
Adding something to a script

Discussion in 'PHP & Perl' started by Firestorm, Jun 18, 2010.

  1. Firestorm

    Firestorm Regular Member

    Joined:
    Jan 1, 2008
    Messages:
    293
    Likes Received:
    4
    Hello,

    I would like to know how to add the Facebook Like icon next to all the pages, like on presslike.net. My website is petvillelove.com and the code is:

    [PHP]
    <?php
    include ("config.php");  // connects to MySQL and defines $url_site
    if ($_POST["like"]) {    // the "Create a New Page" form was submitted
        $like=$_POST["like"];
        mysql_query("INSERT INTO fblike VALUES(NULL, '$like', '1')");  // raw POST value pasted into the SQL text
        $x=mysql_query("SELECT * FROM fblike ORDER BY id DESC LIMIT 1");  // fetch the id just assigned
        while ($y=mysql_fetch_assoc($x)){
            $id=$y['id'];
        }
    ?>
    <script type="text/javascript"> window.location.href="<?=$url_site?>like.php?id=<?=$id?>";</script>
    <?php
    }
    ?>

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html lang="en">
    <head>
    <title>LikeItNow - What do you like?</title>

    <link rel="stylesheet" href="styles.css">

    <script type="text/javascript" src="js/jquery.js"></script>
    <script type="text/javascript" src="js/jquery.corner.js"></script>
    <script type="text/javascript" src="js/main.js"></script>
    </head>

    <body>
    <div id="fb-root"></div>
    <script>
    // Facebook JavaScript SDK bootstrap
    window.fbAsyncInit = function() {
        FB.init({appId: '48272f6b9a278d88b2ec480da8790513', status: true, cookie: true,
                 xfbml: true});
    };
    (function() {
        var e = document.createElement('script'); e.async = true;
        e.src = document.location.protocol +
            '//connect.facebook.net/en_US/all.js';
        document.getElementById('fb-root').appendChild(e);
    }());
    </script>

    <div id="header">
    <a href="index.php" id="branding"><span>LikeItNow</span></a>
    <p id="total_pages" class="rounded"><span id="count"><?php
    // The highest id so far doubles as the "pages created" counter
    $x=mysql_query("SELECT * FROM fblike ORDER BY id DESC LIMIT 0,1");
    while ($y=mysql_fetch_assoc($x)) {
        echo $y['id'];
    }
    ?></span> pages created</p>
    </div>

    <div id="page_details" class="rounded">
    <h2>Create a New Page</h2>
    <p id="character_count"><span id="characters">50</span> characters available</p>
    <form method="POST" action="index.php">
    <input type="text" name="like" class="comments" maxlength="50" value="Type your page name here ...">
    <p id="url"></p>

    <button id="create_button" type="submit"></button>
    </form>
    </div>

    <div id="popular_pages" class="rounded box_420">
    <h2>Most Popular Pages</h2>
    <ul>
    <?php
    // Ten pages with the most hits, names trimmed to 44 characters
    $x=mysql_query("SELECT * FROM fblike ORDER BY hits DESC LIMIT 0,10");
    while ($y=mysql_fetch_assoc($x)) {
        $id=$y['id'];
        $like=$y['like'];
    ?>
    <li><a href='like.php?id=<?=$id?>'><?php echo substr($like, 0, 44); ?></a><br></li>
    <?php
    }
    ?>
    </ul>
    </div>

    <div id="new_pages" class="rounded box_420">
    <h2>New Pages</h2>
    <ul>
    <?php
    // Ten most recently created pages
    $x=mysql_query("SELECT * FROM fblike ORDER BY id DESC LIMIT 0,10");
    while ($y=mysql_fetch_assoc($x)) {
        $id=$y['id'];
        $like=$y['like'];
    ?>
    <li><a href='like.php?id=<?=$id?>'><?php echo substr($like, 0, 44); ?></a><br></li>
    <?php
    }
    ?>
    </ul>
    </div>

    <p id="footer" class="rounded">LikeItNow © 2010. LikeItNow is not related to Facebook</p>

    </body>
    </html>
    [/PHP]
     
    Last edited: Jun 18, 2010
  2. voyevoda

    voyevoda Regular Member Premium Member

    Joined:
    Mar 21, 2010
    Messages:
    217
    Likes Received:
    97
    Location:
    Eastern Front
    You may want to take a look at this function, too:

    http://us3.php.net/mysql_real_escape_string

    You need to sanitize input being used to build SQL queries. In line 5 of your code, I could inject a SQL query to drop your database, alter the data in it, or write out new files on the filesystem (SELECT "exploit code" INTO OUTFILE ...) and potentially take over your server... all because $like is inserted into the SQL statement without being escaped.

    As for your actual question, I have no idea. :)
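An added example, not code from the thread: the INSERT on line 5 of the posted index.php in its unsafe form next to a parameterised version. It assumes PDO with an in-memory SQLite database in place of the site's MySQL connection so it runs stand-alone, and uses prepared statements instead of the mysql_real_escape_string function linked above.

```php
<?php
// Added example, not the poster's code: the INSERT from line 5 of the
// posted index.php, unsafe and parameterised side by side. PDO + in-memory
// SQLite stand in for the site's MySQL connection so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fblike (id INTEGER PRIMARY KEY, "like" TEXT, hits INTEGER)');

// Unsafe: the form value is pasted into the SQL text, exactly as on the page.
function insertLikeUnsafe(PDO $db, $like) {
    $db->exec("INSERT INTO fblike VALUES (NULL, '$like', '1')");
    return (int) $db->lastInsertId();
}

// Fixed: the value is sent as a bound parameter, so quotes or SQL keywords
// inside it are stored as plain text and never parsed as SQL.
function insertLikeSafe(PDO $db, $like) {
    $stmt = $db->prepare('INSERT INTO fblike VALUES (NULL, ?, 1)');
    $stmt->execute(array(substr($like, 0, 50)));  // the form's maxlength="50", enforced server-side
    return (int) $db->lastInsertId();
}

// Constructed input: an ordinary page name that happens to contain a quote.
$input = "O'Reilly's Pet Page";

try {
    insertLikeUnsafe($db, $input);
} catch (PDOException $e) {
    // The apostrophe closes the string literal early and the statement no
    // longer parses; a deliberately crafted value would instead run as SQL.
    echo "unsafe insert rejected: " . $e->getMessage() . "\n";
}

$id = insertLikeSafe($db, $input);
$stmt = $db->prepare('SELECT id, "like" FROM fblike WHERE id = ?');
$stmt->execute(array($id));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// Escape on the way out as well, before the stored name is echoed into HTML.
echo $row['id'] . ': ' . htmlspecialchars($row['like'], ENT_QUOTES, 'UTF-8') . "\n";
```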
     
  3. syns0r

    syns0r Junior Member

    Joined:
    Mar 31, 2007
    Messages:
    141
    Likes Received:
    31
    Here is something from facebook about it:
    "The basic Like button is available via a simple iframe you can drop into your page easily. A fuller-featured Like button is available via the <fb:like> XFBML tag (which requires you use the new JavaScript SDK). "
    Code:
    http://developers.facebook.com/docs/reference/plugins/like
     
  4. plasmaflux

    plasmaflux Registered Member

    Joined:
    Feb 20, 2010
    Messages:
    91
    Likes Received:
    37
    Thanks for the unaltered code!

    I just took control of your site and database. How much are you willing to pay to get it back?

    I keed, I keed. But seriously, at least obfuscate your variables and wrap that junk in some code tags!