Kakashi Posted May 15, 2010

To gain some reputation around this forum, I am willing to give one of my simple GRPG scripts, the notepad script. :p

The SQL:

```sql
ALTER TABLE `grpgusers` ADD `notepad` text NOT NULL;
```

Notepad.php

```php
<?php
include 'header.php';

if (isset($_POST['submit'])) {
    $notepad = $_POST["notepad"];
    // insert the values
    if (!isset($message)) {
        $result = mysql_query("UPDATE `grpgusers` SET `notepad`='" . $notepad . "' WHERE `id`='" . $user_class->id . "'");
        echo Message('<center>Your notepad has been updated.</center><meta HTTP-EQUIV="REFRESH" content="2; url=notepad.php">');
        die();
    }
}
?>
<?php if (isset($message)) { echo Message($message); } ?>
<tr><td class="contenthead">Notepad</td></tr>
<tr><td class="contentcontent">
<center>Set yourself a reminder or something... Write anything you like here...</center>
</td></tr>
<tr><td class="contentcontent">
<center>
<form method='post'>
<textarea name='notepad' cols='53' rows='7'><?= $user_class->notepad; ?></textarea>
<input type='submit' name='submit' value='Update Notepad'>
</form>
</center>
</td></tr>
<?php include 'footer.php'; ?>
```

In classes, around class users, add this:

```php
$this->notepad = $worked['notepad'];
```

If you don't know where to put this, you should put this just after "$this->marijuana = $worked['marijuana'];" (without the quotes).

Enjoy, please give feedback.

Kakashi :love:
iSOS Posted May 15, 2010

One thing I see wrong is no sanitizing of the "$_POST['notepad']", other than that it's okay.
Kakashi (Author) Posted May 15, 2010

Yeah... There was no point in that, but I quickly coded it as my players wanted it really quickly. :p

If anyone has any other mods to suggest, contact me or post here so we can negotiate. Simple mods = Free.
iSOS Posted May 15, 2010

Erm, there is a point, otherwise anyone with half a 'hacking' braincell could hack your site. 0.o But nevertheless good job.
Kakashi (Author) Posted May 15, 2010

> Erm, there is a point, otherwise anyone with half a 'hacking' braincell could hack your site. 0.o But nevertheless good job.

They wouldn't be able to post mysql_queries there; however, they may be able to post HTML code that could redirect or pop up annoying Javascript, but it will only be viewable to themselves, as it is a private notepad and each player has their own notepad, for reminders. It's perfect for anything. :) Enjoy!
SlanderDesign Posted May 17, 2010

I secured some things.. NOT TESTED!

Regards SlanderDesign
Djkanna Posted May 18, 2010

> $notepad = mysql_real_escape_string(strip_tags(addslashes($_POST["notepad"])));

No no no! Use the specific escape function for the database you're using, i.e.:

- mysql(i)_real_escape_string() : MySQL.
- pg_escape_string() : PostgreSQL.

If it doesn't have a native function for it then use addslashes(). Don't use addslashes() if magic quotes are enabled, as you'll be double escaping them, nor use addslashes() with another native escape function.
SlanderDesign Posted May 18, 2010

My mysql database doesn't use magic quotes =/ Any way to turn them on? :)
Djkanna Posted May 18, 2010

Yes, Magic Quotes is a PHP feature, so it will be in your php.ini file, but don't: Magic Quotes will be removed as of PHP 6, I believe. Stick to using mysql(i)_real_escape_string() or the native escape function for the database.
SlanderDesign Posted May 18, 2010

Why would I use this when all of my pages use addslashes();? :S
Djkanna Posted May 18, 2010

Why would you use what?

http://www.php.net/addslashes

> Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
>
> An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it. It's highly recommended to use a DBMS-specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using doesn't have an escape function and the DBMS uses \ to escape special chars, you can use this function. This would only be to get the data into the database; the extra \ will not be inserted. Having the PHP directive magic_quotes_sybase set to on will mean ' is instead escaped with another '.
>
> The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc, as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this.

Hopefully that will explain what's best and what it does :)
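Two things in this thread deserve a concrete demonstration: Kakashi's claim that a player "wouldn't be able to post mysql_queries" through the notepad, and the later back-and-forth over addslashes(), magic quotes and mysql_real_escape_string(). The block below is an added example, not code from the original mod or from anyone in the thread. The first part rebuilds the original string-concatenated UPDATE as a plain function so the effect of a crafted note can be seen without a database: a single quote is enough to rewrite the WHERE clause or set other columns, no semicolon or second statement required. The second part is the handler a practitioner would write today: a mysqli prepared statement (assumed available; GRPG's own header.php uses the old mysql_* extension) so the value never touches the SQL text, and escaping on output so the stored note is rendered as text. Table and column names (grpgusers, notepad, id, marijuana) come from the original post; the $user_class object and connection details are placeholders for whatever header.php provides. Note also that the original form carries no anti-CSRF token, so "only viewable to themselves" is a weaker guarantee than it sounds: a third-party page could submit a note on a logged-in player's behalf.

```php
<?php
// Added example (PHP 7+), not part of the original GRPG notepad mod.
// Part 1: the vulnerable construction from notepad.php, as a pure function.
// Part 2: a hardened replacement using a prepared statement and output escaping.

// --- Part 1: what the original UPDATE becomes with a crafted note. ---
function build_vulnerable_update(string $notepad, int $userId): string
{
    // Identical shape to the mysql_query() string in the original post.
    return "UPDATE `grpgusers` SET `notepad`='" . $notepad
         . "' WHERE `id`='" . $userId . "'";
}

// Constructed payload: the quote closes the string literal, the rest replaces
// the WHERE clause, and "-- " (with the trailing space) comments out the real one.
$payload = "pwned' WHERE '1'='1' -- ";
echo build_vulnerable_update($payload, 42), PHP_EOL;
// UPDATE `grpgusers` SET `notepad`='pwned' WHERE '1'='1' -- ' WHERE `id`='42'
// -> every player's notepad is overwritten by one ordinary UPDATE.

// Constructed payload that sets another column; `marijuana` is assumed from the
// "$this->marijuana = $worked['marijuana'];" line quoted in the original post.
$payload2 = "x', `marijuana`='999999' WHERE `id`='42' -- ";
echo build_vulnerable_update($payload2, 42), PHP_EOL;
// UPDATE `grpgusers` SET `notepad`='x', `marijuana`='999999' WHERE `id`='42' -- ...

// --- Part 2: hardened handler. ---
function save_notepad(mysqli $db, int $userId, string $notepad): bool
{
    // The value is sent separately from the SQL text, so quotes inside it are
    // data, never syntax. No addslashes(), no magic quotes, no escape function.
    $stmt = $db->prepare("UPDATE `grpgusers` SET `notepad` = ? WHERE `id` = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("si", $notepad, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function render_notepad(string $notepad): string
{
    // Escape on output, not on input: the database keeps exactly what the player
    // typed, and the browser receives it as text rather than markup or script.
    // Inside a <textarea> this is what stops "</textarea><script>..." breaking out.
    return htmlspecialchars($notepad, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage inside notepad.php, replacing the original mysql_query() call.
// Connection details are placeholders; header.php normally opens the link.
//
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'grpg');
// $db->set_charset('utf8mb4'); // connection charset must match the data
// if (isset($_POST['submit'])) {
//     $note = $_POST['notepad'] ?? '';
//     // On PHP < 5.4 with magic_quotes_gpc on, $_POST is already addslashed;
//     // undo that or the stored note keeps the backslashes (the "double escaping"
//     // Djkanna describes).
//     if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
//         $note = stripslashes($note);
//     }
//     if (strlen($note) > 4000) {
//         $note = substr($note, 0, 4000); // `text` column; cap what a player can store
//     }
//     save_notepad($db, (int) $user_class->id, $note);
// }
// echo "<textarea name='notepad' cols='53' rows='7'>"
//    . render_notepad($user_class->notepad) . "</textarea>";
```

The prepared statement makes the escaping debate moot for this query: neither addslashes() nor mysql_real_escape_string() is applied, because the server receives the note as a bound parameter. If a codebase must stay on the mysql_* extension, mysql_real_escape_string() after mysql_set_charset() is the minimum, and addslashes() is not a substitute, since it knows nothing about the connection's character set.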
Kakashi (Author) Posted May 18, 2010

Kk, thanks for improving. :thumbsup: