PHP String issues? (53 replies)
[url]http://pastebin.com/9c9LuKzN[/url] I've managed to get it there, but it won't print out anything when I do ?uid=15, where user ID 15 on my forum is a banned user. Any ideas?
[img]http://imgs.xkcd.com/comics/exploits_of_a_mom.png[/img]
[QUOTE=turb_;24233011][img]http://imgs.xkcd.com/comics/exploits_of_a_mom.png[/img][/QUOTE] An admin will be using this. Sanitization isn't really necessary. Where did "BannedByRow" come from? It has no value, unless I'm fucking blind. [editline]08:39PM[/editline] Yep, I'm blind. I was reading the 'while' as an 'if'.
Why are you selecting the same result twice from mybb_banned? Both of them use $userid.
[QUOTE=Qombat;24233119]An admin will be using this. Sanitization isn't really necessary.[/QUOTE] False. Sanitisation is always [b]really[/b] necessary.
[QUOTE=Qombat;24233119]An admin will be using this. Sanitization isn't really necessary.[/QUOTE] Until good old Johnny O'Reilly enrolls and the school registrar who doesn't know anything about SQL can't understand for the life of her why her enrollments program keeps crashing when she tries to insert Johnny O'Reilly into the students table.
[QUOTE=arienh4;24233259]False. Sanitisation is always [b]really[/b] necessary.[/QUOTE] False. Testing shit on a homeserver. If you're dicking with ideas, you're not going to sanitize your input while you're messing with concepts. [editline]09:01PM[/editline] [QUOTE=turb_;24233296]Until good old Johnny O'Reilly enrolls and the school registrar who doesn't know anything about SQL can't understand for the life of her why her enrollments program keeps crashing when she tries to insert Johnny O'Reilly into the students table.[/QUOTE] I just realised that we'd be copying a string from a ban reason to a post. Sanitization is necessary.
[QUOTE=Qombat;24233375]False. Testing shit on a homeserver. If you're dicking with ideas, you're not going to sanitize your input while you're messing with concepts.[/QUOTE] I'm confused. Are you dicking with ideas or messing with concepts?
[QUOTE=Qombat;24233375]Testing shit on a homeserver. If you're dicking with ideas, you're not going to sanitize your input while you're messing with concepts.[/QUOTE] Yeah of course, because you'd never let your testing code hit an internet-facing server, would you? And since there are no cons to sanitization, and it literally takes an extra second or two to do, I see no point in not sanitizing.
[QUOTE=arienh4;24233457]I'm confused. Are you dicking with ideas or messing with concepts?[/QUOTE] The point is it's not [b]always[/b] necessary. Granted in this instance it is because I realised its purpose only after I posted that. I have no idea what's going on with this vertical SQL shit but it hurts my head. [editline]09:08PM[/editline] [QUOTE=turb_;24233462]Yeah of course, because you'd never let your testing code hit an internet-facing server would you? And since there's no cons with sanitization, and it literally takes an extra second or two to do, I see no point not sanitizing.[/QUOTE] I have a lot of stuff that I don't bother putting on an internet-facing server because it's just pointless ideas that aren't worth it.
[QUOTE=turb_;24233011][img]http://imgs.xkcd.com/comics/exploits_of_a_mom.png[/img][/QUOTE] Brilliant. :v:
You know there's some really nice database functions in MyBB for simple things like select? You should try them. [url]http://wiki.mybb.com/index.php/Database_Methods[/url]
[QUOTE=Qombat;24233468]The point is it's not [b]always[/b] necessary. Granted in this instance it is because I realised its purpose only after I posted that.[/QUOTE] Well, true. If nothing, and that means nothing at all is going to be inputting data, I guess it's fine to not sanitise. I just wonder what the point of coding is then.
[QUOTE=Qombat;24233375]False. Testing shit on a homeserver. If you're dicking with ideas, you're not going to sanitize your input while you're messing with concepts.[/QUOTE] That argument is completely invalid. "Oh, just because no one is using it I don't need to code it correctly, who's gonna exploit it?!" is a stupid, stupid excuse. You should always sanitize; it's a great habit to get into. Why would you want to code something, then have to come back and make it right before you use it live? [editline]08:58PM[/editline] [QUOTE=Qombat;24233468]The point is it's not [b]always[/b] necessary.[/QUOTE] Why are you trying so hard to prove him wrong when he's clearly right?
It looks like it might be because you're calling $reasonrow[] in your loop, when you defined it as $messagerow[] in your statement. I could be entirely wrong here, but I think a simpler way to do this whole thing would be:
[php]
// One row each: the post, the ban record, and the ban record again for the admin column.
// $postid and $userid are interpolated straight into the SQL here, unescaped.
$message  = mysql_fetch_array(mysql_query("SELECT * FROM mybb_posts WHERE pid = '$postid'"));
$reason   = mysql_fetch_array(mysql_query("SELECT * FROM mybb_banned WHERE uid = '$userid'"));
$bannedby = mysql_fetch_array(mysql_query("SELECT * FROM mybb_banned WHERE uid = '$userid'"));
echo("User was banned for reason: " . $reason['reason'] . " by ID " . $bannedby['admin'] . " lol");
[/php]
I'm pretty sure that works, and it avoids loops and complications. Of course, you can split up the code as much as you want:
[php]
$reason = mysql_query(...);
$reasonArray = mysql_fetch_array($reason);
[/php]
I, personally, enjoy cutting down my code as much as possible, even if it means coding an entire page, then going back and finding ways to cut it down. Do what you will, though. [editline]01:08AM[/editline] Oh sorry, I didn't know we were on a different rail at this point, excuse me for derailing the derail.
[QUOTE=nivek;24251046]That argument is completely invalid. "Oh just because no one is using it I don't need to code it correctly, who's gonna exploit it?!" is a stupid stupid excuse, You should always sanitize, it's a great habit to get into, Why would you want to code something then have to come back and make it right before you use it live? [/QUOTE] Because my code doesn't come out as a version 7 complete with every feature, unlike your code by the sounds of you. Mine starts at what could be considered alpha and goes from there.
[QUOTE=Qombat;24252801]Because my code doesn't come out as a version 7 complete with every feature, unlike your code by the sounds of you. Mine starts at what could be considered alpha and goes from there.[/QUOTE] chucking in a quick call to mysql_real_escape_string isn't a feature, it's the bare minimum of common sense.
Well, to finally answer the OP, you don't have a $reasonrow declared anywhere. I'm surprised you didn't get a parse error due to that variable's nonexistence. Anyways, I decided to play around with the query, you can try it if you like, I didn't test it out myself. I'm only going to paste here what has been changed from your original.
[php]
// Join the ban record to the admin's user row so reason and admin name come back together.
// Both tables have a uid column, so the WHERE must say which one (b.uid).
$baninfo = $db->query("
    SELECT u.username AS admin, b.reason AS reason
    FROM mybb_banned AS b
    INNER JOIN mybb_users AS u ON b.admin = u.uid
    WHERE b.uid = '{$userid}'
");
// $message is the post query from the original script. Both fetches use MyBB's $db
// wrapper (rather than mysql_fetch_assoc) and are parenthesised so each variable
// gets the row, not the result of the && comparison.
while (($messagerow = $db->fetch_array($message)) && ($bannedrow = $db->fetch_array($baninfo))) {
    echo "User was banned for reason: " . $bannedrow['reason'] . " by: " . $bannedrow['admin'] . " lol";
}
[/php]
[editline]12:35AM[/editline] Oh yeah, and as previously stated, [b]always[/b] sanitize your queries!
[QUOTE=turb_;24253848]chucking in a quick call to mysql_real_escape_string isn't a feature, it's the bare minimum of common sense.[/QUOTE] As usual, you're missing my point. [editline]03:46PM[/editline] I was responding to [QUOTE]Why would you want to code something then have to come back and make it right before you use it live?[/QUOTE]
I don't see [b]any[/b] reasons why it would be beneficial to leave out sanitization until before release. You'll just end up forgetting to sanitize somewhere and end up shooting yourself in the foot.
Got it to work but when the original message includes apostrophes it freaks out and doesn't go through. I know you use mysql_real_escape_string to do it, but it isn't working. Any further ideas?
[code]
<?php
define("IN_MYBB", 1);
define('THIS_SCRIPT', 'test.php');
require_once "./global.php";

// Post ID and banned user ID taken straight from the query string (unescaped, as posted)
$postid = $_GET['pid'];
$userid = $_GET['uid'];

$querya = $db->query("SELECT message FROM mybb_posts WHERE pid = '$postid'");
$query  = $db->simple_select("banned", "reason", "uid='$userid'");
$query2 = $db->simple_select("banned", "admin", "uid='$userid'");
$query3 = $db->simple_select("users", "username", "uid='$userid'");

$result  = $db->fetch_array($query);
$result2 = $db->fetch_array($query2);
$result3 = $db->fetch_array($query3);
$result6 = $db->fetch_array($querya);

// Each row has a single column, so implode() just yields that column's value
$reason      = implode("", $result);
$idby        = implode("", $result2);
$userbanned  = implode("", $result3);
$origmessage = implode("", $result6);

$query5   = $db->simple_select("users", "username", "uid='$idby'");
$result5  = $db->fetch_array($query5);
$bannedby = implode("", $result5);

$newmessage = $origmessage . " [color=#FF0000][b](User was banned for this post (\"" . $reason . "\" - " . $bannedby . "))[/b][/color]";

// mysql_real_escape_string() needs an open ext/mysql link and returns false without one;
// MyBB's wrapper escapes on its own connection via $db->escape_string()
$final = $db->query("UPDATE mybb_posts SET message = '" . mysql_real_escape_string($newmessage) . "' WHERE pid = '$postid'");
?>
[/code]
[editline]02:35AM[/editline] Also I know it looks like shit, it works so I don't care.
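The apostrophe problem from the registrar story above and from the UPDATE in this post, as an added example that is not code from this thread: it builds an in-memory SQLite database through PDO (the students table and the name are constructed here) and shows the interpolated query failing while the escaped query and the prepared statement both succeed.

```php
<?php
// Added example, not from the thread. Requires PHP with the pdo_sqlite driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");

$name = "Johnny O'Reilly";   // constructed input containing an apostrophe

// 1. Value pasted straight into the SQL text, as in the thread's scripts.
//    The apostrophe closes the string literal early, so the statement is malformed.
try {
    $pdo->exec("INSERT INTO students (name) VALUES ('$name')");
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. Escaping: PDO::quote() wraps and escapes the value for this driver,
//    the job mysql_real_escape_string() / MyBB's $db->escape_string() do for MySQL.
$pdo->exec("INSERT INTO students (name) VALUES (" . $pdo->quote($name) . ")");

// 3. Prepared statement: the value never becomes part of the SQL text,
//    so there is nothing to escape and no quoting mistake to make.
$stmt = $pdo->prepare("INSERT INTO students (name) VALUES (:name)");
$stmt->execute([':name' => $name]);

// Read back with a bound parameter as well; both escaped rows are present.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM students WHERE name = :name");
$stmt->execute([':name' => $name]);
echo "Rows stored for $name: " . $stmt->fetchColumn() . "\n";
```

The first INSERT raises a syntax error from SQLite, the other two insert the name intact, and the final count is 2.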
[QUOTE=advil0;24259040]Got it to work but when the original message includes apostrophes it freaks out and doesn't go through. I know you use mysql_real_escape_string to do it, but it isn't working. Any further ideas?
[code]
<?php
define("IN_MYBB", 1);
define('THIS_SCRIPT', 'test.php');
require_once "./global.php";

// Post ID and banned user ID taken straight from the query string (unescaped, as posted)
$postid = $_GET['pid'];
$userid = $_GET['uid'];

$querya = $db->query("SELECT message FROM mybb_posts WHERE pid = '$postid'");
$query  = $db->simple_select("banned", "reason", "uid='$userid'");
$query2 = $db->simple_select("banned", "admin", "uid='$userid'");
$query3 = $db->simple_select("users", "username", "uid='$userid'");

$result  = $db->fetch_array($query);
$result2 = $db->fetch_array($query2);
$result3 = $db->fetch_array($query3);
$result6 = $db->fetch_array($querya);

// Each row has a single column, so implode() just yields that column's value
$reason      = implode("", $result);
$idby        = implode("", $result2);
$userbanned  = implode("", $result3);
$origmessage = implode("", $result6);

$query5   = $db->simple_select("users", "username", "uid='$idby'");
$result5  = $db->fetch_array($query5);
$bannedby = implode("", $result5);

$newmessage = $origmessage . " [color=#FF0000][b](User was banned for this post (\"" . $reason . "\" - " . $bannedby . "))[/b][/color]";

// mysql_real_escape_string() needs an open ext/mysql link and returns false without one;
// MyBB's wrapper escapes on its own connection via $db->escape_string()
$final = $db->query("UPDATE mybb_posts SET message = '" . mysql_real_escape_string($newmessage) . "' WHERE pid = '$postid'");
?>
[/code]
[editline]02:35AM[/editline] Also I know it looks like shit, it works so I don't care.[/QUOTE] How'd you manage to miss the entire sanitisation argument? :smile:
[QUOTE=arienh4;24259384]How'd you manage to miss the entire sanitisation argument? :smile:[/QUOTE] I've never done any MySQL before, so I have no idea what "sanitation" is.
[QUOTE=advil0;24259922]I've never done any MySQL before, so I have no idea what "sanitation" is.[/QUOTE] Where did you learn MySQL? Really, teaching SQL without teaching sanitisation is immoral.
[QUOTE=arienh4;24260128]Where did you learn MySQL? Really, teaching SQL without teaching sanitisation is immoral.[/QUOTE] Mainly modifying code I found throughout the web, it's worked up until now hasn't it?
[QUOTE=advil0;24260144]Mainly modifying code I found throughout the web, it's worked up until now hasn't it?[/QUOTE] I'd suggest properly following a tutorial, it'll teach you proper PHP and SQL.
Tutorials suck, I know where advil0 is coming from, I learnt by modifying code and self-teaching as it were. advil0, sanitization is 'cleaning' the data, to prevent it from being malicious. Any good PHP script should make use of it, so I'd just check some out, because it seems that's how you're learning, and it's a good way :)
[QUOTE=Fizzadar;24260607]Tutorials suck, I know where advil0 is coming from, I learnt by modifying code and self-teaching as it were. advil0, sanitization is 'cleaning' the data, to prevent it from being malicious. Any good PHP script should make use of it, so I'd just check some out, because it seems that's how you're learning, and it's a good way :)[/QUOTE] With modifying code and self-teaching you get code that's [b]horribly[/b] unsafe and generally bad, since after even a year of just doing that you still don't know the language, you only know a bunch of functions. Although, you are right. You learn not by modifying code and self-teaching as it were.
This php file will never be given out, no users but me and my co-admin will have the URL to it and what parameters you need to make it work. Also I figured the apostrophe issue out :)
[QUOTE=advil0;24262233]This php file will never be given out, no users but me and my co-admin will have the URL to it and what parameters you need to make it work. Also I figured the apostrophe issue out :)[/QUOTE] Yeah. The 'you and your co-admin' is why you need to sanitise. There could always be a possibility where you break your code by entering the wrong data.