vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions

How 2 Insert Data Into Forum's Database Via A Form

#1 - 08-30-2009, 06:17 PM - Come2Daddy (Join Date: May 2008, Posts: 128)

Hello there

Actually I've been trying to code some modification, which requires a member to fill in a form on a vBulletin-powered page; this form collects data & inserts it into the database.

However it turned out that I'm not qualified enough to bring my idea to life.
So I had to ignore lots of quality standards such as normalization & other security issues, & I couldn't; finally I thought that the best way to get started was by making a very simple version of my idea, hence I created a very simple table called testtable with just 2 columns: one was id, & the other was testcolumn

The id column was the primary key & auto-incremented; the other (i.e., testcolumn) was varchar with a length of 100


and I made my page as explained here on vb.org, and here is my code:

PHP Code:
<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE & ~8192);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'test'); // change this depending on your filename

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array(

);

// get special data templates from the datastore
$specialtemplates = array(

);

// pre-cache templates used by all actions
$globaltemplates = array(
    'TEST',
);

// pre-cache templates used by specific actions
$actiontemplates = array(

);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$navbits = array();
$navbits[$parent] = 'Test Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('TEST') . '");');

$testtable = "testtable";
$testform = $_POST['testform'];
if ($_REQUEST['do'] == "save")
{
    $db->query_write("INSERT INTO " . TABLE_PREFIX . "" . $testtable . "(testcolumn) VALUES (" . $testform . ")");
}

?>

associated with this template called TEST


HTML Code:
$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header

$navbar

<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
<tr>
    <td class="tcat">Title</td>
</tr>
<tr>
    <td class="alt1"><form name="someform" method="POST" action="test.php?do=save">
    <table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" border="0" width="100%" align="center">
        
        <tr>
            <td class="alt2" align="center">The Test Form</td>
            <td class="alt2" align="center">
            <input size="20" name="testform" dir="rtl"></td>
        </tr>
        
        <tr>
            <td cellpadding="$stylevar[cellpadding]" cellspacing="$stylevar[cellspacing]" colspan="2" class="tfoot" align="center">
            <input type="submit" value="Submit"></td>
        </tr>
  </table>
</form></td>
</tr>
</table>

$footer
</body>
</html>
but every time I try to insert data I don't find any data inserted in this testtable, even though when I try to insert it through phpMyAdmin it looks just fine: I put data only in the testcolumn field and I find the table filled in both the id & testcolumn fields, the id value is incremented and everything looks just fine

Conclusion: I hope to get help with inserting data through a form into the database, just like what I'm trying to do.

waiting for your help, guys

thanks in advance
#2 - 09-04-2009, 04:52 PM - Come2Daddy (Join Date: May 2008, Posts: 128)

Is my question that difficult, or is it constructed wrong or in an inappropriate forum??

Anyway, is it related to the data manager?? So data can't be inserted without data manager techniques??? Any hint please??
#3 - 09-05-2009, 04:32 AM - Dismounted (Join Date: Jun 2005, Location: Melbourne, Australia, Posts: 15,047)

You need to do your inserting before any print_output() calls. print_output() will immediately end the execution of the script.

Also, your script will be vulnerable to SQL injection attacks. You must escape any data inserted into a database with escape_string() (except for confirmed integers).
#4 - 09-05-2009, 05:09 AM - Come2Daddy (Join Date: May 2008, Posts: 128)

well, I'm not concerned about any injection threats right now, so let us concentrate on the simple inserting process only.
I wonder how I can bring the form template into my custom page without the print_output() function

of course the inserting is going to happen after hitting the submit button, but the submit button & its form won't be shown without fetching its template by calling the print_output() function

--------------- Added 09-05-2009, 07:28 AM (timestamp 1252135692) ---------------

I managed to change this fragment:
PHP Code:
$navbits = array();
$navbits[$parent] = 'Test Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('TEST') . '");');

$testtable = "testtable";
$testform = $_POST['testform'];
if ($_REQUEST['do'] == "save")
{
    $db->query_write("INSERT INTO " . TABLE_PREFIX . "" . $testtable . "(testcolumn) VALUES (" . $testform . ")");
}

by this fragment:

PHP Code:
$navbits = array();
$navbits[$parent] = 'Test Page';

$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');

$testtable = "testtable";
$testform = $_POST['testform'];
if ($_REQUEST['do'] == "add")
{
    eval('print_output("' . fetch_template('TEST') . '");');
}
elseif ($_REQUEST['do'] == "save")
{
    $vbulletin->input->clean_array_gpc('p', array(
        'testform' => TYPE_STR
    ));

    $db->query_write("INSERT INTO " . TABLE_PREFIX . "" . $testtable . "(testcolumn) VALUES (" . $vbulletin->GPC['testform'] . ")");
}


so when I take my browser to test.php it doesn't show the template, however when I go to test.php?do=add it shows me the form

and of course the action of the form, test.php?do=save, should not show any template, but every time I try to insert data it gives me an SQL syntax error; if you have any idea about how to overcome it
#5 - 09-05-2009, 05:29 PM - Lynne (Join Date: Sep 2004, Location: California/Idaho, Posts: 41,180)

If you want to show the form after they hit save, then don't put the do==add around that eval statement and put it at the end of the page, after the do==save part.

As for the mysql error, if you don't tell us what it is, we can't help you with it.
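Putting Dismounted's and Lynne's replies together, here is an added example (my code, not code from this thread or from vBulletin) of the OP's test.php restructured: the do=save branch runs first, the posted value is passed through escape_string() and quoted, and the TEST template is printed last so the form shows again after a save. It assumes the thread's testtable table (id, testcolumn) and TEST template, the vBulletin 3.8 API for clean_array_gpc() and $db->escape_string(), and a hypothetical $message variable that the TEST template may choose to display.

```php
<?php
// Added example, not the thread's code: the OP's test.php restructured along
// the lines of replies #3 and #5. Assumes the thread's `testtable` (id,
// testcolumn) and TEST template exist and a vBulletin 3.8 install.

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE & ~8192);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'test');

// ################### PRE-CACHE TEMPLATES AND DATA ######################
$phrasegroups     = array();
$specialtemplates = array();
$globaltemplates  = array('TEST');
$actiontemplates  = array();

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');

// ######################## START MAIN SCRIPT ############################

// 1. Read the request through the input cleaner so every value has a known type.
//    'r' reads $_REQUEST, 'p' reads $_POST.
$vbulletin->input->clean_array_gpc('r', array(
    'do' => TYPE_STR,
));
$vbulletin->input->clean_array_gpc('p', array(
    'testform' => TYPE_STR,
));

// Hypothetical variable the TEST template could show (assumption of this example).
$message = '';

// 2. Do the database work BEFORE any print_output() call: print_output() ends
//    the script, which is why the OP's original insert never ran.
if ($vbulletin->GPC['do'] == 'save')
{
    // TYPE_STR only trims; it does not make the value safe to splice into SQL.
    // escape_string() neutralises quotes and backslashes, and the value is
    // wrapped in single quotes because testcolumn is a VARCHAR.
    $value = $db->escape_string($vbulletin->GPC['testform']);

    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "testtable (testcolumn)
        VALUES ('" . $value . "')
    ");

    $message = 'Your input has been saved.';
}

// 3. Build the navbar and render the form last, after the save branch.
$navbits = array();
$navbits[$parent] = 'Test Page';
$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('TEST') . '");');
?>
```

The form in the thread's TEST template can keep posting to test.php?do=save unchanged: with this ordering the insert happens, then the same template is rendered again with $message available to it.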
#6 - 09-05-2009, 06:55 PM - Come2Daddy (Join Date: May 2008, Posts: 128)

Well, I think of making a template that tells the user that his input has been inserted into the database,
so let's say this template has the name test_user_message

then after query insert statement I'd put this statement

PHP Code:
eval('print_output("' . fetch_template('test_user_message') . '");');
but what I really would like to concentrate on, right now, is inserting data into the database table

here is the error message it shows me:
Code:
Database error in vBulletin 3.8.4:

Invalid SQL:
INSERT INTO testtable(testcolumn) VALUES (How could it work);

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'could it work)' at line 1
Error Number  : 1064
#7 - 09-05-2009, 07:08 PM - Lynne (Join Date: Sep 2004, Location: California/Idaho, Posts: 41,180)

I think you need quotes around the string that you are inserting.
#8 - 09-05-2009, 11:21 PM - Come2Daddy (Join Date: May 2008, Posts: 128)

beautiful, Lynne, data has been inserted now

after changing this:

PHP Code:
VALUES (" . $vbulletin->GPC['testform'] . "
by this

PHP Code:
VALUES ('" . $vbulletin->GPC['testform'] . "'
as you recommended, thanks a lot guys, Dismounted & Lynne
#9 - 09-06-2009, 01:43 AM - Dismounted (Join Date: Jun 2005, Location: Melbourne, Australia, Posts: 15,047)

Again - I'll stress that security should not be an afterthought, you should be applying it while programming. Your script is still vulnerable to SQL injections.
#10 - 09-06-2009, 02:20 AM - Come2Daddy (Join Date: May 2008, Posts: 128)

thanks for your care, but did you notice that I used this function:

PHP Code:
$vbulletin->input->clean_array_gpc() 
so the input becomes:

PHP Code:
$vbulletin->GPC['testform']
instead of:

PHP Code:
$testform 
do you recommend more security restrictions? What exactly?
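What "more" means here, as an added example that is not from the thread: clean_array_gpc() with TYPE_STR only trims the value and does no SQL escaping, so the quoted query from post #8 still breaks on any input that contains an apostrophe, which is the gap Dismounted keeps pointing at. This stand-alone PHP builds the two SQL strings offline without a vBulletin install; addslashes() is used only as a stand-in for $db->escape_string() so the file runs anywhere (an assumption for the demo, not a replacement for the real, connection-aware call), and the input O'Brien is a constructed sample.

```php
<?php
// Added example, not from the thread. Shows the SQL that post #8's code builds
// (quoted, trimmed, NOT escaped) next to the escaped form Dismounted asked for.

// The statement as post #8 builds it: TYPE_STR trims, then the value is quoted.
function build_unescaped($input)
{
    return "INSERT INTO testtable (testcolumn) VALUES ('" . trim($input) . "')";
}

// The statement with the value also passed through an escaper (escape_string()
// in a real vBulletin page; $escaper is any callable with the same contract).
function build_escaped($input, $escaper)
{
    return "INSERT INTO testtable (testcolumn) VALUES ('" . $escaper(trim($input)) . "')";
}

// Stand-in escaper for running this file offline (assumption: addslashes() is
// not charset-aware; in test.php keep using $db->escape_string()).
$standin_escaper = 'addslashes';

// Constructed sample input: an ordinary surname containing an apostrophe.
$input = "O'Brien";

echo build_unescaped($input), "\n";
echo build_escaped($input, $standin_escaper), "\n";
```

With the sample input, the first string contains a bare apostrophe inside the quoted literal, so the literal ends after the O and MySQL rejects the rest with the same error 1064 seen in post #6; any input shaped to be valid SQL after that point would instead change what the statement does. The second string carries the apostrophe as an escaped character inside the literal, so it is stored as data. The type-cleaning step is still worth keeping, it just solves a different problem (known types, trimming) from SQL escaping.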
All times are GMT.