// fetch form informations
$paket = $HTTP_POST_VARS["paket"];
Use $_POST/$_GET/$_REQUEST instead of long arrays like $HTTP_XXX_VARS
$sql = "INSERT INTO orders (status, paket, vname, nname, street, city, email, domain, domsel, domain2, domsel2, domain3, domsel3)
VALUES ('$status','$paket','$vname','$nname','$street', '$city','$email','$domain','$domsel','$domain2','$domsel2','$domain3','$domsel3')";
before using a variable in an SQL statement, you should sanitize it.
Integers are sanitized with intval:
$var = intval($_POST['var']);
Strings are sanitized with the text sanitizer:
$myts =& MyTextSanitizer::getInstance();
$sanitized_var = $myts->addSlashes($_POST['var']);
Also, you should use $xoopsDB->prefix('tablename') instead of hardcoding the table name directly in SQL (others may have different XOOPS prefixes than you)
function writeuser(){
global $pass, $uname, $email, $name, $user_regdate, $user_from, $umode;
$sql2 = "INSERT INTO portal_users (name, uname, email, user_regdate, user_from, umode, pass)
VALUES ('$name','$uname','$email','$user_regdate','$user_from','$umode','$pass')";
$result2 = mysql_query($sql2);
}
writeuser();
This is better:
$member_handler =& xoops_gethandler('member');
$user =& $member_handler->create();
$user->setVar('name', $name);
$user->setVar('uname', $_POST['uname']); //Sanitation is done in the class, so no need to addslashes here
$user->setVar('email', $_POST['email']);
$user->setVar('user_regdate', time());
$user->setVar('user_from', $user_from);
$user->setVar('umode', "thread");
$user->setVar('pass', $pass);
if ($member_handler->insert($user)) {
//user was inserted correctly
}
else {
//user was not inserted correctly
//$user->getHtmlErrors() will return an HTML string with error messages
}
Hope this helps
