Forums are great communication tools for the exchange of ideas, for people teaching others about a specific area of interest, or even for just general social communication. The fact that they are usually so specialized helps get them high up in search results as well as contributing considerably to bodies of knowledge. True, there's a lot of misinformation and putdowns, but this invariably occurs when people communicate. One must learn to take what one learns with a grain of salt.

On to the PHP code. As usual, we start with config.php, since without it, the MySQL-based forum would not be viable. You cannot relate to a db without knowing the magic words. Next, the security of the page is dealt with by ensuring the page visitor has a username that's in the database. Note that the various pages on our forum app use both forms and URL query strings to transfer data between pages, so both POST and GET are checked for username, and if neither works, the visitor is sent to the login script. Not only is the db checked for a valid username, the username is checked to make sure it has only 6 to 20 letters, numbers or underscore in it and no other characters—otherwise, it's off to the login script. If a hacker has put something nasty in the query string, he'll end up at the login script. All our forum app scripts have this same username checker at the top of the PHP section—except for the login script.

After getting the POSTed topic, name, email, and detail data of the topic being added to the db, the data is validated, including trimming the topic field (which titles the topic) to 255 characters, trimming name and email to 65 characters, and trimming detail to 10,000 characters. The name, email, detail, and topic fields POSTed to the script get the mysql_real_escape_string() function run on them, with name and email and topic getting it as they're POSTed in but the detail field getting it right before it goes into the db. The strip_tags() and htmlspecialchars() functions are run on the name and email and topic but the detail data itself gets only strip_tags() and the preg_replace() function to filter out unwanted characters. The following characters are allowed in detail (the main topic content): a-z A-Z 0-9 . , ! ; - _ " ? ' : ( ) / and space. (The 047 and 057 in the preg_replace() are single quote and forward slash, by the way.) It's a good thing the mysql_real_escape_string() function is run before the data gets into the db. Since some of the allowed characters—especially single quote—can be used to exploit and harm MySQL databases, we need to escape them. The preg_match() function is run on the name and topic and email data, and input validation is thereby accomplished before inserting the data into the db.

SAVE THIS PAGE AS: cms-add-topic.php

<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>Add Forum Topic—Content Management System (CMS)</TITLE>
<meta name="description" content="Add Forum Topic—Content Management System (CMS)">
<meta name="keywords" content="forums,forum,Content Management System,Content Management System Articles,php,CMS,javascript, dhtml, DHTML">
</head>
<body>

<?php
include_once"config.php";

$U=$_POST['username'];if (!isset($U)){$U=$_GET['username'];}
if (isset($U)&&preg_match("/[A-Za-z0-9_]{6,20}$/",$U)){$check_user_data = mysql_query("SELECT * FROM members WHERE username='$U'") or die(mysql_error());if(mysql_num_rows($check_user_data)==0){unset($U);}}else{unset($U);}
if (!isset($U)){echo '<script language="javascript">alert("Please login.");window.location="login.php"; </script>';}

$tbl_name="forum_question";

$topic=mysql_real_escape_string(substr($_POST['topic'],0,255));
$detail=substr($_POST['detail'],0,10000);
$name=mysql_real_escape_string(substr($_POST['name'],0,65));
$email=mysql_real_escape_string(substr($_POST['email'],0,65));

$datetime=date("d/m/y h:i:s");

$name = strip_tags($name);
$name = htmlspecialchars($name, ENT_QUOTES);
if (!preg_match("/[A-Za-z0-9_ ]{6,20}$/",$name)) {
echo '<script language="javascript">alert("Please enter 6 to 20 letters, space, numbers and underline for name."); window.location = "cms-create-topic.php?id='.$id.'&username='.$U.'"; </script>';}

$topic = strip_tags($topic);
$topic = htmlspecialchars($topic, ENT_QUOTES);
if (!preg_match("/[A-Za-z0-9! \:\;\.\?\,_-]{6,255}$/",$topic)) {
echo '<script language="javascript">alert("Please enter 6 to 255 letters, numbers, hyphen, space, question mark, exclamation mark, semicolon, colon, comma and underline for the topic."); window.location = "cms-create-topic.php?id='.$id.'&username='.$U.'"; </script>';}

$detail = strip_tags($detail);
$pattern2 = '/[^a-zA-Z0-9\\s\\.\\,\\!\\;\\-\\_\\"\\?\\047\\:\\(\\)\\057]/i';
$detail=preg_replace($pattern2, "", $detail);
$detail=mysql_real_escape_string($detail);
if (strlen($detail)<6) {
echo '<script language="javascript">alert("Please enter 6 to 10000 characters for details."); window.location = "cms-create-topic.php?id='.$id.'&username='.$U.'"; </script>';}

$email = strip_tags($email);
$email = htmlspecialchars($email, ENT_QUOTES);
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email)) {
echo '<script language="javascript">alert("That email address is not valid."); window.location = "cms-create-topic.php?id='.$id.'&username='.$U.'"; </script>';

}else{

$sql="INSERT INTO $tbl_name(topic, detail, name, email, datetime, topics_username)VALUES('$topic', '$detail', '$name', '$email', '$datetime', '$U')";
$result=mysql_query($sql);

if($result){echo '<script language="javascript">window.location = "cms-forum.php?username='.$U.'"; </script>';

}else{
echo '<script language="javascript">alert("ERROR updating database tables"); window.location = "cms-forum.php?username='.$U.'"; </script>';}
}

mysql_close();
?>

</body>
</html>