PHP Code for Open or Close Topic in Database
Content Management System: Blogs
The topic open/close page shown here is very simple. Its only job is to put either a 1 or a 0 in the open field of the topics table of the MySQL db. If your username matches the administrator's username, the topics table is consulted: the id of the topic whose open/close flag is to change is read with a PHP GET statement, and once you indicate via the HTML form on this page whether you are opening or closing the topic, the flag is changed in the topics table using the SQL UPDATE and SET commands.
On to the PHP code. As usual, we start with config.php, since without it the MySQL-based blog would not be viable: you cannot relate to a db without knowing the magic words. Next, the security of the page is dealt with by ensuring the page visitor has the administrator's username. The various pages of our blog app use both forms and URL query strings to transfer data between pages, so both POST and GET are checked for a username, and if neither has one the visitor is sent to the login script. The username is not only checked against the administrator's username; it is also checked to make sure it consists of nothing but 6 to 20 letters, numbers or underscores. Anything else sends the visitor to the login script, so if a hacker has put something nasty in the query string, he'll end up at the login script. All our blog app scripts have this same (almost) username checker at the top of the PHP section, except for the login script. We say "almost" because most pages (like this one) only allow the administrator access, since most pages are about adding, deleting, or editing topics, replies, or categories; so the user checker on most of these blog app pages also tests whether the username is the administrator's.
The administrator's username is a bit silly, as you see. Feel free to change it (to AfDqC_1f3_DkI3j5k9N_ for example) when you register the administrator username and password, but you must use search and replace on ALL blog app pages searching for our silly name and replacing it with your not-as-silly name or you'll have more problems than a pregnant nun.
Next the topic id is read, with a PHP GET statement, from the URL query string that brought us to this open/close flag changing page. Depending on which topic's Open/Close Topic link is clicked on the topic and replies viewing page, the corresponding topic id number is sent via query string (along with the username) to this page, and only that one topic's flag can be altered here. Next the topic title is read from the db table and displayed so the user can verify which topic is being opened or closed. Then the HTML form with radio buttons, allowing a choice between opening and closing the topic, is displayed. The form's radio button input tag is named "open", and when the form is submitted either a 1 or a 0 gets POSTed into the PHP variable $open.
If your username matches the administrator's username, you'll be let into the script, where you make a selection in the form. Once you submit the form, the $open flag variable is set and the open/close flag of the topic whose id was learned from the PHP GET statement is changed in the "open" field of the topics table, named blog_question. You then get a message reporting the success or failure of this operation.
There is a JavaScript block later on the page that sticks the username and current topic id into hidden fields in the HTML form. Note that no UPDATEing will occur unless the form has been submitted (and the POSTed username is found to be the administrator's) and the $open variable is set. The statements u=u.replace(/\\/g,''); and i=i.replace(/\\/g,''); are for backslash removal, and they are needed if mysql_real_escape_string() or anything else adds slashes to ids or usernames. It happens.
SAVE THIS PAGE AS: cms-open-or-close-blog-topic.php
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Open or Close Blog Topic—Content Management System (CMS)</title>
<meta name="description" content="Open or Close Blog Topic—Content Management System (CMS)">
<meta name="keywords" content="open topic,close topic,blogs,blog,Content Management System,Content Management System Articles,php,CMS,javascript, dhtml, DHTML">
<style type="text/css">
BODY {margin-left:0; margin-right:0; margin-top:0;text-align:left;background-color:#ccc}
p, li {font:13px Verdana; color:black;text-align:left}
h1 {font:bold 28px Verdana; color:black;text-align:center}
h2 {font:bold 24px Verdana;text-align:center}
td {font:normal 13px Verdana;text-align:left;background-color:#eee}
.topic {text-align:left;background-color:#fff}
.mid {text-align:center;background-color:#aaa}
.right {text-align:right;}
.form {position:absolute;top:140px;left:240px;width:704px;border:1px solid blue;padding:6px;background-color:#eee}
.info {position:absolute;top:19px;left:2px;width:188px;border:1px solid blue;padding:6px;background-color:#bbb;word-wrap:break-word}
</style>
<script type="text/javascript">
function textCounter(field, countfield, maxlimit) {
if (field.value.length > maxlimit){field.value = field.value.substring(0, maxlimit);}
else{countfield.value = maxlimit - field.value.length;}}
</script>
</head>
<body>
<?php
include_once "config.php";
// The username arrives by POST (from this page's own form) or by GET (from the topic-viewing page's link).
$U = isset($_POST['username']) ? $_POST['username'] : (isset($_GET['username']) ? $_GET['username'] : null);
// Anchored at both ends: 6 to 20 letters, digits or underscores and nothing else, and it must be the administrator's name.
if (!isset($U) || !preg_match("/^[A-Za-z0-9_]{6,20}$/", $U) || $U !== "DIRTY_dog_DROPPINGS_") { unset($U); }
if (!isset($U)) {
echo '<script type="text/javascript">alert("You are not the Administrator. Go login again but you can only add replies or just read topics.");window.location="blog-login.php"; </script>';
exit; // the redirect only happens in the browser; without this exit the UPDATE below would still run for a non-administrator
}
// The open/close flag POSTed by the form; only the values 0 and 1 are accepted
$open = (isset($_POST['open']) && ($_POST['open'] === '0' || $_POST['open'] === '1')) ? $_POST['open'] : null;
$tbl_name = "blog_question";
// Topic id from the query string, cast to an integer so nothing else can reach the query
$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
$result3 = mysql_query("SELECT topic FROM $tbl_name WHERE id='$id'") or die('Error, topic lookup failed');
$rows = mysql_fetch_array($result3);
$topic = $rows ? $rows['topic'] : '';
?>
<div class='form'>
<form id="form1" name="form1" method="post" action="cms-open-or-close-blog-topic.php?id=<?php echo stripslashes($id); ?>&username=<?php echo stripslashes($U); ?>">
<table width="400" border="1" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCC">
<tr><td valign="top" class='mid'><b>Open or Close Topic:</b> <?php echo htmlspecialchars(stripslashes($topic)); ?></td></tr>
<tr><td>
<input type='radio' name='open' value='1' checked> <b>Open Topic</b></td></tr><tr><td>
<input type='radio' name='open' value='0'> <b>Close Topic</b><br></td></tr><tr><td>
<input type="hidden" name="username" value=" "><input type="hidden" name="id" value=" ">
</td></tr>
<tr><td><input type="submit" name="submit" value="submit"></td></tr><tr><td class='mid'><b><a href="cms-view-blog-topic.php?username=<?php echo stripslashes($U); ?>&id=<?php echo stripslashes($id); ?>">Return to Topic—don't open or close topic</a></b></td></tr>
</table>
</form>
</div>
<?php
if (isset($open)) {
// $open is already restricted to 0 or 1 and $id is an integer, so the query text cannot be altered here
$rc = mysql_query("UPDATE $tbl_name SET open = '$open' WHERE id='$id'") or die('Error, editing failed');
if ($rc) { echo '<script type="text/javascript">alert("The editing was successfully accomplished.");window.location = "cms-view-blog-topic.php?id='.$id.'&username='.$U.'"; </script>'; }
else { echo '<script type="text/javascript">alert("Editing failed.");window.location = "cms-view-blog-topic.php?id='.$id.'&username='.$U.'"; </script>'; }
}
mysql_close();
?>
<script type="text/javascript">
var u = <?php echo json_encode($U); ?>;
u=u.replace(/\\/g,'');
document.form1.username.value=u;
var i = <?php echo json_encode($id); ?>;
i=i.replace(/\\/g,'');
document.form1.id.value=i;
</script>
</body>
</html>
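As an added example that is not part of the original page or its blog app, here is a hardened counterpart to the handler above. It assumes (both are assumptions, not things the blog app provides) that config.php defines a PDO connection in $pdo and that blog-login.php sets $_SESSION['is_admin'] after checking the password; the admin decision then lives in the server-side session instead of a username in the query string, the id and the open flag are validated before they reach SQL, the queries use bound parameters, the form carries a CSRF token, and the script exits before the UPDATE whenever any check fails.

```php
<?php
// Added example, not the blog app's own code. Assumptions: config.php defines $pdo
// (a PDO connection with ERRMODE_EXCEPTION) and blog-login.php sets $_SESSION['is_admin']
// after checking the password, so the administrator's name never travels in a query string.
session_start();
require_once 'config.php';

if (empty($_SESSION['is_admin'])) {          // authorisation comes from the server-side session
    header('Location: blog-login.php');
    exit;                                    // nothing below may run for a non-administrator
}
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
}
// Topic id: a positive integer only, from POST (this form) or GET (the topic-viewing page's link).
$intOpts = ['options' => ['min_range' => 1]];
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, $intOpts)
   ?? filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, $intOpts);
if (!$id) { http_response_code(400); exit('Missing or invalid topic id'); }

$stmt = $pdo->prepare('SELECT topic FROM blog_question WHERE id = ?');
$stmt->execute([$id]);
$topic = $stmt->fetchColumn();
if ($topic === false) { http_response_code(404); exit('No such topic'); }

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The flag must be exactly 0 or 1, and the request must carry this session's CSRF token.
    $open = filter_input(INPUT_POST, 'open', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0, 'max_range' => 1]]);
    if ($open === null || $open === false || !hash_equals($_SESSION['csrf'], $_POST['csrf'] ?? '')) {
        http_response_code(400);
        exit('Bad request');
    }
    $upd = $pdo->prepare('UPDATE blog_question SET open = ? WHERE id = ?');
    $upd->execute([$open, $id]);             // bound parameters: $open and $id never enter the SQL text
    $message = $upd->rowCount() ? 'Topic flag updated.' : 'Flag unchanged.';
}
$h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<p><?= $h($message) ?></p>
<form method="post" action="cms-open-or-close-blog-topic.php">
  <b>Open or Close Topic:</b> <?= $h((string)$topic) ?><br>
  <input type="radio" name="open" value="1" checked> Open Topic<br>
  <input type="radio" name="open" value="0"> Close Topic<br>
  <input type="hidden" name="id" value="<?= $id ?>">
  <input type="hidden" name="csrf" value="<?= $h($_SESSION['csrf']) ?>">
  <input type="submit" value="submit">
</form>
```

Because the admin flag and the CSRF token are compared on the server, the hidden username field and the backslash-stripping JavaScript of the original page are no longer needed.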