The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Having problems with clean_gpc function
I am using the following code...
Code:
function update_event($event)
{
    global $vbulletin, $db;

    // clean_gpc() type-cleans each POST ('p') field; htmlspecialchars() then HTML-encodes the result
    $venue    = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR));
    $name     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'name', TYPE_STR));
    $split    = htmlspecialchars($vbulletin->input->clean_gpc('p', 'split', TYPE_UINT));
    $game     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'game', TYPE_UINT));
    $category = htmlspecialchars($vbulletin->input->clean_gpc('p', 'category', TYPE_UINT));
    $day      = htmlspecialchars($vbulletin->input->clean_gpc('p', 'day', TYPE_UINT));
    $month    = htmlspecialchars($vbulletin->input->clean_gpc('p', 'month', TYPE_STR));
    $year     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'year', TYPE_UINT));
    $time     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'time', TYPE_STR));

    // assemble a date string and convert it to a unix timestamp
    $timestamp = $day . " " . $month . " " . $year . " " . $time . " " . date('T');

    // one UPDATE per column, each built by string concatenation
    $db->query_write("UPDATE rank_events SET gameID='" . $game . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET categoryID='" . $category . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eDate='" . strtotime($timestamp) . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eVenue='" . $venue . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eName='" . $name . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eSplit='" . $split . "' WHERE eventID='" . $event['eventID'] . "'");
}

I thought this code would "sanitize" my inputs so that I wouldn't have any poisoning going on... but I still get the following error when I try to input something with a ' in it...

Code:
Database error in vBulletin 3.8.1:

Invalid SQL:
UPDATE rank_events SET eVenue='Gamer's Edge' WHERE eventID='4';

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edge' WHERE eventID='4'' at line 1
Error Number  : 1064

How do I fix this?
#2
Code:
clean_gpc(array $source, string $varname, [integer $vartype = TYPE_NOCLEAN])

Code:
[S]clean_gpc('p', 'venue', TYPE_STR)[/S] //bad call

Code:
clean_gpc($vbulletin, 'ProductOptionName', TYPE_STR)
//or
clean_gpc($vbulletin, 'Input', TYPE_STR)

But what you really need to consider is the addslashes function.

Code:
addslashes($input);
#3
I simply changed it to the following...

Code:
$venue = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR), ENT_QUOTES);

https://vborg.vbsupport.ru/showthread.php?t=119372

Code:
clean_gpc('p', 'venue', TYPE_STR)
#4
That article is from 2006, are you sure that's how they're still calling the function?

What about sticking $_POST in there instead of 'p'? Have you tried addslashes? That's the function that replaced magic_quotes. The other thing that article talks about is that you retrieve the value like so:

Code:
$vbulletin->GPC['value']

Code:
$vbulletin->input->clean_gpc('p', 'venue', TYPE_STR);
$venue = htmlspecialchars($vbulletin->GPC['venue']);

Yeah, I think I had it wrong at first, I misunderstood the API. The code sample above should be appropriate.
#5
htmlspecialchars() is for sanitising HTML, that function should be used on display, and not when inserting into the database. You should be using $db->escape_string() on the variable.
#6
Thanks Dismounted... you've solved all of my problems... escape_string is what I was looking for.
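The split that post #5 describes (escape for the database when inserting, HTML-encode only when displaying), applied to the update_event() function from post #1, as an added example that is not code from this thread or from vBulletin itself. It assumes the standard vBulletin 3.x globals $vbulletin (with ->input and ->GPC) and $db (with ->escape_string() and ->query_write()) as set up by global.php; the intval() casts and the single combined UPDATE are my additions.

```php
<?php
// Added example: update_event() reworked so that string columns go through
// $db->escape_string() and integer columns are cast, with no HTML encoding
// at insert time. Assumes vBulletin 3.x globals from global.php.
function update_event($event)
{
    global $vbulletin, $db;

    // Step 1: type-clean the POST ('p') fields. TYPE_UINT yields a non-negative
    // integer, TYPE_STR a string with no SQL escaping applied. The cleaned
    // values are stored in $vbulletin->GPC.
    $fields = array(
        'venue' => TYPE_STR,  'name'     => TYPE_STR,  'month' => TYPE_STR,
        'time'  => TYPE_STR,  'split'    => TYPE_UINT, 'game'  => TYPE_UINT,
        'category' => TYPE_UINT, 'day'   => TYPE_UINT, 'year'  => TYPE_UINT,
    );
    foreach ($fields as $field => $type)
    {
        $vbulletin->input->clean_gpc('p', $field, $type);
    }
    $gpc = $vbulletin->GPC;

    // Step 2: build the date string the same way the original did.
    $timestamp = strtotime($gpc['day'] . ' ' . $gpc['month'] . ' ' . $gpc['year']
                         . ' ' . $gpc['time'] . ' ' . date('T'));

    // Step 3: escape strings for the query; integers are cast, not quoted.
    // No htmlspecialchars() here, that belongs where the value is displayed.
    $db->query_write("
        UPDATE rank_events SET
            gameID     = " . intval($gpc['game']) . ",
            categoryID = " . intval($gpc['category']) . ",
            eDate      = " . intval($timestamp) . ",
            eSplit     = " . intval($gpc['split']) . ",
            eVenue     = '" . $db->escape_string($gpc['venue']) . "',
            eName      = '" . $db->escape_string($gpc['name']) . "'
        WHERE eventID = " . intval($event['eventID'])
    );
}

// Display side: HTML-encode only when rendering. "Gamer's Edge" reaches MySQL
// with the quote backslash-escaped (MySQL stores the plain quote) and is
// turned into Gamer&#039;s Edge only in the template output.
function venue_for_display($venue)
{
    return htmlspecialchars($venue, ENT_QUOTES);
}
```

With this, the value that broke the original query is stored verbatim, and a venue such as `<b>x</b>` is still rendered harmlessly because the encoding happens at output rather than being baked into the stored row.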
vBulletin 3.8.12 by vBS