1
MS-2001
Convert "GET"-Items to make a query work
  • 2007/2/5 17:28

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


Is there any possibility to convert $_GET-values to make a ->query work?

$cid = isset($_GET['cid']) ? (int)$_GET['cid'] : 0;
[...]
$xoopsDB->query("DELETE FROM ".$xoopsDB->prefix("table")." WHERE cid=$cid");

This one isn't working because of the query / queryF thing. The problem is: I can't use queryF because it's a line of code in the kernel and I don't want to change that line.

2
zyspec
Re: Convert "GET"-Items to make a query work
  • 2007/2/5 19:35

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


I'm not sure I understand exactly what you're trying to do, or what problem you're trying to solve...

I believe the XOOPS query function (as long as you're using the standard MySQL connection) uses a queryF because it does its connection through the XoopsMySQLDatabaseSafe class.

If you're trying to bypass the queryF you could just use the PHP mysql_query command.

Sorry if this isn't what you're asking. Maybe you could define "isn't working".

3
MS-2001
Re: Convert "GET"-Items to make a query work
  • 2007/2/6 17:55

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


For understanding my question you should know about the query / queryF thing in XOOPS. Using the query function of the xoopsDB object requires not using variables referencing $_GET-values in the SQL string.

But I'm using such a variable as you can see in the code above.

Now I want to "convert" the variable to use it in a query function.

Again:
$cid = isset($_GET['cid']) ? (int)$_GET['cid'] : 0;
so $cid is my variable referencing the $_GET-value 'cid'.

As an example see the following sql query:
$xoopsDB->query("DELETE FROM ".$xoopsDB->prefix("table")." WHERE cid=$cid");
This one is not being executed because $cid is part of it. To make the query work, I have to use the function "queryF".

And exactly that's the problem: I can't use it because the problem I'm addressing occurs in the kernel (groupperm.php).

I hope you know what I mean.

4
MS-2001
Re: Convert "GET"-Items to make a query work
  • 2007/2/8 18:31

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


I need help *uuh*

5
Dave_L
Re: Convert "GET"-Items to make a query work
  • 2007/2/8 19:21

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


It's not a matter of converting variables, but rather dealing with the request method $_SERVER['REQUEST_METHOD'] check in include/common.php:

// #################### Connect to DB ##################
require_once XOOPS_ROOT_PATH.'/class/database/databasefactory.php';
// Any request that is not a POST, or whose referer check fails, gets the
// proxy (read-only) database connection, so write queries via query() fail.
if ($_SERVER['REQUEST_METHOD'] != 'POST' || !$xoopsSecurity->checkReferer(XOOPS_DB_CHKREF)) {
    define('XOOPS_DB_PROXY', 1);
}
$xoopsDB =& XoopsDatabaseFactory::getDatabaseConnection();


You might need to substitute your own modified version of common.php.

6
Catzwolf
Re: Convert "GET"-Items to make a query work
  • 2007/2/8 19:43

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


Using this method without the $_POST/$_GET var check will leave you open to attack, not mainly due to someone trying to hack you but rather the exploits that could be left open by other developers.

My suggestion to you would be to rethink the way you do this in your form; $_GET should never be used in this method anyway.

7
vaughan
Re: Convert "GET"-Items to make a query work
  • 2007/2/8 21:34

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


xoops will not allow you to use $xoopsDB->query() with $_GET for security reasons as John mentioned.. you have to use queryF() with $_GET which is insecure.

queryF basically forces the query which bypasses all sanitization in the query leaving the query itself open to exploitation. You should only ever use queryF if you have no other choice at all, and then I wouldn't recommend using it on any pages/forms that are accessible by users.

if you can change from $_GET to use $_POST instead, then $xoopsDB->query() will function correctly.

as david mentioned, can you not use >

$cid = isset($_REQUEST['cid']) ? $_REQUEST['cid'] : 0;

& use a class/function to execute the query itself instead of having the query execute in the same script that the form uses? Then return the results. I'm no expert though..

8
JCDunnart
Re: Convert "GET"-Items to make a query work
  • 2007/2/8 22:04

  • JCDunnart

  • Not too shy to talk

  • Posts: 114

  • Since: 2006/7/1 5


The usual way to change a $_GET request to $_POST in XOOPS modules is to use the confirmation message - the "are you sure you want to delete this?" form. This is submitted as a POST request, which then allows the sql statement to be executed.

Pseudo code example:

if ( isset( $_POST['ok'] ) ) {
    // execute your sql
} else {
    // 'ok' => 1 is the conventional hidden value; the POST handler above only tests isset()
    xoops_confirm( array( 'cid' => $cid, 'ok' => 1 ), 'index.php', CONFIRM_DEL );
}


Not sure if that's what you are looking for, but maybe it helps...
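The following is an added example, not code from this thread or from XOOPS itself, showing the GET -> confirm -> POST pattern JCDunnart describes combined with the REQUEST_METHOD check Dave_L quoted from include/common.php: the destructive query runs only on a confirmed POST, so $xoopsDB->query() never executes a write while the proxy connection is in force, and the id is cast to an int before it reaches the SQL string. It assumes a XOOPS 2.0.x environment ($xoopsDB, $xoopsSecurity->check(), xoops_confirm(), redirect_header(), xoops_cp_header()/xoops_cp_footer()); the file admin_header.php, the table name mymodule_items, the constant _AM_MYMODULE_CONFIRM_DEL and the script name delete.php are placeholders.

```php
<?php
// Added example (not from the thread or the XOOPS code base): a delete action
// for a module admin page that follows the GET -> confirm -> POST pattern.
// Assumed framework pieces: $xoopsDB, $xoopsSecurity, xoops_confirm(),
// redirect_header(), xoops_cp_header(), xoops_cp_footer().
// Placeholders: admin_header.php, mymodule_items, _AM_MYMODULE_CONFIRM_DEL, delete.php.

include 'admin_header.php'; // assumption: the module's usual admin bootstrap

// Cast once, whichever method delivered the id; anything non-numeric becomes 0.
$cid = isset($_REQUEST['cid']) ? (int) $_REQUEST['cid'] : 0;
if ($cid <= 0) {
    redirect_header('index.php', 2, 'Invalid id');
}

$table = $xoopsDB->prefix('mymodule_items'); // placeholder table name

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['ok'])) {
    // Second request: the user pressed the confirmation button.
    // Reject a POST that does not carry a valid XOOPS security token, so a
    // forged form submission from another site cannot trigger the delete.
    if (!$xoopsSecurity->check()) {
        redirect_header('index.php', 3, implode('<br />', $xoopsSecurity->getErrors()));
    }

    // $cid is an int, so interpolating it cannot change the SQL structure, and
    // because this is a POST the connection is not the read-only proxy, so
    // query() (not queryF()) is enough to run the statement.
    $sql = sprintf('DELETE FROM %s WHERE cid = %d', $table, $cid);
    if (!$xoopsDB->query($sql)) {
        redirect_header('index.php', 3, 'Delete failed: ' . $xoopsDB->error());
    }
    redirect_header('index.php', 2, 'Item deleted');
}

// First request (the GET link from the item list): show the confirmation form.
// xoops_confirm() renders a POST form whose hidden fields carry cid and ok and,
// in versions that have $xoopsSecurity, the token field that check() validates.
xoops_cp_header();
xoops_confirm(array('cid' => $cid, 'ok' => 1), 'delete.php', _AM_MYMODULE_CONFIRM_DEL);
xoops_cp_footer();
```

The design point is that the GET link never does any work by itself: it only renders a form, and the form's POST is what the kernel's REQUEST_METHOD/referer check lets through to a writable connection, so there is no need to touch groupperm.php or to fall back to queryF().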

9
MS-2001
Re: Convert "GET"-Items to make a query work
  • 2007/2/10 10:50

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


Thank you for all your answers. It's just about a delete option in the admin area of one of my self-written modules.

I'll try to use xoops_confirm then. Thank you.
