PDA

View Full Version : Is this code safe to use?


Itworx4me
06-20-2008, 05:20 AM
I was wondering if someone would look over this code and tell me if it is secure to use? As in its coded to the standards of 3.7.1.


<?php
// ######################## SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
@set_time_limit(0);

// #################### PRE-CACHE TEMPLATES AND DATA ######################
$phrasegroups = array('style');
$specialtemplates = array('products');

// ########################## REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/adminfunctions_template.php');

$id = $vbulletin->input->clean_gpc('r', 'id', TYPE_INT);

switch ( $_REQUEST['do'] )
{
case 'add':
print_add_form( $id );
break;

case 'update':
do_add_sql( $id );
break;
default:
print_main_form();
}

function do_add_sql( $id = 0 )
{
global $vbulletin;

$url = $vbulletin->input->clean_gpc('r', 'url', TYPE_STR);
$image = $vbulletin->input->clean_gpc('r', 'image', TYPE_STR);
$title = $vbulletin->input->clean_gpc('r', 'title', TYPE_STR);

print_cp_header();

print_table_start();
print_table_header("Ad Management");
echo '<tr><td class="alt1" colspan="2">';
echo 'Adding --' . $url . '....<br/>';

if ( $id == 0 )
{
$sql ='INSERT INTO ' . TABLE_PREFIX . 'ads (url,image,title) VALUES ("' . $url . '","' . $image . '","' . $title . '")';
} else {
$sql ="UPDATE " . TABLE_PREFIX . "ads SET url='".$url."', image='".$image."',title='".$title."' WHERE id=" . $id;
}

$foo = $vbulletin->db->query_write($sql);

echo '</td></tr>';

print_table_footer(2, '', '', 0);

}

function print_add_form( $id = 0 )
{
global $vbulletin;

if ( $id > 0 )
{
$sql ='SELECT * FROM ' . TABLE_PREFIX . 'ads WHERE id=' . $id;
$foo = $vbulletin->db->query_first($sql);
}

print_cp_header();

print_table_start();
print_table_header("Sponsored Ad Management");

print_form_header('ad_management', 'update');

print_input_row('URL to Link to', 'url', $foo['url']);
print_input_row('Image Location', 'image', $foo['image']);
print_input_row('HoverOver ToolText', 'title', $foo['title']);
if ( $id > 0 )
{
echo '<input type="hidden" name="id" value="'.$id.'" />';
}

print_submit_row();

}

function print_main_form()
{
global $vbulletin;

$sql ='SELECT id,url FROM ' . TABLE_PREFIX . 'ads';
$foo = $vbulletin->db->query_read($sql);

print_cp_header();

print_table_start();
print_table_header("Ad Management");
while ($var = $vbulletin->db->fetch_array($foo))
{
$id = $var['id'];
$url = '<a href="ad_management.php?do=add&id=' . $id . '">' . $var['url'] . '</a>';
print_label_row($id, $url, '', 'middle', null, false);
}

print_table_footer(2, '', '', 0);
}




?>


Thanks,
Itworx4me

MoT3rror
06-20-2008, 05:57 AM
The script has no sql protection, any input can be used as sql injection.

Michael Biddle
06-20-2008, 06:29 AM
Correct. I would definately not use it. It does not even escape strings.

Dismounted
06-20-2008, 10:05 AM
And to answer your standards question, no, it is not coded according to the vBulletin Coding Standards.

Itworx4me
06-20-2008, 11:33 PM
Anyone willing to fix it. I would pay...Need to know how much first.

Thank,
Itworx4me

Dismounted
06-21-2008, 03:33 AM
Please post in the correct forum for paid requests.

Requests For Paid Services (https://vborg.vbsupport.ru/forumdisplay.php?f=30)