News:

Want to get involved in developing SMF? Why not lend a hand on our GitHub!

Main Menu

Forms in Templates and HACKING ATTEMPT

Started by RRasco, March 26, 2007, 02:34:27 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

RRasco

March 26, 2007, 02:34:27 PM Last Edit: March 28, 2007, 11:28:07 AM by RRasco
I am trying to post some form data from one template and subaction to another.  problem is when i submit the data and try to run an INSERT INTO, i get an error from SMF that says 'hacking attempt'.  i had this problem before on another mod i was writing, but that was due to a ';' being in a query.  the query i am running now does not have any spec chars.....any ideas?  an example query is below...

Code Select
INSERT INTO smf_garage_vehicles (user_id, made_year, engine_type, color, mileage, mileage_unit, price, currency, date_created, date_updated, make_id, model_id) VALUES ("2", "2007", "8 Cylinder Forced Induction", "White", "1", "Miles", "30000", "USD", "1174925253", "1174925253", "2", "14");
Vehicle Management System for SMF - SMFGarage.com

H

#1
March 26, 2007, 03:00:38 PM
I think you need to define SMF although I'm not much of a programmer.

Code Select
define('SMF', 'SSI');
-H
Former Support Team Lead		                              I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
                             

RRasco

#2
March 26, 2007, 03:04:22 PM
that didnt seem to work.
Vehicle Management System for SMF - SMFGarage.com

RRasco

#3
March 27, 2007, 12:06:22 PM
anyone else have any ideas?
Vehicle Management System for SMF - SMFGarage.com

karlbenson

#4
March 27, 2007, 02:11:29 PM
I've had similar trouble in the past.  Every time I had it, it was due to an error in my code

try
Code Select
INSERT INTO {$db_prefix}garage_vehicles (`user_id`, `made_year`, `engine_type`, `color`, `mileage`, `mileage_unit`, `price`, `currency`, `date_created`, `date_updated`, `make_id`, `model_id`) VALUES ("2", "2007", "8 Cylinder Forced Induction", "White", "1", "Miles", "30000", "USD", "1174925253", "1174925253", "2", "14", __FILE__, __LINE__);

if that doesnt work.
Check your the table is in the database and its spelt correctly

Check each field in the table and check that its spelt correctly and that type/maxlengths are setup correctly.

RRasco

#5
March 27, 2007, 04:13:42 PM Last Edit: March 27, 2007, 04:57:03 PM by RRasco
Why did you put '__FILE__,__LINE__' in the query?  I have tried doing this several ways and verified the correct table/field name(s).  I just don't get it and its holding my whole project up.

This is the function that runs the query:

Code Select
// Insert Vehicle
function G_Insert_Vehicle()
{   
    global $txt, $scripturl, $db_prefix, $user_info;
    global $modSettings, $context, $func;
   
    include('Sources/GarageFunctions.php');
           
    $context['sub_template'] = 'insert_vehicle';
   
    $context['page_title'] = $txt[1501] . ' > ' . $txt[1549];
    $context['linktree'][] = array(
        'url' => $scripturl . '?action=garage;sa=add_vehicle',
        'name' => &$txt['1549']
    );
   
    $date_created = time();
   
    // TEMP QUERY CHECK
    $context['query'] = "INSERT INTO {$db_prefix}garage_vehicles (\"user_id\", \"made_year\", \"engine_type\", \"color\", \"mileage\", \"mileage_unit\", \"price\", \"currency\", \"date_created\", \"date_updated\", \"make_id\", \"model_id\", \"make_id\", \"model_id\") VALUES (\"".$context['user']['id']."\", \"".$_POST['made_year']."\", \"".$_POST['engine_type']."\", \"".$_POST['color']."\", \"".$_POST['mileage']."\", \"".$_POST['mileage_units']."\", \"".$_POST['price']."\", \"".$_POST['currency']."\", \"".$date_created."\", \"".$date_created."\", \"".$_POST['make_id']."\", \"".$_POST['model_id']."\");";
   
    // COME BACK AND ADD VALIDATION TO THIS FORM!
   
    // Insert Data Into {$db_prefix}garage_vehicles
    $request = db_query("
    INSERT INTO {$db_prefix}garage_vehicles (\"user_id\", \"made_year\", \"engine_type\", \"color\", \"mileage\", \"mileage_unit\", \"price\", \"currency\", \"date_created\", \"date_updated\", \"make_id\", \"model_id\", \"make_id\", \"model_id\")
    VALUES (\"".$context['user']['id']."\", \"".$_POST['made_year']."\", \"".$_POST['engine_type']."\", \"".$_POST['color']."\", \"".$_POST['mileage']."\", \"".$_POST['mileage_units']."\", \"".$_POST['price']."\", \"".$_POST['currency']."\", \"".$date_created."\", \"".$date_created."\", \"".$_POST['make_id']."\", \"".$_POST['model_id']."\");", __FILE__, __LINE__);
   
    mysql_free_result($request);
   
    move_uploaded_file($_FILES['FILE_UPLOAD'] ['tmp_name'],
      "Garage/uploads/{$_FILES['FILE_UPLOAD'] ['name']}");

}

and this is the value of $context['query'] so we can see what its printing...

Code Select
INSERT INTO smf_garage_vehicles ("user_id", "made_year", "engine_type", "color", "mileage", "mileage_unit", "price", "currency", "date_created", "date_updated", "make_id", "model_id", "make_id", "model_id") VALUES ("2", "2007", "8 Cylinder Forced Induction", "White", "1", "Miles", "30000", "USD", "1175028902", "1175028902", "2", "4");
Vehicle Management System for SMF - SMFGarage.com

karlbenson

#6
March 28, 2007, 08:36:18 AM
The __FILE__LINE bit is for the line/file information.

If there is an error, (depending on which type - if that sort of error is logged by smf) it will be shown in your error log, helping you to bug fix, find the problem query.

Most/All SMF queries use it

p.S why do have you escaped lots of characters with backslashes.  You don't need to do that.

RRasco

#7
March 28, 2007, 10:44:44 AM
im just trying different things to see if anything works or not.
Vehicle Management System for SMF - SMFGarage.com

RRasco

#8
March 28, 2007, 11:27:54 AM
AH HA!  It was the ';' at the end of the query, which I should have realized since I have had a similar problem inside a query before.  Thanks for all the help!
Vehicle Management System for SMF - SMFGarage.com

karlbenson

#9
March 28, 2007, 01:25:57 PM
glad you managed to fix it
Print
Go Up Pages1
User actions
Advertisement: