Ravens PHP Scripts: Forums
 

 

floppydrivez
Involved



Joined: Feb 26, 2006
Posts: 340
Location: Jackson, Mississippi

Posted: Tue Dec 26, 2006 11:02 am

I am creating a SQL table from a user-defined string or value.

I just want to make sure that it strips all info from the string that might not concur with SQL rules.

Here is what I got so far.

Code:
$ribtitle2 = $ribtitle;

$ribtitle2 = str_replace(' ','',$ribtitle2);
$ribtitle2 = strtolower($ribtitle2);
$ribtitle2 = stripslashes($ribtitle2);
$ribtitle2 = htmlspecialchars($ribtitle2);


Did I miss anything?
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sat Dec 30, 2006 1:05 am

It would help me to see the actual form that you are using.
 
floppydrivez







Posted: Sat Dec 30, 2006 12:22 pm

Code:
case "CRRibbonsdb":

    global $db, $prefix, $admin_file, $module_name;
    $module_name = "$module_name";
    $crfig = array();
    $sql = "SELECT * FROM ".$prefix."_croster_config";
    $result = $db->sql_query($sql);
    while(list($config_name, $config_value) = $db->sql_fetchrow($result)){
        $crfig[$config_name] = $config_value;
    }
    if ($ribtitle == ""){
        OpenTable();
        echo "<center>A Ribbon Title is Required<br \><br \>"._GOBACK."</center>";
        CloseTable();
    }else{
        $jpeg = 'image/jpeg';
        $jpg = 'image/pjpeg';
        $gif = 'image/gif';
        $png = 'image/png';
        //CHECK THE IMAGE
        if ($_FILES["image"]["size"] > 0){
            $image_name = $_FILES['image']['name'];
            $image_type = $_FILES['image']['type'];
            $image_size = $_FILES['image']['size'];
            $temp_file_name = $_FILES['image']['tmp_name'];
            if ($image_name != '' && ($image_type != $jpg && $image_type != $jpeg && $image_type != $gif && $image_type != $png)){
                OpenTable();
                echo '<center>('.$image_name.') Your Extension is not Allowed</b></center><br/>';
                echo '<center><b>'._GOBACK.'</b></center><br/>';
                CloseTable();
                crcopy();
                include("footer.php");
                die();
            } else {
                if($image_type == $jpg){$file_ext = "jpg";}
                if($image_type == $jpeg){$file_ext = "jpg";}
                if($image_type == $gif){$file_ext = "gif";}
                if($image_type == $png){$file_ext = "png";}
                $filename = $ribtitle.time().".".$file_ext;
                $filename = str_replace(' ', '_', $filename);
                $target_path = "$crfig[ribbonpath]/$filename";
                //RETURN ERROR IF THE FILE CANNOT BE RENAMED AND MOVED PROPERLY
                if(!move_uploaded_file($_FILES['image']['tmp_name'], $target_path)){
                    OpenTable();
                    echo '<center><span class="title">Sorry there was an error</span><br \>Be Sure Your Image Directory is chmod 777 and your image is the correct file type<br \>Be Sure Your Image Directory is chmod 777 and your image is the correct file type</center><br /><br />';
                    echo '<center><b>'._GOBACK.'</b></center><br/>';
                    CloseTable();
                    crcopy();
                    include("footer.php");
                    die();
                }
            }
        } else {
            $filename = '';
        }
        CloseTable();
        $sql = $db->sql_query("INSERT INTO ".$prefix."_croster_ribbons values (NULL,'$ribtitle','$filename', '$ribdesc')");
        $ribtitle = str_replace(' ','',$ribtitle);
        $ribtitle = strtolower($ribtitle);
        $ribtitle = stripslashes($ribtitle);
        $ribtitle = htmlspecialchars($ribtitle);
        $sql2 = $db->sql_query("CREATE TABLE ".$prefix."_croster_ribbons_$ribtitle (cribid2 int(11) NOT NULL AUTO_INCREMENT, cribid int(11) NULL, uid int(11) NULL, username varchar(255) NULL, PRIMARY KEY (cribid2))") OR die("Could not create ribbon table");
        header("Location: $admin_file.php?op=CRRibbons");
    }
    break;


Well, here is where the action of the form takes place. As you can see, the creation of the table happens right at the end there. I will have to email you the other case, as the forums didn't like it, as soon as I get a chance.
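
Added example (not part of the thread and not the poster's code): an allowlist check for the user-supplied part of the table name, shown beside the thread's four-step cleanup so the difference in what survives is visible. The function names, the `nuke` prefix and the sample titles are constructed for illustration.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// The thread's four-step cleanup, reproduced so its output can be inspected.
function thread_cleanup(string $title): string
{
    $t = str_replace(' ', '', $title);
    $t = strtolower($t);
    $t = stripslashes($t);
    return htmlspecialchars($t);   // turns & into &amp;, adding ';' to the name
}

// Allowlist: keep only [a-z0-9_], then reject empty or over-long results.
function ribbon_table_name(string $prefix, string $title): string
{
    $slug = preg_replace('/\s+/', '_', trim(strtolower($title)));
    $slug = preg_replace('/[^a-z0-9_]/', '', $slug);    // drop everything else
    $slug = trim(preg_replace('/_+/', '_', $slug), '_');
    if ($slug === '') {
        throw new InvalidArgumentException('title has no usable characters');
    }
    $name = $prefix . '_croster_ribbons_' . $slug;
    if (!preg_match('/\A[a-z0-9_]+\z/', $name)) {       // prefix must pass too
        throw new InvalidArgumentException('prefix contains disallowed characters');
    }
    if (strlen($name) > 64) {                           // MySQL identifier limit
        throw new InvalidArgumentException('table name exceeds 64 characters');
    }
    return $name;
}

// Constructed sample titles and a constructed prefix.
$samples = ['Purple Heart', 'Tom & Jerry (2nd); x', '!!!'];
foreach ($samples as $title) {
    echo "title:  $title\n";
    echo "thread: " . thread_cleanup($title) . "\n";
    try {
        $table = ribbon_table_name('nuke', $title);
        echo "safe:   CREATE TABLE `$table` (...)\n\n";
    } catch (InvalidArgumentException $e) {
        echo "reject: " . $e->getMessage() . "\n\n";
    }
}
```

The values in the INSERT statement are a separate case: they are data rather than identifiers, so they need the database layer's string escaping or bound parameters instead of this check.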
 