
Apostrophe and special characters in validfields?


007
09-21-2014, 05:13 PM
What is wrong with this code I'm using?

$this->validfields['customfield'] = array(TYPE_STR, REQ_NO);

I am having issues with text that contains an apostrophe. This is being used in a few locations including threaddata_start and threadfpdata_start.

I've also put the following code under edit_post_update_start

$vbulletin->input->clean_gpc('p', 'customfield', TYPE_STR);
$edit['customfield'] =& $vbulletin->GPC['customfield'];

Still, I get database errors when submitting text with apostrophes in this custom field.

Thoughts?

Dave
09-21-2014, 05:53 PM
The clean_gpc function of vbulletin only checks for the type of the variable. (String, integer, etc.)
Now you are vulnerable to SQL injection; you need to escape your string with something like $db->escape_string($var);
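An added example, not code from this thread or from vBulletin, of the point Dave makes: a TYPE_STR clean leaves the apostrophe in place, so the value must still be escaped before it is spliced into a query. The FakeDb class is an assumption standing in for vBulletin's database object; its escape_string() follows MySQL's string-literal escaping rules, and clean_type_str() approximates what a TYPE_STR clean does to the raw input.

```php
<?php
// Stand-in for vBulletin's database object (assumption, not vBulletin code).
// escape_string() applies the same rules MySQL uses for string literals.
class FakeDb
{
    public function escape_string($value)
    {
        return strtr((string) $value, array(
            "\\"   => "\\\\",
            "'"    => "\\'",
            '"'    => '\\"',
            "\0"   => "\\0",
            "\n"   => "\\n",
            "\r"   => "\\r",
            "\x1a" => "\\Z",
        ));
    }
}

// Approximation of clean_gpc('p', 'customfield', TYPE_STR): the value becomes
// a trimmed string, but quotes and backslashes are left exactly as submitted.
function clean_type_str($raw)
{
    return trim((string) $raw);
}

// Unsafe: the cleaned value is concatenated straight into the SQL text, so a
// single apostrophe closes the literal early (the database error seen above).
function build_update_unsafe($threadid, $value)
{
    return "UPDATE thread SET customfield = '" . $value
         . "' WHERE threadid = " . (int) $threadid;
}

// Safe: the value is escaped for a MySQL string literal before it is spliced in,
// so the apostrophe is stored as data instead of changing the statement.
function build_update_safe($db, $threadid, $value)
{
    return "UPDATE thread SET customfield = '" . $db->escape_string($value)
         . "' WHERE threadid = " . (int) $threadid;
}

$db    = new FakeDb();
$value = clean_type_str(" Tom's SEO description ");  // constructed sample input

echo build_update_unsafe(42, $value), "\n";       // literal ends at the apostrophe
echo build_update_safe($db, 42, $value), "\n";    // apostrophe is escaped as \'
```

The same escaping step is needed in every place the field is written by hand; where the value is handed to the datamanager instead, it is the datamanager, not the hook code, that is responsible for building the query.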

tbworld
09-21-2014, 06:44 PM
What is wrong with this code I'm using?

$this->validfields['customfield'] = array(TYPE_STR, REQ_NO);

I am having issues with text that contains an apostrophe. This is being used in a few locations including threaddata_start and threadfpdata_start.

I've also put the following code under edit_post_update_start

$vbulletin->input->clean_gpc('p', 'customfield', TYPE_STR);
$edit['customfield'] =& $vbulletin->GPC['customfield'];

Still, I get database errors when submitting text with apostrophes in this custom field.

Thoughts?

There is not enough code here to see what you are doing. The array "$edit" is not saved to the database directly, it is processed through the datamanager. $edit['customfield'] will not be stored by the datamanager without additional code so the datamanager can process it. At least, I believe this to be so. I will check it out when I get a chance. :)

007
09-22-2014, 03:51 AM
Thanks for the tip Dave. I'm not using this code in a live environment yet since I'm still testing it. I'll make sure to escape it properly before going live.

tbworld, part of the problem is the code seems to be unfinished. I'm not sure where else I need to use a hook and what code to put there in order to achieve this.

tbworld
09-22-2014, 04:28 AM
tbworld, part of the problem is the code seems to be unfinished. I'm not sure where else I need to use a hook and what code to put there in order to achieve this.

Unfortunately, I am unsure what you are trying to achieve? Is there another part of this post somewhere?

007
09-22-2014, 04:58 AM
Oh, sorry. I'm adding an extra text field to threads for my own internal use and I want to be able to use apostrophes in it. I thought it would be simple (and it probably is), but I'm a little rusty and am not sure how to achieve this with hooks.

tbworld
09-22-2014, 05:05 AM
Is this a display field or an input field and what template / form is this to be positioned in? If an input field what values would this field hold?

I forgot what I learned last week, so you're not alone. :)

007
09-22-2014, 05:12 AM
It'll appear in the SHOWTHREAD template. It would hold custom text of varying characters. Just an extra field I'm creating for SEO purposes in some meta tags.

Thanks in advance for any ideas!

tbworld
09-22-2014, 05:17 AM
Is it just a display field, with no input required from the user?

007
09-22-2014, 05:26 AM
I'll be the only one editing it and users won't even see it. I plan to add some conditions in the appropriate editor templates so others can't see it. It's just a display field that will show up when viewing the source of the page, but not even on the visible page itself.

tbworld
09-22-2014, 06:01 AM
Okay, that is what I thought. Last question and then I think I can point you in the right direction tomorrow -- as it is getting late for me. Why did you pick that particular hook? It does not make sense for the explanation you have just given, unless when editing a post you are trying to save information to the database from your page query parameter.

What am I missing? :)

007
09-22-2014, 06:51 AM
You're likely not missing anything. :) I'm open to being completely wrong about the hook(s) I chose. If you recommend something different, I'm all ears.

I know I need to save this somehow, but I'm not sure where. I've already set up validfields for the new field. I just need to properly save it now without throwing database errors for the special characters.