The Arcive of Official vBulletin Modifications Site.

vietfancy · #1 11-25-2009, 05:56 PM

is there anything wrong with this code, if there is please point it out for me. Thanks

PHP Code:


			
   if (isset($_POST["submit"])){

    $id=$_POST["id"];

    $day=$_POST["day"];

    $time=$_POST["time"];

    $ampm=$_POST["ampm"];

    $class=$_POST["class"];

    $level=$_POST["level"];

    $instructor=$_POST["instructor"];

    $link=$_POST["link"];

    $display=$_REQUEST["display"];

    $live=$_POST["live"];

      //replace classes



    $db->query_write("UPDATE " . TABLE_PREFIX . "schedule SET day = $day, time = $time, ampm = $ampm, class = $class, level = $level, instructor = $instructor, link = $link, display = $display, live = $live WHERE id=$id")or die(mysql_error());

         $done = "Schedule updated";

         header("location: index.php?do=submit");

    }

Lynne · #2 11-25-2009, 06:02 PM

You should be running all your variables through the vbulletin cleaner - https://vborg.vbsupport.ru/showthread.php?t=154411

vietfancy · #3 11-25-2009, 07:00 PM

so instead of the code above. you want me to use this below? I tried to replace it. But it still doesn't do the trick.

PHP Code:


			
$vbulletin->input->clean_array_gpc('p', array(
    'day' => TYPE_NOHTML,
    'time' => TYPE_NOHTML,
    'ampm' => TYPE_NOHTML,
    'class' => TYPE_NOHTML,
    'level' => TYPE_NOHTML,
    'instructor' => TYPE_NOHTML,
    'link' => TYPE_NOHTML,
    'display' => TYPE_NOHTML,
    'live' => TYPE_NOHTML,
    'id' => TYPE_INT
));

    $day = $vbulletin->input->clean_gpc('p', 'day', TYPE_NOHTML);
    $time = $vbulletin->input->clean_gpc('p', 'time', TYPE_NOHTML);
    $ampm = $vbulletin->input->clean_gpc('p', 'ampm', TYPE_NOHTML);
    $class = $vbulletin->input->clean_gpc('p', 'class', TYPE_NOHTML);
    $level = $vbulletin->input->clean_gpc('p', 'level', TYPE_NOHTML);
    $instructor = $vbulletin->input->clean_gpc('p', 'instructor', TYPE_NOHTML);
    $link = $vbulletin->input->clean_gpc('p', 'link', TYPE_NOHTML);
    $display = $vbulletin->input->clean_gpc('p', 'display', TYPE_NOHTML);
    $live = $vbulletin->input->clean_gpc('p', 'live', TYPE_NOHTML);
    $id = $vbulletin->input->clean_gpc('p', 'id', TYPE_UINT);
    
$db->query_write("
    UPDATE " . TABLE_PREFIX . "schedule SET
        day = '" . $db->escape_string($vbulletin->GPC['day']) . "',
        time = '" . $db->escape_string($vbulletin->GPC['time']) . "',
        ampm = '" . $db->escape_string($vbulletin->GPC['ampm']) . "',
        class = '" . $db->escape_string($vbulletin->GPC['class']) . "',
        level = '" . $db->escape_string($vbulletin->GPC['level']) . "',
        instructor = '" . $db->escape_string($vbulletin->GPC['instructor']) . "',
        link = '" . $db->escape_string($vbulletin->GPC['link']) . "',
        display = '" . $db->escape_string($vbulletin->GPC['display']) . "',
        live = '" . $db->escape_string($vbulletin->GPC['live']) . "',
    WHERE id = " . $vbulletin->GPC['id'] . "
");

Lynne · #4 11-25-2009, 07:54 PM

You never said anything was wrong, you just asked *if* anything was wrong and I told you that you at least need to secure it by running it through the cleaner. What is wrong?

And once you've assigned it ($day = ....), then you can just use that variable $day.

This is actually the article I meant to link you to, sorry - https://vborg.vbsupport.ru/showthrea...hlight=cleaner

vietfancy · #5 11-25-2009, 08:53 PM

here is what i'm trying to do. I try to edit/modify/update a class from the schedule table.

So far i have:
http://qtresources.com/tienganh/ese/schedule.php << working fine
http://qtresources.com/tienganh/ese/schedule.php?do=add << working fine
http://qtresources.com/tienganh/ese/...e.php?do=admin << everything is ok, but when I tried to edit a class....I'm able to pull it up, but when i submit it, nothing change.

ex: http://qtresources.com/tienganh/ese/...?do=edit&id=49

here is my php code:

PHP Code:


			
// Show Edit Page
if ($ese_schedule['do'] == "edit"){

   if (!isset($_POST["submit"])){
       $id = $_REQUEST["id"];
    $result = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "schedule WHERE id=$id");
    while($r = $db->fetch_array($result)){
        $day = "$r[day]";
        $time = "$r[time]";
        $ampm = "$r[ampm]";
        $class = "$r[class]";
        $level = "$r[level]";
        $instructor = "$r[instructor]";
        $link = "$r[link]";
        $live = "$r[live]";
        $display = "$r[display]";}
   }

   if (isset($_POST["submit"])){
//    $id=$_POST["id"];
//    $day=$_POST["day"];
//    $time=$_POST["time"];
//    $ampm=$_POST["ampm"];
//    $class=$_POST["class"];
//    $level=$_POST["level"];
//    $instructor=$_POST["instructor"];
//    $link=$_POST["link"];
//    $display=$_REQUEST["display"];
//    $live=$_POST["live"];
    
    // new code
$vbulletin->input->clean_array_gpc('p', array(
    'day' => TYPE_STR,
    'time' => TYPE_STR,
    'ampm' => TYPE_STR,
    'class' => TYPE_STR,
    'level' => TYPE_STR,
    'instructor' => TYPE_STR,
    'link' => TYPE_STR,
    'display' => TYPE_STR,
    'live' => TYPE_STR,
    'id' => TYPE_INT,
));

 // check for missing fields
if (empty($vbulletin->GPC['day'])
OR empty($vbulletin->GPC['time'])
OR empty($vbulletin->GPC['ampm'])
OR empty($vbulletin->GPC['class']))
OR empty($vbulletin->GPC['level'])
OR empty($vbulletin->GPC['instructor'])
OR empty($vbulletin->GPC['link']))
OR empty($vbulletin->GPC['display'])
OR empty($vbulletin->GPC['live'])
)
{
// show message
}
    $day = $vbulletin->input->clean_gpc('p', 'day', TYPE_STR);
    $time = $vbulletin->input->clean_gpc('p', 'time', TYPE_STR);
    $ampm = $vbulletin->input->clean_gpc('p', 'ampm', TYPE_STR);
    $class = $vbulletin->input->clean_gpc('p', 'class', TYPE_STR);
    $level = $vbulletin->input->clean_gpc('p', 'level', TYPE_STR);
    $instructor = $vbulletin->input->clean_gpc('p', 'instructor', TYPE_STR);
    $link = $vbulletin->input->clean_gpc('p', 'link', TYPE_STR);
    $display = $vbulletin->input->clean_gpc('p', 'display', TYPE_STR);
    $live = $vbulletin->input->clean_gpc('p', 'live', TYPE_STR);
    $id = $vbulletin->input->clean_gpc('p', 'id', TYPE_INT);
    
$db->query_write("
    UPDATE " . TABLE_PREFIX . "schedule SET
        day = '" . $db->escape_string($vbulletin->GPC['day']) . "',
        time = '" . $db->escape_string($vbulletin->GPC['time']) . "',
        ampm = '" . $db->escape_string($vbulletin->GPC['ampm']) . "',
        class = '" . $db->escape_string($vbulletin->GPC['class']) . "',
        level = '" . $db->escape_string($vbulletin->GPC['level']) . "',
        instructor = '" . $db->escape_string($vbulletin->GPC['instructor']) . "',
        link = '" . $db->escape_string($vbulletin->GPC['link']) . "',
        display = '" . $db->escape_string($vbulletin->GPC['display']) . "',
        live = '" . $db->escape_string($vbulletin->GPC['live']) . "',
    WHERE id = " . $vbulletin->GPC['id'] . "
");
//end new code
      //update classes
      

//    $db->query_write("UPDATE " . TABLE_PREFIX . "schedule SET day = '$day', time = '$time', ampm = '$ampm', class = '$class', level = '$level', instructor = '$instructor', link = '$link', display = '$display', live = '$live' WHERE id=$id")or die(mysql_error());
     // echo "Thank you! Schedule updated.";
         header("location: schedule.php?do=admin");
    }
}

if ($ese_schedule['do'] == 'edit'){
    $navbits = construct_navbits(array('' => 'Edit'));
    $navbar = render_navbar_template($navbits);
    $templater = vB_Template::create('schedule_edit');
    $templater->register_page_templates();
    $templater->register('navbar', $navbar);
    $templater->register('pagetitle', 'Edit A Class');
    $templater->register('id', $id);
    $templater->register('day', $day);
    $templater->register('time', $time);
    $templater->register('ampm', $ampm);
    $templater->register('class', $class);
    $templater->register('level', $level);
    $templater->register('instructor', $instructor);
    $templater->register('link', $link);
    $templater->register('display', $display);
    $templater->register('live', $live);
    print_output($templater->render());
}

// End Edit Page

here is my edit templete:

PHP Code:


			
<!-- add form -->
<form action="schedule.php?do=admin"  method="post">
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
<input type="hidden" name="id" value="{vb:raw id}" />
<table class="tborder" cellpadding="0" cellspacing="6" border="0" width="100%" align="center">
    <tr valign="top">
        <td class="alt1" width="20%" align="left" nowrap="nowrap">
        <div style="padding:3px;">Day/Time/Am-Pm:</div>
        <div style="padding:3px;">Class:</div>
        <div style="padding:3px;">Level:</div>
        <div style="padding:3px;">Instructor:</div>
        <div style="padding:3px;">Link</div>
        <div style="padding:3px;">Display:</div>
        <div style="padding:3px;">Live:</div>
        </td>
        <td class="alt2" width="35%">
        <div style="padding:3px;">
        <input type="text" name="day" value="{vb:raw day}"size="6" maxlength="25" autocomplete="off" />

/ <input type="text" name="time" value="{vb:raw time}" size="6" maxlength="5" autocomplete="off" />
/ <input type="text" name="ampm" value="{vb:raw ampm}" size="6" maxlength="5" autocomplete="off" />
</div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="class" value="{vb:raw class}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="level" value="{vb:raw level}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="instructor" value="{vb:raw instructor}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="link" value="{vb:raw link}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="display" value="{vb:raw display}" autocomplete="off" /></div>
        <div style="padding:3px;"><input type="text" size="40" maxlength="256" name="live" value="{vb:raw live}" autocomplete="off" /></div>
        </td>
        <td class="alt1" width="45%" align="left" nowrap="nowrap">
        <div style="padding:3px;">text go here</div>

        </td>
    </tr>
    <tr valign="top">
        <td class="alt2" colspan="3" width="100%" align="center" style="padding-top:20px;">
        <input type="submit" class="button" value="Submit" accesskey="s" />
        <input type="hidden" class="button" value="Reset" accesskey="s" />
        </td>
    </tr>
</table>
</form>
<!-- end add form -->

Lynne · #6 11-25-2009, 09:16 PM

Like I said, if you already assigned $day to the cleaned variable, you can just use $day. Have you tried just:

PHP Code:


			
day = $day,

in your query? Or, if you feel the need to escape it,

PHP Code:


			
day = '" . $db->escape_string($day) . "',,

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.03768 seconds Memory Usage 2,352KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (6)bbcode_php (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (6)post_thanks_box (6)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (6)post_thanks_postbit_info (6)postbit (6)postbit_onlinestatus (6)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!