The Arcive of Official vBulletin Modifications Site.

kobescoresagain · #1 06-19-2006, 03:24 PM

I have some posts variables that would be like this
$_POST[name1]
$_POST[name2]
$_POST[name3]
$_POST[name4]
$_POST[name5]
$_POST[name6]
$_POST[name7]
$_POST[name8]
$_POST[name9]

I want to loop through them. I will alays know how many there will be. I was trying to do something like
$_POST[name$i]
then increment through. But that won't work. What do I need to do?

MarkPW · #2 06-19-2006, 03:35 PM

$_POST[name$i] won't work.. try this way: $_POST['name'.$i]

kobescoresagain · #3 06-19-2006, 03:44 PM

$sql = "UPDATE user SET username = \"$_POST['username'.$i]\", access = \"$_POST['access'.$i]\", owner= \"$_POST['owner'.$i]\" WHERE id= \"$_POST['userid'.$i]\"";

I tried that and got this error Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING the error is on that line for sure

MarkPW · #4 06-19-2006, 04:07 PM

Change to:

PHP Code:


			
$sql = "UPDATE user SET username = \"".$_POST['username'.$i]."\", access = \"".$_POST['access'.$i]."\", owner= \"".$_POST['owner'.$i]."\" WHERE id= \"".$_POST['userid'.$i]."\"";

Paul M · #5 06-19-2006, 04:12 PM

You need to escape the input first to avoid SQL injections.

The Geek · #6 06-19-2006, 04:17 PM

on a side note... at the very LEAST you should be running them through addslahes() if not $db->escape_string() (which is better).

Otherwise you have a gargantuan security hole there.

Your best bet is something like this (assuming its vb integrated)

PHP Code:


			
    $vbulletin->input_clean_array_gpc('p', array(

        'name1'    => TYPE_STR,

        'name2'    => TYPE_STR,

        'name3' => TYPE_STR,

        'name4' => TYPE_STR,

        'name5' => TYPE_STR,

        'name6' => TYPE_STR,

        'name7' => TYPE_STR,

        'name8' => TYPE_STR,

        'name9' => TYPE_STR,

    );



    $name1 = $db->escape_string($vbulletin->GPC['name1']);

    ...etc...



    $sql = "UPDATE " . TABLE_PREFIX . "mytable SET name1='$name1' WHERE id=1";

However if I understand what youre trying to do, I would suggest posting the variables like this:

Code:

<input type="text" name="name[1]" value="" />

Then do this to catch and cleanse:

PHP Code:


			
    $vbulletin->input_clean_array_gpc('p', array(

        'name'    => TYPE_ARRAY_STR,

    );



    $prepped_name = array();



    if (is_array($vbulletin->GPC['name']))

    {

        foreach($vbulletin->GPC['name'] as $key => $value)

        {

            $prepped_name[$key] = $db->escape_string($value);

        }

    }

Thats just off the cuff, so dont quote me on that... just trying to help

kobescoresagain · #7 06-19-2006, 04:21 PM

Ya, Iw ould have done this differently if I was doing it from the beginning. But I am finishing something someone else started. I figured it out withyour guys help. Thanks

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.09616 seconds Memory Usage 2,234KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (3)bbcode_php (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (7)post_thanks_box (7)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (7)post_thanks_postbit_info (7)postbit (7)postbit_onlinestatus (7)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!