Multiple $_REQUEST vars=SQL Error?

[Fargo]

Why does the followin code produce a SQL error if there is more than one request variable defined in the url?

PHP Code:

if (empty($_REQUEST['siteid']))
{
$getgames = $DB_site->query("SELECT * FROM site_game_info");
}
else
{
$tempval = $_REQUEST['siteid'];
$getgames = $DB_site->query("SELECT * FROM site_game_info WHERE siteid=$tempval");
}
while($game = $DB_site->fetch_array($getgames))
{
//call bbcodeparse.php to parse bbcode within overview and requirements fields
require_once('./includes/functions_bbcodeparse.php');
$game['overview'] = parse_bbcode2($game['overview'], 1, 1, 1, 1);
$game['rec_sys_req'] = parse_bbcode2($game['rec_sys_req'], 1, 1, 1, 1);
$game['min_sys_req'] = parse_bbcode2($game['min_sys_req'], 1, 1, 1, 1);
eval('$games .= "' . fetch_template('gamedetail') . '";');
} 


as you can see, one of the request variables is siteid, however, most of the time there will be more than one variable defined. For example, a link to some specific content may look like this:

index.php?siteid=3?do=overview

The code above functions properly when ONLY siteid is being sent, but once do=overview has been added, I get a SQL error because $tempval is being filled not only with the value of siteid, but "?do=overview" as well.

What im trying to do is have the page first look at the siteid so it knows which set of records to pull from the table (currently, I have it coded where an empty $_REQUEST['siteid'] returns all records), then finally look at DO so it knows what action to perform/template to eval.

Can someone please point me in the right direction?

[Colin F]

if you have more than one var in the URL, it has to be formatted like this:

index.php?var1=foo&var2=somethingelse&var3=what

that would result in

$_REQUEST['var1'] == 'foo';
$_REQUEST['var2'] == 'somethingelse';
$_REQUEST['var3'] == 'what';

Also, for security reasons, make sure to either use the vBulletin function globalise() or to addslashes() anything that gets used in a query. If the value is a number, you can also do intval().

[Fargo]

Thank you VERY much Colin! I see exactly where I've been screwing up now

Could you please elaborate how/where I would include the globalise(), addslashes() or inval() functions?

If im thinking correctly, since my siteid will always be an int, I change my code from
$tempval = $_REQUEST['siteid'];

to

$tempval = intval($_REQUEST['siteid']);

Correct?

I would like to ask one more thing since im thinking about it...
How can I stop the results from being sent to the template if the requested siteid is either non-numeric, or an unknown value?

For example, if the user decided to try and send

index.php?siteid=1000000000000 or
index.php?siteid=thisisnotnumeric

since the database dont (and never will) have a site id of 1000000000000 and thisisnotnumeric is a text value, currently, both follow through correctly, but no data is sent to the template because the siteid dont exist.

I would prefer that the user is sent an error message instead of a blank template.

Thanks again for your time on the initial question at hand!

[Revan]

I am writing this off the top of my head, so dont expect it to work. But it should give you a starting point:

PHP Code:

// usage of globalize():
if ($_REQUEST['siteid'])
{
    globalize($_REQUEST, array(
        'siteid' => INT // if you want site id to be integer only, else remove the "=> INT"
    ));
    $getgames = $DB_site->query("SELECT * FROM site_game_info WHERE siteid='$siteid'");
    // we can use "$siteid" here because globalize makes it a global variable.
    
    if(!$getgames) // it is false (i.e SQL returns no rows)
    {
        standard_error('There are no sites with the ID you have entered, pelase try another ID.');
        die; //to avoid having it execute the rest of the script
    }
    else
    {
        while($game = $DB_site->fetch_array($getgames))
        {
            //call bbcodeparse.php to parse bbcode within overview and requirements fields
            require_once('./includes/functions_bbcodeparse.php');
            $game['overview'] = parse_bbcode2($game['overview'], 1, 1, 1, 1);
            $game['rec_sys_req'] = parse_bbcode2($game['rec_sys_req'], 1, 1, 1, 1);
            $game['min_sys_req'] = parse_bbcode2($game['min_sys_req'], 1, 1, 1, 1);
            eval('$games .= "' . fetch_template('gamedetail') . '";');
        }
    }
} 


Hope this helps


//peace

[Fargo]

Greatly appreciated, Revan! Will let ya know the results...as soon as I get caught up here at work..sigh.

[Fargo]

ok, finally got around to testing your code Revan.

The results: If I enter a numeric siteid that exists, everything still works as expected. If I enter a numeric siteid that dont exist, it still spits out an empty template. If I enter a textual siteid, it still returns a SQL error:

Database error in vBulletin 3.0.3:

Invalid SQL: SELECT * FROM site_game_info WHERE siteid=ghj
mysql error: Unknown column 'ghj' in 'where clause'

mysql error number: 1054

Date: Thursday 11th of November 2004 01:41:39 PM
Script: xxxxxx.com/forums/gameinfo.php?siteid=ghj
Referer:
Username: Fargo
IP Address: 192.168.1.1

If you or anyone else has any suggestions, feel free to offer them. In the meantime, Ill keep attempting to figure it out as well. Theres gotta be an existing vbulletin page that does relatively the same thing......

[edit]ok, forumdisplay.php does about the same thing - returns an error if the forum id dont exist...time to do some research on that file...[/edit]

[Fargo]

well, looks like vb uses verify_id() to check thread/forum id's and the sort. Having a look at functions.php, im finding that ive already gotten way over my head in something I know very little about...but I think I can figure it out - eventually :ermm:

[Natch]

Once the siteid has been globailzed, you should then test it prior to running the SQL query...

eg:

PHP Code:

... globalize statement ...
if(!is_int($siteid))
{
... trip your error checking facility ...
}
else
{
... the rest of your statement ...
} 


[Fargo]

Thanks for the input, Natch. While I fully understand what your suggesting I do, could you fill in the blanks and let me know how I would verify that error checking works? Im pretty new at all this stuff, so im a bit ignorant yet