vb.org Archive - Issue with query

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)

- - Issue with query (https://vborg.vbsupport.ru/showthread.php?t=294939)

Issue with query

Not sure why this plugin isn't submitting the data to database. Yes, all form fields have names. 3 of the fields are arrays.

PHP Code:


		
			
if ($foruminfo['forumid'] >= 18 AND $foruminfo['forumid'] <= 68) 

{  



$t_id = $newpost['threadid']; 

$posttype = $vbulletin->input->clean_gpc('p', "posttype", TYPE_STR); 

$area = $vbulletin->input->clean_gpc('p', "area", TYPE_STR); 

$price = $vbulletin->input->clean_gpc('p', "price", TYPE_NUM); 

$posttype = $vbulletin->input->clean_gpc('p', "posttype", TYPE_STR); 

$posttype_firearm = $vbulletin->input->clean_gpc('p', "posttype_firearm", TYPE_STR); 





$caliber = $vbulletin->input->clean_gpc('p', "caliber", TYPE_ARRAY_STR); 

$manufacturer = $vbulletin->input->clean_gpc('p', "manufacturer", TYPE_ARRAY_STR); 

$action = $vbulletin->input->clean_gpc('p', "action", TYPE_ARRAY_STR); 

$type = $vbulletin->input->clean_gpc('p', "type", TYPE_STR); 



if (!empty($caliber[0])) 

{ $caliber2 = $caliber[0]; 

} elseif (!empty($caliber[1])) 

{ $caliber2 = $caliber[1]; 

} else { $caliber2 = $caliber[2]; } 



if (!empty($manufacturer[0])) 

{ $manufacturer2 = $manufacturer[0]; 

} elseif (!empty($manufacturer[1])) 

{ $manufacturer2 = $manufacturer[1]; 

} else { $manufacturer2 = $manufacturer[2]; } 



if (!empty($action[0])) 

{ $action2 = $action[0]; 

} else { $action2 = $action[1]; } 





$vbulletin->db->query_write(" 

    INSERT INTO  " . TABLE_PREFIX . "`thread_classifieds` ( 

    `threadid` , 

    `price` , 

    `area` , 

    `posttype` , 

    `posttype_firearm` , 

    `caliber` , 

    `manufacturer` , 

    `action` , 

    `type` 

    ) 

    VALUES ( 

    '" . $t_id . "',   

    '" . $price . "',   

    '" . $area . "',   

    '" . $posttype . "',   

    '" . $posttype_firearm . "',   

    '" . $caliber2 . "',   

    '" . $manufacturer2 . "',   

    '" . $action2 . "',   

    '" . $type . "' 

    ) 

"); 



  }

I didn't study the entire thing, but I think the first line of your SQL needs the backquote moved to before the prefix, like:

Code:

INSERT INTO `" . TABLE_PREFIX . "thread_classifieds` (

ETA: also you should use escape_string() for all those values, like:

Code:

    '" . $vbulletin->db->escape_string($t_id) . "',   

    '" . $vbulletin->db->escape_string($price) . "',    

etc

doesn't the clean_gpc do that?

--------------- Added [DATE]1360438869[/DATE] at [TIME]1360438869[/TIME] ---------------

BTW the issue was a { in my elseif statement

BEFORE:

PHP Code:


		
			
if (!empty($caliber[0]))  
{ $caliber2 = $caliber[0];  
} elseif { (!empty($caliber[1]))  
{ $caliber2 = $caliber[1];  
} else { $caliber2 = $caliber[2]; }

AFTER:

PHP Code:


		
			
if (!empty($caliber[0]))  
{ $caliber2 = $caliber[0];  
} elseif (!empty($caliber[1]))  
{ $caliber2 = $caliber[1];  
} else { $caliber2 = $caliber[2]; }

Quote:

Originally Posted by LifesGreatestGift (Post 2403137)

doesn't the clean_gpc do that?

If you use TYPE_STR it only trims spaces off the ends, so it can still contain any character. Also, even if you use the db escape_string function, it could still contain html tags, so you need to be careful what you do with after you read it from the database.

its multiple dropdowns like this [pictured in attachments]

Oh, right. Well, it's true I don't know the details of your application or who would have access to it, so maybe it's not an issue for you. But it is possible for a hacker to submit whatever string they want for any parameter, even if it's supposed to be coming from dropdown. Anyway, just thought I'd mention it.

Would you recommend this?

htmlspecialchars()

PHP Code:


		
			
$vbulletin->db->query_write("  
    INSERT INTO  " . TABLE_PREFIX . "`thread_classifieds` (  
    `threadid` ,  
    `price` ,  
    `area` ,  
    `posttype` ,  
    `posttype_firearm` ,  
    `caliber` ,  
    `manufacturer` ,  
    `action` ,  
    `type`  
    )  
    VALUES (  
    '" . $vbulletin->db->escape_string(htmlspecialchars($t_id)) . "',    
    '" . $vbulletin->db->escape_string(htmlspecialchars($price)) . "',    
    '" . $vbulletin->db->escape_string(htmlspecialchars($area)) . "',    
    '" . $vbulletin->db->escape_string(htmlspecialchars($posttype)) . "',    
    '" . $vbulletin->db->escape_string(htmlspecialchars($posttype_firearm)) . "',    
    '" . $vbulletin->db->escape_string(htmlspecialchars($caliber2)) . "',    
    '" . $vbulletin->db->escape_string($manufacturer2) . "',    
    '" . $vbulletin->db->escape_string(htmlspecialchars($action2)) . "',    
    '" . $vbulletin->db->escape_string(htmlspecialchars($type)) . "'  
    )  
");

That works. You only need to do that if at some point you're going to display the values on a page. In fact now that I think about it, if you use a template and use {vb:var ...} and not {vb:raw }, I believe that takes care of it as well.

I guess another way would be, if they are coming from dropdown menus, make sure they match one of the expected values and if they don't, show an error or use a default.

Anyway, sorry, I feel like I've made your task more difficult, and you didn't even ask about that.

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_code_printable (4)bbcode_php_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (8)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.02242 seconds Memory Usage 1,774KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_code_printable (4)bbcode_php_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (8)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: