vb.org Archive

vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)
Is there anything wrong with this code? (https://vborg.vbsupport.ru/showthread.php?t=228878)

vietfancy 11-25-2009 05:56 PM

Is there anything wrong with this code?
 
Is there anything wrong with this code? If there is, please point it out for me. Thanks.

PHP Code:

if (isset($_POST["submit"])){
    $id=$_POST["id"];
    $day=$_POST["day"];
    $time=$_POST["time"];
    $ampm=$_POST["ampm"];
    $class=$_POST["class"];
    $level=$_POST["level"];
    $instructor=$_POST["instructor"];
    $link=$_POST["link"];
    $display=$_REQUEST["display"];
    $live=$_POST["live"];

    //replace classes
    $db->query_write("UPDATE " . TABLE_PREFIX . "schedule SET day = $day, time = $time, ampm = $ampm, class = $class, level = $level, instructor = $instructor, link = $link, display = $display, live = $live WHERE id=$id") or die(mysql_error());

    $done = "Schedule updated";
    header("location: index.php?do=submit");
}


Lynne 11-25-2009 06:02 PM

You should be running all your variables through the vbulletin cleaner - https://vborg.vbsupport.ru/showthread.php?t=154411

vietfancy 11-25-2009 07:00 PM

So instead of the code above, you want me to use this below? I tried to replace it, but it still doesn't do the trick.

PHP Code:

$vbulletin->input->clean_array_gpc('p', array(
    'day' => TYPE_NOHTML,
    'time' => TYPE_NOHTML,
    'ampm' => TYPE_NOHTML,
    'class' => TYPE_NOHTML,
    'level' => TYPE_NOHTML,
    'instructor' => TYPE_NOHTML,
    'link' => TYPE_NOHTML,
    'display' => TYPE_NOHTML,
    'live' => TYPE_NOHTML,
    'id' => TYPE_INT
));

$day = $vbulletin->input->clean_gpc('p', 'day', TYPE_NOHTML);
$time = $vbulletin->input->clean_gpc('p', 'time', TYPE_NOHTML);
$ampm = $vbulletin->input->clean_gpc('p', 'ampm', TYPE_NOHTML);
$class = $vbulletin->input->clean_gpc('p', 'class', TYPE_NOHTML);
$level = $vbulletin->input->clean_gpc('p', 'level', TYPE_NOHTML);
$instructor = $vbulletin->input->clean_gpc('p', 'instructor', TYPE_NOHTML);
$link = $vbulletin->input->clean_gpc('p', 'link', TYPE_NOHTML);
$display = $vbulletin->input->clean_gpc('p', 'display', TYPE_NOHTML);
$live = $vbulletin->input->clean_gpc('p', 'live', TYPE_NOHTML);
$id = $vbulletin->input->clean_gpc('p', 'id', TYPE_UINT);

// no comma after the last SET assignment: "live = '...', WHERE" is invalid SQL
$db->query_write("
    UPDATE " . TABLE_PREFIX . "schedule SET
        day = '" . $db->escape_string($vbulletin->GPC['day']) . "',
        time = '" . $db->escape_string($vbulletin->GPC['time']) . "',
        ampm = '" . $db->escape_string($vbulletin->GPC['ampm']) . "',
        class = '" . $db->escape_string($vbulletin->GPC['class']) . "',
        level = '" . $db->escape_string($vbulletin->GPC['level']) . "',
        instructor = '" . $db->escape_string($vbulletin->GPC['instructor']) . "',
        link = '" . $db->escape_string($vbulletin->GPC['link']) . "',
        display = '" . $db->escape_string($vbulletin->GPC['display']) . "',
        live = '" . $db->escape_string($vbulletin->GPC['live']) . "'
    WHERE id = " . $vbulletin->GPC['id'] . "
");


Lynne 11-25-2009 07:54 PM

You never said anything was wrong, you just asked *if* anything was wrong and I told you that you at least need to secure it by running it through the cleaner. What is wrong?

And once you've assigned it ($day = ....), then you can just use that variable $day.

This is actually the article I meant to link you to, sorry - https://vborg.vbsupport.ru/showthrea...hlight=cleaner

vietfancy 11-25-2009 08:53 PM

Here is what I'm trying to do: I'm trying to edit/modify/update a class from the schedule table.

So far I have:
http://qtresources.com/tienganh/ese/schedule.php << working fine
http://qtresources.com/tienganh/ese/schedule.php?do=add << working fine
http://qtresources.com/tienganh/ese/...e.php?do=admin << everything is OK, but when I try to edit a class, I'm able to pull it up, but when I submit it, nothing changes.

ex: http://qtresources.com/tienganh/ese/...?do=edit&id=49

Here is my PHP code:

PHP Code:

// Show Edit Page
if ($ese_schedule['do'] == "edit"){

    if (!isset($_POST["submit"])){
        $id = $_REQUEST["id"];
        $result = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "schedule WHERE id=$id");
        while($r = $db->fetch_array($result)){
            $day = "$r[day]";
            $time = "$r[time]";
            $ampm = "$r[ampm]";
            $class = "$r[class]";
            $level = "$r[level]";
            $instructor = "$r[instructor]";
            $link = "$r[link]";
            $live = "$r[live]";
            $display = "$r[display]";
        }
    }

    if (isset($_POST["submit"])){
//    $id=$_POST["id"];
//    $day=$_POST["day"];
//    $time=$_POST["time"];
//    $ampm=$_POST["ampm"];
//    $class=$_POST["class"];
//    $level=$_POST["level"];
//    $instructor=$_POST["instructor"];
//    $link=$_POST["link"];
//    $display=$_REQUEST["display"];
//    $live=$_POST["live"];

        // new code
        $vbulletin->input->clean_array_gpc('p', array(
            'day' => TYPE_STR,
            'time' => TYPE_STR,
            'ampm' => TYPE_STR,
            'class' => TYPE_STR,
            'level' => TYPE_STR,
            'instructor' => TYPE_STR,
            'link' => TYPE_STR,
            'display' => TYPE_STR,
            'live' => TYPE_STR,
            'id' => TYPE_INT,
        ));

        // check for missing fields (each empty() call closes with exactly one parenthesis)
        if (empty($vbulletin->GPC['day'])
            OR empty($vbulletin->GPC['time'])
            OR empty($vbulletin->GPC['ampm'])
            OR empty($vbulletin->GPC['class'])
            OR empty($vbulletin->GPC['level'])
            OR empty($vbulletin->GPC['instructor'])
            OR empty($vbulletin->GPC['link'])
            OR empty($vbulletin->GPC['display'])
            OR empty($vbulletin->GPC['live'])
        )
        {
            // show message
        }
        $day = $vbulletin->input->clean_gpc('p', 'day', TYPE_STR);
        $time = $vbulletin->input->clean_gpc('p', 'time', TYPE_STR);
        $ampm = $vbulletin->input->clean_gpc('p', 'ampm', TYPE_STR);
        $class = $vbulletin->input->clean_gpc('p', 'class', TYPE_STR);
        $level = $vbulletin->input->clean_gpc('p', 'level', TYPE_STR);
        $instructor = $vbulletin->input->clean_gpc('p', 'instructor', TYPE_STR);
        $link = $vbulletin->input->clean_gpc('p', 'link', TYPE_STR);
        $display = $vbulletin->input->clean_gpc('p', 'display', TYPE_STR);
        $live = $vbulletin->input->clean_gpc('p', 'live', TYPE_STR);
        $id = $vbulletin->input->clean_gpc('p', 'id', TYPE_INT);

        // no comma after the last SET assignment: "live = '...', WHERE" is invalid SQL
        $db->query_write("
            UPDATE " . TABLE_PREFIX . "schedule SET
                day = '" . $db->escape_string($vbulletin->GPC['day']) . "',
                time = '" . $db->escape_string($vbulletin->GPC['time']) . "',
                ampm = '" . $db->escape_string($vbulletin->GPC['ampm']) . "',
                class = '" . $db->escape_string($vbulletin->GPC['class']) . "',
                level = '" . $db->escape_string($vbulletin->GPC['level']) . "',
                instructor = '" . $db->escape_string($vbulletin->GPC['instructor']) . "',
                link = '" . $db->escape_string($vbulletin->GPC['link']) . "',
                display = '" . $db->escape_string($vbulletin->GPC['display']) . "',
                live = '" . $db->escape_string($vbulletin->GPC['live']) . "'
            WHERE id = " . $vbulletin->GPC['id'] . "
        ");
        //end new code
        //update classes

//    $db->query_write("UPDATE " . TABLE_PREFIX . "schedule SET day = '$day', time = '$time', ampm = '$ampm', class = '$class', level = '$level', instructor = '$instructor', link = '$link', display = '$display', live = '$live' WHERE id=$id")or die(mysql_error());
        // echo "Thank you! Schedule updated.";

        header("location: schedule.php?do=admin");
    }
}

if ($ese_schedule['do'] == 'edit'){
    $navbits = construct_navbits(array('' => 'Edit'));
    $navbar = render_navbar_template($navbits);
    $templater = vB_Template::create('schedule_edit');
    $templater->register_page_templates();
    $templater->register('navbar', $navbar);
    $templater->register('pagetitle', 'Edit A Class');
    $templater->register('id', $id);
    $templater->register('day', $day);
    $templater->register('time', $time);
    $templater->register('ampm', $ampm);
    $templater->register('class', $class);
    $templater->register('level', $level);
    $templater->register('instructor', $instructor);
    $templater->register('link', $link);
    $templater->register('display', $display);
    $templater->register('live', $live);
    print_output($templater->render());
}

// End Edit Page

Here is my edit template:
PHP Code:

<!-- add form -->
<form action="schedule.php?do=admin" method="post">
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
<input type="hidden" name="id" value="{vb:raw id}" />
<table class="tborder" cellpadding="0" cellspacing="6" border="0" width="100%" align="center">
    <tr valign="top">
        <td class="alt1" width="20%" align="left" nowrap="nowrap">
        <div style="padding:3px;">Day/Time/Am-Pm:</div>
        <div style="padding:3px;">Class:</div>
        <div style="padding:3px;">Level:</div>
        <div style="padding:3px;">Instructor:</div>
        <div style="padding:3px;">Link</div>
        <div style="padding:3px;">Display:</div>
        <div style="padding:3px;">Live:</div>
        </td>
        <td class="alt2" width="35%">
        <div style="padding:3px;">
        <input type="text" name="day" value="{vb:raw day}" size="6" maxlength="25" autocomplete="off" />
        / <input type="text" name="time" value="{vb:raw time}" size="6" maxlength="5" autocomplete="off" />
        / <input type="text" name="ampm" value="{vb:raw ampm}" size="6" maxlength="5" autocomplete="off" />
        </div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="class" value="{vb:raw class}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="level" value="{vb:raw level}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="instructor" value="{vb:raw instructor}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="link" value="{vb:raw link}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="display" value="{vb:raw display}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="live" value="{vb:raw live}" autocomplete="off" /></div>
        </td>
        <td class="alt1" width="45%" align="left" nowrap="nowrap">
        <div style="padding:3px;">text go here</div>
        </td>
    </tr>
    <tr valign="top">
        <td class="alt2" colspan="3" width="100%" align="center" style="padding-top:20px;">
        <input type="submit" class="button" value="Submit" accesskey="s" />
        <input type="hidden" class="button" value="Reset" accesskey="s" />
        </td>
    </tr>
</table>
</form>
<!-- end add form -->


Lynne 11-25-2009 09:16 PM

Like I said, if you already assigned $day to the cleaned variable, you can just use $day. Have you tried just:
PHP Code:

day = $day

in your query? Or, if you feel the need to escape it,
PHP Code:

day = '" . $db->escape_string($day) . "',
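Lynne's advice consolidated into one update routine, as an added example that is not code from the thread or from vBulletin itself: a single clean_array_gpc() pass, string columns both quoted and escaped, the id cast to an integer, and the affected-row count checked so a silent no-op UPDATE gets noticed. It assumes vBulletin 4's $vbulletin and $db globals and the schedule columns named in the thread.

```php
// Added example, not code posted in the thread: one cleaning pass, then an UPDATE
// built only from a fixed list of columns. Assumes vBulletin 4's $vbulletin/$db globals.
$vbulletin->input->clean_array_gpc('p', array(
    'id'         => TYPE_UINT,  // cast to a non-negative integer: safe to interpolate unquoted
    'day'        => TYPE_STR,
    'time'       => TYPE_STR,
    'ampm'       => TYPE_STR,
    'class'      => TYPE_STR,
    'level'      => TYPE_STR,
    'instructor' => TYPE_STR,
    'link'       => TYPE_STR,
    'display'    => TYPE_STR,
    'live'       => TYPE_STR,
));

// clean_array_gpc() has already filled $vbulletin->GPC, so no second clean_gpc() call is
// needed (Lynne's point). Column names come from this fixed list, never from the request.
$string_columns = array('day', 'time', 'ampm', 'class', 'level', 'instructor', 'link', 'display', 'live');

$assignments = array();
foreach ($string_columns as $column)
{
    // Every string value is quoted AND escaped: an unquoted $day breaks the SQL for
    // ordinary input, and an unescaped quote inside a field would alter the statement.
    $assignments[] = $column . " = '" . $db->escape_string($vbulletin->GPC[$column]) . "'";
}

// implode() joins the assignments with commas, so no stray comma is left before WHERE.
$db->query_write("
    UPDATE " . TABLE_PREFIX . "schedule
    SET " . implode(', ', $assignments) . "
    WHERE id = " . $vbulletin->GPC['id'] . "
");

// affected_rows() is 0 when the WHERE clause matched no row (missing or wrong id) or when
// nothing changed; checking it is how a "submitted but nothing changed" UPDATE gets noticed.
if ($db->affected_rows() == 0)
{
    $done = 'No schedule row was updated; check the id that was submitted';
}
else
{
    $done = 'Schedule updated';
}
```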


