user input question
Eric C
eric at newmag.org
Tue Apr 3 12:38:19 EDT 2007
>> smattering of PHP (if you saw the code for the tracker I'm making you would give yourself a tummy ache giggling) I assumed that those were variables I'm
> Do tell! And let us know what you need help with.
Well, if I'm going to ask a question it should probably be on the part where I'm most likely to get cracked: user input. Below is the page to handle a form on index.php. Now stop laughing! It's my first module. Anyway, if any of you real programmers see any particularly idiotic screwups, please let me know. A friend mentioned that I should sanitize the user's input. Any suggested reading on some simple ways to do this? Thanks for suggestions.

- Eric C.
****************************************
<?php
/*
 * xpsTorrent! - a bittorrent tracker module for XOOPS
 *
 * form.php
 */
require('../../mainfile.php');
require(XOOPS_ROOT_PATH.'/header.php');
global $xoopsDB;
global $xoops_url;

// Form fields posted from index.php. htmlspecialchars() is HTML output
// escaping: it does not escape single quotes by default and does nothing
// for SQL; announce and metadata are not escaped at all.
$name     = htmlspecialchars($_POST['name']);
$hash     = htmlspecialchars($_POST['hash']);
$announce = $_POST['announce'];
$metadata = $_POST['metadata'];
$linkback = $xoops_url;

// Let's check to see if this hash is already in the database
// ($hash is interpolated straight into the SQL string)
$query  = "SELECT DISTINCT hash FROM ".$xoopsDB->prefix('xps_torrents');
$query .= " WHERE hash = '$hash'";
$result = $xoopsDB->query($query);
if ($result) {
    if ($xoopsDB->getRowsNum($result) > 0) {
        echo " <p>This torrent is already in our database. <b>Please try again.</b></p>
        <a href=$linkback>Click here to return to the main page.</a>";
    }
    else {
        // Insert a row into the table (all four POST values interpolated)
        $sql  = "INSERT INTO ".$xoopsDB->prefix('xps_torrents');
        $sql .= " ( name, hash, announce, metadata, last_scrape ) VALUES ";
        $sql .= " ( '$name', '$hash', '$announce', '$metadata', NOW() )";
        if ( ! $xoopsDB->query($sql) ) {
            echo( $xoopsDB->error." : ".$xoopsDB->errno );
        }
        // (the success message is printed even when the INSERT above failed)
        echo " <p>Your information has been successfully added to the database.</p>
        <a href=$linkback>Click here to return to the main page.</a>";
    }
}
require(XOOPS_ROOT_PATH.'/footer.php');
?>
****************************************
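Added example, not code from the posted module or from XOOPS: the two queries in form.php rewritten with input validation, PDO prepared statements and HTML escaping moved to output time. It runs stand-alone against an in-memory SQLite table (pdo_sqlite extension required). The plain PDO handle in place of the $xoopsDB wrapper, the unprefixed xps_torrents table, the sample row and the crafted input are assumptions made for the demonstration. The last part of the script runs the same crafted value through the posted-style interpolated query and through the prepared one, so the difference is visible rather than asserted.

```php
<?php
// Added example, not the xpsTorrent module's own code. The two queries
// from form.php rewritten with input validation, PDO prepared statements
// and output-time HTML escaping. Runs stand-alone against an in-memory
// SQLite table (needs pdo_sqlite); the table name, the PDO handle in place
// of XOOPS's $xoopsDB wrapper and the sample data are assumptions.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE xps_torrents (name TEXT, hash TEXT, announce TEXT,
                                          metadata TEXT, last_scrape TEXT)');
    return $db;
}

// A BitTorrent info_hash is a 20-byte SHA-1, so the only acceptable form
// is exactly 40 hex digits. Whitelisting the shape rejects injection
// payloads before any query is built.
function validHash(string $hash): bool
{
    return preg_match('/\A[0-9a-fA-F]{40}\z/', $hash) === 1;
}

// Announce URLs: syntactically valid and http(s) only, so whatever is
// stored can later be emitted as a link without smuggling in other schemes.
function validAnnounce(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// The duplicate check as posted: the value is interpolated into the SQL
// string. Kept only to show what a crafted "hash" does to it.
function hashExistsUnsafe(PDO $db, string $hash): bool
{
    $q = "SELECT DISTINCT hash FROM xps_torrents WHERE hash = '$hash'";
    return $db->query($q)->fetch() !== false;
}

// Parameterised duplicate check: the value travels separately from the
// statement, so quotes inside $hash cannot alter its structure.
function hashExists(PDO $db, string $hash): bool
{
    $st = $db->prepare('SELECT 1 FROM xps_torrents WHERE hash = ?');
    $st->execute([$hash]);
    return $st->fetchColumn() !== false;
}

function insertTorrent(PDO $db, array $in): void
{
    if (!validHash($in['hash'])) {
        throw new InvalidArgumentException('hash must be 40 hex digits');
    }
    if (!validAnnounce($in['announce'])) {
        throw new InvalidArgumentException('announce must be an http(s) URL');
    }
    // Raw values are stored. HTML escaping is done when rendering, not here:
    // htmlspecialchars() leaves single quotes alone by default, so applying
    // it on input never protected the SQL anyway.
    $st = $db->prepare('INSERT INTO xps_torrents (name, hash, announce, metadata, last_scrape)
                        VALUES (:name, :hash, :announce, :metadata, CURRENT_TIMESTAMP)');
    $st->execute([
        ':name'     => $in['name'],
        ':hash'     => strtolower($in['hash']),
        ':announce' => $in['announce'],
        ':metadata' => $in['metadata'],
    ]);
}

// Escape for HTML at output time, quotes included, so a stored name such as
// <script> or a " inside an attribute is rendered as text, not markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = openDb();
insertTorrent($db, [                                   // constructed sample row
    'name'     => 'demo.iso',
    'hash'     => str_repeat('ab', 20),
    'announce' => 'http://tracker.example/announce',
    'metadata' => 'd4:infoe',
]);

$evil = "x' OR '1'='1";                                // constructed attacker input
printf("interpolated query matched: %s\n", hashExistsUnsafe($db, $evil) ? 'yes' : 'no');
printf("prepared query matched:     %s\n", hashExists($db, $evil) ? 'yes' : 'no');
printf("passes validHash():         %s\n", validHash($evil) ? 'yes' : 'no');
echo '<p>Stored name: ' . h('<b>demo</b>.iso') . "</p>\n";
```

The order of defences matters: validate the shape first (a hash that is not 40 hex digits is rejected outright), then let the driver bind whatever survives as a parameter, and escape for HTML only at the point where a value is written into the page. Escaping at input time, as form.php does, both fails to protect the SQL and corrupts the stored data for any other consumer.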