How 2 Insert Data Into Forum's Database Via A Form


Come2Daddy
08-30-2009, 06:17 PM
Hello there

Actually I've been trying to code a modification which requires a member to fill in a form on a vBulletin-powered page; this form collects data & inserts it into the database.

However, it turned out that I'm not qualified enough to bring my idea to life :D
So I had to ignore lots of quality standards such as normalization & other security issues, & I couldn't. Finally I thought that the best way to get started was by making a very simple version of my idea, hence I created a very simple table called testtable with just 2 columns: one was id, & the other was testcolumn.

The id column was the primary key & auto-incremented; the other (i.e., testcolumn) was varchar with a length of 100.


and I made my page as explained here on vb.org, and here is my code:

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE & ~8192);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'test'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(

);

// pre-cache templates used by all actions
$globaltemplates = array(
'TEST',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Test Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('TEST') . '");');

$testtable = "testtable";
$testform = $_POST['testform'];
if ($_REQUEST['do'] == "save")
{
$db->query_write("INSERT INTO " . TABLE_PREFIX . "" . $testtable . "(testcolumn) VALUES (" . $testform . ")");
}

?>


associated with this template, called TEST:


$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header

$navbar

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
<td class="tcat">Title</td>
</tr>
<tr>
<td class="alt1"><form name="someform" method="POST" action="test.php?do=save">
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">

<tr>
<td class="alt2" align="center">The Test Form</td>
<td class="alt2" align="center">
<input size="20" name="testform" dir="rtl"></td>
</tr>

<tr>
<td cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" colspan="2" class="tfoot" align="center">
<input type="submit" value="Submit"></td>
</tr>
</table>
</form></td>
</tr>
</table>

$footer
</body>
</html>

but every time I try to insert data I don't find any data inserted in this testtable, even though when I try to insert it through phpMyAdmin it looks just fine: I put data only in the testcolumn field and I find the table filled in both the id & testcolumn fields, the id value is incremented, and everything looks just fine.

Conclusion: I hope to get help inserting data through a form into a database table, just like what I'm trying to do.

Waiting for your help, guys.

Thanks in advance :)

Come2Daddy
09-04-2009, 04:52 PM
Is my question that difficult, or is it constructed wrong or in an inappropriate forum??

Anyway, is it related to the data manager?? So data can't be inserted without data manager techniques??? Any hint please??

Dismounted
09-05-2009, 04:32 AM
You need to do your inserting before any print_output() calls. print_output() will immediately end the execution of the script.

Also, your script will be vulnerable to SQL injection attacks. You must escape any data inserted into a database with escape_string() (except for confirmed integers).

Come2Daddy
09-05-2009, 05:09 AM
Well, I'm not concerned about any injection threats right now, so let us concentrate on the simple inserting process only.
I wonder how I can bring the form template into my custom page without the print_output() function.

Of course the inserting is going to happen after hitting the submit button, but the submit button & its form won't be shown without fetching its template by calling the print_output() function.

--------------- Added 1252135692 at 1252135692 ---------------

I managed to change this fragment:

$navbits = array();
$navbits[$parent] = 'Test Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('TEST') . '");');

$testtable = "testtable";
$testform = $_POST['testform'];
if ($_REQUEST['do'] == "save")
{
$db->query_write("INSERT INTO " . TABLE_PREFIX . "" . $testtable . "(testcolumn) VALUES (" . $testform . ")");
}

by this fragment:

$navbits = array();
$navbits[$parent] = 'Test Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');

$testtable = "testtable";
$testform = $_POST['testform'];
if ($_REQUEST['do'] == "add")
{
eval('print_output("' . fetch_template('TEST') . '");');
}

elseif ($_REQUEST['do'] == "save")
{
$vbulletin->input->clean_array_gpc('p', array(
'testform' => TYPE_STR
));

$db->query_write("INSERT INTO " . TABLE_PREFIX . "" . $testtable . "(testcolumn) VALUES (" . $vbulletin->GPC['testform'] . ")");

}

So when I take my browser to test.php it doesn't show the template; however, when I go to test.php?do=add it shows me the form.

And of course the action of the form is test.php?do=save, which should not show any template, but every time I try to insert data it gives me an SQL syntax error. If you have any idea about how to overcome it...

Lynne
09-05-2009, 05:29 PM
If you want to show the form after they hit save, then don't put the do==add around that eval statement and put it at the end of the page, after the do==save part.

As for the MySQL error, if you don't tell us what it is, we can't help you with it.

Come2Daddy
09-05-2009, 06:55 PM
Well, I'm thinking of making a template that tells the user that his input has been inserted into the database,
so let's say this template has the name test_user_message.

Then after the insert query statement I'd put this statement:

eval('print_output("' . fetch_template('test_user_message') . '");');

But what I really would like to concentrate on right now is inserting data into the database table.

Here is the error message it shows me:

Database error in vBulletin 3.8.4:

Invalid SQL:
INSERT INTO testtable(testcolumn) VALUES (How could it work);

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'could it work)' at line 1
Error Number : 1064

Lynne
09-05-2009, 07:08 PM
I think you need quotes around the string that you are inserting.

Come2Daddy
09-05-2009, 11:21 PM
Beautiful, Lynne, data has been inserted now

after changing this:

VALUES (" . $vbulletin->GPC['testform'] . ")

by this

VALUES ('" . $vbulletin->GPC['testform'] . "')

as you recommended. Thanks a lot guys, Dismounted & Lynne :)

Dismounted
09-06-2009, 01:43 AM
Again - I'll stress that security should not be an afterthought; you should be applying it while programming. Your script is still vulnerable to SQL injection.

Come2Daddy
09-06-2009, 02:20 AM
Thanks for your care, but did you notice that I used this function:

$vbulletin->input->clean_array_gpc()

so the input becomes:

$vbulletin->GPC['testform']

instead of:

$testform

Do you recommend more security restrictions? What exactly?

Dismounted
09-06-2009, 03:50 AM
Yes, I did notice that, and you also specified TYPE_STR. This, however, does nothing for SQL injection; it merely verifies that it is a string. You need to escape dangerous characters (such as single quotes).
$db->query_write("
INSERT INTO " . TABLE_PREFIX . "$testtable
(testcolumn)
VALUES
(" . $db->escape_string($vbulletin->GPC['testform']) . ")
");
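Dismounted's point above, that TYPE_STR only checks the type while escaping is what keeps the value inside its quotes, can be seen without a vBulletin install. The following is an added example, not code from the thread or from vBulletin: it builds the same INSERT four ways against an in-memory SQLite database through PDO (assumed available via the pdo_sqlite extension). PDO::quote() stands in for vBulletin's $db->escape_string() (which is MySQL-specific and returns the value without the surrounding quotes), and the prepared statement at the end is the form to prefer in plain PHP, where the value never becomes part of the SQL text at all.

```php
<?php
// Added example (not from the thread): why a type check (TYPE_STR) is not SQL
// escaping. Runs against an in-memory SQLite database so no vBulletin or MySQL
// is needed. Assumption: the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE testtable (id INTEGER PRIMARY KEY AUTOINCREMENT, testcolumn VARCHAR(100))');

// Constructed input: TYPE_STR accepts this unchanged because it already is a
// string, yet the apostrophe breaks any query that merely wraps it in quotes.
$testform = (string) "O'Brien said: how could it work";

function tryInsert(PDO $pdo, string $label, string $sql): void
{
    try {
        $pdo->exec($sql);
        echo "$label: inserted\n";
    } catch (PDOException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}

// 1. Unquoted, as in the first post: a syntax error (error 1064 on MySQL).
tryInsert($pdo, 'unquoted   ', "INSERT INTO testtable (testcolumn) VALUES ($testform)");

// 2. Quoted but not escaped: fine for "How could it work", but as soon as the
//    value contains a quote the literal ends early, so the type check alone
//    did not make the query safe.
tryInsert($pdo, 'quoted only', "INSERT INTO testtable (testcolumn) VALUES ('$testform')");

// 3. Escaped AND quoted: PDO::quote() returns the value escaped and wrapped in
//    quotes, the equivalent of  '" . $db->escape_string($value) . "'  in vBulletin.
tryInsert($pdo, 'escaped    ', "INSERT INTO testtable (testcolumn) VALUES (" . $pdo->quote($testform) . ")");

// 4. Prepared statement: the value is sent separately from the SQL text.
$stmt = $pdo->prepare('INSERT INTO testtable (testcolumn) VALUES (:value)');
$stmt->execute([':value' => $testform]);
echo "prepared   : inserted\n";

// Show what was stored: only the two safe variants produced rows, and both
// kept the apostrophe intact.
foreach ($pdo->query('SELECT id, testcolumn FROM testtable ORDER BY id') as $row) {
    echo "row {$row['id']}: {$row['testcolumn']}\n";
}
```

Run it with `php` on the command line; variants 1 and 2 are rejected with a syntax error, variants 3 and 4 each store one row. The lesson for the thread's script is that escaping and quoting go together: escape_string() without the quotes gives the database error the next post reports, and quotes without escaping give a query whose shape depends on the member's input.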

Come2Daddy
09-06-2009, 04:16 AM
Actually I replaced my write query with yours, but the script started giving me a database error,

so I surrounded the value with single quotes, so it became like this:

('" . $db->escape_string($vbulletin->GPC['testform']) . "')

and it seemed to be just fine; however, when I check the table through phpMyAdmin I found a new record has been added as it was supposed to be, except that it is empty.

Do you have any idea?
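Putting the three replies together (insert before print_output(), quote the string, and escape it first), here is an added example of the main-script section of test.php. It is not code from the thread or from vBulletin.org. It assumes the environment and template setup from the first post stays above require_once('./global.php') (THIS_SCRIPT 'test', with 'TEST' and the poster's chosen test_user_message both listed in $globaltemplates), and it treats vBulletin 3.8's CSRF_PROTECTION constant and securitytoken form field as an assumption to check against the version in use. It does not diagnose the empty-row question above; it refuses to insert an empty value, so that an empty row at least cannot come from this script.

```php
<?php
// Added example, not code from the thread: the main-script part of test.php
// reworked along the lines of Dismounted's and Lynne's replies.
// ... SET PHP ENVIRONMENT / DEFINE CONSTANTS / PRE-CACHE TEMPLATES as in the
// first post go here, with 'test_user_message' added next to 'TEST' in
// $globaltemplates ...

// Assumption: with this set, vBulletin 3.8's global.php verifies the POSTed
// securitytoken, so the TEST template's form also needs
// <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
define('CSRF_PROTECTION', true);

require_once('./global.php');

$navbits = array();
$navbits[$parent] = 'Test Page';
$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');

$testtable = 'testtable';
$saved = false;
$errormsg = '';

// Read the action through the input cleaner ('r' = GET or POST), the same way
// as the form field, instead of straight from $_REQUEST.
$vbulletin->input->clean_array_gpc('r', array(
    'do' => TYPE_STR,
));

if ($vbulletin->GPC['do'] == 'save')
{
    // 1. Type-clean the POSTed value. TYPE_STR only guarantees a string; it
    //    does not make the value safe to place inside SQL.
    $vbulletin->input->clean_array_gpc('p', array(
        'testform' => TYPE_STR,
    ));
    $value = trim($vbulletin->GPC['testform']);

    // 2. Refuse empty or over-long input instead of storing it (the column is
    //    a VARCHAR(100), so anything longer would be silently truncated).
    if ($value === '' OR strlen($value) > 100)
    {
        $errormsg = 'Please enter between 1 and 100 characters.';
    }
    else
    {
        // 3. Escape AND quote: escape_string() neutralises characters such
        //    as the single quote inside the value, and the surrounding '...'
        //    makes it a string literal, which the 1064 error was missing.
        $db->query_write("
            INSERT INTO " . TABLE_PREFIX . $testtable . "
                (testcolumn)
            VALUES
                ('" . $db->escape_string($value) . "')
        ");
        $saved = true;
    }
}

// 4. Output comes last: print_output() ends the script, so nothing placed
//    after it would ever run. $errormsg is in scope for the TEST template.
if ($saved)
{
    eval('print_output("' . fetch_template('test_user_message') . '");');
}
else
{
    eval('print_output("' . fetch_template('TEST') . '");');
}
?>
```

With this layout a plain visit to test.php shows the form, a successful POST to test.php?do=save shows the confirmation template, and a rejected value falls back to the form, where the TEST template can display $errormsg above the input. The escaping step is what Dismounted's replies ask for; the length and emptiness checks are an addition so that the column's limits are enforced in the script rather than left to the database.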