PDA

View Full Version : Is there anything wrong with this code?


vietfancy
25 Nov 2009, 19:56
is there anything wrong with this code, if there is please point it out for me. Thanks

if (isset($_POST["submit"])){
$id=$_POST["id"];
$day=$_POST["day"];
$time=$_POST["time"];
$ampm=$_POST["ampm"];
$class=$_POST["class"];
$level=$_POST["level"];
$instructor=$_POST["instructor"];
$link=$_POST["link"];
$display=$_REQUEST["display"];
$live=$_POST["live"];
//replace classes

$db->query_write("UPDATE " . TABLE_PREFIX . "schedule SET day = $day, time = $time, ampm = $ampm, class = $class, level = $level, instructor = $instructor, link = $link, display = $display, live = $live WHERE id=$id")or die(mysql_error());
$done = "Schedule updated";
header("location: index.php?do=submit");
}

Lynne
25 Nov 2009, 20:02
You should be running all your variables through the vbulletin cleaner - http://www.vbulletin.org/forum/showthread.php?t=154411

vietfancy
25 Nov 2009, 21:00
so instead of the code above. you want me to use this below? I tried to replace it. But it still doesn't do the trick.


$vbulletin->input->clean_array_gpc('p', array(
'day' => TYPE_NOHTML,
'time' => TYPE_NOHTML,
'ampm' => TYPE_NOHTML,
'class' => TYPE_NOHTML,
'level' => TYPE_NOHTML,
'instructor' => TYPE_NOHTML,
'link' => TYPE_NOHTML,
'display' => TYPE_NOHTML,
'live' => TYPE_NOHTML,
'id' => TYPE_INT
));

$day = $vbulletin->input->clean_gpc('p', 'day', TYPE_NOHTML);
$time = $vbulletin->input->clean_gpc('p', 'time', TYPE_NOHTML);
$ampm = $vbulletin->input->clean_gpc('p', 'ampm', TYPE_NOHTML);
$class = $vbulletin->input->clean_gpc('p', 'class', TYPE_NOHTML);
$level = $vbulletin->input->clean_gpc('p', 'level', TYPE_NOHTML);
$instructor = $vbulletin->input->clean_gpc('p', 'instructor', TYPE_NOHTML);
$link = $vbulletin->input->clean_gpc('p', 'link', TYPE_NOHTML);
$display = $vbulletin->input->clean_gpc('p', 'display', TYPE_NOHTML);
$live = $vbulletin->input->clean_gpc('p', 'live', TYPE_NOHTML);
$id = $vbulletin->input->clean_gpc('p', 'id', TYPE_UINT);

$db->query_write("
UPDATE " . TABLE_PREFIX . "schedule SET
day = '" . $db->escape_string($vbulletin->GPC['day']) . "',
time = '" . $db->escape_string($vbulletin->GPC['time']) . "',
ampm = '" . $db->escape_string($vbulletin->GPC['ampm']) . "',
class = '" . $db->escape_string($vbulletin->GPC['class']) . "',
level = '" . $db->escape_string($vbulletin->GPC['level']) . "',
instructor = '" . $db->escape_string($vbulletin->GPC['instructor']) . "',
link = '" . $db->escape_string($vbulletin->GPC['link']) . "',
display = '" . $db->escape_string($vbulletin->GPC['display']) . "',
live = '" . $db->escape_string($vbulletin->GPC['live']) . "',
WHERE id = " . $vbulletin->GPC['id'] . "
");

Lynne
25 Nov 2009, 21:54
You never said anything was wrong, you just asked *if* anything was wrong and I told you that you at least need to secure it by running it through the cleaner. What is wrong?

And once you've assigned it ($day = ....), then you can just use that variable $day.

This is actually the article I meant to link you to, sorry - http://www.vbulletin.org/forum/showthread.php?t=119372&highlight=cleaner

vietfancy
25 Nov 2009, 22:53
here is what i'm trying to do. I try to edit/modify/update a class from the schedule table.

So far i have:
http://qtresources.com/tienganh/ese/schedule.php << working fine
http://qtresources.com/tienganh/ese/schedule.php?do=add << working fine
http://qtresources.com/tienganh/ese/schedule.php?do=admin << everything is ok, but when I tried to edit a class....I'm able to pull it up, but when i submit it, nothing change.

ex: http://qtresources.com/tienganh/ese/schedule.php?do=edit&id=49

here is my php code:

// Show Edit Page
if ($ese_schedule['do'] == "edit"){

if (!isset($_POST["submit"])){
$id = $_REQUEST["id"];
$result = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "schedule WHERE id=$id");
while($r = $db->fetch_array($result)){
$day = "$r[day]";
$time = "$r[time]";
$ampm = "$r[ampm]";
$class = "$r[class]";
$level = "$r[level]";
$instructor = "$r[instructor]";
$link = "$r[link]";
$live = "$r[live]";
$display = "$r[display]";}
}

if (isset($_POST["submit"])){
// $id=$_POST["id"];
// $day=$_POST["day"];
// $time=$_POST["time"];
// $ampm=$_POST["ampm"];
// $class=$_POST["class"];
// $level=$_POST["level"];
// $instructor=$_POST["instructor"];
// $link=$_POST["link"];
// $display=$_REQUEST["display"];
// $live=$_POST["live"];

// new code
$vbulletin->input->clean_array_gpc('p', array(
'day' => TYPE_STR,
'time' => TYPE_STR,
'ampm' => TYPE_STR,
'class' => TYPE_STR,
'level' => TYPE_STR,
'instructor' => TYPE_STR,
'link' => TYPE_STR,
'display' => TYPE_STR,
'live' => TYPE_STR,
'id' => TYPE_INT,
));

// check for missing fields
if (empty($vbulletin->GPC['day'])
OR empty($vbulletin->GPC['time'])
OR empty($vbulletin->GPC['ampm'])
OR empty($vbulletin->GPC['class']))
OR empty($vbulletin->GPC['level'])
OR empty($vbulletin->GPC['instructor'])
OR empty($vbulletin->GPC['link']))
OR empty($vbulletin->GPC['display'])
OR empty($vbulletin->GPC['live'])
)
{
// show message
}
$day = $vbulletin->input->clean_gpc('p', 'day', TYPE_STR);
$time = $vbulletin->input->clean_gpc('p', 'time', TYPE_STR);
$ampm = $vbulletin->input->clean_gpc('p', 'ampm', TYPE_STR);
$class = $vbulletin->input->clean_gpc('p', 'class', TYPE_STR);
$level = $vbulletin->input->clean_gpc('p', 'level', TYPE_STR);
$instructor = $vbulletin->input->clean_gpc('p', 'instructor', TYPE_STR);
$link = $vbulletin->input->clean_gpc('p', 'link', TYPE_STR);
$display = $vbulletin->input->clean_gpc('p', 'display', TYPE_STR);
$live = $vbulletin->input->clean_gpc('p', 'live', TYPE_STR);
$id = $vbulletin->input->clean_gpc('p', 'id', TYPE_INT);

$db->query_write("
UPDATE " . TABLE_PREFIX . "schedule SET
day = '" . $db->escape_string($vbulletin->GPC['day']) . "',
time = '" . $db->escape_string($vbulletin->GPC['time']) . "',
ampm = '" . $db->escape_string($vbulletin->GPC['ampm']) . "',
class = '" . $db->escape_string($vbulletin->GPC['class']) . "',
level = '" . $db->escape_string($vbulletin->GPC['level']) . "',
instructor = '" . $db->escape_string($vbulletin->GPC['instructor']) . "',
link = '" . $db->escape_string($vbulletin->GPC['link']) . "',
display = '" . $db->escape_string($vbulletin->GPC['display']) . "',
live = '" . $db->escape_string($vbulletin->GPC['live']) . "',
WHERE id = " . $vbulletin->GPC['id'] . "
");
//end new code
//update classes


// $db->query_write("UPDATE " . TABLE_PREFIX . "schedule SET day = '$day', time = '$time', ampm = '$ampm', class = '$class', level = '$level', instructor = '$instructor', link = '$link', display = '$display', live = '$live' WHERE id=$id")or die(mysql_error());
// echo "Thank you! Schedule updated.";
header("location: schedule.php?do=admin");
}
}

if ($ese_schedule['do'] == 'edit'){
$navbits = construct_navbits(array('' => 'Edit'));
$navbar = render_navbar_template($navbits);
$templater = vB_Template::create('schedule_edit');
$templater->register_page_templates();
$templater->register('navbar', $navbar);
$templater->register('pagetitle', 'Edit A Class');
$templater->register('id', $id);
$templater->register('day', $day);
$templater->register('time', $time);
$templater->register('ampm', $ampm);
$templater->register('class', $class);
$templater->register('level', $level);
$templater->register('instructor', $instructor);
$templater->register('link', $link);
$templater->register('display', $display);
$templater->register('live', $live);
print_output($templater->render());
}

// End Edit Page
here is my edit templete:

<!-- add form -->
<form action="schedule.php?do=admin" method="post">
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
<input type="hidden" name="id" value="{vb:raw id}" />
<table class="tborder" cellpadding="0" cellspacing="6" border="0" width="100%" align="center">
<tr valign="top">
<td class="alt1" width="20%" align="left" nowrap="nowrap">
<div style="padding:3px;">Day/Time/Am-Pm:</div>
<div style="padding:3px;">Class:</div>
<div style="padding:3px;">Level:</div>
<div style="padding:3px;">Instructor:</div>
<div style="padding:3px;">Link</div>
<div style="padding:3px;">Display:</div>
<div style="padding:3px;">Live:</div>
</td>
<td class="alt2" width="35%">
<div style="padding:3px;">
<input type="text" name="day" value="{vb:raw day}"size="6" maxlength="25" autocomplete="off" />

/ <input type="text" name="time" value="{vb:raw time}" size="6" maxlength="5" autocomplete="off" />
/ <input type="text" name="ampm" value="{vb:raw ampm}" size="6" maxlength="5" autocomplete="off" />
</div>
<div style="padding:3px;"><input type="text" size="40" maxlength="256" name="class" value="{vb:raw class}" autocomplete="off" /></div>
<div style="padding:3px;"><input type="text" size="40" maxlength="256" name="level" value="{vb:raw level}" autocomplete="off" /></div>
<div style="padding:3px;"><input type="text" size="40" maxlength="256" name="instructor" value="{vb:raw instructor}" autocomplete="off" /></div>
<div style="padding:3px;"><input type="text" size="40" maxlength="256" name="link" value="{vb:raw link}" autocomplete="off" /></div>
<div style="padding:3px;"><input type="text" size="40" maxlength="256" name="display" value="{vb:raw display}" autocomplete="off" /></div>
<div style="padding:3px;"><input type="text" size="40" maxlength="256" name="live" value="{vb:raw live}" autocomplete="off" /></div>
</td>
<td class="alt1" width="45%" align="left" nowrap="nowrap">
<div style="padding:3px;">text go here</div>

</td>
</tr>
<tr valign="top">
<td class="alt2" colspan="3" width="100%" align="center" style="padding-top:20px;">
<input type="submit" class="button" value="Submit" accesskey="s" />
<input type="hidden" class="button" value="Reset" accesskey="s" />
</td>
</tr>
</table>
</form>
<!-- end add form -->

Lynne
25 Nov 2009, 23:16
Like I said, if you already assigned $day to the cleaned variable, you can just use $day. Have you tried just:
day = $day,

in your query? Or, if you feel the need to escape it,
day = '" . $db->escape_string($day) . "',,