I was wondering if someone would look over this code and tell me if it is secure to use? As in its coded to the standards of 3.7.1.
PHP Code:
<?php
// ######################## SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
@set_time_limit(0);
// #################### PRE-CACHE TEMPLATES AND DATA ######################
$phrasegroups = array('style');
$specialtemplates = array('products');
// ########################## REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/adminfunctions_template.php');
$id = $vbulletin->input->clean_gpc('r', 'id', TYPE_INT);
switch ( $_REQUEST['do'] )
{
case 'add':
print_add_form( $id );
break;
case 'update':
do_add_sql( $id );
break;
default:
print_main_form();
}
function do_add_sql( $id = 0 )
{
global $vbulletin;
$url = $vbulletin->input->clean_gpc('r', 'url', TYPE_STR);
$image = $vbulletin->input->clean_gpc('r', 'image', TYPE_STR);
$title = $vbulletin->input->clean_gpc('r', 'title', TYPE_STR);
print_cp_header();
print_table_start();
print_table_header("Ad Management");
echo '<tr><td class="alt1" colspan="2">';
echo 'Adding --' . $url . '....<br/>';
if ( $id == 0 )
{
$sql ='INSERT INTO ' . TABLE_PREFIX . 'ads (url,image,title) VALUES ("' . $url . '","' . $image . '","' . $title . '")';
} else {
$sql ="UPDATE " . TABLE_PREFIX . "ads SET url='".$url."', image='".$image."',title='".$title."' WHERE id=" . $id;
}
$foo = $vbulletin->db->query_write($sql);
echo '</td></tr>';
print_table_footer(2, '', '', 0);
}
function print_add_form( $id = 0 )
{
global $vbulletin;
if ( $id > 0 )
{
$sql ='SELECT * FROM ' . TABLE_PREFIX . 'ads WHERE id=' . $id;
$foo = $vbulletin->db->query_first($sql);
}
print_cp_header();
print_table_start();
print_table_header("Sponsored Ad Management");
print_form_header('ad_management', 'update');
print_input_row('URL to Link to', 'url', $foo['url']);
print_input_row('Image Location', 'image', $foo['image']);
print_input_row('HoverOver ToolText', 'title', $foo['title']);
if ( $id > 0 )
{
echo '<input type="hidden" name="id" value="'.$id.'" />';
}
print_submit_row();
}
function print_main_form()
{
global $vbulletin;
$sql ='SELECT id,url FROM ' . TABLE_PREFIX . 'ads';
$foo = $vbulletin->db->query_read($sql);
print_cp_header();
print_table_start();
print_table_header("Ad Management");
while ($var = $vbulletin->db->fetch_array($foo))
{
$id = $var['id'];
$url = '<a href="ad_management.php?do=add&id=' . $id . '">' . $var['url'] . '</a>';
print_label_row($id, $url, '', 'middle', null, false);
}
print_table_footer(2, '', '', 0);
}
?>
Thanks,
Itworx4me