- Moderated by:
- Support Team
Need some help fixing code
-
- rank:
-
Helper
- registered:
- July 2002
- Status:
- offline
- last visit:
- 27.10.08
- Posts:
- 166
Howdy,
I have a bunch of custom modules that were created about 2 years ago. After my upgrade to .7.6.4 (actually it might have been at .7.5.0 but I can't recall) much of this custom code stopped working.
It appears that they way PN passes variables has changed significantly so pages that pass information to a script are not getting the information. I've fixed much of it, but I still have a bunch of pages that are not working. So I'm looking for some help in fixing them.
Here is an example:
This is the HTML code:
Code
<form name="reviews" action="modules.php" onsubmit="return validate();" method="get">
<input type="hidden" name="op" value="modload">
<input type="hidden" name="file" value="update_review_products">
<input type="hidden" name="name" value="database">
<table border="0" cellpadding="2" cellspacing="0" bgcolor="#3E8AED" align="center">
<tr>
<td>
<table width="50%" border="0" cellpadding="2" cellspacing="2" bgcolor="#BBE8FF">
<tr>
<td align="center" bgcolor="#3E8AED">Add Your Review</td>
</tr>
<tr>
<td> <input type="hidden" name="txtprodid" value=""></td>
</tr>
<tr>
<td><textarea name="txtreview" cols="80" rows="10"></textarea></td>
</tr>
<tr>
<td align="center"> </td>
</tr>
<tr>
<td align="center"> <input type="image" src="/themes/Aquarium_Blue/images/btn_submit.gif" width="67" height="17">
<a href="javascript:history.back();"><img src="/themes/Aquarium_Blue/images/btn_back.gif" name="close" value="Close" border="0"></a>
<a href="#" onclick="reviews.reset();"> <img src="/themes/Aquarium_Blue/images/btn_reset.gif" width="67" height="17" border="0"></a></td>
</tr>
<tr>
<td> </td>
</tr>
</table>
</td>
</tr>
</table>
</form>
Which passes to the following php:
Code
<?
$txtprodid = pnSessionGetVar('txtprodid');
$txtreview = pnSessionGetVar('txtreview');
$uid = pnSessionGetVar('uid');
if($uid=="")
{
?>
alert("You are not a Registered member")
javascript:history.go(-2);
<?
}
else
{
include("DataBase.php");
$db=new database();
$data=trim($txtreview);
$pkid=$txtprodid;
$sql="insert into TBL_product_reviews(product_review_id,product_id,visitor_id,review) values('',$txtprodid,$uid,'$data')";
print($sql);
if($db->executequery($sql))
{
?>
javascript:history.go(-2);
<?
}
else
{
header("Location: sorry.php");
}
}// end of if condition
?>
And here is the resulting SQL string generated:
insert into TBL_product_reviews(product_review_id,product_id,visitor_id,review) values('',,2,'')
As you can see several of the vars are coming in as empty. Any help is appreciated.
Sean
--
http://www.Aquaria.info --> 30k user PostNuke site
http://www.EngineSubmittal.com -- Free search engine submission
-
- rank:
-
Moderator
- registered:
- March 2002
- Status:
- offline
- last visit:
- 26.08.08
- Posts:
- 7720
Why do the variables txtprodid and txtreview come from the users session? This doesn't make any sense since these seem to be submitted from a form - in which case the variables would be in the POST array rather than the session.
Code
$txtprodid = pnSessionGetVar('txtprodid');
$txtreview = pnSessionGetVar('txtreview');
Change these two lines to use pnVarCleanFromInput
Code
$txtprodid = pnVarCleanFromInput('txtprodid');
$txtreview = pnVarCleanFromInput('txtreview');
I'm suprised that this code worked at all, ever! PN prior to .750 must have been doing something odd for this to have worked at any point.
-Mark
-
- rank:
-
Helper
- registered:
- July 2002
- Status:
- offline
- last visit:
- 27.10.08
- Posts:
- 166
Thanks Mark. That fixed one of the two missing ones, but it appears txtprodid is never making it to the form for submission. Here is the code that generates the form page:
Code
function validate()
{
if(trim(reviews.txtreview.value)=="")
{
alert("Enter your Review.");
reviews.txtreview.value="";
reviews.txtreview.focus();
return false;
}
return true;
}
<form name="reviews" action="modules.php" onsubmit="return validate();" method="get">
<input type="hidden" name="op" value="modload">
<input type="hidden" name="file" value="update_review_products">
<input type="hidden" name="name" value="database">
<input type="hidden" name="txtprodid" value="<?=$strid?>">
<table border="0" cellpadding="2" cellspacing="0" bgcolor="<?=$GLOBALS['bgcolor2']?>" align="center">
<tr> <td>
<table width="50%" border="0" cellpadding="2" cellspacing="2" bgcolor="<?=$GLOBALS['bgcolor1']?>">
<tr>
<td align="center" bgcolor="<?=$GLOBALS['bgcolor2']?>">Add Your Review</td>
</tr>
<tr>
<td><textarea name="txtreview" cols="80" rows="10"></textarea></td>
</tr>
<tr>
<td align="center"> </td>
</tr>
<tr>
<td align="center"> <input type="image" src="/themes/<?=$thename?>/images/btn_submit.gif" width="67" height="17">
<a href="javascript:history.back();"><img src="/themes/<?=$thename?>/images/btn_back.gif" name="close" value="Close" border="0"></a>
<a href="#" onclick="reviews.reset();"> <img src="/themes/<?=$thename?>/images/btn_reset.gif" width="67" height="17" border="0"></a></td>
</tr>
<tr>
<td> </td>
It is the strid var that is being passed from the previous page via the URL such as:
http://www.aquaria.info/modules.php?file=user_reviews_products&strid=150&op=modload&name=database
FYI, I didn't code this stuff it was done by an offshore company and as you can see the code leaves a lot to be desired!
--
http://www.Aquaria.info --> 30k user PostNuke site
http://www.EngineSubmittal.com -- Free search engine submission
-
- rank:
-
Moderator
- registered:
- March 2002
- Status:
- offline
- last visit:
- 26.08.08
- Posts:
- 7720
Since I can't see the output without logging in... Are you sure that the hidden variable is present? My guess is that it isn't - and it's down the virtually the same issue.
Change the code
Code
<input type="hidden" name="txtprodid" value="<?=$strid?>">
to
Code
<input type="hidden" name="txtprodid" value="<?=pnVarPrepForDisplay(pnVarCleanFromInput(('strid'));?>">
Your code assumes that any variable present in the URL is present in the PHP code. For PN versions prior to .750 this was true but was a potential security risk. From this version onwards you *must* obtain any input yourself.
In the updated code we get the 'strid' variable from the URL using pnVarCleanFromInput and then output it again via pnVarPrepForDisplay (to prevent an XSS issues).
To be on the safe side you should probably run any data to be added to the DB via pnVarPrepForStore. Add the following line of code prior to your SQL statement
Code
-Mark
-
- rank:
-
Helper
- registered:
- July 2002
- Status:
- offline
- last visit:
- 27.10.08
- Posts:
- 166
We have a winner!
Thanks Mark. Now off to scrub some 400 PHP pages to fix these problems.
--
http://www.Aquaria.info --> 30k user PostNuke site
http://www.EngineSubmittal.com -- Free search engine submission
-
- rank:
-
Helper
- registered:
- July 2002
- Status:
- offline
- last visit:
- 27.10.08
- Posts:
- 166
One quick change though, you had an extra parenthesis in the input, should be:
Code
<input type="hidden" name="txtprodid" value="<?=pnVarPrepForDisplay(pnVarCleanFromInput('strid'));?>">
edited by: mbuna, Apr 23, 2007 - 02:45 AM
--
http://www.Aquaria.info --> 30k user PostNuke site
http://www.EngineSubmittal.com -- Free search engine submission
-
- rank:
-
Moderator
- registered:
- March 2002
- Status:
- offline
- last visit:
- 26.08.08
- Posts:
- 7720
mbuna
One quick change though, you had an extra parenthesis in the input, should be:
The day I can type PHP with completely correct syntax into a forum is the day I accept that I spend too much of my free time on this!
-Mark
|
