)) {
            $title = $row['title'];
            $content = $row['content'];
            $my_html = markdown($content);
            $date = $row['date'];
            $date = strftime('%d. %B %G', strtotime($date));

            // And finally: show the article on the website
            echo '<h2>' . $title . '</h2>';
            echo '<div id="date">' . $date . '</div>';
            echo '<div id="content">' . $my_html . '</div>';
            echo '<div id="link"><a href="/simple/">back to front page</a></div>';

            // Include the footer, so I have a complete page - header/content/footer
            include 'footer.php';
        }

    ///////////////////////////////////////////////////// else >>>
    // If there is no entry in the database for this page name...
    } else {

        // Again I need the header
        include 'header.php';

        // Say:
        echo '<h2>error</h2>';
        echo '<div id="content">There is no article with this name!</div>';
        echo '<div id="link"><a href="/simple/">back to front</a></div>';

        // And include the footer
        include 'footer.php';
    }

///////////////////////////////////////////////////// else >>>
// If the user opens the blog and doesn't request a name, I want to show him the last articles (3 - see top)...
} else {

    // Again call the database and request the last published entries, sort them, limited to the given amount of entries
    $result = mysqli_query($con, "SELECT * FROM entries WHERE status = 'online' ORDER BY id DESC LIMIT $anzahl");

    // Again include the header and Markdown
    include 'header.php';
    include_once "markdown.php";

    // Generate variables from the database during the loop, convert the excerpt from Markdown
    while ($row = mysqli_fetch_array($result)) {
        $title = $row['title'];
        $slug = $row['slug'];
        $excerpt = $row['excerpt'];
        $my_html = markdown($excerpt);
        $date = $row['date'];
        $date = strftime('%d. %B %G', strtotime($date));

        // And publish them on the website
        echo '<h2><a href="/simple/' . $slug . '">' . $title . '</a></h2>';
        echo '<div id="date">' . $date . '</div>';
        echo '<div id="content">' . $my_html . '</div>';
        echo '<div id="link"><a href="/simple/' . $slug . '">read more...</a></div>';
    }

    // Last time, include the footer again.
    include 'footer.php';
}
///////////////////////////////////////////////////// <<< finish
?>

Thanks - and yes, I'm willing to learn! :))

By using an SQL abstraction library and templates you can make the code more tidy:

$sql = "SELECT * FROM entries WHERE slug=?s AND status = 'online'";
$row = $db->getRow($sql, $_GET['slug']);
if ($row) {
    $title   = $row['title'];
    $content = markdown($row['content']);
    $date    = strftime('%d. %B %G', strtotime($row['date']));
    $tpl = 'single.tpl.php';
    include 'main.tpl.php';
} else {
    include '404.php';
}

And the list:

$sql  = "SELECT * FROM entries WHERE status = 'online' ORDER BY id DESC LIMIT ?i";
$data = $db->getAll($sql, $anzahl);
$tpl = 'list.tpl.php';
include 'main.tpl.php';
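The question asks whether mysql_escape_string is the right tool against injection, and the answer's `?s`/`?i` placeholders are the abstraction library's version of parameter binding; as an added example (not code from the question or the answer), here are the post's two queries written with plain mysqli prepared statements, which is what the library does underneath. It assumes `$con` is the mysqli connection from include/connect.php and `$anzahl` is the limit from the top of the script; mysql_escape_string belongs to the old mysql_ extension and knows nothing about the mysqli connection's charset, whereas a bound parameter never becomes part of the SQL text at all.

```php
<?php
// Added example: the two queries from the post with mysqli prepared statements.
// $con is assumed to be the mysqli connection created in include/connect.php.
// get_result() requires the mysqlnd driver, which is the default in modern PHP.

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Fetch one published entry by slug, or null if none matches.
 * The slug is bound as a string ('s'), so quotes or semicolons in it
 * are just data and cannot change the shape of the query.
 */
function fetchEntryBySlug(mysqli $con, string $slug): ?array
{
    $stmt = $con->prepare(
        "SELECT title, content, date FROM entries WHERE slug = ? AND status = 'online'"
    );
    $stmt->bind_param('s', $slug);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Fetch the newest published entries for the front page.
 * A LIMIT value cannot be quoted, so it is bound as an integer ('i')
 * and clamped to a sane range before it reaches the database.
 */
function fetchRecentEntries(mysqli $con, int $limit): array
{
    $limit = max(1, min($limit, 50));
    $stmt = $con->prepare(
        "SELECT title, slug, excerpt, date FROM entries WHERE status = 'online' ORDER BY id DESC LIMIT ?"
    );
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage matching the post's two branches; $anzahl is cast to int rather than kept as the string '3'.
$slug = $_GET['slug'] ?? null;
if ($slug !== null) {
    $entry = fetchEntryBySlug($con, $slug);   // null means "no article with this name"
} else {
    $entries = fetchRecentEntries($con, (int) $anzahl);
}
```

The rendering code from the post (header, Markdown conversion, footer) stays as it is; only the way user input reaches the database changes.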
