Custom Config Settings Admin Panels
Description: A common error to avoid
Author: Xore
Date: Sat Jul 26, 2003 5:39 am
Type: Info
Keywords: config, error, update, admin, panel
Category: MODifications
So, this article isn't really telling you how to make one. If you really want to know, just load up admin/admin_board.php and look through the code there.

Now, I've seen this problem quite a few times. There is a segment of code from admin/admin_board.php that a lot of MOD authors like to use because it is very convenient, and it follows:

Code:

//
// Pull all config data
//
$sql = "SELECT *
   FROM " . CONFIG_TABLE;
if(!$result = $db->sql_query($sql))
{
   message_die(CRITICAL_ERROR, "Could not query config information in admin_board", "", __LINE__, __FILE__, $sql);
}
else
{
   while( $row = $db->sql_fetchrow($result) )
   {
      $config_name = $row['config_name'];
      $config_value = $row['config_value'];
      $default_config[$config_name] = $config_value;
      
      $new[$config_name] = ( isset($HTTP_POST_VARS[$config_name]) ) ? $HTTP_POST_VARS[$config_name] : $default_config[$config_name];

      if ($config_name == 'cookie_name')
      {
         $cookie_name = str_replace('.', '_', $new['cookie_name']);
      }

      if( isset($HTTP_POST_VARS['submit']) )
      {
         $sql = "UPDATE " . CONFIG_TABLE . " SET
            config_value = '" . str_replace("\'", "''", $new[$config_name]) . "'
            WHERE config_name = '$config_name'";
         if( !$db->sql_query($sql) )
         {
            message_die(GENERAL_ERROR, "Failed to update general configuration for $config_name", "", __LINE__, __FILE__, $sql);
         }
      }
   }

   if( isset($HTTP_POST_VARS['submit']) )
   {
      $message = $lang['Config_updated'] . "<br /><br />" . sprintf($lang['Click_return_config'], "<a href=\"" . append_sid("admin_board.$phpEx") . "\">", "</a>") . "<br /><br />" . sprintf($lang['Click_return_admin_index'], "<a href=\"" . append_sid("index.$phpEx?pane=right") . "\">", "</a>");

      message_die(GENERAL_MESSAGE, $message);
   }
}


Which is a perfectly nice piece of code, as far as it goes. The problem is that if you borrow it, you're going to run into a little problem.

First of all, the code reads all the values out of the config table in the database. When it does so, they come out 'as is': if they contain any sort of quotes, they don't carry any protective slashing.

However, the input from your form generally does already have some degree of protective slashing (whether because it's a POST variable or because it came from an input text box, I don't know).

So, if you're going to be putting the data you just pulled from the database back into the database, you need to add that protective slashing. Thus...

Replace
Code:

            config_value = '" . str_replace("\'", "''", $new[$config_name]) . "'

with
Code:

            config_value = '" . addslashes($new[$config_name]) . "'

This means that if any of the other fields contain a single quote ( ' ) or similar (like ' Xore's cool forum ' in the forum description), it won't cause the database query to break.

Now, the only problem is that you now have extra slashing on the variables coming in from your form, more than you actually want, so you'll find that slashes start appearing in your text. This is bad. To prevent that, you'll want to do the following:

Replace
Code:

      $new[$config_name] = ( isset($HTTP_POST_VARS[$config_name]) ) ? $HTTP_POST_VARS[$config_name] : $default_config[$config_name];



with
Code:

      $new[$config_name] = ( isset($HTTP_POST_VARS[$config_name]) ) ? stripslashes($HTTP_POST_VARS[$config_name]) : $default_config[$config_name];


This will remove any protective slashing that it already has (which may or may not be adequate protection for inserting into the database) so that when we add the protective slashing later on, it won't become problematic.
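As an added example (not code from this article or from phpBB itself), the script below simulates the round trip the article describes for a single config row: the same text arriving raw from the database and slashed from the form, run through the original escaping and through the two replacements above. The table name phpbb_config, the config name site_desc and the sample values are constructed for the demonstration.

```php
<?php
// Constructed sample values for one config row.
$from_db   = "Xore's cool forum";     // raw, as read back from the database
$from_form = "Xore\\'s cool forum";   // as the article says POST data arrives: already slashed

// The original code only rewrote a backslash-quote pair as a doubled quote,
// so a raw database value containing a plain quote went into the SQL untouched.
function original_escape($value)
{
    return str_replace("\'", "''", $value);
}

// Second replacement from the article: remove the slashing the form input
// already carries, so every value is in the same raw form before escaping.
// $magic_quotes_on stands in for get_magic_quotes_gpc() on a live PHP 4/5 board;
// stripping when no slashes were added would eat legitimate backslashes.
function normalise_input($value, $magic_quotes_on)
{
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// First replacement from the article: escape exactly once, at the moment the
// value is placed into the SQL string.
function build_update_sql($config_name, $value)
{
    return "UPDATE phpbb_config SET config_value = '" . addslashes($value)
         . "' WHERE config_name = '" . addslashes($config_name) . "'";
}

// Original escaping: the form value is fine, the database value is not.
echo original_escape($from_form), "\n";  // Xore''s cool forum   (valid SQL)
echo original_escape($from_db), "\n";    // Xore's cool forum    (unescaped quote breaks the query)

// Fixed flow: both sources normalise to the same raw text...
$new_db   = $from_db;                               // database values are not slashed
$new_form = normalise_input($from_form, true);
assert($new_db === $new_form);

// ...and are escaped once when the UPDATE is built.
echo build_update_sql('site_desc', $new_form), "\n";
// UPDATE phpbb_config SET config_value = 'Xore\'s cool forum' WHERE config_name = 'site_desc'

// Skipping the stripslashes() step escapes the form value twice; the extra
// backslashes would be stored and reappear in the admin panel.
echo addslashes($from_form), "\n";       // Xore\\\'s cool forum
```

addslashes() is the escaping the article settles on; it is not database-aware, so on a board whose database layer offers its own escaping function, use that in build_update_sql() instead.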

Hope this helps :)

 © Copyright 2002 The phpBB Group.