PHP direct eval problem after 4.07 update

[janaf]

I have a php-direct eval page with some drop-downs and a Submit button on the same page / same code. The page sends POST data to/from itself. It has been up running for a month after help I got here.

Now, after 4.0.7 I have problems

IF I am logged on to the site, I get the following message after hitting the submit button / posting

HTML Code:

vBulletin Messege:

Your submission could not be processed because you have logged in since the previous page was loaded.

Please push the back button and reload the previous window.

I have logged on / off / refreshed several times to confirm. IE8 and FF

If I am NOT logged in, I do not get that message but POST data is not read by the code:

PHP Code:

$brand = vB::$vbulletin->input->clean_gpc('r', 'brand', TYPE_STR); 
$nominalsize = vB::$vbulletin->input->clean_gpc('r', 'nominalsize', TYPE_STR); 


The variables ($brand and $nominalsize) remain empty.

A secuity token is generated like this.

PHP Code:

$a.='<input type="hidden" name="securitytoken" value="';
$a.=vb::$vbulletin->userinfo[securitytoken];
$a.='" />'; 


If this is not included, I get a security error message instead.

Any clues?

The page is here:
http://www.41hz.com/forums/content.php?253-TSdb

[Lynne]

I keep trying stuff and getting no results. But, to be honest, I have no idea what to select that would give results. Can you tell us what we should select that should give results but isn't.

[janaf]

Thanks for looking,

Any selection of drop-downs should be valid, if you use just one single drop-down. For example brand name only (for example Beyma, which there are about 100 record in the db) or nominal size only (for examlpe size 12 which there are about 300 records). The drop-downs are directly based on SQL "Select Distinct" queries on the db, which is a single table, so they must excist, or they would not be in the drop-down.

Selections do not return any results because values of the drop-down POST values are for some reason empty in php now. For example the drop-down named "brand" and the value should be read by:

PHP Code:

$brand = vB::$vbulletin->input->clean_gpc('r', 'brand', TYPE_STR); 


But $brand is empty, so the query can not be created as this evaluates to false:

PHP Code:

if (strlen($brand) > 0) {
$query.=' AND brand like "'.$brand.'" '; 
} 


I can also verify this by simply printing $brand but again, it is empty.

I can also verify that by assigning a value to $brand in the code, then all works as expected.

I have also tried adding arguments to the URL, but that does not work either. I think I could do a direct url of type <mypage>&brand=Beyma before, but not now.

And it has worked for a month.....

So my conclusion so far is that something changed that makes this php code invalid:

PHP Code:

$brand = vB::$vbulletin->input->clean_gpc('r', 'brand', TYPE_STR); 


Any suggestions on alternative ways of reading the posted arguments?

[Lynne]

Have you tried just $vbulletin->input->clean_gpc or $db->input->clean_gpc or any other variations there?

[ragtek]

what's the code you're using?
Could you post an link to your page so we could check it?

[janaf]

Quote:

Originally Posted by Lynne

Have you tried just $vbulletin->input->clean_gpc or $db->input->clean_gpc or any other variations there?

I have tried

PHP Code:

$brand=$vbulletin->input->clean_gpc('r', 'brand', TYPE_STR); 


but get
Fatal error: Call to a member function clean_gpc() on a non-object in /var/www/41hz/forums/tsdb/read_post.php on line 2

and

PHP Code:

$brand = input->clean_gpc('r', 'brand', TYPE_STR); 


which gives:
Parse error: syntax error, unexpected T_OBJECT_OPERATOR in /var/www/41hz/forums/tsdb/read_post.php on line 2

and

PHP Code:

$brand = clean_gpc('r', 'brand', TYPE_STR); 


Fatal error: Call to undefined function clean_gpc() in /var/www/41hz/forums/tsdb/read_post.php on line 2

--------------- Added [DATE]1285241373[/DATE] at [TIME]1285241373[/TIME] ---------------

Ragtek, you helped me with this one before:
https://vborg.vbsupport.ru/showthread.php?t=249002
It worked.
The link to the site / page is in a previous post.

This code reads the various posted variables:

PHP Code:

<?php
$brand = vB::$vbulletin->input->clean_gpc('r', 'brand', TYPE_STR); 
$nominalsize = vB::$vbulletin->input->clean_gpc('r', 'nominalsize', TYPE_STR);
$useas = vB::$vbulletin->input->clean_gpc('r', 'useas', TYPE_STR); 
$dtype = vB::$vbulletin->input->clean_gpc('r', 'dtype', TYPE_STR); 
$features = vB::$vbulletin->input->clean_gpc('r', 'features', TYPE_STR);
$sortfield = vB::$vbulletin->input->clean_gpc('r', 'sortfield', TYPE_STR);
$ID = vB::$vbulletin->input->clean_gpc('r', 'ID', TYPE_INT);
$thingtodo = vB::$vbulletin->input->clean_gpc('r', 'thingtodo', TYPE_STR);
?>

This creates the drop-downs and form:

PHP Code:

<?php
$a='<form action="content.php?313" method="POST">';
$query  = 'select distinct nominalsize from tsdata where review is FALSE and nominalsize IS NOT NULL order by nominalsize';
$result = mysql_query($query);
$a.='<select name="nominalsize">';
$a.='<option value="">[Nominal size]</option>';
while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
    $a.='<option value="'.$row['nominalsize'].'"';
    $bbb=$row['nominalsize'];
    if ($nominalsize==$bbb){
        $a.=' selected="selected" ';
    }
    $a.='>'.$row['nominalsize'].'</option>';
}
$a.='</select> ';
// Create drop-downs
$query  = 'SELECT distinct brand from tsdata where review is FALSE order by brand';
$result = mysql_query($query);
$a.='<select name="brand">';
$a.='<option value="">[Brand Name]</option>';
while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
    $a.='<option value="'.$row['brand'].'"';
    $bbb=''.$row['brand'];
    if ($brand == $bbb) {
        $a.=' selected="selected"';
    }    
    $a.='>'.$row['brand'].'</option>';
}
$a.='</select> ';

$a.='<select name="useas">';
$a.='<option value="" ';
$a.='>[Type of Use]</option>';
$a.='<option value="1"';
if ($useas=="1"){
    $a.=' selected="selected" ';
}
$a.='>PA</option>';
$a.='<option value="2"';
if ($useas=="2"){
    $a.=' selected="selected" ';
}
$a.='>HiFi</option>';
$a.='<option value="3"';
if ($useas=="3"){
    $a.=' selected="selected" ';
}
$a.='>Car/Mobile</option>';
$a.='<option value="4"';
if ($useas=="4"){
    $a.=' selected="selected" ';
}
$a.='>Musical Instrum.</option>';
$a.='<option value="5"';
if ($useas=="5"){
    $a.=' selected="selected" ';
}
$a.='>Marine/Outdoor</option>';
$a.='<option value="6"';
if ($useas=="6"){
    $a.=' selected="selected" ';
}
$a.='>Ceiling/wall</option>';
$a.='</select> ';

$a.='<select name="dtype">';
$a.='<option value=""';
if ($dtype==""){
    $a.=' selected="selected" ';
}
$a.='>[Frequency Range]</option>';
$a.='<option value="1"';
if ($dtype=="1"){
    $a.=' selected="selected" ';
}
$a.='>Tweeter</option>';
$a.='<option value="2"';
if ($dtype=="2"){
    $a.=' selected="selected" ';
}
$a.='>Midrange</option>';
$a.='<option value="3"';
if ($dtype=="3"){
    $a.=' selected="selected" ';
}
$a.='>Midbass</option>';
$a.='<option value="4"';
if ($dtype=="4"){
    $a.=' selected="selected" ';
}
$a.='>Woofer/bass/sub</option>';
//$a.='<option value="5"';
//if ($dtype=="5"){
//    $a.=' selected="selected" ';
//}
// $a.='>Compr/horn driver</option>';
$a.='<option value="6"';
if ($dtype=="6"){
    $a.=' selected="selected" ';
}
$a.='>Full/wide range</option>';
$a.='</select> ';

$a.='<select name="features">';
$a.='<option value=""';
if ($features==""){
    $a.=' selected="selected" ';
}
$a.='>[Features]</option>';
$a.='<option value="1"';
if ($features=="1"){
    $a.=' selected="selected" ';
}
$a.='>Neodym. / low weight</option>';
$a.='<option value="2"';
if ($features=="2"){
    $a.=' selected="selected" ';
}
$a.='>Multi-coil</option>';
$a.='<option value="3"';
if ($features=="3"){
    $a.=' selected="selected" ';
}
$a.='>Shielded</option>';
$a.='<option value="5"';
if ($features=="5"){
    $a.=' selected="selected" ';
}
$a.='>Compr/horn driver</option>';

$a.='</select>  ';

$a.='<input type="hidden" name="securitytoken" value="';
$a.=vb::$vbulletin->userinfo[securitytoken];
$a.='" />';
$a.='<br><input type="submit" value="   Submit   " />';
$a.='</form>';
?>

This is the main code:

PHP Code:

// Open database
include("tsdb/tsdb_init.php");

// Configure basics
$limitsearch='100';
$def=TRUE;

// Read POST variables
include("tsdb/read_post.php");

//Create drop-downs
include("tsdb/dropdown_form.php");

//Create queries
$def=TRUE;
$selected='<i>';
$query='SELECT ID, brand, model, rangetype, nominalsize, sensitivity, maxpower, fs, vas FROM tsdata WHERE review=FALSE ';
// Query Nominal size
if (strlen($nominalsize) > 0) {
$def=FALSE;
$selected.='Nominal size:'.$nominalsize;
$query.=' AND nominalsize like "'.$nominalsize.'" ';
}
// Query Brand
if (strlen($brand) > 0) {
$def=FALSE;
$selected.=' Brand:' .$brand;
$query.=' AND brand like "'.$brand.'" ';
}
// Query Use As
if (strlen($useas) > 0) {
$def=FALSE;
$selected.=' Use:';
switch ($useas) {
    case "1":
        $query.=' AND useas like "%PA%" ';
        $selected.='PA ';
        break;
    case "2":
        $query.=' AND useas like "%HiFi%" ';
        $selected.='HiFi ';
        break;
    case "3":
        $query.=' AND (useas like "%car%" or useas like "%mobile%")';
        $selected.='Car/Mobile ';
        break;
    case "4":        
        $query.=' AND (description like "%guitar%" or description like "%keyboard%" or rangetype like "%guitar%" or useas like "%musical instr%" or useas like "%guitar%" or useas like "%Electric bass%" or useas like "%Organ%")';
        $selected.='Musical Instrument ';
        break;
    case "5":
        $query.= ' AND (useas like "%marine%" or useas like "%outdoor%")';
        $selected.='Marine/Outdoor ';
        break;
    case "6":
        $query.=' AND (useas like "%ceiling%" or useas like "%wall%")';
        $selected.='Ceiling/wall ';
        break;
    }
}
// Query Driver Type
if (strlen($dtype) > 0) {
$def=FALSE;
$selected.=' Range/Type:';
switch ($dtype) {
    case "1":
        $query.=' AND rangetype like "%tweet%" ';
        $selected.='Tweeter ';
        break;
    case "2":
        $query.=' AND (rangetype like "%mid%" and NOT (rangetype like "%woofer%" or rangetype like "%bass%")) ';
        $selected.='Midrange ';
        break;
    case "3":
        $query.=' AND (rangetype like "%mid-bass%" or rangetype like "%mid-woofer%" or rangetype like "%midbass%" or rangetype like "%midwoofer%")';
        $selected.='Mid bass ';
        break;
    case "4":        
        $query.=' AND (rangetype like "%sub%" OR rangetype like "%woofer%" and rangetype NOT like "%mid%")';
        $selected.='Bass/woofer ';
        break;
//    case "5":
//        $query.=' AND rangetype like "%compres%"';
//        $selected.='Compr. driver ';
//        break;
    case "6":
        $query.=' AND (rangetype like "%full%" or rangetype like "%wide%")';
        $selected.='Full/wide range ';
        break;
    }
}

// Query Features
if (strlen($features) > 0) {
$def=FALSE;
$selected.=' Features:';
switch ($features) {
    case "1":
        $query.=' AND (magnetmaterial like "%neodym%" or description like "%neodym%" )';
        $selected.='Neodymium/low weight ';
        break;
    case "2":
        $query.=' AND Z like "%dual%" ';
        $selected.='Dual coil ';
        break;
    case "3":
        $query.=' AND (rangetype like "%shield%" or useas like "%shield%")';
        $selected.='Shielded ';
        break;
    case "5":
        $query.=' AND rangetype like "%compres%"';
        $selected.='Compr. driver ';
        break;
    }
}

// Create table headers with search and sort order links
$searcharg='&brand='.$brand.'&nominalsize='.$nominalsize.'&useas='.$useas.'&dtype='.$dtype.'&features='.$features;
if (strpos($sortfield,'DESC')){
    $sortorder="ASC";
} else {
    $sortorder="DESC";
}
if (strlen($sortfield)>0) {
    $query.=' ORDER BY '.$sortfield;
} else {
    $query.=' ORDER BY brand, model';
}
$query.=' LIMIT '.$limitsearch;
$selected.='</i>';
//Process query
$result = mysql_query($query) or die ("Query error"  . mysql_error()); 
//Header
$topline=<<<INTRO
<table width='100%' border='1' cellpadding='2' cellspacing='2' align='center'>
<tr>
<th><B><a href="content.php?313$searcharg&sortfield=brand $sortorder">Brand</a></B></th>
<th><B><a href="content.php?313$searcharg&sortfield=model $sortorder">Model</a></B></th>
<th><B><a href="content.php?313$searcharg&sortfield=useas $sortorder">Type</a></B></th>
<th><B><a href="content.php?313$searcharg&sortfield=nominalsize $sortorder">Size</a></B></th>
<th><B><a href="content.php?313$searcharg&sortfield=maxpower $sortorder">Pmax W</a></B></th>
<th><B><a href="content.php?313$searcharg&sortfield=sensitivity $sortorder">Sens dB</a></B></th>
<th><B><a href="content.php?313$searcharg&sortfield=Fs $sortorder">Fs Hz</a></B></th>
<th><B><a href="content.php?313$searcharg&sortfield=VAS $sortorder">VAS L</a></B></th>
</tr>
INTRO;
if ($def==TRUE){
$selected='<i>Please select at least one search parameter from the drop-downs</i>';
}
$all=$selected;
$all.=$topline;
//Read Query
$icount=0;
if ($def==FALSE){
while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
$icount++;
$ID="{$row['ID']}";
$brand="{$row['brand']}";
$model="{$row['model']}";
$rangetype=substr("{$row['rangetype']}",0,12);
if (strlen("{$row['rangetype']}") > 12) {
  $rangetype.='...';
}
$maxpower="{$row['maxpower']}";
$sensitivity="{$row['sensitivity']}";
$nominalsize="{$row['nominalsize']}";
$fs ="{$row['fs']}";
$vas ="{$row['vas']} ";

//Output the results table
$tsall.=<<<EOD
<tr>
<td>$brand</td>
<td><a href="content.php?316&ID=$ID&brand=$brand&model=$model">$model</a></td>
<td>$rangetype</td>
<td>$nominalsize</td>
<td>$maxpower</td>
<td>$sensitivity</td>
<td>$fs</td>
<td>$vas</td>
</tr>
EOD;
}
}
$all.=$tsall;
$all.="</table>";
mysql_close($conn_ts);
$searchtips='<br><br><ul><li>- Click on column titles to sort the list, twice to reverse order.</li><li>- Click on a Model to view details.</li><li>- Sorting also re-searces. If results have previously been truncated, new models may show up.</li><li>- All parameters may not be specified for all models.</li></ul>';
if ($icount>=$limitsearch) {
    $cntmsg='Results have been truncated after the first ' .$limitsearch.$searchtips;
} elseif ($icount>0){
    $cntmsg=$icount.' matches found'.$searchtips;
} elseif ($icount==0) {
    $cntmsg='<br>[Sorry, nothing found...]';
}
$all.=$cntmsg;
$output=$a.$all;
// Disclaimer
include("tsdb/disclaimer_text.php");
$output.='<br><br>'.$disclaimer.'<br>'.$query; 


All looks like the first code part is the problem; the POST variables are not read properly, but empty.

Right now, the code types out the query string on the web page, at the bottom, to verify this.

[janaf]

I have found now that this is a caching problem. Not solved. There is cached content displayed, even when the cache time has been set to zero, and POST arguments have changed.

A new thread, trying to isolate the problem, not yet solved:

https://vborg.vbsupport.ru/showthread.php?t=251402