Ravens PHP Scripts: Forums
 

 

loraxx
Regular


Joined: Jan 24, 2008
Posts: 58

Posted: Sat Mar 01, 2008 4:43 pm

I really need a good joke module for my website (my members are joke freaks), but no working one that is secure can be found. I have decided to start with the following module:


download link: Only registered users can see links on this board! Get registered or login!

The code has some bugs (well, at least for me). I have worked through all that I know, but I'm left with the serious concern that data entered via submit joke and submit comment are NOT secure.

Could someone recommend the necessary filter, modification, etc. I need to apply to the user input data to make it safe?

Below is the code from index.php of the download above. This is the location where the user inputs data for submit joke and submit comment. It seems unsafe and DOES NOT work as is, since it leaves a lot of \\\ everywhere:

[code]<?php
/************************************************************************/
/* Jokes Module FOR PHP-NUKE */
/* ------------------------- */
/* Copyright (c) 2006 by ADAMIN */
/* Only registered users can see links on this board! Get registered or login! */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
// Check if user is not accessing the file directly -->
if (!defined('MODULE_FILE')) {
die ("You can't access this file directly...");
}
// Check if user is not accessing the file directly <--
require_once("mainfile.php"); // Including mainfile
$module_name = basename(dirname(__FILE__)); // Module name detection
get_lang("$module_name"); // Language selection

//Configuration variables loading -->
global $prefix, $db;
global $index, $debug, $pagetitle;
global $limit_new, $limit_popular, $limit_top, $max_rating;
global $jokes_per_page, $category_per_line;
global $ShowAddressBar, $show_home_image, $show_category_image;
global $category_image_dir, $default_order;
if (!$result=$db->sql_query("SELECT * FROM ".$prefix."_jokes_config")){
//If configuration variables are failed to load from db then to be
//loaded from the deafult config.php file
require_once("modules/jokes/config.php");
}
else{
$row = $db->sql_fetchrow($result);
$index = $row['show_right_side_box'];
$debug = $row['debug_mode'];
$pagetitle = $row['page_title'];
$limit_new = $row['limit_new'];
$limit_popular = $row['limit_popular'];
$limit_top = $row['limit_top'];
$max_rating = $row['max_rating'];
$jokes_per_page = $row['jokes_per_page'];
$category_per_line = $row['category_per_line'];
$ShowAddressBar = $row['show_address_bar'];
$show_home_image = $row['show_home_image'];
$show_category_image = $row['show_category_image'];
$category_image_dir = $row['category_image_dir'];
$default_order = $row['default_joke_list_order'];
}
//Configuration variables loading <--

//Header creation for jokes module -->
function module_header(){
global $show_home_image;
echo ""
."<center>\n";
if ($show_home_image){
echo ""
."<img src=\"modules/jokes/images/logo.gif\" alt=\"\" border=\"0\" /><br>\n";
}
echo ""
."<font class=\"title\">"._JOKESTITLE."</font>\n"
."</center>\n";
}
//Header creation for jokes module <--

//TopMenu creation for jokes module -->
function menu(){
echo ""
."<center><br>\n"
."[ <a href=\"modules.php?name=jokes&op=show_default\">"._CATEGORIES."</a>"
." | "
."<a href=\"modules.php?name=jokes&op=search\">"._SEARCH."</a>"
." | "
."<a href=\"modules.php?name=jokes&op=show_new\">"._NEW."</a>"
." | ".
"<a href=\"modules.php?name=jokes&op=show_popular\">"._POPULAR."</a>"
." | "
."<a href=\"modules.php?name=jokes&op=show_top\">"._TOP."</a> ]\n"
."<br>"
."[ <a href=\"modules.php?name=jokes&op=submit_joke\">"._SUBMITJOKE."</a> ]"
."</center>\n";
CloseTable();
echo ""
."<br>";
OpenTable();
}
//TopMenu creation for jokes module <--

//Jokes preview/view (two modes) -->
function joke_preview($title, $description, $note, $category, $submitter, $submission_date, $hits, $mode){
OpenTable();
echo ""
."<center><font class=\"title\">"."$title </font>\n"
."<br>"
."<b>"._CATEGORY.":</b> $category <br>\n"
.(($mode == _VIEW)?"( $hits "._JOKESEEN." )<br>":"")
."<br>"
."<font class=\"content\">".$description."</font><br>"
."<br>"
.(($note == "")?"":"<b>"._AUTHORSNOTE."</b>: "." $note")
."<br>"
.(($mode == _VIEW)?"( $submitter "._POSTED." ".(($submission_date == "")?_NOTAVAILABLE:$submission_date)." )":"");
CloseTable();
}
//Jokes preview/view (two modes) <--

//Jokes submission processing -->
function submit_joke($title, $description, $note, $cat, $submit){
global $AllowableHTML, $prefix, $user, $cookie, $anonymous, $db;
if (isset($submit)){
$title = addslashes($title);
$description = addslashes($description);
$note = addslashes($note);
if (!$result = $db->sql_query("SELECT joke_id, title, content FROM ".$prefix."_jokes WHERE title='$title' OR content='$description'")){
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
if ($db->sql_numrows($result) > 0){
$row = $db->sql_fetchrow($result);
echo ""
."<center>"
."<b><font color=\"#FF0000\">"._JOKEALREADYEXIST."</font></b>"
."<br>"
.((strtolower($row['title']) == strtolower($title))?"( "._TITLEERROR." )":"( "._CONTENTERROR." )")
."<br><br>"
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> |\n"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">"._CHECKEXISTINGJOKE."</a> ]"
."</center>";
exit();
}
if (!$result = $db->sql_query("SELECT joke_id, title, content FROM ".$prefix."_jokes_tmp WHERE title='$title' OR content='$description'")){
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
if ($db->sql_numrows($result) > 0){
$row = $db->sql_fetchrow($result);
echo ""
."<center>"
."<b><font color=\"#FF0000\">"._JOKEALREADYEXIST."</font></b>"
."<br>"
.((strtolower($row['title']) == strtolower($title))?"( "._TITLEERROR." )":"( "._CONTENTERROR." )")
."<br><br>"
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ]<br>\n"
._REQUESTEDJOKE
."</center>";
exit();
}
if ($submit == _SUBMIT){
if (is_user($user)) {
cookiedecode($user);
$uid = $cookie[0];
$name = $cookie[1];
}
else {
$uid = 1;
$name = "$anonymous";
}
if(!$db->sql_query("INSERT INTO ".$prefix."_jokes_tmp(title, cat, content, notes, submitter_id, submission_date) VALUES ('$title', $cat, '$description', '$note', $uid, '".date("Y-m-d H:i:s")."')")) {
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
echo ""
."<center><font class=\"title\">"
._SUBSENT
."</font><br><br>"
._THANKSSUB
."<br><br>"
._SUBTEXT;
}
else{
$title = stripcslashes($title);
$description = stripcslashes($description);
$note = stripcslashes($note);
if ($title == "" || $description == ""){
$warning = ""
."<center><b><font color=\"#FF0000\">"
._BADTITLETEXT
."</b></font>\n"
."<br><br>\n"
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ]\n"
."</center>\n";
modified_die($warning);
}
echo ""
."<center><font class=\"title\">"
."<b>"._JOKESUBPREVIEW."</b>"
."</font><br>\n"
."<i>"._JOKELOOK."</i>"
."<br><br>"
."</center>";
if ($cat == "") {
$warning = ""
."<center><font color=\"#FF0000\">"
."<b>"._SELECTCAT."</b>"
."</font><br><br>"
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ]\n"
."</center>";
modified_die($warning);
}
if (is_user($user)) {
cookiedecode($user);
$submitter = $cookie[1];
}
else {
$submitter = $anonymous;
}
if (!$result = $db->sql_query("SELECT title FROM ".$prefix."_jokes_cat WHERE cat_id=$cat")){
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
$row = $db->sql_fetchrow($result);
joke_preview($title, $description, $note, $row['title'], $submitter, $submission_date, $hits, _PREVIEW);
echo ""
."<center>"
."<br>"
."<b>"._YOURNAME.": </b>\n"
.(($submitter == $anonymous)?$submitter:"<a href=\"account.html\">$submitter</a>")
.(($submitter == $anonymous)?"":" [ <a href=\"modules.php?name=Your_Account&amp;op=logout\">"._LOGOUT."</a> ]")
."</center>\n"
."<br>\n"
."<form action=\"modules.php?name=jokes&op=submit_joke\" method=\"post\">\n"
."<center>"
._CHECKJOKE."<br>\n"
._HTMLNOTALLOWED
."<br><br>\n"
."<input type=\"hidden\" name=\"title\" value=\"$title\">\n"
."<input type=\"hidden\" name=\"description\" value=\"$description\">\n"
."<input type=\"hidden\" name=\"note\" value=\"$note\">\n"
."<input type=\"hidden\" name=\"cat\" value=\"$cat\">\n"
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ]\n"
."<br>"._OR."<br>"
."<input type=\"submit\" name=\"submit\" value=\""._SUBMIT."\"></form>\n"
."</center>";
}
}
else{
if (is_user($user)){
getusrinfo($user);
}
echo ""
."<form action=\"modules.php?name=jokes&op=submit_joke\" method=\"post\">"
."<b>"._YOURNAME.":</b> ";
if (is_user($user)) {
cookiedecode($user);
echo ""
."<a href=\"account.html\">$cookie[1]</a> <font class=\"content\">[ <a href=\"modules.php?name=Your_Account&amp;op=logout\">"._LOGOUT."</a> ]</font>";
}
else {
echo ""
."$anonymous <font class=\"content\">[ <a href=\"account.html\">"._NEWUSER."</a> ]</font>";
}
echo ""
."<br><br>"
."<b>"._SUBTITLE."</b> "
."("._BEDESCRIPTIVE.")<br>"
."<input type=\"text\" name=\"title\" size=\"50\" maxlength=\"80\"><br><font class=\"content\">("._BADTITLES.")</font>"
."<br><br>"
."<b>"._CATEGORY.": </b> <select name=\"cat\">";
$result = $db->sql_query("SELECT cat_id, title FROM ".$prefix."_jokes_cat WHERE active='1' ORDER BY title");
echo ""
."<option value=\"\">"._SELECTCAT."</option>\n";
while ($row = $db->sql_fetchrow($result)) {
$cat_id = $row['cat_id'];
$title = $row['title'];
echo "<option value=\"$cat_id\">$title</option>\n";
}
echo "</select>\n"
."<br><br>"
."<b>"._DESCRIPTION.": </b><br>"
."<textarea cols=\"64\" rows=\"15\" name=\"description\"></textarea><br>"
."<br><br><b>"._NOTE."</b><br>"
."<textarea cols=\"64\" rows=\"15\" name=\"note\"></textarea><br>"
."<font class=\"content\">("._AREYOUSURE.")<br><br>"
.""._HTMLNOTALLOWED."</font>"
."<br><br>"
."<input type=\"submit\" name=\"submit\" value=\""._PREVIEW."\">"
."<br>("._SUBPREVIEW.")</font></form>";
}
}
//Jokes submission processing <--

//Jokes view counter function -->
function hits($joke_id){
global $prefix, $db;
$db->sql_fetchrow($db->sql_query("UPDATE ".$prefix."_jokes set hits=hits+1 WHERE joke_id=$joke_id"));
}
//Jokes view counter function <--

//View the joke requested for -->
function show_joke($joke_id, $next_joke_id, $previous_joke_id){
global $max_rating, $ShowAddressBar, $admin, $prefix, $db;
global $bgcolor1, $bgcolor2, $textcolor1;
hits($joke_id);
$sql = "SELECT joke_id, ".$prefix."_jokes.title 'joke_title', cat_id, ".$prefix."_jokes_cat.title 'category_title', content, notes, submission_date, hits, rating, rating_count, ".$prefix."_jokes.active, username FROM ".$prefix."_jokes, ".$prefix."_jokes_cat, ".$prefix."_users WHERE joke_id=$joke_id AND cat=cat_id AND submitter_id=user_id";
if (!$result = $db->sql_query($sql)){
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
$row = $db->sql_fetchrow($result);
if ($ShowAddressBar){
echo ""
."<font class=\"title\">\n"
."<a href=\"index.php\">"._HOME."</a> > "
."<a href=\"modules.php?name=jokes&op=show_default\">"._JOKESTITLE."</a> > "
."<a href=\"modules.php?name=jokes&op=show_category&cat_id=".$row['cat_id']."\">".$row['category_title']."</a>"
."</font>"
."<br><br>";
}
joke_preview($row['joke_title'], $row['content'], $row['notes'], $row['category_title'], $row['username'], $row['submission_date'], $row['hits'], _VIEW);
echo ""
."<center>"
."[ "
.(is_admin($admin)?"<a href=\"admin.php?op=jokes_edit&joke_id=".$row['joke_id']."\">"._EDIT."</a> | <a href=\"admin.php?op=jokes_delete&joke_id=".$row['joke_id']."\">"._DELETE."</a> | ":"")
."<a href=\"modules.php?name=jokes&op=joke_print&joke_id=$joke_id\" target=\"_blank\">"._PRINTJOKE."</a>"
." ]"
."<br><br>"
."</center>"
."<form action=\"modules.php?name=jokes\" method=\"post\">\n"
."<center>"
."<b>".$row['rating_count']." "._CURRENTRATING.(($row['rating_count'] == 0)?"</b><br>( "._BEFIRST." )":". "._RATING.": ".$row['rating']."/$max_rating"."</b>")
."<br><br>"
."<b>"._RATETEXT.":</b> "
."<select name=\"rate\" size=\"1\">";
for($i=1;$i<=$max_rating;$i++){
echo ""
."<option value=\"$i\">$i</option>";
}
echo ""
."</select>"
."&nbsp; "
."<input type=\"hidden\" name=\"joke_id\" value=\"".$joke_id."\" />\n"
."<input type=\"submit\" name=\"op\" value=\""._RATE."\" />\n"
."</center>"
."</form>";
}
//View the joke requested for <--

//Search by joke title (not case-sensitive and match case is enabled) -->
function search($submit, $search_text, $category, $sort_by, $order, $page){
global $jokes_per_page, $prefix, $db;
if (isset($submit)){
$page = (($page == 0)?1:$page);
$sort_by = (($sort_by == "")?"submission_date":$sort_by);
$order = (($order == "")?"desc":$order);
$param = Array('search_text'=>$search_text, 'cat_id'=>$category, 'page'=>$page, 'limit'=>$jokes_per_page);
show_joke_list(_SEARCH, $param, $sort_by, $order);
}
else{
echo ""
."<center>"
."<font class=\"title\">\n"
."<b>:: "._SEARCH." ::</b>"
."</font><br><br>"
."</center>"
."<form id=\"search\" action=\"modules.php?name=jokes&op=search\" method=\"post\" name=\"search\">"
."<center>"
."<input type=\"text\" name=\"search_text\" size=\"40\"> "
."<select name=\"category\" size=\"1\">"
."<option value=\"0\">"._ALLCATEGORY."</option>";
$result = $db->sql_query("SELECT cat_id, title FROM ".$prefix."_jokes_cat WHERE active='1' ORDER BY title");
while ($row = $db->sql_fetchrow($result)) {
echo ""
."<option value=\"".$row['cat_id']."\">".$row['title']."</option>\n";
}
echo ""
."</select>"
."<br><br>"
."<select name=\"sort_by\" size=\"1\">"
."<option value=\"title\">"._JOKETITLE."</option>"
."<option value=\"submission_date\">"._SUBDATE."</option>"
."<option value=\"\">"._SUBBY."</option>"
."</select> "
."<select name=\"order\" size=\"1\">"
."<option value=\"asc\">"._ASCENDING."</option>"
."<option value=\"desc\">"._DESCENDING."</option>"
."</select> "
."<input type=\"submit\" name=\"submit\" value=\""._SEARCH."\">"
."<center>"
."</form>";
}
}
//Search by joke title (not case-sensitive and match case is enabled) <--

//Build dynamic joke list table (function: category/normal view, sorting by and in order, searching result) -->
function show_joke_list($reference, $param, $sort_by = "", $order = ""){
global $admin, $prefix, $db;
global $bgcolor1,$bgcolor2, $textcolor1;
global $default_order;
$order = ($order == "")?$default_order." ":$order;
if ($reference == _CATEGORY){
$cat_id = $param['cat_id'];
$limit1 = ((($param['page'] == 0)?1:$param['page']) - 1) * $param['limit'];
$limit2 = $param['limit'];
$sort_by = ($sort_by == "")?"submission_date":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE cat = $cat_id AND submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order "
."LIMIT $limit1, $limit2";
}
elseif($reference == _TOP){
$limit = $param;
$sort_by = ($sort_by == "")?"rating":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order"
."LIMIT 0, $limit";
}
elseif($reference == _NEW){
$limit = $param;
$sort_by = ($sort_by == "")?"submission_date":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order"
."LIMIT 0, $limit";
}
elseif($reference == _POPULAR){
$limit = $param;
$sort_by = ($sort_by == "")?"hits":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order"
."LIMIT 0, $limit";
}
elseif($reference == _SEARCH){
$cat_id = $param['cat_id'];
$limit1 = ((($param['page'] == 0)?1:$param['page']) - 1) * $param['limit'];
$limit2 = $param['limit'];
$sort_by = ($sort_by == "")?"submission_date":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE ".(($param['cat_id'] == 0)?"cat!=0 AND ":"cat = $cat_id AND ")."title LIKE \"%".$param['search_text']."%\" AND submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order "
."LIMIT $limit1, $limit2";
}
if (!$result = $db->sql_query($sql)){
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
if ($reference == _CATEGORY){
$sql = "SELECT '' "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE cat = $cat_id AND submitter_id=user_id AND active='1'";
if (!$count = $db->sql_numrows($db->sql_query($sql))){
modified_die("<center><font color=\"#FF0000\">"._NOJOKE."</font></center>");
}
}
elseif($reference == _SEARCH){
$sql = "SELECT '' "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE ".(($param['cat_id'] == 0)?"cat!=0 AND ":"cat = $cat_id AND ")."title LIKE \"%".$param['search_text']."%\" AND submitter_id=user_id AND active='1' ";
if (!$count = $db->sql_numrows($db->sql_query($sql))){
modified_die("<center><font color=\"#FF0000\">"._NO." "._RECORDSFOUND."</font></center>");
}
}
else{
$count = $db->sql_numrows($result);
}
if ($reference == _SEARCH){
$category = (($cat_id == 0)?Array('title'=>_ALLCATEGORY):$db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_jokes_cat WHERE cat_id=$cat_id")));
echo ""
."<center>"
._SEARCHFOR." <b>\"".$param['search_text']."\"</b> "._INCATEGORY." <b>\"".$category['title']."\"</b><br>"
."( ".(($count == 0)?_NO:$count)." "._RECORDSFOUND." )"
."<br><br></center>";
}
echo ""
."<table bgcolor=\"$bgcolor2\" width=\"100%\" cellpadding=\"2\" cellspacing=\"1\" border=\"0\">"
."<tr bgcolor=\"$bgcolor2\">"
."<td align=\"center\"><b>".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=title&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"")."<font color=\"$textcolor1\">"._JOKETITLE."</font>".(($sort_by == "title")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></b></td>"
."<td align=\"center\"><b>".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=submission_date&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"")."<font color=\"$textcolor1\">"._SUBDATE."</font>".(($sort_by == "submission_date")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></b></td>"
."<td align=\"center\"><b>".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=username&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"")."<font color=\"$textcolor1\">"._SUBBY."</font>".(($sort_by == "username")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></b></td>"
."<td align=\"center\"><b>".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=hits&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"")."<font color=\"$textcolor1\">"._HITS."</font>".(($sort_by == "hits")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></b></td>"
."<td align=\"center\"><b>".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=rating&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"")."<font color=\"$textcolor1\">"._RATING."</font> ".(($sort_by == "rating")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></b></td>"
.(is_admin($admin)?"<td align=\"center\"><b><font color=\"$textcolor1\">"._FUNCTIONS."</b></font>":"")
."</tr>";
if ($count < 1){
modified_die("<tr><td bgcolor=\"$bgcolor1\" colspan=\"6\"><center><font color=\"#FF0000\">"._NOJOKE."</font></center></td></tr>");
}
while($row = $db->sql_fetchrow($result)){
echo ""
."<tr bgcolor=\"$bgcolor1\">"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".$row['title']."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".(($row['submission_date'] == "")?_NOTAVAILABLE:$row['submission_date'])."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".$row['username']."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".$row['hits']."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".(($row['rating'] == 0)?_NOTAVAILABLE:$row['rating'])."</a>"
."</td>"
.(is_admin($admin)?"<td>[ <a href=\"admin.php?op=jokes_edit&joke_id=".$row['joke_id']."\">"._EDIT."</a> | <a href=\"admin.php?op=jokes_delete&joke_id=".$row['joke_id']."\">"._DELETE."</a> ]</td>":"");
echo ""
."</td></tr>";
}
echo ""
."</table>";
if ($reference == _CATEGORY || $reference == _SEARCH){
echo ""
."<table cellpadding=\"5\" width=\"100%\">"
.(($param['page'] == 1)?"<td width=\"20%\">&nbsp;</td>":"<td width=\"20%\" align=\"left\"><a href=\"modules.php?name=jokes&op=".(($reference == _CATEGORY)?"show_category&cat_id=".$param['cat_id']:"search&search_text=".$param['search_text']."&submit="._SEARCH)."&sort_by=".$sort_by."&order=".$order."&page=".($param['page']-1)."\">"._PREVIOUS."</td>")
."<td align=\"center\">[ ";
for ($i = 1 ; ceil($count/$param['limit']) >= $i ; $i++){
echo ""
.(($i == $param['page'])?"<b>"._PAGE." $i</b> ":"<a href=\"modules.php?name=jokes&op=".(($reference == _CATEGORY)?"show_category&cat_id=".$param['cat_id']:"search&search_text=".$param['search_text']."&submit="._SEARCH)."&sort_by=".$sort_by."&order=".$order."&page=$i\">"._PAGE." $i</a> ");
}
echo ""
." ]</td>"
.(($count > $param['limit'] * $param['page'])?"<td width=\"20%\" align=\"right\"><a href=\"modules.php?name=jokes&op=".(($reference == _CATEGORY)?"show_category&cat_id=".$param['cat_id']:"search&search_text=".$param['search_text']."&submit="._SEARCH)."&sort_by=".$sort_by."&order=".$order."&page=".($param['page']+1)."\">"._NEXT."</td>":"<td width=\"20%\">&nbsp;</td>")
."</table>";
}
}
//Build dynamic joke list table (function: category/normal view, sorting by and in order, searching result) <--

//Show a requested category -->
function show_category($cat_id, $sort_by, $order, $page){
global $jokes_per_page, $prefix, $db;
global $bgcolor1, $bgcolor2, $textcolor1;
global $ShowAddressBar, $show_category_image;
if ($ShowAddressBar){
echo ""
."<font class=\"title\">\n"
."<a href=\"index.php\">"._HOME."</a> > "
."<a href=\"modules.php?name=jokes&op=show_default\">"._JOKESTITLE."</a>"
."</font>";
}
$row = $db->sql_fetchrow($db->sql_query("SELECT * FROM ".$prefix."_jokes_cat WHERE cat_id = $cat_id"));
echo ""
."<center>";
if ($show_category_image){
echo ""
.(($row['image'] != "")?"<img src=\"".$row['image']."\"><br>":"");
}
echo ""
."<font class=\"title\">\n"
."<b>"._JOKESIN." \"".$row['title']."\" "._CATEGORY."</b>\n"
."</font><br>\n"
."<font class=\"tiny\">"
.$row['description']
."<br><br>"
."</font></center>\n";
$page = (($page == 0)?1:$page);
$sort_by = (($sort_by == "")?"submission_date":$sort_by);
$order = (($order == "")?"desc":$order);
$param = Array('cat_id'=>$cat_id, 'page'=>$page, 'limit'=>$jokes_per_page);
show_joke_list(_CATEGORY, $param, $sort_by, $order);
}
//Show a requested category <--

//Jokes rating function -->
function rate_joke($joke_id,$rate){
global $prefix, $db;
$row = $db->sql_fetchrow($db->sql_query("SELECT rating, rating_count FROM ".$prefix."_jokes WHERE joke_id = $joke_id"));
$rating = ($row['rating']*$row['rating_count']+$rate)/($row['rating_count']+1);
$db->sql_fetchrow($db->sql_query("UPDATE ".$prefix."_jokes set rating=$rating, rating_count=rating_count+1 WHERE joke_id=$joke_id"));
echo ""
."<center>"
._RATINGTHANKS
."<br><br>"
."[ <a href=\"modules.php?name=jokes&op=show_joke&joke_id=$joke_id\">"._BACKTEXT."</a> ]\n"
."</center>";
}
//Jokes rating function <--

//Show new jokes -->
function show_new(){
global $limit_new;
echo ""
."<center>\n"
."<font class=\"title\">\n"
."<b>"._JOKESNEW."</b>"
."<br><br>"
."</font></center>\n";
show_joke_list(_NEW, $limit_new);
}

function show_popular(){
global $limit_popular;
echo ""
."<center>"
."<font class=\"title\">\n"
."<b>"._JOKESPOPULAR."</b>"
."<br><br>"
."</font></center>\n";
show_joke_list(_POPULAR, $limit_popular);
}
//Show new jokes <--

//Show top jokes -->
function show_top(){
global $limit_top;
echo ""
."<center>"
."<font class=\"title\">\n"
."<b>"._JOKESTOP."</b>"
."<br><br>"
."</font></center>\n";
show_joke_list(_TOP, $limit_top);
}
//Show top jokes <--

//Show default categorical view -->
function show_default() {
global $category_per_line, $prefix, $db;
global $bgcolor1, $bgcolor2;
echo ""
."<center>"
."<font class=\"title\">\n"
."<b>:: "._MAINCATEGORY." ::</b>\n"
."</font><br><br>"
."</center>\n";
if (!$result = $db->sql_query("SELECT * FROM ".$prefix."_jokes_cat WHERE active=1")){
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
if ($db->sql_numrows($result)<1){
modified_die("<center><font color=\"#FF0000\"><b>"._NOJOKECAT."</b></font></center>");
}
echo ""
."<table width=\"100%\" cellpadding=\"5\" cellspacing=\"0\" border=\"0\">";
$category_count = 0;
while($row = $db->sql_fetchrow($result)){
if (!$result2 = $db->sql_query("SELECT joke_id FROM ".$prefix."_jokes WHERE active='1' AND cat =".$row['cat_id'])){
modified_die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
$count = $db->sql_numrows($result2);
$category_count++;
echo ""
.(($category_count%$category_per_line == 1)?"<tr>\n":"")
."<td align=\"center\" width=\"".(100/$category_per_line)."%\">"
."<b><a href=\"modules.php?name=jokes&op=show_category&cat_id=".$row['cat_id']."\">".$row['title']." ($count)</a></b>"
."</td>\n"
.(($category_count%$category_per_line == 0)?"</tr>\n":"");
}
echo ""
."</table>";
}
//Show default categorical view <--

//Jokes print priview -->
function joke_print($joke_id){
global $currentlang, $prefix, $db;
$sql = "SELECT joke_id, ".$prefix."_jokes.title 'joke_title', "
.$prefix."_jokes_cat.title 'category_title', content, "
."notes, submission_date, username "
."FROM ".$prefix."_jokes, ".$prefix."_jokes_cat, ".$prefix."_users "
."WHERE joke_id=$joke_id AND cat=cat_id AND submitter_id=user_id AND "
.$prefix."_jokes.active=1";
if (!$result = $db->sql_query($sql)){
die("<center><font color=\"#FF0000\"><b>"._SQLERROR."</b></font></center>");
}
if ($db->sql_numrows($result)<1){
die("<center><font color=\"#FF0000\"><b>"._NOJOKEFOUND."</b></font></center>");
}
$row = $db->sql_fetchrow($result);
$url = "Location: modules/jokes/print.php?language=".$currentlang."&title=".$row['joke_title']."&category=".$row['category_title']."&description=".$row['content']."&note=".$row['notes']."&submitter=".$row['username']."&submission_date=".$row['submission_date'];
Header($url);
}
//Jokes print priview <--

//Custom jokes module footer -->
function module_footer(){
echo ""
."</td>\n"
."</tr>\n";
}
//Custom jokes module footer <--

//Custom die function for synchronization -->
function modified_die($msg, $sql = ""){
global $admin, $debug, $db;
echo ""
.$msg;
if ($debug && is_admin($admin)){
$error = $db->sql_error();
if($error['code'] != 0){
echo ""
."<center>"
."<b>"._SQLERRORCODE."[$error[code]]:</b> $error[message]"
."</center>";
}
}
module_footer();
CloseTable();
include("footer.php");
die();
}
//Custom die function for synchronization <--

//display page

include ('header.php');
OpenTable();
module_header();
menu();
if (isset($op)){
switch($op) {
case "submit_joke":
submit_joke($title, $description, $note, $cat, $submit);
break;

case "show_joke":
show_joke($joke_id, $next_joke_id, $previous_joke_id);
break;

case "rate_joke":
case _RATE:
rate_joke($joke_id,$rate);
break;

case "show_category":
show_category($cat_id, $sort_by, $order, $page);
break;

case "show_new":
show_new();
break;

case "show_popular":
show_popular();
break;

case "show_top":
show_top();
break;

case "joke_print":
joke_print($joke_id);
break;

case "search":
search($submit, $search_text, $category, $sort_by, $order, $page);
break;

default:
show_default();
break;
}
}
else{
show_default();
}
module_footer();
CloseTable();
include ('footer.php');
?>[/code]
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Sat Mar 01, 2008 4:50 pm

I don't have time to wade through all that code. But in a nutshell, for PHP-Nuke modules:

call check_html() on all string user input
convert integer user input to integers using a cast or intval()
use addslashes() on any user string input that is going into the database

You are probably seeing lots of \\\ because the code isn't checking for magic quotes (at least I didn't see it). If you use RavenNuke, the RavenNuke check_html() will do this for you.

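The three rules in the reply above, applied to the module's preview-then-submit flow. This is an added example, not part of the thread and not the module's or PHP-Nuke's code. It models magic_quotes_gpc with addslashes() and the database's unescaping with stripslashes() so that it runs on current PHP without PHP-Nuke; strip_tags() stands in for check_html(), and all function names and sample values are hypothetical.

```php
<?php
// Added example: a stand-alone model of the module's preview -> submit round trip.
// Function names are hypothetical; nothing here is PHP-Nuke or module code.

// magic_quotes_gpc (common on 2008-era hosts, removed in PHP 5.4) acted like
// addslashes() applied to every GET/POST/cookie value before the script ran.
function magic_quotes($raw) {
    return addslashes($raw);
}

// Approximation of what MySQL stores for a quoted literal: one layer of
// backslash escapes is consumed when the statement is parsed.
function stored_by_mysql($escaped) {
    return stripslashes($escaped);
}

// --- The module as posted ---------------------------------------------------
// Preview branch: addslashes() on entry, stripcslashes() before display, and
// the result is echoed into <input type="hidden" value="...">.
function posted_preview($gpc) {
    return stripcslashes(addslashes($gpc));
}

// Submit branch: addslashes() on entry, then the value goes into the INSERT.
function posted_submit($gpc) {
    return stored_by_mysql(addslashes($gpc));
}

// --- The same flow following the three rules above --------------------------
// Strings: undo magic quotes exactly once, then filter. strip_tags() is a
// stand-in for check_html($value, 'nohtml'), which needs PHP-Nuke's mainfile.php.
function clean_text($gpc, $magic_quotes_on) {
    $value = $magic_quotes_on ? stripslashes($gpc) : $gpc;
    return trim(strip_tags($value));
}

// Integers: anything that is not a number collapses to a plain integer.
function clean_int($gpc) {
    return intval($gpc);
}

// Hidden form field: encode for HTML so quotes cannot end the attribute.
function hardened_preview($gpc, $magic_quotes_on) {
    return htmlspecialchars(clean_text($gpc, $magic_quotes_on), ENT_QUOTES, 'UTF-8');
}

// Database: addslashes() is applied once, to the cleaned value only.
function hardened_submit($gpc, $magic_quotes_on) {
    return stored_by_mysql(addslashes(clean_text($gpc, $magic_quotes_on)));
}

// The browser sends the decoded attribute value back on the second request.
function browser_repost($hidden_value) {
    return html_entity_decode($hidden_value, ENT_QUOTES, 'UTF-8');
}

// Runs both requests (Preview, then Submit) and returns what ends up stored.
function round_trip($typed, $hardened, $magic_quotes_on = true) {
    $arrive = function ($v) use ($magic_quotes_on) {
        return $magic_quotes_on ? magic_quotes($v) : $v;
    };
    if ($hardened) {
        $hidden = hardened_preview($arrive($typed), $magic_quotes_on);
        return hardened_submit($arrive(browser_repost($hidden)), $magic_quotes_on);
    }
    $hidden = posted_preview($arrive($typed));
    return posted_submit($arrive(browser_repost($hidden)));
}

// Constructed sample input, not taken from the thread.
$typed = "Why didn't the <b>chicken</b> cross?";
$cat   = "7abc";

printf("typed              : %s\n", $typed);
printf("stored (as posted) : %s\n", round_trip($typed, false));
printf("stored (hardened)  : %s\n", round_trip($typed, true));
printf("stored (hardened, magic quotes off): %s\n", round_trip($typed, true, false));
printf("cat for the query  : %d\n", clean_int($cat));
```

On the PHP versions PHP-Nuke ran on, get_magic_quotes_gpc() reported whether the setting was active; here it is passed in as a flag so both cases can be compared.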
loraxx
Posted: Sat Mar 01, 2008 4:55 pm

Thanks A LOT. I do use RavenNuke. I will try the nutshell above.

BTW I love the monkey.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9455
Location: Arizona

Posted: Tue Mar 04, 2008 9:22 pm

loraxx, please do not double-post. You already have this thread started in "Seeking Applications..." forum. :( If you feel that you have posted something in the wrong forum, just politely ask us to move it... or, we may recognize that it needs moving and just move it ourselves without asking. Thanks.

loraxx
Posted: Tue Mar 04, 2008 11:24 pm

Sorry, please move as you see appropriate.
 
All times are GMT - 6 Hours
 