XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. Xoops Development / 
  3. XOOPS Module Development
  4. Blue Move 
  5.  / Blue Move Tip - Database Updates
Register
1
Peekay
Blue Move Tip - Database Updates

  • 2010/8/10 13:34

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


If you get this error when a module tries to update the database:

Quote:
Database update not allowed during processing of a GET request


Then you can change the query from:

if ($xoopsDB->query($str)):


to:

if ($xoopsDB->queryF($str)):


Credit to Catzwolf for this one, originally posted here.

-- Edit --

However, if the function is triggered from a link, it would really be better to replace the link with a form. See below.
A thread is for life. Not just for Christmas.
2
ghia
Re: Blue Move Tip - Database Updates

  • 2010/8/10 15:07

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


As a general W3C rule, you should not be able to make alterations in a database by means of a link.
That's why the two functions differentiate.

The correct solution is to implement a form with the required functions as eg buttons and not to exchange the function name as in the example.
If such links become accesible, Google could modify or delete in your database.

Bad tip!
3
Peekay
Re: Blue Move Tip - Database Updates

  • 2010/8/10 15:37

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Sorry Ghia, I wan't suggesting using a link, it's just that I had the error message from this function in an old module:

$q_str "DELETE FROM " $xoopsDB->prefix('arms_moderators') . " WHERE uid=$arms_uid AND sec_id=$arms_secid";
    if ($xoopsDB->query($q_str)):
      { redirect_header('index.php?w=moderators'1_MM_MOD_DELETED ); }
    else:
      { print_and_diesprintf(_ME_ARMS_SQL_ERROR$q_str) ); }
    endif;

and changing the 'query' to 'queryF' fixed it.

I have since found a quote in the Xoops FAQ
Quote:
using queryf is insecure as it doesn't distinguish between _POST and _GET and will likely lead to security exploitation via XSS or CSRF

So... in my function (I didn't write it BTW) what's causing the error. I'm guessing the redirect?
A thread is for life. Not just for Christmas.
4
ghia
Re: Blue Move Tip - Database Updates

  • 2010/8/10 16:50

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


The code is allright.
The only problem is how you got there for executing that function, by a link (GET) or by a form (POST)?
In the first case the query function sees it is initiated from a link/GET request and then fails deliberately.

The good correction is to find the template or code where the link that has lead to this function is present and make there a form with the right parameters.
Much more difficult and complicated then adding a letter in the function name, but hey, security is not that simple.
5
Peekay
Re: Blue Move Tip - Database Updates

  • 2010/8/10 17:33

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


You are quite right. The function is accessed through a link, not a form. The query string is:

?w=deletemod&uid=3&secid=1

I will convert it to a form. In fact, there are several like this so I'll do the lot.

Good tip!
A thread is for life. Not just for Christmas.

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

188 user(s) are online (111 user(s) are browsing Support Forums)

Members: 1

Guests: 187

Mamba,

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits