Jump to content
MakeWebGames

Recommended Posts

Posted (edited)

Hello, so no errors come up and every other part of the report system works. When I am on the editing page of the player reports it only shows the <h3> title.

function pr_report_edit() {
	global $db, $ir, $c, $h, $userid;
        $_POST['ID'] =
                (isset($_POST['ID']) && is_numeric($_POST['ID']))
                        ? abs(intval($_POST['ID'])) : 0;
	if(isset($_POST['ID'], $_POST['status'])) {
		$max = $db->query(
						"SELECT `prID`, `prREPORTED` 
						 FROM `preports` 
						 WHERE `prID`= " . $_POST['ID'] . "
						 LIMIT 1");
		if(!ctype_digit($_POST['ID']) || !$db->num_rows($max)) {
			?>Invalid ID.<?php
			exit($h->endpage());
		}
		if(!in_array($_POST['status'], array(1, 2, 3, 4, 5))) {
		    ?>Invalid Status.<?php
			exit($h->endpage());
		}
		if(!$_POST['message']) {
			?>You need to enter a message to send to the reporter. Please go back and try again.<?php 
			exit($h->endpage());
		}
		$db->query(
				"UPDATE `preports` 
				 SET `prSTATUS` = '". $_POST['status']. "'
				 WHERE `prID` = '". $_POST['ID'] . "'");
		$it = $db->query(
					"SELECT * 
					 FROM `preports` 
					 WHERE `prID` = {$_POST['ID']}");
		$er = $db->fetch_row($it);
		$subj = $db->escape("Player report against " . username($er['prREPORTED']));
		$msg = $db->escape($_POST['message']);
		$statnamearray = array(
			1 => 'Pending Investigation',
			2 => 'Investigation In Progress',
			3 => 'Investigation Complete',
			4 => 'Awaiting Reply From Reporter',
			5 => 'Awaiting Reply From Reported'
		);
		$status = $statnamearray[$er['prSTATUS']];
		stafflog_add("Edited Player Report #" . $_POST['ID'] . " status");
		$db->query(
			"INSERT INTO `mail` 
			VALUES ('', 0, 0, " . $userid . ", " . $er['prREPORTER'] . ", " . time() . ", '" . $subj . "', '" . $msg . "')");

		$db->query("
				UPDATE `users` 
				SET `new_mail` = `new_mail` + 1 
				WHERE `userid` = {$er['prREPORTER']}");
		event_add($er['prREPORTER'], "Your player report against ". username($er['prREPORTED'], TRUE)." has been reviewed by staff member " . username($ir['userid'])." and has set this reports status to: ".$status);
		?><span style="color: green;">The report has been edited!<?
		exit($h->endpage());
	} else {

		$statnamearray = array(
			1 => 'Pending Investigation',
			2 => 'Investigation In Progress',
			3 => 'Investigation Complete',
			4 => 'Awaiting Reply From Reporter',
			5 => 'Awaiting Reply From Reported'
		);
		?><form action="staff_reports.php?action=predit" method="post">
		<table width='90%' cellpadding='1' class='table'>
			<tr>
				<th colspan='2'><strong>Process Report</strong></th>
			</tr>
			<tr>
				<td>Report ID:</td>
				<td align="left"><input type="text" name="ID" value="<?php echo $_GET['ID']; ?>" /> <font color='red'>*</font> [Report ID]</td>
			</tr>
			<tr>
				<td>New Status:</td>
					<td align="left"><select name="status" type="dropdown"><?php
					foreach($statnamearray as $values => $display)
						echo '<option value="',$values,'">',$display,'</option>';
				?></select><font color='red'>*</font> [Investigation Complete]</td>
			</tr>
			<tr>
				<td>Message:</td>
				<td align="left"><font color='red'>*</font> [Explain what has or is going to be done]<br />
				<textarea rows='10' cols='75' name='message'></textarea></td>
			</tr>
			<tr>
				<td><input type="submit" value="Submit" /></td>
				<td align="left"><font color='red'>*</font> [Revise all information before clicking submit]</td>
			</tr>
		</table>
		</form><?php
	}
}

What could be the issue?

Edited by Samurai Legend
Posted

The handling of the $_POST array is very strange, especially the ID element, Initially you check if it is number then take the absolute value. abs() returns an int or a float. Later on you check to see if is a string made up of digits. - ctype_digit() expects a string. It may be wise to extract the variables from the $_POST array early on; for example:

$report_id = array_key_exists('ID', $_POST)      && ctype_digit($POST['ID'])      ? (int)$_POST['ID']       : 0;
$status    = array_key_exists('status', $_POST)  && ctype_digit($_POST['status']) ? (int)$_POST['status']   : 0;
$message   = array_key_exists('message', $_POST) && is_string($_POST['message'])  ? trim($_POST['message']) : '';

Now, both $report_id and $status are positive integers, while $message is a string.

I'd probably start the ball rolling with `if ($report_id > 0)`, then check to see if status is within the range 1-5, check to see of your message is not empty, then finally check to see if a report actually exists with the given $report_id.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...