The Arcive of Official vBulletin Modifications Site.

Kirk Y · #1 05-27-2006, 01:01 AM

Hey gents. Okay, I've got a text field whose data is being retrieved via $_POST[message]. I'm inserting its contents into a DB using:

PHP Code:


			
$db->query_write("INSERT INTO table_name (user, message, date) VALUES 

('$username', '$message', '$date')");

Everything works dandy -- that is, until someone inputs a single/double quote! Eeek! I've been trying different solutions, but as of yet, have had no success whatsoever. I'm almost ready to pull my hair out, all the stripslashes, addslashes, preg_replace... ack! Please someone lend an assist!

Adrian Schneider · #2 05-27-2006, 01:48 AM

PHP Code:


			
$db->query_write("
    INSERT INTO table_name
        (user, message, date)
    VALUES (
        '" . $db->escape_string($username) . "',
        '" . $db->escape_string($message) . "',
        '" . $db->escape_string($date) . "'
    )
");

You probably won't have to escape $date though (you should be saving it as a Unix timestamp).

Edit: instead of using raw $_POST values, use vBulletin's cleaning functions (read more here: https://vborg.vbsupport.ru/showthread.php?t=98047).

Kirk Y · #3 05-27-2006, 02:25 AM

Thanks SirAdrian. I got the stripping half of your post working great, but I'm having some trouble with the cleaning functions. It'll post the submitted text, but if the text contains any ' or ", it won't be outputted.

PHP Code:


			
$message2 =& $vbulletin->input->clean_gpc('p', 'message', TYPE_NOTRIM);



if(isset($_POST[info])){

  $F43296slq = $db->query_write("

    INSERT INTO blastmsg

        (user, message, date)

    VALUES (

        '" . $db->escape_string($username) . "',

        '" . $db->escape_string($vbulletin->GPC['message']) . "',

        '" . $db->escape_string($date) . "'

    )

");

Let me see if I'm understanding this right:

Code:

$message2 = $vbulletin->input->clean_gpc('p', 'message', TYPE_NOTRIM);

'p' refers to $_POST
'message' refers to the name I've given to my textfield (equivalent to $_POST[message]
TYPE_NOTRIM refers to a regular 'ol string, is that what I should be using?

Thanks for you help, though.

Adrian Schneider · #4 05-27-2006, 02:43 AM

If you use clean_array_gpc() it sends it to $vbulletin->GPC, but if you use clean_gpc() it just returns it (in your case to $message2). You should probably use TYPE_STR or TYPE_NOHTML depending on your needs (it is usually good to have the string trimmed!). Your code looks fine, just change $vbulletin->GPC['message'] to $message2.

Kirk Y · #5 05-27-2006, 02:51 AM

Oh, didn't have time to edit. The code was fine, it was an error on my part in regard to my SELECT query used to pull the data from the database. Up until now, I was just selecting the data by it's timestamp, but as it only goes out to minutes, if two messages were posted within that same minute, the SELECT query would choose the previous one, instead of the most recent. I fixed that now with an auto_increment column. The strange thing though, I was using $message2 originally, but it wouldn't show up -- after I looked in the vB.com manual supplied in the thread you gave me, I tried using $vbulletin->GPC and that worked.

Thanks again for all your help, it's working swimmingly now!

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.03908 seconds Memory Usage 2,210KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (3)bbcode_php (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (5)post_thanks_box (5)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (5)post_thanks_postbit_info (5)postbit (5)postbit_onlinestatus (5)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!