Input Cleaner Question (do I need it)?

#1  aggiefan (Join Date: Apr 2005, Posts: 169), 08-06-2006, 04:07 AM

I'm working on porting my product over to 3.6 and I know that there are now input cleaners for $_GET and other commands.

Basically, what I'm trying to do is use the url the person is on to capture a value. So, if they're on the following real url, I want to grab the contest and week values.

http://www.aggiefans.com/forums/vbco...t=TESTA&week=1
(if you visit, ignore the mysql errors. It's because I haven't finished coding the % of votes for the other 14 games).

Then when they submit, I want to record the contest name (TESTA) and the week # (1) to the database (these values are in the url address bar only).

I found that using $contestname = $_GET['contest']; and $week = $_GET['week']; pull the information from the url correctly as I can use it to query. I've pulled out the array using the following ($contestkey is simply "$contestname$week"):

Code:
$contestnameresult = $db->query_first("SELECT contestname FROM " . TABLE_PREFIX . "vbcontest_matchups WHERE contest_key='$contestkey'");
$contestname1 = $contestnameresult['contestname'];
$weekresult = $db->query_first("SELECT weekid FROM " . TABLE_PREFIX . "vbcontest_matchups WHERE contest_key='$contestkey'");
$week1 = $weekresult['weekid'];
If I do a print "$contestname1" it prints TESTA at the top of my page (you can see it on the link above). However, when I write $contestname1 to the database, it comes across blank. Help would be appreciated.

And to clarify, these are my values being written to the database. Every value is being recorded (the 17 others, except the first two).

Code:
$db->query_write ("INSERT INTO " . TABLE_PREFIX . "vbcontest_picks (contestname, weekid, username, userid, game1, game2, game3, game4, game5, game6, game7, game8, game9, game10, game11, game12, game13, game14, game15)

         VALUES ('$contestname1', '$week1', '$yourname', '$yourid', '$radioanswer1', '$radioanswer2', '$radioanswer3', '$radioanswer4', '$radioanswer5', '$radioanswer6', '$radioanswer7', '$radioanswer8', '$radioanswer9', '$radioanswer10', '$radioanswer11', '$radioanswer12', '$radioanswer13', '$radioanswer14', '$radioanswer15')");

#2  pyro.699 (Join Date: Sep 2005, Location: Fredericton, New Brunswick, Posts: 261), 08-06-2006, 11:45 AM

I don't understand your question. But, as for input cleaners, I use it on every $_POST (except $_POST['do']). There is no real reason to have it for a $_GET value, because it's being submitted by your own site, right?

#3  Guest190829 (Guest), 08-06-2006, 11:49 AM

Yes, you need to use the input cleaners to avoid SQL Injections and other security exploits.

#4  aggiefan (Join Date: Apr 2005, Posts: 169), 08-06-2006, 06:23 PM

Quote:
Originally Posted by pyro.699
I don't understand your question. But, as for input cleaners, I use it on every $_POST (except $_POST['do']). There is no real reason to have it for a $_GET value, because it's being submitted by your own site, right?
I'm not sure, which is one reason I'm asking for help. This code worked on vBulletin 3.0, and I'm pretty sure on 3.5, but now it's not. What would I put to pull those values in the URL into variables that can be written to the database?

Again, if I navigate to http://www.aggiefans.com/forums/vbco...t=TESTA&week=1 I would want the variable $contestname1 to write TESTA and $week1 to write 1 to the database.

If they navigate and submit the form from http://www.aggiefans.com/forums/vbco...grocks&week=34 I would want $contestname1 to write vbulletinorgrocks and $week1 to write 34 to the database.

I'm available on Yahoo IM at vlyrockaf if you think it'll be easier to clarify and resolve the problem.

Thanks again for the replies so far.

#5  aggiefan (Join Date: Apr 2005, Posts: 169), 08-08-2006, 03:14 PM

anybody?

#6  Sean S (Join Date: Jan 2004, Location: Chicago, Posts: 301), 08-08-2006, 04:39 PM

I don't know, but can't you just use $_REQUEST instead of $_GET? Maybe something like this would work?

Code:
$vbulletin->input->clean_array_gpc('r', array('action' => TYPE_INT));
$action = $vbulletin->GPC['action'];

#7  aggiefan (Join Date: Apr 2005, Posts: 169), 08-10-2006, 02:32 AM

Just so everybody knows, I finally got this to work. $_GET works just as well as the code above, but I used the above statement anyway. However, that didn't write it to the database.

So, what I did to make it work was pass the output of the input cleaner through the template (but hidden so the user can't touch or change it):

The input cleaners:
Code:
$vbulletin->input->clean_array_gpc('g', array('contest' => TYPE_STR));
$contestname = $vbulletin->GPC['contest'];

$vbulletin->input->clean_array_gpc('g', array('week' => TYPE_STR));
$week = $vbulletin->GPC['week'];
The template
Code:
<input type="hidden" value="$contestname" name="contestname" />
<input type="hidden" value="$week" name="getweek" />
You have to clean that through the form in the PHP file
Code:
$vbulletin->input->clean_array_gpc('p', array(
    'contestname' => TYPE_STR,
    'getweek'     => TYPE_STR,
    // (more array cleaning here...)
));

$contestname1 = $vbulletin->GPC['contestname'];
$currentweek = $vbulletin->GPC['getweek'];
The write to db code:
Code:
$db->query_write("INSERT INTO " . TABLE_PREFIX . "xxx (............)
         VALUES ('$contestname1', '$currentweek')");
So basically, pass the input cleaner's output through the template to submit it as part of the form (when they hit submit)...

Even though the posts above didn't directly help, they got me thinking -- so thanks to all who posted. Hope the above makes sense and helps somebody.
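An added example, not code from the thread, that covers both the question in posts #2 and #3 (does a $_GET value need the cleaner?) and the hidden-field round trip in post #7. Hidden inputs are part of the form the client submits, so the POSTed contestname/getweek pair is exactly as untrusted as the original query string; the example therefore runs the same typed cleaning on both requests, checks the pair against the matchups table each time, and escapes every string before it goes into SQL. Assumptions: it runs inside a vBulletin 3.6 page after require_once('./global.php'), so $vbulletin and $db exist; the table and column names are the ones named in the thread (vbcontest_matchups, vbcontest_picks, contest_key, contestname, weekid, game1..game3); the fetch_matchup() helper, the do=submitpicks value and the three-game form are this example's own choices.

```php
<?php
// Added example, not code from the thread. A vBulletin 3.6 page that reads
// ?contest=...&week=... on GET, carries the pair through the form, and
// validates it again on POST before writing picks. Assumed: it runs after
// require_once('./global.php') so $vbulletin and $db exist; the table and
// column names come from the thread (vbcontest_matchups, vbcontest_picks,
// contest_key, contestname, weekid, game1..game3); the do=submitpicks value
// and the three-game form are this example's own choices.
//
// Why $_GET needs the cleaner too. The original code built
//     $contestkey = $_GET['contest'] . $_GET['week'];
//     ... WHERE contest_key='$contestkey'
// so the constructed URL  ?contest=TESTA'+OR+'1'%3D'1&week=  produces
//     WHERE contest_key='TESTA' OR '1'='1'
// which matches every row. A URL is typed by whoever sends the request;
// "submitted by your own site" does not make it trusted.

// Helper (this example's own): fetch the matchup row for a contest/week pair.
// The cleaner fixes the *type* of each value, but a string may still contain
// quotes, so it is escaped before it is interpolated into SQL.
function fetch_matchup($db, $contestname, $week)
{
    $contestkey = $db->escape_string($contestname . $week);
    return $db->query_first("
        SELECT contestname, weekid
        FROM " . TABLE_PREFIX . "vbcontest_matchups
        WHERE contest_key = '$contestkey'
    ");
}

if (isset($_POST['do']) AND $_POST['do'] == 'submitpicks')
{
    // 'p' = $_POST. The hidden fields are part of the client-submitted form and
    // can be edited like any other field, so they get the same typed cleaning
    // the query string got. TYPE_UINT turns anything non-numeric into 0.
    $vbulletin->input->clean_array_gpc('p', array(
        'contestname' => TYPE_NOHTML,
        'getweek'     => TYPE_UINT,
        'game1'       => TYPE_UINT,
        'game2'       => TYPE_UINT,
        'game3'       => TYPE_UINT,
    ));

    // Re-check the posted pair against the matchups table and write the
    // contest name and week from that row, not the posted strings.
    $matchup = fetch_matchup($db, $vbulletin->GPC['contestname'], $vbulletin->GPC['getweek']);
    if (!$matchup)
    {
        eval(standard_error('Unknown contest or week.'));
    }

    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "vbcontest_picks
            (contestname, weekid, userid, game1, game2, game3)
        VALUES (
            '" . $db->escape_string($matchup['contestname']) . "',
            " . intval($matchup['weekid']) . ",
            " . intval($vbulletin->userinfo['userid']) . ",
            " . intval($vbulletin->GPC['game1']) . ",
            " . intval($vbulletin->GPC['game2']) . ",
            " . intval($vbulletin->GPC['game3']) . "
        )
    ");
}
else
{
    // 'g' = $_GET. TYPE_NOHTML HTML-encodes the contest name so it can be
    // echoed into the template; TYPE_UINT makes week a non-negative integer.
    $vbulletin->input->clean_array_gpc('g', array(
        'contest' => TYPE_NOHTML,
        'week'    => TYPE_UINT,
    ));
    $contestname = $vbulletin->GPC['contest'];
    $week        = $vbulletin->GPC['week'];

    $matchup = fetch_matchup($db, $contestname, $week);
    if (!$matchup)
    {
        eval(standard_error('Unknown contest or week.'));
    }

    // The template's form then carries the pair back, as in post #7:
    //   <input type="hidden" name="do" value="submitpicks" />
    //   <input type="hidden" name="contestname" value="$contestname" />
    //   <input type="hidden" name="getweek" value="$week" />
}
```

The reason the original values came across blank is that the form's POST does not carry the query string of the page it was shown on, so $_GET['contest'] is empty at write time; hidden fields are one way to carry the pair, and keeping it in the form's action URL (action="...?contest=$contestname&week=$week") is another, in which case the 'g' cleaning above runs on both requests. Either way the values arrive from the client and get the same cleaning, lookup and escaping.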

#8  Sean S (Join Date: Jan 2004, Location: Chicago, Posts: 301), 08-10-2006, 05:17 PM

nice job aggiefan

#9  aggiefan (Join Date: Apr 2005, Posts: 169), 08-10-2006, 10:31 PM

Just hope somebody finds it useful.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.