MakeWebGames

Please HELP


CJ - Twitch

Can I have some help on this snippet of code please?

 

function gang_staff_pic()
{
global $ir,$c,$userid,$gangdata;
if($gangdata['gangPRESIDENT'] == $userid)
{
if($_POST['subm'] == "")
{
print "You did not enter a new pic.

[url='yourgang.php?action=staff']> Back[/url]";
}
else
{
  if(!preg_match('~(.?).(jpg|jpeg|gif|png)~i', $_POST['newpic'])) {
   echo "Invalid Extension!";
}
if(@getimagesize($_POST['newpic']) == FALSE) {
   echo "Invalid Extension!";
}
$_POST['subm'] = str_replace(array(".php"), array(""), $_POST['subm']);
$_POST['subm']=str_replace('\\\'','\'', $_POST['subm']);
mysql_query("UPDATE gangs SET gangPIC='{$_POST['vp']}' WHERE gangID={$gangdata['gangID']}",$c);
print "Gang pic changed!

[url='yourgang.php?action=staff']> Back[/url]";
}

{
print "Current Pic: 

";
if($gangdata['gangPIC'])
{
print "[img={$gangdata[]";
}
else
{
print "[b]No Gang Picture[/b]";
}
print"<hr /> <form action='yourgang.php?action=staff&act2=pic' method='post'>
Please note that the pic must be externally hosted, [url='http://tinypic.com']Tinypic[/url] is our recommendation.

Any pics that are not 400x100 will be automatically resized.

<input type='hidden' name='subm' value='submit' />
tag: <input type='text' name='vp' value='' />

<input type='submit' value='Change' /></form>";
}
}
}

 

It works but shows the errors when I don't want them to be shown. For example, "You did not enter a new pic" when I haven't clicked submit yet and "Invalid Extension!Gang pic changed". It's hard to explain but I'm sure you'll figure it out. :thumbsup:

Thanks in advance -CJ - Twitch

PS: How secure is this?


<?php
function gang_staff_pic() {
// $h is needed for the $h->endpage() calls below
global $db, $ir, $c, $userid, $gangdata, $h;
if($gangdata['gangPRESIDENT'] != $userid) {
echo "You are not the gang leader";
$h->endpage();
exit;
}
if(isset($_POST['vp'])) {
if(empty($_POST['vp'])) {
print "You did not enter a new pic.
[url='yourgang.php?action=staff']> Back[/url]";
$h->endpage();
exit;
}
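// Check the field the form actually submits ('vp'); dot escaped, match anchored to the end
if(!preg_match('~\.(jpg|jpeg|gif|png)$~i', $_POST['vp'])) {
echo "Invalid Extension!";
$h->endpage();
exit;
}
// getimagesize() fetches the URL and returns FALSE when it is not an image
if(@getimagesize($_POST['vp']) === FALSE) {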
echo "Invalid Extension!";
$h->endpage();
exit;
}
$_POST['vp'] = str_replace(array(".php"), array(""), $_POST['vp']);
$_POST['vp']=str_replace('\\\'','\'', $_POST['vp']);
$_POST['vp'] = $db->escape($_POST['vp']);
$db->query("UPDATE gangs SET gangPIC='{$_POST['vp']}' WHERE gangID={$gangdata['gangID']}",$c);
print "Gang pic changed!
[url='yourgang.php?action=staff']> Back[/url]";
} else {
print "Current Pic: 
";
if($gangdata['gangPIC']) {
print "[img=".htmlspecialchars(stripslashes($gangdata[]";
} else {
print "[b]No Gang Picture[/b]";
}
print"<hr /><form action='yourgang.php?action=staff&act2=pic' method='post'>
Please note that the pic must be externally hosted, [url='http://tinypic.com']Tinypic[/url] is our recommendation.

Any pics that are not 400x100 will be automatically resized.

Pic: <input type='text' name='vp' value='' />

<input type='submit' value='Change' /></form>";
}
}
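
An added example, not part of either post above and not code from the thread: one way to check the externally hosted picture URL from the `vp` field before it is stored, with the extension test anchored to the end of the URL path and the value escaped when it is displayed. The function names `validate_gang_pic_url` and `render_gang_pic` are hypothetical, the sample URLs are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function names are hypothetical, sample URLs are constructed.

// Returns the URL unchanged when it is acceptable, or null when it must be rejected.
function validate_gang_pic_url(string $raw): ?string
{
    $url = trim($raw);
    // Reject quotes, angle brackets, backslashes, spaces and control bytes
    // outright instead of trying to strip them with str_replace().
    if ($url === '' || strlen($url) > 255 || preg_match('~[\x00-\x20"\'<>\\\\]~', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    // Only plain web URLs; anything else (ftp:, file:, data:, ...) is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // The extension must END the path: escaped dot, anchored with $.
    // The thread's pattern matches "jpg" anywhere, so "/a.jpg.php" passes it.
    if (!preg_match('~\.(jpe?g|gif|png)$~i', $parts['path'])) {
        return null;
    }
    return $url;
}

// Escape at output time so a stored value can never break out of the attribute.
function render_gang_pic(string $storedUrl): string
{
    $safe = htmlspecialchars($storedUrl, ENT_QUOTES, 'UTF-8');
    return "<img src='{$safe}' width='400' height='100' alt='Gang picture' />";
}

$samples = [
    'https://img.example.com/gang/banner.png',
    'http://img.example.com/banner.jpg.php',
    'http://img.example.com/view.php?f=banner.jpg',
    'ftp://img.example.com/banner.png',
    "http://img.example.com/banner.png' x='",
];
foreach ($samples as $s) {
    $ok = validate_gang_pic_url($s);
    echo ($ok === null ? 'rejected ' : 'accepted ') . $s . "\n";
    if ($ok !== null) {
        echo '  ' . render_gang_pic($ok) . "\n";
    }
}
```

An accepted value still has to go through `$db->escape()`, as in the reply above, before it is placed in the UPDATE query.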