MakeWebGames

Player Report



Hello, so no errors come up and every other part of the report system works. When I am on the editing page of the player reports, it only shows the <h3> title.

function pr_report_edit() {
	global $db, $ir, $c, $h, $userid;
	$_POST['ID'] = (isset($_POST['ID']) && is_numeric($_POST['ID']))
		? abs(intval($_POST['ID'])) : 0;
	if(isset($_POST['ID'], $_POST['status'])) {
		$max = $db->query(
						"SELECT `prID`, `prREPORTED` 
						 FROM `preports` 
						 WHERE `prID`= " . $_POST['ID'] . "
						 LIMIT 1");
		// ID was already cast to an int above; ctype_digit() expects a string, so test the int directly
		if($_POST['ID'] < 1 || !$db->num_rows($max)) {
			?>Invalid ID.<?php
			exit($h->endpage());
		}
		// cast before validating so the value written to the database below is always an int
		$_POST['status'] = isset($_POST['status']) ? (int) $_POST['status'] : 0;
		if(!in_array($_POST['status'], array(1, 2, 3, 4, 5), true)) {
		    ?>Invalid Status.<?php
			exit($h->endpage());
		}
		if(!isset($_POST['message']) || trim($_POST['message']) === '') {
			?>You need to enter a message to send to the reporter. Please go back and try again.<?php 
			exit($h->endpage());
		}
		$db->query(
				"UPDATE `preports` 
				 SET `prSTATUS` = '". $_POST['status']. "'
				 WHERE `prID` = '". $_POST['ID'] . "'");
		$it = $db->query(
					"SELECT * 
					 FROM `preports` 
					 WHERE `prID` = {$_POST['ID']}");
		$er = $db->fetch_row($it);
		$subj = $db->escape("Player report against " . username($er['prREPORTED']));
		$msg = $db->escape($_POST['message']);
		$statnamearray = array(
			1 => 'Pending Investigation',
			2 => 'Investigation In Progress',
			3 => 'Investigation Complete',
			4 => 'Awaiting Reply From Reporter',
			5 => 'Awaiting Reply From Reported'
		);
		$status = $statnamearray[$er['prSTATUS']];
		stafflog_add("Edited Player Report #" . $_POST['ID'] . " status");
		$db->query(
			"INSERT INTO `mail` 
			VALUES ('', 0, 0, " . $userid . ", " . $er['prREPORTER'] . ", " . time() . ", '" . $subj . "', '" . $msg . "')");

		$db->query("
				UPDATE `users` 
				SET `new_mail` = `new_mail` + 1 
				WHERE `userid` = {$er['prREPORTER']}");
		event_add($er['prREPORTER'], "Your player report against ". username($er['prREPORTED'], TRUE)." has been reviewed by staff member " . username($ir['userid'])." and has set this reports status to: ".$status);
		?><span style="color: green;">The report has been edited!</span><?php
		exit($h->endpage());
	} else {

		$statnamearray = array(
			1 => 'Pending Investigation',
			2 => 'Investigation In Progress',
			3 => 'Investigation Complete',
			4 => 'Awaiting Reply From Reporter',
			5 => 'Awaiting Reply From Reported'
		);
		?><form action="staff_reports.php?action=predit" method="post">
		<table width='90%' cellpadding='1' class='table'>
			<tr>
				<th colspan='2'><strong>Process Report</strong></th>
			</tr>
			<tr>
				<td>Report ID:</td>
				<td align="left"><input type="text" name="ID" value="<?php echo isset($_GET['ID']) ? (int) $_GET['ID'] : ''; ?>" /> <font color='red'>*</font> [Report ID]</td>
			</tr>
			<tr>
				<td>New Status:</td>
				<td align="left"><select name="status"><?php
					foreach($statnamearray as $values => $display)
						echo '<option value="',$values,'">',$display,'</option>';
				?></select><font color='red'>*</font> [Investigation Complete]</td>
			</tr>
			<tr>
				<td>Message:</td>
				<td align="left"><font color='red'>*</font> [Explain what has or is going to be done]<br />
				<textarea rows='10' cols='75' name='message'></textarea></td>
			</tr>
			<tr>
				<td><input type="submit" value="Submit" /></td>
				<td align="left"><font color='red'>*</font> [Revise all information before clicking submit]</td>
			</tr>
		</table>
		</form><?php
	}
}

What could be the issue?

Edited by Samurai Legend

The handling of the $_POST array is very strange, especially the ID element. Initially you check if it is a number, then take the absolute value. abs() returns an int or a float. Later on you check to see if it is a string made up of digits - ctype_digit() expects a string. It may be wise to extract the variables from the $_POST array early on; for example:

$report_id = array_key_exists('ID', $_POST)      && ctype_digit($_POST['ID'])     ? (int)$_POST['ID']       : 0;
$status    = array_key_exists('status', $_POST)  && ctype_digit($_POST['status']) ? (int)$_POST['status']   : 0;
$message   = array_key_exists('message', $_POST) && is_string($_POST['message'])  ? trim($_POST['message']) : '';

Now, both $report_id and $status are positive integers, while $message is a string.

I'd probably start the ball rolling with `if ($report_id > 0)`, then check to see if status is within the range 1-5, check to see if your message is not empty, then finally check to see if a report actually exists with the given $report_id.
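A typed extraction and validation routine along the lines of that reply, added here as an example rather than code from the thread; the PDO connection and the pr_validate_edit() / pr_report_exists() / pr_status_names() names are assumptions:

```php
<?php
// Added example, not the thread's code: extract the three form fields with
// explicit types, validate in the order the reply describes, then look the
// report up with a bound parameter. PDO and the function names are assumed.

function pr_status_names(): array
{
    return [
        1 => 'Pending Investigation',
        2 => 'Investigation In Progress',
        3 => 'Investigation Complete',
        4 => 'Awaiting Reply From Reporter',
        5 => 'Awaiting Reply From Reported',
    ];
}

// Returns ['ok' => true, 'id', 'status', 'message'] or ['ok' => false, 'error'].
// Takes the POST array as a parameter so it can be exercised without a request.
function pr_validate_edit(array $post): array
{
    // ctype_digit() is only meaningful on strings, so test the raw string
    // first and cast afterwards (the original cast first, then tested).
    $id = isset($post['ID']) && is_string($post['ID']) && ctype_digit($post['ID'])
        ? (int) $post['ID'] : 0;
    $status = isset($post['status']) && is_string($post['status']) && ctype_digit($post['status'])
        ? (int) $post['status'] : 0;
    $message = isset($post['message']) && is_string($post['message'])
        ? trim($post['message']) : '';

    if ($id < 1) {
        return ['ok' => false, 'error' => 'Invalid ID.'];
    }
    // Integer key lookup: no loose comparison against the status list.
    if (!array_key_exists($status, pr_status_names())) {
        return ['ok' => false, 'error' => 'Invalid Status.'];
    }
    if ($message === '') {
        return ['ok' => false, 'error' => 'You need to enter a message.'];
    }
    return ['ok' => true, 'id' => $id, 'status' => $status, 'message' => $message];
}

// Existence check last, with a bound parameter instead of string interpolation.
function pr_report_exists(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare('SELECT prID FROM preports WHERE prID = :id LIMIT 1');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchColumn() !== false;
}
```

With this shape the UPDATE and INSERT that follow only ever see the validated int and string values, never the raw $_POST entries.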
