homemade comments feature

[garrensilverwing]

hi guys i hope you missed me i am trying to create a comments feature for my website that will allow registered users to leave comments on certain pages, right now i am in the stage of getting everything to show up when a user visits that page. The problem i am having is when i go to the page there is nothing displayed (other than the login feature which is working perfectly), i do not get a SQL error and the database has information in it but no comments or images or anything show up, if you need additional information i can give it to you, here is my code:

Code:

function login()
    {
    if(isset($_SESSION['user']))
        {
        $user = $_SESSION['user'];
        echo "You are currently logged in as $user!";
        }
    else{
        if(!$_POST['submit'])
            {
?>
            <form method="post" action="index.php" class="form">
            Username 
            <input type="text" name="username" maxlength="32" style="height: 19px; width: 90px" />
            Password 
            <input type="password" name="password" maxlength="32" style="height: 18px; width: 90px" />
            <input type="submit" name="submit" value="Login" style="height: 20px" />
            </form>
<?php 
            }
        else {
            $user = protect($_POST['username']);
            $pass = protect($_POST['password']);
            if($user && $pass)
                {
                $sql="SELECT * FROM `testusers` WHERE `username`='$user' AND `password`='$pass'";
                $query=mysql_query($sql) or die(mysql_error());
                 if(mysql_num_rows($query) == 1)
                    {
                         $row = mysql_fetch_assoc($query);
                        $_SESSION['user'] = $row['username'];
                        $_SESSION['admin'] = $row['admin'];
                        echo "$first, you are now logged in!";
                    }
                else {
                    echo "The username and/or password you entered is invalid.";
                    echo "<a href=\"javascript:history.go(-1)\">Try again</a> ";
                    }
                }
            }
        }
    }
?>

<?php
//locate page comments
function pagecomments($thread)
    {
        if(isset($_SESSION['user']))
            {
                $sql="SELECT * FROM comments WHERE 'thread' LIKE '$thread'";
                $query=mysql_query($sql) or die(mysql_error());
                echo "<ol>";
                while($row = mysql_fetch_array($query))
                    {
                        $username=$row['username'];
                        $text=$row['comment'];
                        echo "<div class=\"commentbox\">";
                        echo "<li><i>Posted by: $username at ".$row['time']."</i><br>";
                        echo "<strong>$text</strong>";
                        echo "<i>Last Modified: ".$row['modified']."</i></li>";
                        echo "</div>";
                        commentoptions($username,$text);
                    }
                echo "</ol>";
            }
        else
            {
                echo "<i>You must be logged in to view comments.</i>";
            }
    }
function commentoptions($username,$text)
    {
?>
    <div id="commentwrapper" style="position:relative; height:3em; width:25em; margin-right:auto; margin-left:auto; text-align:left;">
        <div style="position: relative; z-index: 1; width: 25em; height: 1em;" id="options">
        <div style="position: relative; z-index: 1; float: left;" id="viewer">
            <img alt="reply" src="images/commenticons/comment_add.png" />
            <img alt="quote" src="images/commenticons/comment_quote.png" />
            <img alt="report" src="images/commenticons/comment_warning.png" />
        </div>
<?php
    if($username == $_SESSION['user'])
        {
?>        
        <div style="position: relative; z-index: 1; float: left;" id="poster">
            <img alt="edit" src="images/commenticons/comment_edit.png" />
            <img alt="notify" src="images/commenticons/comment_email.png" />
        </div>
<?php
        }
    if($_SESSION['admin'] == 1)        
        {
?>
        <div style="position: relative;  z-index: 1; float: right;" id="admin">
            <img alt="delete" src="images/commenticons/comment_remove.png" />
            <img alt="warn" src="images/commenticons/comment_error.png" />
            <img alt="lock" src="images/commenticons/lock.png" />
            <img alt="sticky" src="images/commenticons/bulb_on.png" />
            <img alt="edit" src="images/commenticons/comment_edit.png" />
        </div>
<?php
        }
?>        
    </div>
</div>
<?php
    }
?>

[garrettroyce]

Is the query returning any results? Is your function pagecomments() called in your page? Is $thread correct?
Edit:
Also, welcome back

[garrensilverwing]

Is the query returning any results? Is your function pagecomments() called in your page? Is $thread correct?
Edit:
Also, welcome back

$query = resource id #4

here is the code for the page

Code:

<?php
require "php.php";
$thread = "test";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="styles.css" />
</head>

<body>

<link rel="stylesheet" type="text/css" href="styles.css" />
<?php
login();
pagecomments($thread);
?>
</body>
</html>

and all the thread columns in my database are "test" so they should all show up but there are only 3 entries so i dont know where it is getting resource id #4 lol

ps: thanks :D

[garrettroyce]

No prob

I wouldn't worry about #4. I think it means it's the fourth resource that's been created. Is the <ol> tag and the subsequent <ul> tags showing up in the page source?

[garrensilverwing]

it is like it is skipping over function pagecomments($thread);

[misson]

PHP Code:

                $sql="SELECT * FROM comments WHERE 'thread' LIKE '$thread'"; 


Single quotes delineate string literals, so this query is comparing the string 'thread' to (e.g.) 'test', which will always fail and thus return no rows. The only time it would succeed is if $thread == 'thread', in which case every row from `comments` would be returned. Use either back quotes (`) or no quotes around column names.

The EXPLAIN statement can help in cases like this. If you used EXPLAIN on your query (in phpMyAdmin or on your local development server), you would have gotten a result like:

Code:

+----+-------------+-------+------+---------------+------+---------+------+------+------------------+
| id | select_type | table | type | possible_keys | key  | key_len | ref  | rows | Extra            |
+----+-------------+-------+------+---------------+------+---------+------+------+------------------+
|  1 | SIMPLE      | NULL  | NULL | NULL          | NULL | NULL    | NULL | NULL | Impossible WHERE | 
+----+-------------+-------+------+---------------+------+---------+------+------+------------------+

The "Impossible WHERE" tells you that something makes your WHERE clause impossible to fulfill.

PHP Code:

                echo "<ol>";
                while($row = mysql_fetch_array($query))
                    {
                        $username=$row['username'];
                        $text=$row['comment'];
                        echo "<div class=\"commentbox\">"; 


The only valid children of <ol> are whitespace, comments and <li>. You can't have a <div> as the immediate child of <ol>. The <div> elements aren't structural and are unnecessary for style; any styling of div.commentbox can be applied to li.commentbox.

It looks like you're storing people's passwords in the table as plaintext. This is terribly insecure, because if someone steals the database, they have everyone's password, and some of your users will use the same passwords on other sites, thus compromising the other sites. Store the passwords as a salted hash so that even if someone steals the DB, they still need to brute force each password separately.

@zillionth: Don't threadjack and don't spam. It makes me want to break your site.

[garrensilverwing]

hey mission, thanks for the help, one note: i am just using a test database that i created on my home computer to test out the script and using arbitrary username/passwords, on my real site it is encrypted

it is working perfectly now that i took the single quotes out :D