[horllasskid]

<?php require_once('Connections/book.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "comming")) {
    if($_POST['coding'] == 19){
  $insertSQL = sprintf("INSERT INTO bcomments (id, bid, commentin, fname, mail) VALUES (1, %s, %s, %s, %s)",
                GetSQLValueString($_POST['id'], "int"),
                       GetSQLValueString($_POST['bid'], "int"),
                       GetSQLValueString($_POST['comments'], "text"),
                       GetSQLValueString($_POST['fname'], "text"),
                       GetSQLValueString($_POST['mail'], "text"));

  mysql_select_db($database_book, $book);
  $Result1 = mysql_query($insertSQL, $book) or die(mysql_error());

  $insertGoTo = "books/".$_POST['url'];
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
    }else{

        $insertGoTo = "books/".$_POST['url']."/error";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
    }
}


$colname_authordetails = "-1";
if (isset($_GET['q'])) {
  $colname_authordetails = $_GET['q'];
}
mysql_select_db($database_book, $book);
$query_authordetails = sprintf("SELECT * FROM book WHERE url = %s", GetSQLValueString($colname_authordetails, "text"));
$authordetails = mysql_query($query_authordetails, $book) or die(mysql_error());
$row_authordetails = mysql_fetch_assoc($authordetails);
$totalRows_authordetails = mysql_num_rows($authordetails);

$colname_commenting = "-1";
if (isset($row_authordetails['id'])) {
  $colname_commenting = $row_authordetails['id'];
}
mysql_select_db($borders_db, $book);
$query_commenting = sprintf("SELECT * FROM bcomments WHERE id = %s ORDER BY id DESC", GetSQLValueString($colname_commenting, "int"));
$commenting = mysql_query($query_commenting, $book) or die(mysql_error());
$row_commenting = mysql_fetch_assoc($commenting);
$totalRows_commenting = mysql_num_rows($commenting);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR...nsitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googleta...07-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-103795307-1');
</script>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width" />
<meta name="description" content="Review of <?php echo $row_africanpublishedbooks['title']; ?> by Olatoun Williams" />
<title>Borders Literature Online | Review of <?php echo $row_africanpublishedbooks['title']; ?> by Olatoun Williams</title>
<link href="imaging/favicon.ico" rel="shortcut icon" />
<base href="http://<?php echo $_SERVER['HTTP_HOST']; ?>/" />
<link href="Scripting/normalize.css" rel="stylesheet" type="text/css" media="all" />
<link href="Scripting/getdevice.css" rel="stylesheet" type="text/css" media="all" />
<link href="SpryAssets/SpryValidationTextField.css" rel="stylesheet" type="text/css" />
<link href="SpryAssets/SpryValidationTextarea.css" rel="stylesheet" type="text/css" />
<link href="jQuery/css/style.css" rel="stylesheet" type="text/css" />
<script src="SpryAssets/SpryValidationTextField.js" type="text/javascript"></script>
<script src="SpryAssets/SpryValidationTextarea.js" type="text/javascript"></script>
<script type="text/javascript">var switchTo5x=true;</script>
<script type="text/javascript" src="http://w.sharethis.c...s.js"></script>
<script type="text/javascript">stLight.options({publisher: "09a46005-f45b-400f-9230-7a1c97d221c2", doNotHash: false, doNotCopy: false, hashAddressBar: false});</script>
<style>
#commentss {
    padding-top: 20px;
    border-top-width: 1px;
    border-top-style: solid;
    border-top-color: #CCC;
    margin-bottom: 30px;
}
#dcomment {
    margin-bottom: 15px;
    border-bottom-width: 1px;
    border-bottom-style: dotted;
    border-bottom-color: #CCC;
}
#dcomment span {
    display: block;
    margin-bottom: 5px;
    font-weight: bold;
}
#tit{
    line-height:24px;
}
</style>
</head>

<body>
<div id="topdiv">
  <div class="wrapper">
  <a href="index.php"><img name="" src="imaging/border-logo.png" width="215" height="84" alt="" /></a>
  </div>
</div>
<div id="nav">
  <div class="wrapper">
    <div id="navbar">
  <ul>
   <li style="margin-left:0px;"><a href="/">Home</a></li>
    <li><a href="about">About Us</a></li>
    <li><a href="Book_Reviews_and_Podcasts">Book Reviews & Podcast</a></li>
    <li><a href="Book_Trade_Interviews">Book Trade Interviews</a></li>
    <li><a href="Africanist_and_Global">Africanist & Global</a></li>
<li><a href="Independent_Comment_About_Borders">Comment About Borders</a></li>
    <li><a href="contact">Contact Us</a></li>
    <li><a href="links">Links</a></li>
    <li><a href="faq">Faq</a></li>
  </ul>
  <div class="clr"></div>
    </div>
  </div>
</div>
<div class="wrapper">
<div style="background-color:#FFF; margin-top:2%;"">
        <div id="scon">
      <h3><?php echo $row_authordetails['title']; ?></h3>
      <div id="navin">
        <a href="/">Home /  </a><a href="Book_Reviews_and_Podcasts">Book Reviews & Podcast </a><span><?php echo $row_africanpublishedbooks['title']; ?></span>
        </ul>
        <div class="clr"></div>
      </div>
      <span style="display:block; padding:10px; font-size:16px; margin-bottom:25px; background-color:#E7E7E7"><strong>By </strong><a href="authors/<?php echo "".$row_authordetails['author']; ?>"><?php echo $row_authordetails['name']; ?></a> | <strong>Reviewed by:</strong> <?php echo $row_authordetails['reviewed']; ?> | <span class='st_facebook' displayText='Facebook'></span>
<span class='st_twitter' displayText='Tweet'></span>
<span class='st_linkedin' displayText='LinkedIn'></span>
<span class='st_googleplus' displayText='Google +'></span>
<span class='st_email' displayText='Email'></span></span></span>
      <div style="font-size:16px; line-height:23px;"><img name="" src="uploads/<?php echo $row_authordetails['img']; ?>" alt="" style="float:left; margin-right:20px; padding:1px; border:solid 1px #999" /><?php echo $row_authordetails['details']; ?>
      <div class="clr"></div>
      <div style="margin-top:20px; border-top:solid 1px #CCC; padding-top:2px">
      <div id="commentss">
      <span class="sfont"><?php echo $totalRows_commenting; ?> Comment(s) </span>
      <div class="uling">
        <?php
        if($totalRows_commenting == 0){

            echo "No Comments";
        }else{

        do { ?>
          <div id="dcomment">
            <span>Posted by <?php echo $row_commenting['fname']; ?> | <?php $ddate = strtotime($row_commenting['adate']);
                        echo date("d.F.Y G:i:s", $ddate); ?></span>
            <?php echo $row_commenting['commentin']; ?>

          </div>
          <?php } while ($row_commenting = mysql_fetch_assoc($commenting));  } ?>
      </div>
      </div>
      <div id="addcomment">
      <h3 class="font1">Add A Comment</h3>
      <div>
      <form id="comming" name="comming" method="POST" action="<?php echo $editFormAction; ?>">
      <table width="100%" cellpadding="10" cellspacing="0">
    <tr>
        <td colspan="2" align="center" style="color:#900"><?php if(isset($_GET['err'])){ echo "Please Fill in all fields and make sure the secret code is correct";  } ?></td>
    </tr>
    <tr>
        <td width="36%"><strong>Preferred Display Name:</strong></td>
        <td width="64%">
            <span id="sprytextfield1">
            <input name="fname" type="text" class="txt" id="fname" />
            <span class="textfieldRequiredMsg">*</span></span>
        </td>
  </tr>
    <tr>
        <td><strong>Email Address:</strong></td>
        <td><span id="sprytextfield2">
        <label for="mail"></label>
        <input name="mail" type="text" class="txt" id="mail" />
        <span class="textfieldRequiredMsg">*</span><span class="textfieldInvalidFormatMsg">Invalid email.</span></span></td>
    </tr>
  <tr>
    <td valign="top"><strong>Your Comment:</strong></td>
    <td><span id="sprytextarea1">
      <label for="comments"></label>
      <textarea name="comments" cols="45" rows="5" class="txt" id="comments"></textarea>
      <span class="textareaRequiredMsg">*</span></span></td>
  </tr>
  <tr>
    <td valign="top">Please add up this figures.</td>
    <td><img name="" src="imaging/barcode.jpg" width="150" height="40" alt="" /><br />
<span id="sprytextfield3">
      <label for="coding"></label>
      <input type="text" name="coding" id="coding" />
      <span class="textfieldRequiredMsg">*</span></span></td>
  </tr>
  <tr>
    <td><input name="id" type="hidden" value="<?php echo $row_authordetails['id']; ?>" />
      <input type="hidden" name="urls" id="" value="<?php echo $row_authordetails['urls']; ?>" /></td>
    <td><input name="button" type="submit" class="btn" id="button" value="Submit" /></td>
  </tr>
</table>
      <input type="hidden" name="MM_insert" value="comming" />
      </form>
</div>
      </div>
      </div>
      </div>
      <div class="clr"></div>
        </div>
</div>
</div>
<div id="footer">
  <div class="wrapper">
    <div id="foot-opt">
      <div class="escobar">
      <h3>Contact </h3>
      <span><strong>Email</strong> : <d>[email protected]</d></span>
      <span><strong> Tel</strong> :  0803 344 7167</span>
      <div style="margin-left:0px">
<!-- Begin MailChimp Signup Form -->
<link href="//cdn-images.mailchimp.com/embedcode/classic-10_7.css" rel="stylesheet" type="text/css">
<div id="mc_embed_signup" style="margin-left:0px">
<form action="https://bordersliter...;id=3a4dae69e0"method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank" novalidate>
    <div id="mc_embed_signup_scroll" style="margin:0px">
<div class="mc-field-group" style="margin-bottom:0px">
     <label for="mce-EMAIL" style="font-size:16px; color:#CCC">Subscribe to our mailing list</label>
    <input type="email" value="" name="EMAIL" style="width:90%" class="required email" id="mce-EMAIL">
</div>
   <!-- real people should not fill this in and expect good things - do not remove this or risk form bot signups-->
    <div style="position: absolute; left: -5000px;" aria-hidden="true; margin:0px"><input type="text" name="b_cac56622774697b1fab193719_3a4dae69e0" tabindex="-1" value=""></div>
    <div class="clear"><input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button" style="width:94%"></div>
    </div>
</form>
</div>
<script type='text/javascript' src='//s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js'></script><script type='text/javascript'>(function($) {window.fnames = new Array(); window.ftypes = new Array();fnames[0]='EMAIL';ftypes[0]='email';fnames[1]='FNAME';ftypes[1]='text';fnames[2]='LNAME';ftypes[2]='text';fnames[3]='BIRTHDAY';ftypes[3]='birthday';}(jQuery));var $mcj = jQuery.noConflict(true);</script>
<!--End mc_embed_signup-->
      </div>
      </div>
      <div class="shyne">
      <h3 style="text-align:center;">Services</h3>
      <div><a href="http://www.write-upc...ications.co.uk"target="_blank">Proofreading & Copy editing</a>
        <a href="Book_Trade_Interviews">Author Interviews</a><a href="gallery">Literature Appreciation Workshops</a>
       </div>
      <div> <a href="Book_Reviews_and_Podcasts">Book Reviews</a>
        <a href="http://www.write-upc...ications.co.uk"target="_blank">Copywriting</a></div>
      <div class="clr"></div>
      </div>
      <div class="escobar" id="last">
      <h3>Connect With Us</h3>
   <span> We're on Social Networks. Follow us & get in touch.</span>
   <div><a href="https://www.facebook...eratureonline/"target="_blank" title="Join us on Facebook"> <img name="" src="imaging/facebook-icon.png" width="31" height="31" alt="" /></a>
   <a href="https://twitter.com/bordersliterat1"target="_blank" title="Follow us on twitter"><img name="" src="imaging/twitter-icon.png" width="31" height="31" alt="" /></a>
   <a href="https://bristol.acad...latounWilliams"target="_blank" title="Read more on academia"><img name="" src="imaging/academia-icon.png" width="31" height="31" alt="" /></a>
   </div>
      </div>
      <div class="clr"></div>
      </div>
    <div id="footext"><span>Copyright © Olatoun Williams | National Copyright Commission Number: LW0620</span></div>
  </div>
</div>
<script type="text/javascript">
var sprytextfield1 = new Spry.Widget.ValidationTextField("sprytextfield1");
var sprytextfield2 = new Spry.Widget.ValidationTextField("sprytextfield2", "email");
var sprytextarea1 = new Spry.Widget.ValidationTextarea("sprytextarea1");
var sprytextfield3 = new Spry.Widget.ValidationTextField("sprytextfield3");
</script>
</body>
</html>
<?php
mysql_free_result($authordetails);
?>

[Advertisements]

I am not a PHP person. Just wanted to ask you if you have specific errors being reported? Maybe listing any errors would help to narrow down where the code is causing the problem. Just a thought.

[AstraNut]

I am not a PHP person. Just wanted to ask you if you have specific errors being reported? Maybe listing any errors would help to narrow down where the code is causing the problem. Just a thought.

[horllasskid]

Ok thanks for the advice

[AstraNut]

I take it you are getting no specific errors??? What is exactly happening with the comments section. I can't run your code here and checking line by line is very tedious.

[AstraNut]

8 functions in your code that have been deprecated in the current version of PHP :

 

• mysql_error()
• mysql_escape_string()
• mysql_fetch_assoc()
• mysql_free_result()
• mysql_num_rows()
• mysql_query()
• mysql_real_escape_string()
• mysql_select_db()

 

FATAL ERROR: syntax error, unexpected 'is' (T_STRING), expecting ')' on line number 4 ( function GetSQLValueString($thSomething is wrongue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") )

 

Just a guess at this point, but try updating the PHP to latest version before continuing.

==============================================

 

Update: Running,using PHP version 7.2.4, I got this:

 

<br />
<b>Warning</b>:  require_once(Connections/book.php): failed to open stream: No such file or directory in <b>[...][...]</b> on line <b>1</b><br />
<br />
<b>Fatal error</b>:  require_once(): Failed opening required 'Connections/book.php' (include_path='.

 

==============================================

Not sure if this will help but running again:

 

Line 49: SQL Injection in 'mysql_query' via '$insertSQL'
Line 49: SQL Injection in 'mysql_query' via '$insertSQL'
Line 49: SQL Injection in 'mysql_query' via '$insertSQL'
Line 49: SQL Injection in 'mysql_query' via '$insertSQL'
Line 49: SQL Injection in 'mysql_query' via '$insertSQL'
Line 56: Header Injection in 'header' via '$insertGoTo'
Line 64: Header Injection in 'header' via '$insertGoTo'
Line 75: SQL Injection in 'mysql_query' via '$query_authordetails'
Line 106: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
Line 169: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'
Line 175: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'
Line 175: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'
Line 175: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'
Line 180: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'
Line 180: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'
Line 205: Cross-Site Scripting (XSS) in 'echo' via '$editFormAction'
Line 241: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'
Line 242: Cross-Site Scripting (XSS) in 'echo' via '$row_authordetails'

Edited by AstraNut, 17 May 2018 - 05:26 PM.

[horllasskid]

What really happened was that am not the one who wrote the code from beginning. Please check the website www.bordersliteratureonline.net

When you open the book review of the site click on any of the book review and check the comments section. You will see the error.

[AstraNut]

What really happened was that am not the one who wrote the code from beginning. Please check the website www.bordersliteratureonline.net

When you open the book review of the site click on any of the book review and check the comments section. You will see the error.

I don't think I'm seeing what you are seeing. Attaching a photo of the Comment Section I got after clicking Book Review for "The .Seed Thief". What error am I suppose to see?

 

Update just for this page but only for your information (FYI): There about 70+ HTML errors on the page that should be easily correctable. Didn't check CSS.

Attached Thumbnails

• 

Edited by AstraNut, 18 May 2018 - 06:55 PM.