
Issue with query


LifesGreatestGift
02-09-2013, 06:28 PM
Not sure why this plugin isn't submitting the data to database. Yes, all form fields have names. 3 of the fields are arrays.




if ($foruminfo['forumid'] >= 18 AND $foruminfo['forumid'] <= 68)
{

$t_id = $newpost['threadid'];
$posttype = $vbulletin->input->clean_gpc('p', "posttype", TYPE_STR);
$area = $vbulletin->input->clean_gpc('p', "area", TYPE_STR);
$price = $vbulletin->input->clean_gpc('p', "price", TYPE_NUM);
$posttype_firearm = $vbulletin->input->clean_gpc('p', "posttype_firearm", TYPE_STR);


$caliber = $vbulletin->input->clean_gpc('p', "caliber", TYPE_ARRAY_STR);
$manufacturer = $vbulletin->input->clean_gpc('p', "manufacturer", TYPE_ARRAY_STR);
$action = $vbulletin->input->clean_gpc('p', "action", TYPE_ARRAY_STR);
$type = $vbulletin->input->clean_gpc('p', "type", TYPE_STR);

if (!empty($caliber[0]))
{ $caliber2 = $caliber[0];
} elseif (!empty($caliber[1]))
{ $caliber2 = $caliber[1];
} else { $caliber2 = $caliber[2]; }

if (!empty($manufacturer[0]))
{ $manufacturer2 = $manufacturer[0];
} elseif (!empty($manufacturer[1]))
{ $manufacturer2 = $manufacturer[1];
} else { $manufacturer2 = $manufacturer[2]; }

if (!empty($action[0]))
{ $action2 = $action[0];
} else { $action2 = $action[1]; }


$vbulletin->db->query_write("
INSERT INTO " . TABLE_PREFIX . "`thread_classifieds` (
`threadid` ,
`price` ,
`area` ,
`posttype` ,
`posttype_firearm` ,
`caliber` ,
`manufacturer` ,
`action` ,
`type`
)
VALUES (
'" . $t_id . "',
'" . $price . "',
'" . $area . "',
'" . $posttype . "',
'" . $posttype_firearm . "',
'" . $caliber2 . "',
'" . $manufacturer2 . "',
'" . $action2 . "',
'" . $type . "'
)
");

}

kh99
02-09-2013, 06:33 PM
I didn't study the entire thing, but I think the first line of your SQL needs the backquote moved to before the prefix, like:

INSERT INTO `" . TABLE_PREFIX . "thread_classifieds` (


ETA: also you should use escape_string() for all those values, like:

'" . $vbulletin->db->escape_string($t_id) . "',
'" . $vbulletin->db->escape_string($price) . "',
etc

LifesGreatestGift
02-09-2013, 06:38 PM
Doesn't the clean_gpc do that?


BTW, the issue was a { in my elseif statement.

BEFORE:
if (!empty($caliber[0]))
{ $caliber2 = $caliber[0];
} elseif { (!empty($caliber[1]))
{ $caliber2 = $caliber[1];
} else { $caliber2 = $caliber[2]; }

AFTER:
if (!empty($caliber[0]))
{ $caliber2 = $caliber[0];
} elseif (!empty($caliber[1]))
{ $caliber2 = $caliber[1];
} else { $caliber2 = $caliber[2]; }

kh99
02-09-2013, 06:43 PM
Doesn't the clean_gpc do that?


If you use TYPE_STR, it only trims spaces off the ends, so it can still contain any character. Also, even if you use the db escape_string function, it could still contain HTML tags, so you need to be careful what you do with it after you read it from the database.

LifesGreatestGift
02-09-2013, 06:48 PM
It's multiple dropdowns like this [pictured in attachments].

kh99
02-09-2013, 07:24 PM
Oh, right. Well, it's true I don't know the details of your application or who would have access to it, so maybe it's not an issue for you. But it is possible for a hacker to submit whatever string they want for any parameter, even if it's supposed to be coming from a dropdown. Anyway, just thought I'd mention it.

LifesGreatestGift
02-09-2013, 08:17 PM
Would you recommend this?

htmlspecialchars()


$vbulletin->db->query_write("
INSERT INTO `" . TABLE_PREFIX . "thread_classifieds` (
`threadid` ,
`price` ,
`area` ,
`posttype` ,
`posttype_firearm` ,
`caliber` ,
`manufacturer` ,
`action` ,
`type`
)
VALUES (
'" . $vbulletin->db->escape_string(htmlspecialchars($t_id)) . "',
'" . $vbulletin->db->escape_string(htmlspecialchars($price)) . "',
'" . $vbulletin->db->escape_string(htmlspecialchars($area)) . "',
'" . $vbulletin->db->escape_string(htmlspecialchars($posttype)) . "',
'" . $vbulletin->db->escape_string(htmlspecialchars($posttype_firearm)) . "',
'" . $vbulletin->db->escape_string(htmlspecialchars($caliber2)) . "',
'" . $vbulletin->db->escape_string($manufacturer2) . "',
'" . $vbulletin->db->escape_string(htmlspecialchars($action2)) . "',
'" . $vbulletin->db->escape_string(htmlspecialchars($type)) . "'
)
");

kh99
02-09-2013, 10:19 PM
That works. You only need to do that if at some point you're going to display the values on a page. In fact, now that I think about it, if you use a template and use {vb:var ...} and not {vb:raw ...}, I believe that takes care of it as well.

I guess another way would be, if they are coming from dropdown menus, make sure they match one of the expected values and if they don't, show an error or use a default.

Anyway, sorry, I feel like I've made your task more difficult, and you didn't even ask about that.
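As an added example (not code from this thread or from vBulletin), here is one way to put kh99's two suggestions together in the plugin body: each dropdown value is checked against its expected options, every value is passed through escape_string() once before it is concatenated into the query, and the table name is backquoted as one identifier. The option lists in $allowed are constructed placeholders standing in for the real form's choices; pick_allowed() and first_selected() are helpers written for this example.

```php
// Added example, not code from this thread. It applies kh99's two points:
// dropdown values are checked against the expected options, and every value
// goes through escape_string() once before it is concatenated into the SQL;
// HTML escaping is left to the template ({vb:var}). Option lists are placeholders.
$allowed = array(
    'posttype'         => array('sell', 'buy', 'trade'),
    'posttype_firearm' => array('optionA', 'optionB'),
    'area'             => array('north', 'south'),
    'type'             => array('new', 'used'),
);

// The submitted value if it is one of the expected options, else $default.
function pick_allowed($value, array $options, $default = '')
{
    return in_array($value, $options, true) ? $value : $default;
}

// First non-empty entry of a multi-dropdown array (caliber, manufacturer,
// action), or '' if none was chosen; replaces the if/elseif chains.
function first_selected(array $values)
{
    foreach ($values as $v) {
        if ($v !== '') {
            return $v;
        }
    }
    return '';
}

if ($foruminfo['forumid'] >= 18 AND $foruminfo['forumid'] <= 68)
{
    $in  = $vbulletin->input;
    $row = array(
        'threadid'         => (int) $newpost['threadid'],
        'price'            => (float) $in->clean_gpc('p', 'price', TYPE_NUM),
        'area'             => pick_allowed($in->clean_gpc('p', 'area', TYPE_STR), $allowed['area']),
        'posttype'         => pick_allowed($in->clean_gpc('p', 'posttype', TYPE_STR), $allowed['posttype']),
        'posttype_firearm' => pick_allowed($in->clean_gpc('p', 'posttype_firearm', TYPE_STR), $allowed['posttype_firearm']),
        'caliber'          => first_selected($in->clean_gpc('p', 'caliber', TYPE_ARRAY_STR)),
        'manufacturer'     => first_selected($in->clean_gpc('p', 'manufacturer', TYPE_ARRAY_STR)),
        'action'           => first_selected($in->clean_gpc('p', 'action', TYPE_ARRAY_STR)),
        'type'             => pick_allowed($in->clean_gpc('p', 'type', TYPE_STR), $allowed['type']),
    );
    // Escape each value once, right before it enters the query; backquote the
    // table name as a whole so the prefix and name form one identifier.
    $db      = $vbulletin->db;
    $escaped = array_map(array($db, 'escape_string'), $row);
    $db->query_write("INSERT INTO `" . TABLE_PREFIX . "thread_classifieds`
        (`" . implode('`, `', array_keys($escaped)) . "`)
        VALUES ('" . implode("', '", $escaped) . "')");
}
```

The caliber, manufacturer and action values are only escaped here because their option lists are not in the thread; if they are dropdowns too, wrap each first_selected() result in pick_allowed() the same way.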