Thread: Integration of a script within a page

  1. #1
    Integration of a script within a page

    I am trying to add a guestbook to a php cart.

    I have a file located here:
    http://www.grbcollectables.co.uk/gue...hp?action=sign

    Which is the working model.

    Try and include the same file using
    <? include("guestbookorig.php"); ?>

    into this file here:
    http://www.grbcollectables.co.uk/gue...hp?action=sign

    and the security image disappears.

    Been playing around with this all morning - and have found that if there is a space on line 1 of the guestbookorig.php file, the same result happens. Remove the space and all works fine.

    Any ideas of what would cause this and how to overcome it?

  2. #2
    I think it might be an encoding problem [The space causing a different assumption].

    Firstly add the missing headers -
    Doctype, html, content-type, etc.

    If an include is at the start of a file and the content-type is unknown (the content-type is not yet set), then I think it will be determined when the first character is output, and if it is a leading space that will do it.

    Happy Christmas,
    David.

  3. #3
    Works without headers...

    I took out the headers when playing with the script on the main page which contains the includes file - I have put them back in just to check... but no difference...

    What I found is anything placed before:

    <? include("guestbookorig.php"); ?>

    causes the security image not to work. The file I am trying to include is as follows (if that helps!). Like I said, it works as a standalone file...

    <?php
    if ( !file_exists("config.php") )
    {
    die( 'Please run <a href="./install.php">install.php</a> before using this guestbook.' );
    }
    require_once("config.php");

    if ( !file_exists($config["signguestbook"]) )
    {
    die( "The file ".$config["signguestbook"]." does not exists." );
    }
    if ( !file_exists($config["guestbook"]) )
    {
    die( "The file ".$config["guestbook"]." does not exists." );
    }
    if ( !file_exists($config["guestbooksignerror"]) )
    {
    die( "The file ".$config["guestbooksignerror"]." does not exists." );
    }
    if ( !file_exists($config["guestbookthankyou"]) )
    {
    die( "The file ".$config["guestbookthankyou"]." does not exists." );
    }
    if ( !file_exists($config["guestbookpost"]) )
    {
    die( "The file ".$config["guestbookpost"]." does not exists." );
    }

    $signlink = $_SERVER['PHP_SELF']."?action=sign";


    if (isset($_GET["refid"]) && $_GET["refid"] != "")
    {
    $referenceid = stripslashes($_GET["refid"]);
    }
    else
    {
    $referenceid = md5(mktime()*rand());
    }
    $font = 'courbd.ttf';
    function checkSecurityImage($referenceid, $enteredvalue)
    {
    global $config;
    $referenceid = mysql_escape_string($referenceid);
    $enteredvalue = mysql_escape_string($enteredvalue);
    $tempQuery = mysql_query("SELECT ID FROM `".$config['mysqlspamimgtable']."` WHERE referenceid='".$referenceid."' AND hiddentext='".$enteredvalue."'") or die(mysql_error());
    if (mysql_num_rows($tempQuery) != 0)
    {
    return true;
    }
    else
    {
    return false;
    }
    }

    if ( (!isset( $_GET['action'] )) || (empty( $_GET['action'] )) || ($_GET['action'] === "veiw" ))
    {
    $posttoreplace = array(
    "/{emailorurl}/",
    "/{name}/",
    "/{comments}/",
    "/{date}/",
    );
    $fp = fopen( $config["guestbookpost"], "r" );
    $posttpl = fread( $fp, filesize( $config["guestbookpost"] ) );
    fclose( $fp );
    if( !isset($_GET['num']) || !is_numeric($_GET['num']) )
    {
    $start = 0;
    $end = $config["numpostsperpage"];
    }
    else
    {
    $start = $_GET['num'] * $config["numpostsperpage"];
    $end = $start + $config["numpostsperpage"];
    }
    $title = "Guestbook";
    if( $config["newestfirst"] === "yes" )
    {
    $order = " ORDER BY `ID` DESC ";
    }
    else
    {
    $order = " ORDER BY `ID` ASC ";
    }
    $query = mysql_query( "SELECT * FROM ".$config["mysqlguestbooktable"]."".$order."LIMIT ".$start.",".$end."" );
    $isresults = FALSE;
    $i = 0;
    $posts = "";
    while( $post = mysql_fetch_array( $query, MYSQL_ASSOC ) )
    {
    if( strstr ( $post["EMAILORURL"], "@" ) )
    {
    $emailorurl = "mailto:".stripslashes( $post["EMAILORURL"] );
    }
    else
    {
    if( preg_match( "/http:\/\//i", $post["EMAILORURL"] ) )
    {
    $emailorurl = stripslashes( $post["EMAILORURL"] );
    }
    else
    {
    $emailorurl = "http://".stripslashes( $post["EMAILORURL"] );
    }
    }
    $comments = preg_replace($smiles, $rsmiles, stripslashes( $post["COMMENTS"] ));
    $name = stripslashes( $post["NAME"] );
    $postreplace = array(
    $emailorurl,
    $name,
    $comments,
    $post["DATE"]
    );
    $posts .= preg_replace($posttoreplace, $postreplace, $posttpl);
    $i++;
    }
    $text .= "<br /><br />";
    if( $i >= $config["numpostsperpage"] )
    {
    $isresults = TRUE;
    }
    if( $start >= $config["numpostsperpage"] )
    {
    $prev = ($start / $config["numpostsperpage"]) - 1;
    $posts .= "<a href=\"".$_SERVER['PHP_SELF']."?num=".$prev."\">Prev.</a> ";
    }
    if( $isresults )
    {
    $next = ($start / $config["numpostsperpage"]) + 1;
    $posts .= " <a href=\"".$_SERVER['PHP_SELF']."?num=".$next."\">Next</a>\n";
    }
    $fp = fopen( $config["guestbook"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbook"] ) );
    fclose( $fp );
    $toreplace = array(
    "/{title}/",
    "/{signlink}/",
    "/{posts}/",
    );
    $replace = array(
    $title,
    $signlink,
    $posts,
    );
    $tpl = preg_replace($toreplace, $replace, $tpl);
    echo $tpl;
    }
    elseif( $_GET['action'] === "sign" )
    {
    $fp = fopen( $config["signguestbook"], "r" );
    $tpl = fread( $fp, filesize( $config["signguestbook"] ) );
    fclose( $fp );
    if($config['spamimg'])
    {
    $wheresend = $_SERVER['PHP_SELF']."?action=dosign&refid=".$referenceid;
    $getspamimage = $_SERVER['PHP_SELF']."?action=img&refid=".$referenceid;
    $toreplace = array(
    "/{wheresend}/",
    "/{getspamimage}/",
    "/{title}/"
    );
    $replace = array(
    $wheresend,
    $getspamimage,
    "Sign our guestbook"
    );
    }
    else
    {
    $wheresend = $_SERVER['PHP_SELF']."?action=dosign";
    $toreplace = array(
    "/{wheresend}/",
    "/{title}/"
    );
    $replace = array(
    $wheresend,
    "Sign our guestbook"
    );
    }

    $tpl = preg_replace($toreplace, $replace, $tpl);
    echo $tpl;
    }
    elseif( $_GET['action'] === "img" )
    {
    $bgurl = rand(1, 5);
    $im = ImageCreateFromPNG("bg/".$bgurl.".PNG");
    $chars = array("a","A","b","B","c","C","d","D","e","E","f","F","g","G",
    "h","H","i","I","j","J","k",
    "K","l","L","m","M","n","N","o","O","p","P","q","Q","r",
    "R","s","S","t","T","u","U","v",
    "V","w","W","x","X","y","Y","z","Z","1","2","3","4","5",
    "6","7","8","9");
    $length = 8;
    $textstr = "";
    for ($i=0; $i<$length; $i++)
    {
    $textstr .= $chars[rand(0, count($chars)-1)];
    }
    $size = rand(12, 16);
    $angle = rand(-5, 5);
    $color = ImageColorAllocate($im, rand(0, 100), rand(0, 100), rand(0, 100));
    $textsize = imagettfbbox($size, $angle, $font, $textstr);
    $twidth = abs($textsize[2]-$textsize[0]);
    $theight = abs($textsize[5]-$textsize[3]);
    $x = (imagesx($im)/2)-($twidth/2)+(rand(-20, 20));
    $y = (imagesy($im))-($theight/2);
    ImageTTFText($im, $size, $angle, $x, $y, $color, $font, $textstr);
    header("Content-Type: image/png");
    ImagePNG($im);
    imagedestroy($im);
    mysql_query("INSERT INTO `".$config['mysqlspamimgtable']."` (insertdate, referenceid, hiddentext) VALUES (now(), '".make_query_safe( $referenceid )."', '".make_query_safe( $textstr )."')");
    mysql_query("DELETE FROM `".$config['mysqlspamimgtable']."` WHERE insertdate < date_sub(now(), interval 1 day)");
    }
    elseif( $_GET['action'] === "dosign" )
    {
    if( (!isset($_POST['name'])) || (rtrim($_POST['name']) == "") )
    {
    $error = " Sorry you need to enter a name.";
    $fp = fopen( $config["guestbooksignerror"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbooksignerror"] ) );
    fclose( $fp );
    }
    elseif( (!isset($_POST['comments'])) || (rtrim($_POST['comments']) == "") )
    {
    $error = " Sorry you need to enter some comments.";
    $fp = fopen( $config["guestbooksignerror"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbooksignerror"] ) );
    fclose( $fp );
    }
    elseif( (!isset($_POST['emailorurl'])) || (rtrim($_POST['emailorurl']) == "") )
    {
    $error = " Sorry you need to enter an email address or url.";
    $fp = fopen( $config["guestbooksignerror"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbooksignerror"] ) );
    fclose( $fp );
    }
    elseif( ($config['spamimg'] == true) && ((!isset($_POST['security_try'])) || (!isset($_GET['refid']))))
    {
    $error = "Sorry there was an error with the anti spam image.";
    $fp = fopen( $config["guestbooksignerror"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbooksignerror"] ) );
    fclose( $fp );
    }
    elseif( ($config['spamimg'] == true) && (checkSecurityImage($_GET['refid'], $_POST['security_try'] ) == false) )
    {
    $error = "Sorry you did not enter the anti spam image correctly please hit the back button and try again.";
    $fp = fopen( $config["guestbooksignerror"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbooksignerror"] ) );
    fclose( $fp );
    }
    else
    {
    $checkforban = mysql_query( "SELECT * FROM `".$config["mysqlbantable"]."` WHERE `ip` LIKE '".make_query_safe( getenv('REMOTE_ADDR') )."%'" ) or die ( "ERROR: Cannot query database" );
    if ( mysql_num_rows ( $checkforban ) > 0 )
    {
    $error = " Sorry your IP has been baned from posting in this guestbook.";
    $fp = fopen( $config["guestbooksignerror"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbooksignerror"] ) );
    fclose( $fp );
    }
    else
    {
    $check = mysql_query("SELECT * FROM `" . $config['mysqlantispamtable'] . "` WHERE `NAME` = '".make_query_safe( $_POST['name'] )."' OR `EMAILORURL` = '".make_query_safe( $_POST['emailorurl'] )."' OR `IP` = '".make_query_safe( getenv('REMOTE_ADDR') )."' OR '".make_query_safe( $_POST['comments'] )."' LIKE CONCAT( '%', `COMMENTS` , '%' )") or die(mysql_error());
    if( mysql_num_rows($check) > 0)
    {
    $error = " Sorry it appears you have been banned from signing this guestbook becasue your a spambot. This maybe 'cause your IP is black listed or the comments your trying to leave have a phrase that is banned.";
    $error .= " if you are not a spam bot please email us at admin@free-php.org.uk with what you were trying to post. Thanks!";
    $fp = fopen( $config["guestbooksignerror"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbooksignerror"] ) );
    fclose( $fp );
    }
    else
    {
    $word = array();
    $wordreplacement = array();
    $banedwords = mysql_query( "SELECT `WORD`, `REPLACEMENT` FROM `".$config["mysqlbantable"]."` WHERE `WORD` != ''" ) or die ( "ERROR: Cannot query database" );
    while ( $banned = mysql_fetch_assoc( $banedwords ) )
    {
    $word[] = "/".preg_quote($banned['WORD'], '/')."/i";
    $wordreplacement[] = $banned['REPLACEMENT'];
    }
    $comments = nl2br(htmlspecialchars(preg_replace($word, $wordreplacement, $_POST['comments'])));
    $emailorurl = htmlspecialchars(preg_replace($word, $wordreplacement, $_POST['emailorurl']));
    $name = htmlspecialchars(preg_replace($word, $wordreplacement, $_POST['name']));
    $error = "";
    mysql_query( "INSERT INTO `".$config["mysqlguestbooktable"]."` ( `ID` , `NAME` , `EMAILORURL` , `IP` , `COMMENTS` , `DATE` ) VALUES ( '', '".make_query_safe( $name )."', '".make_query_safe( $emailorurl )."', '".make_query_safe( getenv('REMOTE_ADDR') )."', '".make_query_safe( $comments )."', NOW( ) )" ) or die ( "ERROR: cannot insert into database." );
    $fp = fopen( $config["guestbookthankyou"], "r" );
    $tpl = fread( $fp, filesize( $config["guestbookthankyou"] ) );
    fclose( $fp );
    }
    }
    }
    $toreplace = array(
    "/{backlink}/",
    "/{message}/"
    );
    $replace = array(
    $_SERVER['PHP_SELF']."?action=veiw",
    $error
    );
    $tpl = preg_replace($toreplace, $replace, $tpl);
    echo $tpl;
    }
    ?>

  4. #4
    If you display the properties with your browser I see that when included it no longer seems to know that the image is a PNG.

    Strange ... will think about this but some suggestions:

    I do also see that you have declared the content as UTF-8, which line 102 is not:

    <span title="reconoce mayúsculas y minúsculas">Case Sensitive</span>.

    I think that you need to open the include and force it to be saved as UTF-8 (my browser says it uses Western European (Windows) encoding and not UTF-8).

    Lastly put the complete file through the validator:
    http://validator.w3.org/check?uri=ht...idator%2F1.606

    What browser are you using?

    p.s. - you may want to go in the other direction - if all of the content of the cart software is not UTF-8 - i.e. change the content to Western European (Windows).

    David.
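
Added example, not part of any post in this thread and not the guestbook's own code: the `img` action writes raw PNG bytes, so any byte output before it (page markup, or a space ahead of `<?php`) either stops `header("Content-Type: image/png")` from taking effect or is prepended to the image data, and one way to avoid both is to dispatch the image request before the page writes anything. The file name `page.php`, the function `send_captcha_png` and the sample alphabet are assumptions; it needs PHP 7+ with the GD extension.

```php
<?php
// page.php (hypothetical name): added example, not the guestbook's own code.
// Nothing may precede the opening tag above (no space, newline or UTF-8 BOM).

/** Emit a PNG, refusing to mix it into a response that has already started. */
function send_captcha_png(string $text): bool
{
    // headers_sent(): the headers are gone, so header() below would fail.
    // ob_get_length() > 0: earlier bytes sit in an output buffer and would be
    // prepended to the PNG, corrupting it even though header() succeeds.
    if (headers_sent($file, $line) || ob_get_length() > 0) {
        error_log("captcha: output already started at $file:$line");
        return false;
    }
    $im = imagecreatetruecolor(160, 50);
    imagefill($im, 0, 0, imagecolorallocate($im, 240, 240, 240));
    imagestring($im, 5, 20, 17, $text, imagecolorallocate($im, 30, 30, 90));
    header('Content-Type: image/png');
    header('Cache-Control: no-store'); // a challenge image must not be cached
    imagepng($im);
    return true;
}

$action = isset($_GET['action']) ? $_GET['action'] : 'view';

// 1. The binary response is dispatched before any markup and ends the request.
//    In the thread's layout this is where the wrapper page would include
//    guestbookorig.php for action=img and then exit.
if ($action === 'img') {
    // Constructed sample text; the guestbook generates and stores its own.
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
    $text = '';
    for ($i = 0; $i < 8; $i++) {
        $text .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    send_captcha_png($text);
    exit;
}

// 2. Only now does the surrounding page write HTML. The script path is
//    escaped before it is echoed into an attribute.
$self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Guestbook</title></head>
<body>
<p>Cart page markup that precedes the guestbook.</p>
<img src="<?php echo $self; ?>?action=img" alt="security image">
</body></html>
```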
