BitGuy
Nickel Bitcoiner
Posts: 41
Joined: Fri Oct 02, 2015 4:38 pm
Contact: Website

Do some code in PHP

Tue Dec 15, 2015 8:00 pm

Hi
I have a PHP script in which people can submit unlimited entries for giveaways. I want you to edit that code so people can submit only one entry from their IP for each giveaway. I mean one entry per IP per giveaway.

Here is the processEntry.php code:

Code:

<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="coinbudy"; // Database name
$tbl_name="entries"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form
$giveaway_id=$_POST['giveaway_id'];
$email=$_POST['email'];
$payment=$_POST['payment'];
$proof=$_POST['proof'];

// Insert data into mysql
$sql="INSERT INTO $tbl_name(giveaway_id ,email, payment, proof)VALUES('$giveaway_id', '$email', '$payment', '$proof')";
$result=mysql_query($sql);

// if successfully insert data into database, displays message "Successful".
if($result){
    $msg="Successfully Updated!!";
    echo "<script type='text/javascript'>alert('$msg');</script>";
    header('Location:admin.php');
}
else {
    $errormsg="Something went wrong, Try again";
    echo "<script type='text/javascript'>alert('$errormsg');</script>";
    header('Location:admin.php');
}
?>
<?php
// close connection
mysql_close();
?>
Try Incurex.com for currency exchange

coinableS
Nickel Bitcoiner
Posts: 65
Joined: Wed Sep 30, 2015 6:06 am

Donate BTC of your choice to 1J9ikqFuwrzPbczsDkquA9uVYeq6dEehsj

Contact: Website Twitter

Re: Do some code in PHP

Sat Dec 19, 2015 6:16 pm

mysql is deprecated, use mysqli or PDO.
Define a charset to prevent multibyte injection.
Escape all user input, i.e. $_POST.
Pull their IP address, then check it against your table prior to inserting.

Code:

<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="coinbudy"; // Database name
$tbl_name="entries"; // Table name

//connect to the DB
$conn = mysqli_connect("$host", "$username", "$password", "$db_name");
if (mysqli_connect_errno()){
    die("Connection to DB failed" . mysqli_connect_error());
}

// set the connection charset first, so escaping matches the encoding the server uses
mysqli_set_charset($conn,"utf8");

// Get values from form
$giveaway_id = mysqli_real_escape_string($conn, $_POST['giveaway_id']);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$payment = mysqli_real_escape_string($conn, $_POST['payment']);
$proof = mysqli_real_escape_string($conn, $_POST['proof']);
$ip = $_SERVER['REMOTE_ADDR'];

//check if this IP already has an entry for this giveaway (one entry per IP per giveaway)
$checkIpp = mysqli_query($conn, "SELECT * FROM $tbl_name WHERE ip = '$ip' AND giveaway_id = '$giveaway_id'");
$numrowIpp = mysqli_num_rows($checkIpp);
if($numrowIpp > 0) {
    die("Duplicate IP Detected");
} else {
    // Not a duplicate IP insert data into mysql
    $sql="INSERT INTO $tbl_name(giveaway_id ,email, payment, proof, ip)VALUES('$giveaway_id', '$email', '$payment', '$proof', '$ip')";
    $result= mysqli_query($conn, $sql);
}

// if successfully insert data into database, displays message "Successful".
if($result) {
    $msg="Successfully Updated!!";
    echo "<script type='text/javascript'>alert('$msg');</script>";
    header('Location:admin.php');
} else {
    $errormsg="Something went wrong, Try again";
    echo "<script type='text/javascript'>alert('$errormsg');</script>";
    header('Location:admin.php');
}

// close connection
mysqli_close($conn);
?>

ronnieb
Nickel Bitcoiner
Posts: 176
Joined: Sat Oct 03, 2015 6:15 pm
Location: Idaho
Contact: Website Facebook

Re: Do some code in PHP

Sat Dec 19, 2015 8:11 pm

> mysql is deprecated, use mysqli or PDO.
> Define a charset to prevent multibyte injection.
> Escape all user input, i.e. $_POST.
> Pull their IP address, then check it against your table prior to inserting.
I stole yours and added the PDO for fun

Code:

<?php
// Change variables to constants
define('DB_HOST', 'localhost');
define('DB_NAME', 'coinbudy');
define('DB_USER', 'root');
define('DB_PASS', '');
define('DB_TABL', 'entries');

// DIE if bad IP. You can put a "do whatever" here to let the user know their IP address is not complying.
$ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
if ($ip === false) {
    die('Invalid IP address.');
}

// PDO class - very simple
class oneTimeOnly {
    public function _dbPDOconnect() {
        // charset in the DSN so the driver and the server agree on the encoding
        $dbh = new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME.";charset=utf8mb4", DB_USER, DB_PASS);
        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $dbh;
    }

    public function goDB($sql, $array=false) {
        $dbh = $this->_dbPDOconnect();
        $sth = $dbh->prepare($sql);
        !$array ? $sth->execute() : $sth->execute($array);
        // statements without a result set (INSERT etc.) return the affected row count
        if ($sth->columnCount()==0) return $sth->rowCount();
        else return $sth->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Instantiate class with PDO
$do = new oneTimeOnly();

// check to see if this IP already entered this giveaway - if so DIE
if($do->goDB("SELECT * FROM ".DB_TABL." WHERE ip = ? AND giveaway_id = ?", array($ip, $_POST['giveaway_id']) )) {
    die("Duplicate IP Detected");
}

// insert into DB
if($do->goDB("INSERT INTO ".DB_TABL." (giveaway_id ,email, payment, proof, ip) VALUES ( ? , ? , ? , ? , ? )",
             array($_POST['giveaway_id'], $_POST['email'], $_POST['payment'], $_POST['proof'], $ip) )) {
    $msg="Successfully Updated!!";
    echo "<script type='text/javascript'>alert('$msg');</script>";
    //header('Location:admin.php');
} else {
    $errormsg="Something went wrong, Try again";
    echo "<script type='text/javascript'>alert('$errormsg');</script>";
    //header('Location:admin.php');
}
?>
You should always vet client variables before use!!
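Two things the scripts in this thread leave open: the SELECT-then-INSERT check has a gap, since two requests from the same IP arriving together can both pass the SELECT before either INSERT lands, and the form fields go into the query with no validation of what they contain. The following is an added example, not code from this thread; it reuses ronnieb's constant names, validates every client value first, and relies on an assumed UNIQUE KEY on (giveaway_id, ip) so the database itself enforces one entry per IP per giveaway.

```php
<?php
// Added example: validate client input, then let a UNIQUE KEY enforce one entry per IP per giveaway.
// Assumed schema (not from the thread):
//   ALTER TABLE entries ADD UNIQUE KEY uniq_giveaway_ip (giveaway_id, ip);
define('DB_HOST', 'localhost');
define('DB_NAME', 'coinbudy');
define('DB_USER', 'root');
define('DB_PASS', '');

// Validate every client-supplied value before it gets anywhere near the query.
$giveaway_id = filter_input(INPUT_POST, 'giveaway_id', FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
$email       = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$payment     = trim((string) filter_input(INPUT_POST, 'payment'));
$proof       = trim((string) filter_input(INPUT_POST, 'proof'));
$ip          = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);

if ($giveaway_id === false || $giveaway_id === null || $email === false || $email === null
    || $ip === false || $payment === '' || strlen($payment) > 128 || strlen($proof) > 2048) {
    http_response_code(400);
    exit('Invalid entry.');
}

try {
    // charset in the DSN and real (non-emulated) prepares: the server receives SQL and values separately
    $dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4', DB_USER, DB_PASS, array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
    $stmt = $dbh->prepare('INSERT INTO entries (giveaway_id, email, payment, proof, ip) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute(array($giveaway_id, $email, $payment, $proof, $ip));
    echo 'Entry recorded.';
} catch (PDOException $e) {
    // MySQL error 1062 = duplicate key: the unique index rejected the second entry, even for concurrent requests
    if (isset($e->errorInfo[1]) && $e->errorInfo[1] == 1062) {
        http_response_code(409);
        exit('Only one entry per IP address is allowed for each giveaway.');
    }
    // Never echo $e->getMessage() to the client; keep the details in the server log.
    error_log('entry insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Something went wrong, try again.');
}
```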

coinableS
Nickel Bitcoiner
Posts: 65
Joined: Wed Sep 30, 2015 6:06 am


Contact: Website Twitter

Re: Do some code in PHP

Sun Dec 20, 2015 7:26 pm

Awesome!
This thread is a great example of how open source software works 8-)
Starts somewhere and then additional people improve on the original code. Very cool!

coinableS
Nickel Bitcoiner
Posts: 65
Joined: Wed Sep 30, 2015 6:06 am


Contact: Website Twitter

Re: Do some code in PHP

Mon Dec 21, 2015 5:38 am

> I stole yours and added the PDO for fun
> You should always vet client variables before use!!
Thanks for this, I learned a few things just from this one block of code from Ronnie. I'm now converting an existing script of mine to PDO and prepared stmts, using your method of IP filtering and defining constants instead of variables. Thanks for posting!

ronnieb
Nickel Bitcoiner
Posts: 176
Joined: Sat Oct 03, 2015 6:15 pm
Location: Idaho
Contact: Website Facebook

Re: Do some code in PHP

Mon Dec 21, 2015 4:40 pm

> Thanks for this, I learned a few things just from this one block of code from Ronnie. I'm now converting an existing script of mine to PDO and prepared stmts, using your method of IP filtering and defining constants instead of variables. Thanks for posting!
Hey thanks!! Yeah, I was just messing around with the constants... I don't know that table names/variables should be constants but I always use constants for the DB parameters... but I was just messing around having fun!! Love coding!!!

BitGuy
Nickel Bitcoiner
Posts: 41
Joined: Fri Oct 02, 2015 4:38 pm
Contact: Website

Re: Do some code in PHP

Mon Dec 21, 2015 5:49 pm

How do I show the number of entries submitted for each giveaway?
This is my website: http://bitfreebie.com

Each giveaway has its ID.

nandibear
Global Moderator
Posts: 2505
Joined: Sat Jan 30, 2016 7:04 am

Donate BTC of your choice to 1DYss8ztWEgcM93SJtnpfYVt6fp7cwmjBk

Contact: Website Twitter Telegram

Re: Do some code in PHP

Wed Feb 03, 2016 8:33 am

@ronnieb, @coinableS

Code:

// insert into DB
if($do->goDB("INSERT INTO ".DB_TABL." (giveaway_id ,email, payment, proof, ip) VALUES ( ? , ? , ? , ? , ? )",
             array($_POST['giveaway_id'], $_POST['email'], $_POST['payment'], $_POST['proof'], $ip) ))
I too use PDO prepared statements (PDO is the only way that I connect to and interact with the database) and I do understand that the method used in your above code (question mark placeholders) has effectively sanitized the input, but would it be more effective (or essentially the same?) to bind the variables / parameters:

Code:

// $dbh is a PDO connection as in the post above; values taken from the form
$giveaway_id = $_POST['giveaway_id'];
$email = $_POST['email'];
$payment = $_POST['payment'];
$proof = $_POST['proof'];

// the constant has to be concatenated in: inside the quoted string, DB_TABL would be sent to MySQL literally
$q = "INSERT INTO ".DB_TABL." (giveaway_id, email, payment, proof, ip) VALUES (:giveaway_id, :email, :payment, :proof, :ip);";
$query = $dbh->prepare($q);
$results = $query->execute(array(
    ":giveaway_id" => $giveaway_id,
    ":email" => $email,
    ":payment" => $payment,
    ":proof" => $proof,
    ":ip" => $_SERVER['REMOTE_ADDR']
));

nandibear
Global Moderator
Posts: 2505
Joined: Sat Jan 30, 2016 7:04 am


Contact: Website Twitter Telegram

Re: Do some code in PHP

Thu Feb 04, 2016 4:37 am

@coinbuddy
> How do I show the number of entries submitted for each giveaway?
> This is my website: http://bitfreebie.com
>
> Each giveaway has its ID.

Try something like this:

Code:

$stmt = $dbh->prepare("SELECT * FROM db_table WHERE giveaway_id=:whatever ORDER BY giveaway_id DESC");
$stmt->bindParam(":whatever", $_GET['giveaway_id'], PDO::PARAM_INT);
$stmt->execute();
$results = $stmt->fetchAll();
foreach($results as $r){
    // you could close php here and add a div or some html and then open php again before echo
    echo $r['giveaway_id'];
}
// this should print out at your website all of the entries in the giveaway_id column, in order of the most recent
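The query above fetches every row of the giveaway and echoes its giveaway_id once per row; the number of entries itself can be computed by the database. The following is an added example, not code from this thread: it assumes the entries table and database credentials from ronnieb's post, counts in SQL for one giveaway or for all of them, validates giveaway_id from the URL as an integer, and escapes what it prints.

```php
<?php
// Added example: count entries per giveaway with prepared statements (assumes the entries table from the thread).
function entryCount(PDO $dbh, $giveawayId) {
    // One giveaway: COUNT(*) in SQL instead of fetching every row and counting in PHP.
    $stmt = $dbh->prepare('SELECT COUNT(*) FROM entries WHERE giveaway_id = :id');
    $stmt->bindValue(':id', $giveawayId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

function entryCountsForAll(PDO $dbh) {
    // Every giveaway in one round trip: giveaway_id => number of entries.
    $rows = $dbh->query('SELECT giveaway_id, COUNT(*) AS n FROM entries GROUP BY giveaway_id')
                ->fetchAll(PDO::FETCH_ASSOC);
    $counts = array();
    foreach ($rows as $row) {
        $counts[(int) $row['giveaway_id']] = (int) $row['n'];
    }
    return $counts;
}

$dbh = new PDO('mysql:host=localhost;dbname=coinbudy;charset=utf8mb4', 'root', '', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));

// giveaway_id comes from the URL: validate it as a positive integer before it goes anywhere near the query.
$giveawayId = filter_input(INPUT_GET, 'giveaway_id', FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));

if ($giveawayId) {
    // Escape output even for an integer; the same habit protects email/proof fields on a listing page.
    echo 'Giveaway ' . htmlspecialchars((string) $giveawayId, ENT_QUOTES, 'UTF-8')
       . ': ' . entryCount($dbh, $giveawayId) . " entries\n";
} else {
    foreach (entryCountsForAll($dbh) as $id => $n) {
        echo 'Giveaway ' . $id . ': ' . $n . " entries\n";
    }
}
```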

ronnieb
Nickel Bitcoiner
Posts: 176
Joined: Sat Oct 03, 2015 6:15 pm
Location: Idaho
Contact: Website Facebook

Re: Do some code in PHP

Wed Feb 10, 2016 11:38 pm


> I too use PDO prepared statements (PDO is the only way that I connect to and interact with the database) and I do understand that the method used in your above code (question mark placeholders) has effectively sanitized the input, but would it be more effective (or essentially the same?) to bind the variables / parameters:
Yeah, that's golden too!! I do it both ways. I favor binding when I can reduce the workload e.g. duplication. I like ? because it's less typing. LOL... laZ coder right here!!!
