Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 06-20-2008, 05:20 AM
Itworx4me's Avatar
Itworx4me Itworx4me is offline
 
Join Date: Feb 2002
Posts: 210
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Is this code safe to use?

I was wondering if someone would look over this code and tell me if it is secure to use? As in its coded to the standards of 3.7.1.

PHP Code:
<?php
// ######################## SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
@
set_time_limit(0);
 
// #################### PRE-CACHE TEMPLATES AND DATA ######################
$phrasegroups = array('style');
$specialtemplates = array('products');
 
// ########################## REQUIRE BACK-END ############################
require_once('./global.php');
require_once(
DIR '/includes/adminfunctions_template.php');
 
$id   $vbulletin->input->clean_gpc('r''id'TYPE_INT);
 
switch ( 
$_REQUEST['do'] )
{
        case 
'add':
                
print_add_form$id );
                break;
        
        case 
'update':  
                
do_add_sql$id );
                break;
        default:
                
print_main_form();                        
}
 
function 
do_add_sql$id )
{
        global 
$vbulletin;
        
        
$url   $vbulletin->input->clean_gpc('r''url'TYPE_STR);
        
$image $vbulletin->input->clean_gpc('r''image'TYPE_STR);
        
$title $vbulletin->input->clean_gpc('r''title'TYPE_STR);
        
  
print_cp_header();
                
        
print_table_start();
        
print_table_header("Ad Management");
        echo 
'<tr><td class="alt1" colspan="2">'
  echo 
'Adding --' $url '....<br/>';
 
        if ( 
$id == )
        {
                
$sql ='INSERT INTO ' TABLE_PREFIX 'ads (url,image,title) VALUES ("' $url '","' $image '","' $title '")';
        } else {
                
$sql ="UPDATE " TABLE_PREFIX "ads SET url='".$url."', image='".$image."',title='".$title."' WHERE id=" $id;              
        }
 
        
$foo $vbulletin->db->query_write($sql);
 
        echo 
'</td></tr>';      
 
        
print_table_footer(2''''0);  
        
}
 
function 
print_add_form$id )
{
        global 
$vbulletin;
 
        if ( 
$id )
        {
                
$sql ='SELECT * FROM ' TABLE_PREFIX 'ads WHERE id=' $id;
                
$foo $vbulletin->db->query_first($sql);       
        }
        
  
print_cp_header();
        
        
print_table_start();
        
print_table_header("Sponsored Ad Management");
 
        
print_form_header('ad_management''update');
        
        
print_input_row('URL to Link to''url'$foo['url']);  
  
print_input_row('Image Location''image'$foo['image']);  
        
print_input_row('HoverOver ToolText''title'$foo['title']);  
        if ( 
$id )
        {
                echo 
'<input type="hidden" name="id" value="'.$id.'" />';
        }
 
        
print_submit_row();     
 
}
 
function 
print_main_form()
{
        global 
$vbulletin;
 
        
$sql ='SELECT id,url FROM ' TABLE_PREFIX 'ads';
        
$foo $vbulletin->db->query_read($sql);
 
  
print_cp_header();
                
        
print_table_start();
        
print_table_header("Ad Management");
        while (
$var =  $vbulletin->db->fetch_array($foo))
        {
                
$id  $var['id'];
                
$url '<a href="ad_management.php?do=add&id=' $id '">' $var['url'] . '</a>';
                
print_label_row($id$url'''middle'nullfalse);
        }
 
        
print_table_footer(2''''0);  
}
 
 
 
 
?>
Thanks,
Itworx4me
Reply With Quote
  #2  
Old 06-20-2008, 05:57 AM
MoT3rror MoT3rror is offline
 
Join Date: Mar 2007
Posts: 423
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The script has no sql protection, any input can be used as sql injection.
Reply With Quote
  #3  
Old 06-20-2008, 06:29 AM
Michael Biddle Michael Biddle is offline
 
Join Date: Apr 2004
Location: Anaheim, CA
Posts: 774
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Correct. I would definately not use it. It does not even escape strings.
Reply With Quote
  #4  
Old 06-20-2008, 10:05 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

And to answer your standards question, no, it is not coded according to the vBulletin Coding Standards.
Reply With Quote
  #5  
Old 06-20-2008, 11:33 PM
Itworx4me's Avatar
Itworx4me Itworx4me is offline
 
Join Date: Feb 2002
Posts: 210
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Anyone willing to fix it. I would pay...Need to know how much first.

Thank,
Itworx4me
Reply With Quote
  #6  
Old 06-21-2008, 03:33 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Please post in the correct forum for paid requests.

Requests For Paid Services
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 06:47 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04309 seconds
  • Memory Usage 2,246KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (6)post_thanks_box
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (6)post_thanks_postbit_info
  • (6)postbit
  • (6)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete