vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Having problems with clean_gpc function (https://vborg.vbsupport.ru/showthread.php?t=205295)

Jaxel 02-14-2009 12:48 AM

Having problems with clean_gpc function
 
I am using the following code...

Code:

function update_event($event)
{
        global $vbulletin, $db;

        $venue     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR));
        $name      = htmlspecialchars($vbulletin->input->clean_gpc('p', 'name', TYPE_STR));
        $split     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'split', TYPE_UINT));
        $game      = htmlspecialchars($vbulletin->input->clean_gpc('p', 'game', TYPE_UINT));
        $category  = htmlspecialchars($vbulletin->input->clean_gpc('p', 'category', TYPE_UINT));

        $day       = htmlspecialchars($vbulletin->input->clean_gpc('p', 'day', TYPE_UINT));
        $month     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'month', TYPE_STR));
        $year      = htmlspecialchars($vbulletin->input->clean_gpc('p', 'year', TYPE_UINT));
        $time      = htmlspecialchars($vbulletin->input->clean_gpc('p', 'time', TYPE_STR));
        $timestamp = $day." ".$month." ".$year." ".$time." ".date('T');

        $db->query_write("UPDATE rank_events SET gameID='".$game."' WHERE eventID='".$event['eventID']."'");
        $db->query_write("UPDATE rank_events SET categoryID='".$category."' WHERE eventID='".$event['eventID']."'");
        $db->query_write("UPDATE rank_events SET eDate='".strtotime($timestamp)."' WHERE eventID='".$event['eventID']."'");
        $db->query_write("UPDATE rank_events SET eVenue='".$venue."' WHERE eventID='".$event['eventID']."'");
        $db->query_write("UPDATE rank_events SET eName='".$name."' WHERE eventID='".$event['eventID']."'");
        $db->query_write("UPDATE rank_events SET eSplit='".$split."' WHERE eventID='".$event['eventID']."'");
}


I thought this code would "sanitize" my inputs so that I wouldn't have any poisoning going on... but I still get the following error when I try to input something with a ' in it...

Code:

Database error in vBulletin 3.8.1:

Invalid SQL:
UPDATE rank_events SET eVenue='Gamer's Edge' WHERE eventID='4';

MySQL Error  : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edge' WHERE eventID='4'' at line 1
Error Number  : 1064


How do I fix this?

TigerC10 02-14-2009 02:00 AM

Code:

clean_gpc(array $source, string $varname, [integer $vartype = TYPE_NOCLEAN])

You're calling it like so:
Code:

clean_gpc('p', 'venue', TYPE_STR) //bad call

'p' is a literal char, not an array. You should use it more like this...

Code:

clean_gpc($vbulletin, 'ProductOptionName', TYPE_STR)

//or

clean_gpc($vbulletin, 'Input', TYPE_STR)



But what you really need to consider is the addslashes function.
Code:

addslashes($input);

Much simpler, it'll automatically escape the quote characters...

Jaxel 02-14-2009 02:31 AM

I simply changed it to the following...

Code:

$venue = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR), ENT_QUOTES);

According to the VB manual... this is the way to do it:
https://vborg.vbsupport.ru/showthread.php?t=119372

Code:

clean_gpc('p', 'venue', TYPE_STR)

The 'p' is a substitute for $_POST... g would be for $_GET, r would be for $_RETRIEVE, etc...

TigerC10 02-14-2009 02:45 AM

That article is from 2006, are you sure that's how they're still calling the function?

What about sticking $_POST in there instead of 'p' ??

Have you tried addslashes? That's the function that replaced magic_quotes.


The other thing that article talks about is that you retrieve the value like so:
Code:

$vbulletin->GPC['value']

So your call should be this:
Code:

$vbulletin->input->clean_gpc('p', 'venue', TYPE_STR);
$venue = htmlspecialchars($vbulletin->GPC['venue']);

EDIT:
Yeah, I think I had it wrong at first, I misunderstood the API. The code sample above should be appropriate.

Dismounted 02-14-2009 05:03 AM

htmlspecialchars() is for sanitising HTML, that function should be used on display, and not when inserting into the database. You should be using $db->escape_string() on the variable.
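
The split Dismounted describes, escape for the database on write and HTML-encode on display, as an added example that is not code from the thread or from vBulletin. It runs stand-alone against an in-memory SQLite database through PDO, so vBulletin's MySQL-specific $db->escape_string() is stood in for by PDO::quote(), and a bound-parameter version is shown alongside it (vBulletin 3's own query_write() takes a finished SQL string, so there the escape_string() route is the one that applies). The table, the event ID and the venue string are constructed here, taken from the thread's error message.

```php
<?php
// Added example (not from the thread): why htmlspecialchars() alone does not make a
// value safe to splice into SQL, and what escaping-on-write / encoding-on-display looks like.
// Stand-alone: in-memory SQLite via PDO. PDO::quote() models $db->escape_string() (assumption:
// vBulletin's escape_string() is mysql_real_escape_string() without the surrounding quotes).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE rank_events (eventID INTEGER PRIMARY KEY, eVenue TEXT)");
$pdo->exec("INSERT INTO rank_events (eventID, eVenue) VALUES (4, 'placeholder')");

// Constructed sample input: the venue from the thread's error message.
$venue = "Gamer's Edge";

// 1. The thread's original approach: HTML-encode, then concatenate into the SQL string.
//    With the default flags the apostrophe is left untouched and the statement breaks
//    exactly as the posted error shows. With ENT_QUOTES it would parse, but the database
//    would then hold &#039; instead of the real character, which is the wrong layer to encode at.
function updateVenueHtmlEncoded(PDO $pdo, int $eventID, string $venue): void
{
    $encoded = htmlspecialchars($venue);
    $pdo->exec("UPDATE rank_events SET eVenue='" . $encoded . "' WHERE eventID='" . $eventID . "'");
}

// 2. Escape for the database on write: the role $db->escape_string() plays in vBulletin.
//    PDO::quote() returns the value with SQL quoting applied, quotes included.
function updateVenueEscaped(PDO $pdo, int $eventID, string $venue): void
{
    $quoted = $pdo->quote($venue);
    $pdo->exec("UPDATE rank_events SET eVenue=" . $quoted . " WHERE eventID=" . (int) $eventID);
}

// 3. Bound parameters: the value never becomes part of the SQL text at all.
function updateVenuePrepared(PDO $pdo, int $eventID, string $venue): void
{
    $stmt = $pdo->prepare("UPDATE rank_events SET eVenue = :venue WHERE eventID = :id");
    $stmt->execute([':venue' => $venue, ':id' => $eventID]);
}

function fetchVenue(PDO $pdo, int $eventID): string
{
    $stmt = $pdo->prepare("SELECT eVenue FROM rank_events WHERE eventID = :id");
    $stmt->execute([':id' => $eventID]);
    return (string) $stmt->fetchColumn();
}

try {
    updateVenueHtmlEncoded($pdo, 4, $venue);
} catch (PDOException $e) {
    // Same failure class as the thread's "Invalid SQL" error: the quote ends the literal early.
    echo "HTML-encoded build failed: " . $e->getMessage() . PHP_EOL;
}

updateVenueEscaped($pdo, 4, $venue);
echo "stored after escaping: " . fetchVenue($pdo, 4) . PHP_EOL;

updateVenuePrepared($pdo, 4, $venue);
$stored = fetchVenue($pdo, 4);
echo "stored after binding:  " . $stored . PHP_EOL;

// HTML encoding belongs at display time, applied to the value read back from the database.
echo "rendered: <td>" . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "</td>" . PHP_EOL;
```

Each layer gets its own encoding: the database sees a SQL-escaped (or bound) value and stores the venue name as typed, and the template sees an HTML-encoded copy only when it is rendered. Doing the HTML step before the write, as the first post did, both leaves the SQL unprotected and corrupts what is stored.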

Jaxel 02-15-2009 03:17 PM

Thanks Dismounted... you've solved all of my problems... escape_string is what I was looking for.

