The Archive of vBulletin Modifications Site.

#1
I am using the following code...
Code:
function update_event($event)
{
    global $vbulletin, $db;

    // Read each posted field through vBulletin's input cleaner, then HTML-encode it.
    $venue    = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR));
    $name     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'name', TYPE_STR));
    $split    = htmlspecialchars($vbulletin->input->clean_gpc('p', 'split', TYPE_UINT));
    $game     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'game', TYPE_UINT));
    $category = htmlspecialchars($vbulletin->input->clean_gpc('p', 'category', TYPE_UINT));
    $day      = htmlspecialchars($vbulletin->input->clean_gpc('p', 'day', TYPE_UINT));
    $month    = htmlspecialchars($vbulletin->input->clean_gpc('p', 'month', TYPE_STR));
    $year     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'year', TYPE_UINT));
    $time     = htmlspecialchars($vbulletin->input->clean_gpc('p', 'time', TYPE_STR));

    // Assemble a date string from the separate fields for strtotime().
    $timestamp = $day . " " . $month . " " . $year . " " . $time . " " . date('T');

    // One UPDATE per column, keyed on the event being edited.
    $db->query_write("UPDATE rank_events SET gameID='" . $game . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET categoryID='" . $category . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eDate='" . strtotime($timestamp) . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eVenue='" . $venue . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eName='" . $name . "' WHERE eventID='" . $event['eventID'] . "'");
    $db->query_write("UPDATE rank_events SET eSplit='" . $split . "' WHERE eventID='" . $event['eventID'] . "'");
}
I thought this code would "sanitize" my inputs so that I wouldn't have any poisoning going on... but I still get the following error when I try to input something with a ' in it...
Code:
Database error in vBulletin 3.8.1:
Invalid SQL: UPDATE rank_events SET eVenue='Gamer's Edge' WHERE eventID='4';
MySQL Error  : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edge' WHERE eventID='4'' at line 1
Error Number : 1064
How do I fix this?

#2
Code:
clean_gpc(array $source, string $varname, [integer $vartype = TYPE_NOCLEAN])
Code:
[S]clean_gpc('p', 'venue', TYPE_STR)[/S] //bad call
Code:
clean_gpc($vbulletin, 'ProductOptionName', TYPE_STR) //or clean_gpc($vbulletin, 'Input', TYPE_STR)
But what you really need to consider is the addslashes function.
Code:
addslashes($input);

#3
I simply changed it to the following...
Code:
$venue = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR), ENT_QUOTES);
https://vborg.vbsupport.ru/showthread.php?t=119372
Code:
clean_gpc('p', 'venue', TYPE_STR)

#4
That article is from 2006, are you sure that's how they're still calling the function?
What about sticking $_POST in there instead of 'p'?? Have you tried addslashes? That's the function that replaced magic_quotes. The other thing that article talks about is that you retrieve the value like so:
Code:
$vbulletin->GPC['value']
Code:
$vbulletin->input->clean_gpc('p', 'venue', TYPE_STR);
$venue = htmlspecialchars($vbulletin->GPC['venue']);
Yeah, I think I had it wrong at first, I misunderstood the API. The code sample above should be appropriate.

#5
htmlspecialchars() is for sanitising HTML, that function should be used on display, and not when inserting into the database. You should be using $db->escape_string() on the variable.
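To see why the HTML encoder does not help here, the following added example (not code from this thread or from vBulletin) builds the UPDATE from post #1 four ways and runs each against an in-memory SQLite database through PDO, so it works offline without a vBulletin install. PDO::quote() stands in for $db->escape_string(): vBulletin 3's escape_string() wraps mysql_real_escape_string(), which escapes with backslashes using the connection's charset, while SQLite doubles the quote instead, but the role in the query is the same. The bound-parameter form is what you would use outside vBulletin 3. The table, the eventID of 4 and the venue "Gamer's Edge" are constructed to match the thread's error message.

```php
<?php
// Added example, not from the thread or from vBulletin. Runs the same UPDATE
// four ways against an in-memory SQLite database so it needs no MySQL server.
declare(strict_types=1);

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed stand-in for the thread's rank_events table.
    $pdo->exec('CREATE TABLE rank_events (eventID INTEGER PRIMARY KEY, eVenue TEXT)');
    $pdo->exec("INSERT INTO rank_events (eventID, eVenue) VALUES (4, 'old venue')");
    return $pdo;
}

function stored_venue(PDO $pdo, int $eventID): ?string
{
    $stmt = $pdo->prepare('SELECT eVenue FROM rank_events WHERE eventID = ?');
    $stmt->execute([$eventID]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// 1. The approach from post #1: HTML-encode, then concatenate into the SQL text.
//    htmlspecialchars() is an HTML output encoder and knows nothing about SQL.
function update_with_htmlspecialchars(PDO $pdo, int $eventID, string $venue, int $flags): string
{
    $encoded = htmlspecialchars($venue, $flags);
    try {
        $pdo->exec("UPDATE rank_events SET eVenue='" . $encoded . "' WHERE eventID='" . $eventID . "'");
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
    return 'stored: ' . stored_venue($pdo, $eventID);
}

// 2. The fix from post #5: escape for the database, not for HTML. PDO::quote()
//    plays the part of vBulletin's $db->escape_string() here (and also adds the
//    surrounding quotes). The integer key is cast, as clean_gpc's TYPE_UINT would.
function update_with_escape(PDO $pdo, int $eventID, string $venue): string
{
    $pdo->exec('UPDATE rank_events SET eVenue=' . $pdo->quote($venue) . ' WHERE eventID=' . (int) $eventID);
    return 'stored: ' . stored_venue($pdo, $eventID);
}

// 3. Bound parameters: the value never becomes part of the SQL text at all.
function update_with_bound_params(PDO $pdo, int $eventID, string $venue): string
{
    $stmt = $pdo->prepare('UPDATE rank_events SET eVenue = :venue WHERE eventID = :id');
    $stmt->execute([':venue' => $venue, ':id' => $eventID]);
    return 'stored: ' . stored_venue($pdo, $eventID);
}

$venue = "Gamer's Edge";   // the input from the thread's error message

foreach ([
    'htmlspecialchars, ENT_COMPAT' => fn(PDO $db) => update_with_htmlspecialchars($db, 4, $venue, ENT_COMPAT),
    'htmlspecialchars, ENT_QUOTES' => fn(PDO $db) => update_with_htmlspecialchars($db, 4, $venue, ENT_QUOTES),
    'escaped for the database'     => fn(PDO $db) => update_with_escape($db, 4, $venue),
    'bound parameters'             => fn(PDO $db) => update_with_bound_params($db, 4, $venue),
] as $label => $run) {
    printf("%-30s %s\n", $label . ':', $run(make_db()));
}
```

Run it with php on the command line. The ENT_COMPAT run reproduces the thread's syntax error, since that flag set leaves the single quote alone; the ENT_QUOTES run from post #3 no longer errors but stores `Gamer&#039;s Edge`, an HTML entity that does not belong in the database and that any non-HTML consumer (exports, e-mail, the admin panel's own forms) would show verbatim. The last two store the venue exactly as typed. With escape_string(), every string interpolated into the query has to go through it and integer fields should be cast rather than quoted; one missed field is enough to bring the error, and the injection risk behind it, back.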

#6
Thanks Dismounted... you've solved all of my problems... escape_string is what I was looking for.