Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
5 - 3 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: Blue Move Tip - Database Updates
by Peekay on 2010/8/10 17:33:56

You are quite right. The function is accessed through a link, not a form. The query string is:

le="color: #000000"><?php ?w=deletemod&uid=3&secid=1

I will convert it to a form. In fact, there are several like this so I'll do the lot.

Good tip!
Re: Blue Move Tip - Database Updates
by ghia on 2010/8/10 16:50:30

The code is allright.
The only problem is how you got there for executing that function, by a link (GET) or by a form (POST)?
In the first case the query function sees it is initiated from a link/GET request and then fails deliberately.

The good correction is to find the template or code where the link that has lead to this function is present and make there a form with the right parameters.
Much more difficult and complicated then adding a letter in the function name, but hey, security is not that simple.
Re: Blue Move Tip - Database Updates
by Peekay on 2010/8/10 15:37:06

Sorry Ghia, I wan't suggesting using a link, it's just that I had the error message from this function in an old module:

le="color: #000000"><?php $q_str = "DELETE FROM " . $xoopsDB->prefix('arms_moderators') . " WHERE uid=$arms_uid AND sec_id=$arms_secid"; if ($xoopsDB->query($q_str)): { redirect_header('index.php?w=moderators', 1, _MM_MOD_DELETED ); } else: { print_and_die( sprintf(_ME_ARMS_SQL_ERROR, $q_str) ); } endif;

and changing the 'query' to 'queryF' fixed it.

I have since found a quote in the Xoops FAQ
Quote:
using queryf is insecure as it doesn't distinguish between _POST and _GET and will likely lead to security exploitation via XSS or CSRF

So... in my function (I didn't write it BTW) what's causing the error. I'm guessing the redirect?
Re: Blue Move Tip - Database Updates
by ghia on 2010/8/10 15:07:55

As a general W3C rule, you should not be able to make alterations in a database by means of a link.
That's why the two functions differentiate.

The correct solution is to implement a form with the required functions as eg buttons and not to exchange the function name as in the example.
If such links become accesible, Google could modify or delete in your database.

Bad tip!
Blue Move Tip - Database Updates
by Peekay on 2010/8/10 13:34:30

If you get this error when a module tries to update the database:

Quote:
Database update not allowed during processing of a GET request


Then you can change the query from:

le="color: #000000"><?php if ($xoopsDB->query($str)):


to:

le="color: #000000"><?php if ($xoopsDB->queryF($str)):


Credit to Catzwolf for this one, originally posted here.

-- Edit --

However, if the function is triggered from a link, it would really be better to replace the link with a form. See below.

Who's Online

200 user(s) are online (157 user(s) are browsing Support Forums)


Members: 0


Guests: 200


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits