LearningCoder Posted May 11, 2012

```php
<?php include "mainmenu.php"; ?>
<?php
if ($_POST['changepass']) {
    $pass1 = strip_tags($_POST['password']);
    $pass = mysql_real_escape_string($pass1);
    $newpass1 = strip_tags($_POST['newpass']);
    $newpass = mysql_real_escape_string($newpass1);
    if ($mypassword == $pass) {
        mysql_query("UPDATE users SET password='$newpass' WHERE username='$username'");
        echo "Your Password has been successfully updated!";
    } else {
        echo "Incorrect Password!";
    }
}

if ($_POST['editquote']) {
    $detail1 = strip_tags($_POST['content']);
    $detail = mysql_real_escape_string($detail1);
    mysql_query("UPDATE users SET quote = '$detail' WHERE username='$username'");
    mysql_query("INSERT INTO `logs` ( `id` , `who` , `action` , `date` ) VALUES ('', '$username', 'Edited profile quote!', '$date')");
    echo "Your quote has been successfully updated!";
}

if ($_POST['changeavatar']) {
    $avatar2 = $_POST['avatar'];
    mysql_query("UPDATE users SET avatar = '$avatar2' WHERE username='$username'");
    mysql_query("INSERT INTO `logs` ( `id` , `who` , `action` , `date` ) VALUES ('', '$username', 'Edited avatar!', '$date')");
    echo "Your avatar has been successfully updated!";
}

if ($_POST['lol']) {
    $kk = htmlentities($_POST['color']);
    $fuck = mysql_real_escape_string($kk);
    mysql_query("UPDATE users SET hover = '$fuck' WHERE username='$username'");
    mysql_query("INSERT INTO `logs` ( `id` , `who` , `action` , `date` ) VALUES ('', '$username', 'Edited hover colour!', '$date')");
    echo "Your colour has been changed";
}

if ($_POST['changestatus']) {
    $status = strip_tags($_POST['status']);
    $avail = mysql_real_escape_string($status);
    mysql_query("UPDATE users SET avail = '$status' WHERE username='$username'");
    mysql_query("INSERT INTO `logs` ( `id` , `who` , `action` , `date` ) VALUES ('', '$username', 'Updated Status!', '$date')");
    echo "Status Updated!";
}
?>
<?php
if ($_POST['banneron']) {
    mysql_query("UPDATE users SET banner = '1' WHERE username='$username'");
    echo "Your banner has been turned on!";
}
?>
<?php
if ($_POST['showcars']) {
    if (is_array($_POST['car'])) {
        $scar = $_POST['car'];
        mysql_query("UPDATE cars SET profile='0' WHERE owner='$username'");
        foreach ($scar as $showcar) {
            mysql_query("UPDATE cars SET profile='1' WHERE id='$showcar' AND owner='$username'");
        }
    }
    if (is_array($_POST['ccar'])) {
        $scar = $_POST['ccar'];
        mysql_query("UPDATE ccars SET profile='0' WHERE owner='$username'");
        foreach ($scar as $showcar) {
            mysql_query("UPDATE ccars SET profile='1' WHERE id='$showcar' AND owner='$username'");
        }
    }
    echo "<b>Profile Updated!</b>";
} // if submit
?>
<?php
if ($_POST['showupdate']) {
    mysql_query("UPDATE users SET showbusts='0', showkills='0' WHERE username='$username'");
    if ($_POST['showbusts']) {
        mysql_query("UPDATE users SET showbusts='1' WHERE username='$username'");
    }
    if ($_POST['showkills']) {
        mysql_query("UPDATE users SET showkills='1' WHERE username='$username'");
    }
    echo "<b>Profile Updated!</b>";
} // if submit
?>

<table cellSpacing=0 cellPadding=0 style="WIDTH: 100%">
<tbody><tr>
  <td class=topleft NOWRAP> </td> <td class=leftbar NOWRAP> </td>
  <td class=bar NOWRAP> <center>Edit Profile</center> </td>
  <td class=rightbar NOWRAP> </td> <td class=topright NOWRAP> </td>
</tr></tbody>
</table>

<table cellSpacing=0 cellPadding=0 style="WIDTH: 100%">
<tbody><tr>
<td class=left NOWRAP> </td>
<td class=main>
<div align="center">

<form action="friends.php" method="post">
  <input class="tbox" type="submit" value="Edit Friends">
</form>
<form action="viewprofile.php?viewuser=<?php echo "$username"; ?>" method="post">
  <input class="tbox" type="submit" value="View Profile">
</form>

<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
  <td class=topleft NOWRAP> </td> <td class=leftbar NOWRAP> </td>
  <td class=bar NOWRAP> <div align="center">Edit Quote</div></td>
  <td class=rightbar NOWRAP> </td> <td class=topright NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
<td class=left NOWRAP> </td>
<td class=main>
  <div align="center">
  <form action="" method="post">
    <textarea name="content" cols="90"<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?> rows="15" class="tbox"><?php if ($activatek == "0") { ?>You must activate before you can edit this!<?php } else { ?> <?php echo "$profilequote"; ?><?php } ?> </textarea>
    <br>
    <input name="editquote" type="submit"<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?> value="Update Quote!" class="tbox">
  </form>
  <br>
  </div>
</td>
<td class=right NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr> <td class=bottomleft NOWRAP> </td> <td class=bottom NOWRAP> </td> <td class=bottomright NOWRAP> </td> </tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr> <td class=bottomleft NOWRAP> </td> <td class=bottom NOWRAP> </td> <td class=bottomright NOWRAP> </td> </tr></tbody>
</table>
<br> <br>

<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
  <td class=topleft NOWRAP> </td> <td class=leftbar NOWRAP> </td>
  <td class=bar NOWRAP> <div align="center">Change Password </div></td>
  <td class=rightbar NOWRAP> </td> <td class=topright NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
<td class=left NOWRAP> </td>
<td class=main>
  <div align="center">
  <form action="" method="post">
    Current Password:<br>
    <input name="password" type="password"<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?> class="tbox">
    <br>
    New Password:<br>
    <input name="newpass" type="password"<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?> class="tbox">
    <br>
    <input name="changepass" type="submit"<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?> value="Change" class="tbox">
  </form>
  </div>
</td>
<td class=right NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr> <td class=bottomleft NOWRAP> </td> <td class=bottom NOWRAP> </td> <td class=bottomright NOWRAP> </td> </tr></tbody>
</table>
<br> <br>

<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
  <td class=topleft NOWRAP> </td> <td class=leftbar NOWRAP> </td>
  <td class=bar NOWRAP> <div align="center">Change Avatar </div></td>
  <td class=rightbar NOWRAP> </td> <td class=topright NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr> <td class=bottomleft NOWRAP> </td> <td class=bottom NOWRAP> </td> <td class=bottomright NOWRAP> </td> </tr></tbody>
</table>
<br>

<script type="text/javascript" src="jscolor.js"></script>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
  <td class=topleft NOWRAP> </td> <td class=leftbar NOWRAP> </td>
  <td class=bar NOWRAP> <div align="center">Change Hover Colour </div></td>
  <td class=rightbar NOWRAP> </td> <td class=topright NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
<td class=left NOWRAP> </td>
<td class=main>
  <div align="center">
  <form action="" method="post">
    New Colour:<br>
    <div id="colors" style="display: block;">
      <input name="color" class="color" id="ChangeColor"
             style="border-right:1px solid #353535; border-bottom:#626262 1px solid; border-left:#040404 1px solid; border-top:1px solid #191919; font-family:vixar,tahoma,verdana,arial,helvetica,sans-serif; font-size:10px; font-weight:700; background-color: rgb(61, 133, 85); color: rgb(255, 255, 255);"
             value="<?php echo $hover ?>" size="10" autocomplete="off"<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?>>
    </div>
    <br>
    <input name="lol" type="submit"<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?> class="tbox" id="lol" value="Change">
  </form>
  </div>
</td>
<td class=right NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr> <td class=bottomleft NOWRAP> </td> <td class=bottom NOWRAP> </td> <td class=bottomright NOWRAP> </td> </tr></tbody>
</table>
<br> <br>

<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
  <td class=topleft NOWRAP> </td> <td class=leftbar NOWRAP> </td>
  <td class=bar NOWRAP> <div align="center">Add/Remove Cars From Profile </div></td>
  <td class=rightbar NOWRAP> </td> <td class=topright NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr>
<td class=left NOWRAP> </td>
<td class=main>
<div align="center">
<table width="80%" cellspacing="2" cellpadding="1">
<br>
<tr>
  <td class="tab" colspan="1"><div class="CM"></div>Car name<div class="CM"></div></td>
  <td class="tab" colspan="1"><div class="CM"></div>Car damage<div class="CM"></div></td>
</tr>
<form action='' method='post'>
<?php
$result = mysql_query("SELECT * FROM ccars WHERE owner='" . mysql_real_escape_string($username) . "' ORDER BY id DESC ") or die(mysql_error());
// keeps getting the next row until there are no more to get
while ($row = mysql_fetch_array($result)) {
    $id = $row['id'];
    $carname = $row['name'];
    $sale = $row['sale'];
    $csp = $row['profile'];
    $price = number_format($row['price']);
    $super = $row['super'];
?>
<tr>
  <td width="75%" height="6" align="left" bgcolor="<?php echo "$tabcolor"; ?>" class="tabA">
    <label for="<?php echo $row['id']; ?>">
      <input name="ccar[]" type="checkbox" value="<?php echo $id; ?>" <?php if ($csp == 1) { echo "checked=checked"; } ?> >
      <a href="viewcustomcar.php?carid=<?php echo $id; ?>"><?php if ($super >= 5) { echo "<b><font color=blue>SUPER RARE</font>: </b>"; } else { echo "<b><font color=red>CUSTOM</font>: </b>"; } ?><?php echo "$carname"; ?></a>
    </label>
  </td>
  <td width="25%" height="6" align="left" bgcolor="<?php echo "$tabcolor"; ?>" class="tabA"><label> <?php echo "0%"; ?> </label> </td>
</tr>
<?php } // while loop ?>
<?php
$result = mysql_query("SELECT * FROM cars WHERE owner='" . mysql_real_escape_string($username) . "' ORDER BY type ASC ") or die(mysql_error());
// keeps getting the next row until there are no more to get
while ($row = mysql_fetch_array($result)) {
    $id = $row['id'];
    $type = $row['type'];
    $damage = $row['damage'];
    $sale = $row['sale'];
    $csp = $row['profile'];
    $price = number_format($row['price']);
    if ($type == "1") { $carname = $car_1; }
    if ($type == "2") { $carname = $car_2; }
    if ($type == "3") { $carname = $car_3; }
    if ($type == "4") { $carname = $car_4; }
    if ($type == "5") { $carname = $car_5; }
    if ($type == "6") { $carname = $car_6; }
    if ($type == "7") { $carname = $car_7; }
    if ($type == "8") { $carname = $car_8; }
    if ($type == "9") { $carname = $car_9; }
    if ($type == "10") { $carname = $car_10; }
    if ($type == "11") { $carname = $car_11; }
    if ($type == "12") { $carname = $car_12; }
    if ($type == "13") { $carname = $car_13; }
    if ($type == "14") { $carname = $car_14; }
?>
<tr>
  <td width="75%" height="6" align="left" bgcolor="<?php echo "$tabcolor"; ?>" class="tabA">
    <label for="<?php echo $row['id']; ?>">
      <input name="car[]" type="checkbox" value="<?php echo $id; ?>" <?php if ($csp == 1) { echo "checked=checked"; } ?> >
      <a href="viewcar.php?carid=<?php echo $id; ?>"><?php echo $carname; ?></a>
    </label>
  </td>
  <td width="25%" height="6" align="left" bgcolor="<?php echo "$tabcolor"; ?>" class="tabA"><label> <?php echo $row['damage'] . "%"; ?> </label> </td>
</tr>
<?php } // while loop ?>
</table>
<center>
  <br><br>
  <input type='submit' name='showcars' class='tbox'<?php if ($activatek == "0") { ?> disabled="yes"<?php } ?> value='Show On Profile'>
</center>
</form>
</div>
</td>
<td class=right NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 60%">
<tbody><tr> <td class=bottomleft NOWRAP> </td> <td class=bottom NOWRAP> </td> <td class=bottomright NOWRAP> </td> </tr></tbody>
</table>
<br> <br>

</div>
</td>
<td class=right NOWRAP> </td>
</tr></tbody>
</table>
<table cellSpacing=0 cellPadding=0 style="WIDTH: 100%">
<tbody><tr> <td class=bottomleft NOWRAP> </td> <td class=bottom NOWRAP> </td> <td class=bottomright NOWRAP> </td> </tr></tbody>
</table>
<?php include "playerstats.php"; ?>
```
a_bertrand Posted May 12, 2012

Not good =>

    $avatar2 = $_POST['avatar'];
    mysql_query("UPDATE users SET avatar = '$avatar2' WHERE username='$username'");

Bad =>

    $status=strip_tags($_POST['status']);
    $avail=mysql_real_escape_string($status);
    mysql_query("UPDATE users SET avail = '$status' WHERE username='$username'");

Etc... check yourself ;)

NEVER EVER let GET, POST, COOKIE info go inside a query without some checks / escaping. That's why people today should use MySQLi instead of the old library.
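As an added example (not code from the original post or from a_bertrand), here are the two flagged handlers rewritten with MySQLi prepared statements as he recommends; the connection details, the `users` column names and the sample `$_POST` array are assumptions.

```php
<?php
// Added example: the avatar and status handlers with MySQLi prepared
// statements, so POST values are bound as parameters and never spliced
// into the SQL text. Assumes a `users` table with columns username,
// avatar and avail; the connection details below are placeholders.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // binding and escaping are charset-aware

// Constructed request for illustration; on the real page it comes from the form.
$_POST = ['changeavatar' => '1', 'avatar' => "x' OR '1'='1"];
$username = 'alice'; // logged-in user, assumed to be set by mainmenu.php

function update_user_field(mysqli $db, string $column, string $value, string $username): bool
{
    // Column names cannot be bound, so they come only from this fixed list.
    $allowed = ['avatar', 'avail', 'quote', 'hover'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    $stmt = $db->prepare("UPDATE users SET `$column` = ? WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    // The value is sent to the server separately from the SQL, so a quote or
    // "OR 1=1" inside it is stored literally instead of changing the query.
    $stmt->bind_param('ss', $value, $username);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['changeavatar'])) {
    // strip_tags() is kept for the stored value; still htmlspecialchars() it
    // wherever it is echoed back into HTML.
    $avatar = strip_tags($_POST['avatar']);
    if (update_user_field($db, 'avatar', $avatar, $username)) {
        echo "Your avatar has been successfully updated!";
    }
}

if (isset($_POST['changestatus'])) {
    // One variable, bound once: there is no separate escaped copy to forget.
    $status = strip_tags($_POST['status']);
    if (update_user_field($db, 'avail', $status, $username)) {
        echo "Status Updated!";
    }
}
```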
a_bertrand Posted May 12, 2012

Not only is it on 2 lines, but on top of that the escaped variable is not used... it's just the tag-stripped one.
Djkanna Posted May 13, 2012

"Is there a reason you use 2 lines for the strip_tags and mysql_real_escape_string? [...]"

If you're directing this at Alain (due to the quote), he's saying that doing that was bad (the code he used is part of the code provided in the original post), along with the fact that the OP is not actually using the $avail variable in his/her query. So in a sense you should be directing your question at the OP.