SOLVED! - starting help, using php <-> templates <-> db

[Lynne]

When you just do a query (query_read), the result is just a pointer to where that data is. You then need to tell it that you would like to please see the actual data. You do that with fetch_array or similar. vBulletin does have a special way of doing both of those steps together if the result is just one item. That would be query_first in place of query_read.

[Vaupell]

so your saying i need to

1) Query
$getcontentA= $vbulletin->db->query_first(" ....

2) Start an array ?
while ($data = $vbulletin->db->fetch_array($getcontentB){

3) Then eval
eval('$data.= "' . fetch_template('test_testa') .'";');

4) end the while
}

Just to display a single row of colums, which i allready have selected in the query using WHERE.

... well of to bed, dosent make sence at all.

EDIT just tryed something else..

PHP Code:

$result = $vbulletin->db->query_read("SELECT RID, Rtitle, Rdesc, Rscore, Ruid, Rlink, FROM " . TABLE_PREFIX ."evireviewpost WHERE RID = 1");
while ($row = $db->fetch_array($result))
{
    $rowid = $row['RID']; 
    $Rtitle = $row['Rtitle']; 
    $Rdesc = $row['Rdesc']; 
    $Rscore = $row['Rscore']; 
    $Ruid = $row['Ruid']; 
    $Rlink = $row['Rlink']; 
    eval('print_output .= "' . fetch_template('test_testa') . '";');
} 


But this just gives me a unspecified error at last line ?> EDIT 2, ; error,, parseing,

getting db errro instead. 'FROM evireviewpost WHERE RID = 1' at line 1
just checking this out..
EDIT 3 DB error sorte, its now working..

back to a "blank" page as result.. lol wTH..

working query

PHP Code:

$result = $vbulletin->db->query_read("SELECT RID, Rtitle, Rdesc, Rscore, Ruid, Rlink FROM " . TABLE_PREFIX . "evireviewpost WHERE RID = 1");
while ($row = $vbulletin->db->fetch_array($result))
{
    $rowid = $row['RID']; 
    $Rtitle = $row['Rtitle']; 
    $Rdesc = $row['Rdesc']; 
    $Rscore = $row['Rscore']; 
    $Ruid = $row['Ruid']; 
    $Rlink = $row['Rlink']; 
    eval('$row .= "' . fetch_template('test_testa') .'";');
} 


partial from the template

Code:

	<td class="tcat"> TEST </td>
</tr><tr>
<td> $rowid - $Rdesc</td>
</tr><tr>
<td> normal text </td>

--------------- Added [DATE]1234656725[/DATE] at [TIME]1234656725[/TIME] ---------------

allright GOT IT WORKING..

ADDED php]eval('print_output("' . fetch_template('test_testa') . '");');[/php]
at the end,, taddaa it "pint" the whole ting.

omg, crazy,, i think i got it..

[Lynne]

Um, what I said at the end was to get just one result, use query_first instead of query_read. If it was several rows you were after, you would need to do the while statement.

[Dismounted]

Reading and wrapping your head around vBulletin's default code will get you some good knowledge. Also see the vBulletin Code Standards section of the vBulletin Manual.

[Vaupell]

well i figured out to get a list diplayed proberly,

using

Code:

		eval('$tabel_list .= "' . fetch_template('test_testtabel') .'";');

and the $tabel_testtabel ONLY contains the table formatting not table begin or end

then i made ANOTHER template named test_testa and i place a link/hook/ahm location
named $tabel_testtabel where i wanted the list displayed and it actually works.

which means i really only need one main template with the reference to the
others, and call them from the php file, depending what im trying to display.

Gonna make a complete mini test mod now


@Dismounted : yep, thats where i got the final solution
was looking through the forumhome and trying to figure out how it
shows the categories.

just going back and forth until it made some sort of sense.. !

next step - adding user imput to the db with sql injection protection.

[Dismounted]

Quote:

Originally Posted by Vaupell

next step - adding user imput to the db with sql injection protection.

"SQL injection protection" shouldn't really be an afterthought - it should already be part of your habits. However, the "Creating Secure Mods" article will get you started.

[Vaupell]

Quote:

Originally Posted by Dismounted

"SQL injection protection" shouldn't really be an afterthought - it should already be part of your habits. However, the "Creating Secure Mods" article will get you started.

im a newb

i now use
'Rdesc' => TYPE_NOHTML,
when getting data from user
and when running query i use

WHERE RUID = '" . $db->escape_string($vbulletin->GPC['RUID']) . "'"

[Dismounted]

TYPE_NOHTML should be used when you are not entering data into the database, but displaying it. You should be using TYPE_STR, and use htmlspecialchars_uni() when fetching and displaying the data.

[Vaupell]

Quote:

Originally Posted by Dismounted

TYPE_NOHTML should be used when you are not entering data into the database, but displaying it. You should be using TYPE_STR, and use htmlspecialchars_uni() when fetching and displaying the data.

ahh thats how its supposed to be understod.. tx was confused by the article.

Exsample..

- retrive data

PHP Code:

$result = $vbulletin->db->query_read("SELECT someinfo, ...........

// run the array

while ($row = $vbulletin->db->fetch_array($result))
  {
    $Rtitle = htmlspecialchars_uni($row['someinfo'])
  } 


And when reciving it from a user to add to the db
i would do

PHP Code:

    $vbulletin->input->clean_array_gpc('p', array(
        'someinfo'             => TYPE_STR,

$someinfo =& =& htmlspecialchars_uni($vbulletin->GPC['someinfo']);

$db->query_write("INSERT ignore into table someinfo.................. 


does this also secure agains XSS crazy people ?

[Dismounted]

You don't use htmlspecialchars() when inserting into the DB.

PHP Code:

$someinfo = $db->escape_stting($vbulletin->GPC['someinfo']);