Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 Programming Discussions
Reload this Page Issue with query
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 02-09-2013, 06:28 PM
LifesGreatestGift's Avatar
LifesGreatestGift LifesGreatestGift is offline
 
Join Date: Jul 2009
Location: Louisville, KY USA
Posts: 885
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Issue with query
Not sure why this plugin isn't submitting the data to database. Yes, all form fields have names. 3 of the fields are arrays.




PHP Code:
if ($foruminfo['forumid'] >= 18 AND $foruminfo['forumid'] <= 68
{  

$t_id $newpost['threadid']; 
$posttype $vbulletin->input->clean_gpc('p'"posttype"TYPE_STR); 
$area $vbulletin->input->clean_gpc('p'"area"TYPE_STR); 
$price $vbulletin->input->clean_gpc('p'"price"TYPE_NUM); 
$posttype $vbulletin->input->clean_gpc('p'"posttype"TYPE_STR); 
$posttype_firearm $vbulletin->input->clean_gpc('p'"posttype_firearm"TYPE_STR); 


$caliber $vbulletin->input->clean_gpc('p'"caliber"TYPE_ARRAY_STR); 
$manufacturer $vbulletin->input->clean_gpc('p'"manufacturer"TYPE_ARRAY_STR); 
$action $vbulletin->input->clean_gpc('p'"action"TYPE_ARRAY_STR); 
$type $vbulletin->input->clean_gpc('p'"type"TYPE_STR); 

if (!empty($caliber[0])) 
$caliber2 $caliber[0]; 
} elseif (!empty($caliber[1])) 
$caliber2 $caliber[1]; 
} else { $caliber2 $caliber[2]; } 

if (!empty($manufacturer[0])) 
$manufacturer2 $manufacturer[0]; 
} elseif (!empty($manufacturer[1])) 
$manufacturer2 $manufacturer[1]; 
} else { $manufacturer2 $manufacturer[2]; } 

if (!empty($action[0])) 
$action2 $action[0]; 
} else { $action2 $action[1]; } 


$vbulletin->db->query_write(
    INSERT INTO  " TABLE_PREFIX "`thread_classifieds` ( 
    `threadid` , 
    `price` , 
    `area` , 
    `posttype` , 
    `posttype_firearm` , 
    `caliber` , 
    `manufacturer` , 
    `action` , 
    `type` 
    ) 
    VALUES ( 
    '" $t_id "',   
    '" $price "',   
    '" $area "',   
    '" $posttype "',   
    '" $posttype_firearm "',   
    '" $caliber2 "',   
    '" $manufacturer2 "',   
    '" $action2 "',   
    '" $type "' 
    ) 
"); 

  } 
Reply With Quote
  #2  
Old 02-09-2013, 06:33 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I didn't study the entire thing, but I think the first line of your SQL needs the backquote moved to before the prefix, like:

Code:
    INSERT INTO  `" . TABLE_PREFIX . "thread_classifieds` (

ETA: also you should use escape_string() for all those values, like:

Code:
    '" . $vbulletin->db->escape_string($t_id) . "',   
    '" . $vbulletin->db->escape_string($price) . "',    
etc
Reply With Quote
  #3  
Old 02-09-2013, 06:38 PM
LifesGreatestGift's Avatar
LifesGreatestGift LifesGreatestGift is offline
 
Join Date: Jul 2009
Location: Louisville, KY USA
Posts: 885
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
doesn't the clean_gpc do that?

--------------- Added [DATE]1360438869[/DATE] at [TIME]1360438869[/TIME] ---------------

BTW the issue was a { in my elseif statement

BEFORE:
PHP Code:
if (!empty($caliber[0]))  
$caliber2 $caliber[0];  
} elseif { (!empty($caliber[1]))  
$caliber2 $caliber[1];  
} else { $caliber2 $caliber[2]; } 
AFTER:
PHP Code:
if (!empty($caliber[0]))  
$caliber2 $caliber[0];  
} elseif (!empty($caliber[1]))  
$caliber2 $caliber[1];  
} else { $caliber2 $caliber[2]; } 
Reply With Quote
  #4  
Old 02-09-2013, 06:43 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by LifesGreatestGift View Post
doesn't the clean_gpc do that?
If you use TYPE_STR it only trims spaces off the ends, so it can still contain any character. Also, even if you use the db escape_string function, it could still contain html tags, so you need to be careful what you do with after you read it from the database.
Reply With Quote
  #5  
Old 02-09-2013, 06:48 PM
LifesGreatestGift's Avatar
LifesGreatestGift LifesGreatestGift is offline
 
Join Date: Jul 2009
Location: Louisville, KY USA
Posts: 885
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
its multiple dropdowns like this [pictured in attachments]
Attached Images
File Type: jpg xLjiD.jpg (78.6 KB, 0 views)
Reply With Quote
  #6  
Old 02-09-2013, 07:24 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Oh, right. Well, it's true I don't know the details of your application or who would have access to it, so maybe it's not an issue for you. But it is possible for a hacker to submit whatever string they want for any parameter, even if it's supposed to be coming from dropdown. Anyway, just thought I'd mention it.
Reply With Quote
  #7  
Old 02-09-2013, 08:17 PM
LifesGreatestGift's Avatar
LifesGreatestGift LifesGreatestGift is offline
 
Join Date: Jul 2009
Location: Louisville, KY USA
Posts: 885
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Would you recommend this?

htmlspecialchars()


PHP Code:
$vbulletin->db->query_write("  
    INSERT INTO  " TABLE_PREFIX "`thread_classifieds` (  
    `threadid` ,  
    `price` ,  
    `area` ,  
    `posttype` ,  
    `posttype_firearm` ,  
    `caliber` ,  
    `manufacturer` ,  
    `action` ,  
    `type`  
    )  
    VALUES (  
    '" $vbulletin->db->escape_string(htmlspecialchars($t_id)) . "',    
    '" $vbulletin->db->escape_string(htmlspecialchars($price)) . "',    
    '" $vbulletin->db->escape_string(htmlspecialchars($area)) . "',    
    '" $vbulletin->db->escape_string(htmlspecialchars($posttype)) . "',    
    '" $vbulletin->db->escape_string(htmlspecialchars($posttype_firearm)) . "',    
    '" $vbulletin->db->escape_string(htmlspecialchars($caliber2)) . "',    
    '" $vbulletin->db->escape_string($manufacturer2) . "',    
    '" $vbulletin->db->escape_string(htmlspecialchars($action2)) . "',    
    '" $vbulletin->db->escape_string(htmlspecialchars($type)) . "'  
    )  
"); 
Reply With Quote
  #8  
Old 02-09-2013, 10:19 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
That works. You only need to do that if at some point you're going to display the values on a page. In fact now that I think about it, if you use a template and use {vb:var ...} and not {vb:raw }, I believe that takes care of it as well.

I guess another way would be, if they are coming from dropdown menus, make sure they match one of the expected values and if they don't, show an error or use a default.

Anyway, sorry, I feel like I've made your task more difficult, and you didn't even ask about that.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 09:00 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04587 seconds
  • Memory Usage 2,292KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (4)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (1)postbit_attachment
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • postbit_attachment
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete