Shoutbox

Who knows something about SQL and PHP - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+----- Thread: Who knows something about SQL and PHP (/showthread.php?tid=80725)

Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:31 PM

Okay, here I'm back again with my website (http://www.exca.be)

I have a problem with the shoutbox.
It stores all the data into the SQL itself. When you put in a message, it's all in CAPITAL LETTERS. I don't know why, but I have to rewrite all messages in phpMyAdmin to normal, because that's so ugly.

Secondly; I would like the names to appear in blue color (I guess that has to be done in the red sentence in the code below).
Third problem: in the status bar you can see that when you are on the page of the shoutbox the website is loading, and loading, and loading... and keeps on loading (it bothers me)

Please help, this can't be much for someone who knows it.

To be complete:
Below is the code used for the shoutbox, if you need it:

ACTIONSCRIPT GENERAL:

code:
instname.onSetFocus= function() { if (instname.text=="Name") { instname.text=""; } };
instmessage.onSetFocus= function() { if (instmessage.text=="Message") { instmessage.text=""; } };

content.text = "Loading Shouts...";
myData = new LoadVars();
myData.onLoad = Fillvalues;
myData.load("http://www.exca.be/website/shout.php");

function Fillvalues() {
            content.text = eval("myData.content");
            error = eval("myData.error");
}

ACTIONSCRIPT ON THE SHOUT BUTTON
code:
on (release) {
    if (name eq "Name" || name eq "" || shout eq "Message" || shout eq "") {
        error = "REQUIRED FIELDS MISSING";
    } else {
        myData.name = name;
        myData.shout = shout;
        myData.sendAndLoad("http://www.exca.be/website/shout.php", myData, "POST");
        error = "SENDING DATA";
        myData.onLoad = Check;
    }
    function Check() {
        myData.load("http://www.exca.be/website/shout.php");
        myData.onLoad = Fillvalues;
    }
}


SHOUT.PHP
code:
<?
// SEE README FOR DETAILS

require("config.php");

if (!empty($_POST['name']) && !empty($_POST['shout'])) {
    $name=strtoupper($_POST['name']);
    $shout=strtoupper($_POST['shout']);
    $now=time();
    $sql=mysql_query("INSERT INTO shoutbox (id,date,name,shout) VALUES ('','$now','$name','$shout')")
     or die("&error=ERROR: ERROR INSERTING&content=SEE ERROR DETAILS");
   
    echo"&error=RECEIVED YOUR SHOUT";
}
else {
    $sql=mysql_query("SELECT * FROM shoutbox ORDER BY id DESC LIMIT 50")
     or die("&error=ERROR: WRONG QUERY&content=SEE ERROR DETAILS");
   
    if(mysql_numrows($sql)==0) {
        echo"&error=ERROR: RETURNED EMPTY&content=SEE ERROR DETAILS";
    }
    else {
        while($row=mysql_fetch_array($sql)) {
            $content="$content"."$row[name]:\n$row[shout]\n\n";
        }
        echo"&content=$content";
    }
}
?>

CONFIG.PHP
code:
<?
$host="localhost";
$user="exca_be";
$pass="***************";
$db="exca_be";

mysql_connect($host,$user,$pass) or die("&error=ERROR: CAN'T CONNECT&content=SEE ERROR DETAILS");
mysql_select_db($db) or die("&error=ERROR: CAN'T SELECT DB&content=SEE ERROR DETAILS");
?>



Thanks in advance :)
RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 04:40 PM

quote:
Originally posted by Exca
SHOUT.PHP
code:
<?
// SEE README FOR DETAILS

require("config.php");

if (!empty($_POST['name']) && !empty($_POST['shout'])) {
    $name=strtoupper($_POST['name']);
    $shout=strtoupper($_POST['shout']);
    $now=time();
    $sql=mysql_query("INSERT INTO shoutbox (id,date,name,shout) VALUES ('','$now','$name','$shout')")
     or die("&error=ERROR: ERROR INSERTING&content=SEE ERROR DETAILS");
   
    echo"&error=RECEIVED YOUR SHOUT";
}
else {
    $sql=mysql_query("SELECT * FROM shoutbox ORDER BY id DESC LIMIT 50")
     or die("&error=ERROR: WRONG QUERY&content=SEE ERROR DETAILS");
   
    if(mysql_numrows($sql)==0) {
        echo"&error=ERROR: RETURNED EMPTY&content=SEE ERROR DETAILS";
    }
    else {
        while($row=mysql_fetch_array($sql)) {
            $content="$content"."$row[name]:\n$row[shout]\n\n";
        }
        echo"&content=$content";
    }
}
?>

there is your problem ;)
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:42 PM

Wow, and what has to be there? Nothing or something else?


RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 04:43 PM

nothing,

this is what that function does: http://php.net/manual/en/function.strtoupper.php


RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:45 PM

Okay thanks! Do you also know something about problem two and three?

quote:
Secondly; I would like the names to appear in blue color (I guess that has to be done in the red sentence in the code below).
Third problem: in the statusbar you can see that the when on the page of the shoutbox the website is loading, and loading, and loading... and keeps on loading (it bothers me)

RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 04:48 PM

2:
$content="$content"."<span style='color:#0000ff'>$row[name]</span>:\n$row[shout]\n\n";

i think that should do it...

don't know about number 3, sorry


RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:53 PM

Okay, thank you very much!


RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:57 PM

Too bad... the code doesn't seem to work (http://www.exca.be)


RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 05:00 PM

Oh, that code is for HTML... I forgot that your site is Flash, sorry, that won't work


RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 05:04 PM

Well actually it's the shout.php file which builds the text in the dynamic text field...

There must be a way :)


RE: Who knows something about SQL and PHP by surfichris on 01-05-2008 at 10:07 PM

Not on the flash side of things, but I wanted to point out a major vulnerability your script has: SQL Injection.

You don't sanitize any quotes or anything before you insert raw data into the database.

Add the following before your insert query..

code:
$name = mysql_real_escape_string($_POST['name']);
$shout = mysql_real_escape_string($_POST['shout']);

RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 10:33 PM

I don't quite understand... the shoutbox works now?


RE: Who knows something about SQL and PHP by Tochjo on 01-05-2008 at 10:35 PM

You can read Wikipedia: SQL injection to find out what Chris is talking about. Translations of it are available, if you find that easier :)


RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 10:42 PM

Oh, so it's a security matter.

In that case... where should I paste it? Probably on the shoutbutton, but I'm just a regular guy trying to make some website :)


RE: Who knows something about SQL and PHP by surfichris on 01-06-2008 at 11:35 AM

It would go on the lines right before mysql_query("INSERT INTO...");

Yes, you're just a regular guy, but it is those regular guys whose websites get hacked because they don't know things like this.

Essentially any information you save to a database from user input needs to be sanitized to prevent special characters performing unwanted things (SQL injection etc.).

So essentially, you run mysql_real_escape_string on any incoming data before you insert it or run a query using it. If you're inserting an integer from user input, typecast it to an integer first.

For example:
String: My test' string

Result unescaped: INSERT INTO test ('abc') VALUES ('My test' string');
After mysql real escape string: INSERT INTO test ('abc') VALUES('My test\' string');

Notice how in the unescaped version there is an extra quote in there? We don't want that, it is bad and can cause malicious things.

Second example of typecasting:

Incoming Integer (number): abc

Notice how it isn't a number?

Query: "SELECT * FROM test WHERE test=".$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=abc.

Now we have a problem. Because we want to be querying using an integer, a malicious user has entered a text string, and we aren't quoting and escaping the value (you don't have to for integers), whatever they enter can be executed as an additional query.

Solution?

Query: "SELECT * FROM test WHERE test=".(int)$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=0

Because we've cast the data to an integer and abc is not an integer (and doesn't contain any), 0 is returned, thus in this example we're protected.

This is only a subset of what you need to look out for but it covers the basics.

Chris

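Chris's two points above (quote characters in string input, and casting integer input) applied to the thread's shoutbox, as an added example that is not code from the thread or from Exca's site. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server, and it uses prepared statements with bound parameters, the modern replacement for mysql_real_escape_string (the mysql_* functions no longer exist in PHP 7 and later). The table layout and the sample shouts are constructed; the URL-encoding of the response goes one step beyond the thread, because a LoadVars response is split on "&" and "=".

```php
<?php
// Added example, not from the thread: a safer version of the shoutbox insert
// and read path. PDO + in-memory SQLite stand in for the thread's MySQL setup,
// and bound parameters replace mysql_real_escape_string (removed in PHP 7).

function openShoutbox(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the thread's shoutbox table (assumed layout).
    $pdo->exec('CREATE TABLE shoutbox (id INTEGER PRIMARY KEY AUTOINCREMENT, '
             . 'date INTEGER, name TEXT, shout TEXT)');
    return $pdo;
}

// Insert one shout. The values are bound, never concatenated into the SQL, so a
// quote in the input is stored as data instead of ending the string literal.
function addShout(PDO $pdo, string $name, string $shout): void {
    $stmt = $pdo->prepare('INSERT INTO shoutbox (date, name, shout) VALUES (:date, :name, :shout)');
    $stmt->execute([':date' => time(), ':name' => $name, ':shout' => $shout]);
}

// Fetch one shout by id. The id is cast to int (Chris's second point): "abc"
// becomes 0 and can never turn into extra SQL.
function getShout(PDO $pdo, $rawId): ?array {
    $stmt = $pdo->prepare('SELECT name, shout FROM shoutbox WHERE id = :id');
    $stmt->execute([':id' => (int)$rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Build the &content=... body the Flash side expects. Because LoadVars splits
// the response on "&" and "=", the value is URL-encoded; a raw "&" in a shout
// would otherwise inject extra variables into the response.
function renderContent(PDO $pdo, int $limit = 50): string {
    $stmt = $pdo->prepare('SELECT name, shout FROM shoutbox ORDER BY id DESC LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    $content = '';
    foreach ($stmt as $row) {
        $content .= $row['name'] . ":\n" . $row['shout'] . "\n\n";
    }
    return '&content=' . rawurlencode($content);
}

// Constructed sample input, including the string from Chris's example.
$pdo = openShoutbox();
addShout($pdo, "Exca", "My test' string");
addShout($pdo, "Visitor", "name=x&content=broken");

var_dump(getShout($pdo, "abc"));        // NULL: (int)"abc" is 0, no such row
var_dump(getShout($pdo, "1")['shout']); // string(15) "My test' string"
echo renderContent($pdo), "\n";
```

Run it with `php shoutbox_example.php`. The point of the design is that the SQL text never changes based on user input: the driver sends the statement and the values separately, so there is nothing for a stray quote to escape from, and the integer cast guarantees the id can only ever be a number.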

RE: Who knows something about SQL and PHP by Exca on 01-06-2008 at 12:43 PM

Ok, thank you for the information. I've implemented it, so it should be okay now.
You can check the shout.php that the shoutbox uses at http://www.exca.be/website/shout.php

While I'm here, I also have another thing to solve. I started on the contact page. www.exca.be => contact

I followed this tutorial: http://foamers.net/blogger/archives/45.

The actionscript I have on the submit-button is:

code:
on (release) {
    _parent.getURL("http://www.exca.be/website/contact.php","_blank","GET");
    _parent.message="Your message has been sent. Thanks for contacting!";
}

These are the variable names of the textfields:
code:
lastname
firstname
email
message


And this is the contact.php script:
code:
<?php
    $your_lastname = $_GET[‘lastname’];
    $your_firstname = $_GET[‘firstname’];
    $your_email = $_GET[‘email’];
    $your_message = $_GET[‘message’];

    $recipient_email = "info@exca.be"

    $subject = "From " . $your_email;
    $headers = "From: " . $your_name . " <" . $your_email . ">\n";
    $headers .= ‘Content-type: text/html; charset=iso-8859-1';

    $content = "<html><head><title>Contact letter</title></head><body><br />";
    $content .= "Last Name: <b>" . $your_lastname . "</b><br />";
    $content .= "First Name: <b>" . $your_firstname . "</b><br />";
    $content .= "E-mail: <b>" . $your_email . "</b><br /><hr /><br />";
    $content .= $your_message;
    $content .= "<br /></body>";

    mail($recipient_email,$subject,$content,$headers);
?>

<html>
<body bgcolor="#282E2C">
<div align="center" style="margin-top:60px;color:#FFFFFF;font-size:11px;
font-family:Tahoma;font-weight:bold">
            Your message was sent. Thank you.
        </div>
    </body>
</html>
<script>resizeTo(300, 300)</script>



Check yourself what the problem is... it's just giving a blank page :)
I actually don't want the red part either... I don't want any page to pop up, just the message that says "Your message has been sent. Thanks for contacting!"...
RE: Who knows something about SQL and PHP by Volv on 01-09-2008 at 11:36 AM

quote:
Originally posted by Chris Boulton
Not on the flash side of things, but I wanted to point out a major vulnerability your script has: SQL Injection.

You don't sanitize any quotes or anything before you insert raw data in to the database.
[Image: exploits_of_a_mom.png]