
Sunday, 30 June 2013

create_subject.php

<?php require_once("includes/connection.php");?>
<?php require_once("includes/functions.php"); ?>
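<?php
// Read the three submitted form fields. mysql_prep() (includes/functions.php)
// escapes the string for use inside a quoted SQL literal; a field missing from
// the request is treated as empty instead of raising an undefined-index notice.
$menu_name = mysql_prep(isset($_POST['menu_name']) ? $_POST['menu_name'] : '');
// position and visible are placed unquoted in the INSERT, so they must be
// integers: an explicit cast is what makes them safe, not string escaping.
$position = isset($_POST['position']) ? (int) $_POST['position'] : 0;
$visible  = isset($_POST['visible'])  ? (int) $_POST['visible']  : 0;

// The statement text must not contain PHP "//" comments: everything inside the
// double-quoted string is sent to MySQL verbatim and would break the query.
$query = "INSERT INTO subjects (menu_name, position, visible) " .
         "VALUES ('{$menu_name}', {$position}, {$visible})";
$result = mysql_query($query, $connection);
if ($result) {
    // Success: redirect to the content page and stop rendering this script.
    header("Location: content.php");
    exit;
} else {
    // Display error message. mysql_error() text is shown to the browser here;
    // outside of development it is better logged than displayed.
    echo "<p>Subject creation failed.</p>";
    echo "<p>" . mysql_error() . "</p>";
}
mysql_close($connection);
?>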



function.php



<?php
// This file is the place to store basic functions

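function mysql_prep($value){
    // Escape a string for use inside a single-quoted SQL literal.
    // The original declared the parameter as $vlaue and then used $value,
    // so the input was never escaped; the parameter is now spelled $value.
    // Legacy magic_quotes_gpc handling: on PHP >= 4.3.0 its slashes are
    // stripped first so mysql_real_escape_string does the work; on older PHP
    // addslashes is used unless magic quotes already added the slashes.
    // get_magic_quotes_gpc() no longer exists on current PHP, so it is only
    // called when present and treated as "off" otherwise.
    $magic_quotes_active = function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) { $value = stripslashes($value); }
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if (!$magic_quotes_active) { $value = addslashes($value); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}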
function confirm_query($result_set){
    // Stop the script with the MySQL error text when a query handle is false;
    // a usable result set passes through untouched.
    if ($result_set) {
        return;
    }
    die("Database query failed:" . mysql_error());
}
function get_all_subjects(){
    // Return a MySQL result handle over every subject row, ordered by position.
    // Uses the $connection opened by includes/connection.php; a failed query
    // terminates the script via confirm_query().
    global $connection;
    $sql = "SELECT *
                         FROM subjects
                        ORDER BY position ASC";
    $rows = mysql_query($sql, $connection);
    confirm_query($rows);
    return $rows;
}

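function get_pages_for_subjects($subject_id){
    // Return a MySQL result handle over the pages of one subject, ordered by
    // position. $subject_id is placed unquoted in the SQL, so it is cast to
    // int first; that also keeps any non-numeric value out of the statement.
    global $connection;
    $subject_id = (int) $subject_id;
    $query = "SELECT *
                    FROM pages
                    WHERE subject_id ={$subject_id}
                    ORDER BY position ASC";
    $page_set = mysql_query($query, $connection);
    confirm_query($page_set);
    return $page_set;
}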

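function get_subject_by_id($subject_id){
    // Return the subject row with the given id as an array, or null when no
    // row matches. find_selected_page() passes $_GET['subj'] straight in, so
    // the id is cast to int before it is concatenated into the SQL.
    global $connection;
    $subject_id = (int) $subject_id;
    $query  = "SELECT * ";
    $query .= "FROM subjects ";
    $query .= "WHERE id=" . $subject_id . " ";
    $query .= "LIMIT 1";
    $result_set = mysql_query($query, $connection);
    confirm_query($result_set);

    // REMEMBER:
    // if no rows are returned, mysql_fetch_array returns false
    $subject = mysql_fetch_array($result_set);
    return $subject ? $subject : null;
}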
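function get_page_by_id($page_id){
    // Return the page row with the given id as an array, or null when no row
    // matches. find_selected_page() passes $_GET['page'] straight in, so the
    // id is cast to int before it is concatenated into the SQL.
    global $connection;
    $page_id = (int) $page_id;
    $query  = "SELECT * ";
    $query .= "FROM pages ";
    $query .= "WHERE id=" . $page_id . " ";
    $query .= "LIMIT 1";
    $result_set = mysql_query($query, $connection);
    confirm_query($result_set);

    // REMEMBER:
    // if no rows are returned, mysql_fetch_array returns false
    $page = mysql_fetch_array($result_set);
    return $page ? $page : null;
}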

function find_selected_page() {
    // Set the globals $sel_subject and $sel_page from the query string:
    // ?subj= selects a subject, otherwise ?page= selects a page, otherwise
    // both stay null. At most one of the two is non-null afterwards.
    global $sel_subject;
    global $sel_page;
    $sel_subject = null;
    $sel_page = null;
    if (isset($_GET['subj'])) {
        $sel_subject = get_subject_by_id($_GET['subj']);
    } elseif (isset($_GET['page'])) {
        $sel_page = get_page_by_id($_GET['page']);
    }
}
 function navigation( $sel_subject,$sel_page){
    $output ="<ul class=\"subjects\">";
       
        // 3. Perform database query
        
        $subject_set = get_all_subjects();
        while ($subject= mysql_fetch_array($subject_set)) {
       
            $output .= "<li";
            if($subject["id"]== $sel_subject['id']){
                 $output .= " class=\"selected\"" ;
            }
             $output .= "><a href=\"content.php?subj=".urlencode($subject["id"])."\">
            {$subject["menu_name"]}</a></li>";
            $page_set = get_pages_for_subjects($subject["id"]);
          
            $output .= "<ul class=\"pages\" >";
            while ($page = mysql_fetch_array($page_set)) {
           
             $output .= "<li";
            if($page["id"]==$sel_page['id']){
               $output .= " class=\"selected \"" ;
            }
             $output .= "><a href=\"content.php?page=".urlencode($page["id"])."\">
            {$page["menu_name"]}</a></li>";
            }
           $output .="</ul>";
        }
     
        $output .=" </ul>";
        return $output;
}

?>