Form Processing

SFDonovan

Hello again,

I am continuing work on a PHP module for PHPNuke and want someone to look at my work and make some recommendations.

The module is called MILPACS and is for a gaming clan. I want to award points to soldiers who make drills, play on the server, and contribute to the clan. This way we can keep track of and promote those who are deserving. Here is my addpoints. php script.

I am not real experienced in PHP but have learned through trial and error and looking at others work.

Again any help is appreciated. Here is the meat of the form:

 <?php
OpenTable();

if ($op == "addpoints") {
		// Validations go here		
		// If all validations passed, save and exit, otherwise, redisplay with errors

	$point_id = intval($_POST['point_id']);
	$point_dt = addslashes($_POST['point_dt']);
	$points = intval($_POST['points']);
	$id = intval($_GET['id']);
	$sql = "INSERT INTO " . $prefix . "_milpacs_points_lkup 
		point_id = '$point_id',
		point_dt = '$point_dt',
		uniqueid = '$id',	
		point_details = '$details',
		points = '$points',
	 WHERE point_id ='$id'";
	$result = $db->sql_query($sql);
	}    
?>	

<form name="addpoints" action="modules.php?name=<?php echo $module_name ?>" method="post">
<table border="2" cellpadding="2" align="center" cellspacing="0" style="border-collapse: collapse;" bgcolor="#000000" bordercolor="#111111" width="100%">
	<tr>
		<td align="center" bgcolor="#777777">
		<b><font color="#000000">Record points for this soldier.</font></b>
		</td>
	<tr>
		<td align="left" bgcolor="#666633">
		<b><font color="#000000">Add Points</font></b>
		</td>
	</tr>
<table border=0 width="100%" cellpadding="3">
	<tr>
		<th width="20%">Reason for Action</th>
		<th width="20%">Point Value</th>
		<th width="25%">Date of Action</th>
		<th width="30%"><b>Details</b></th>
	</tr>
	<tr>
		<td align="center" bgcolor="#999999">
		<select name="point_id" size="1">
		<option value="">--- Select Action ---</option>
<?php
// Get values to populate combo box 
$result = $db->sql_query("SELECT point_id, point_class FROM " . $prefix . "_milpacs_points WHERE action = 'A'");
while ( $row = $db->sql_fetchrow($result) ) {
	$class = $row["point_class"];
	$point_id = $row["point_id"];
			echo "<option >$class</option>";	
}
?>
		</select>
		</td>		
         <td align="left" valign="middle" bgcolor="#999999">Points:<br>
            <input type="radio" name="points" checked value=""> Other&nbsp;
			<input type="text" name="points" value="0" size="10">
            <input type="radio" name="points" value="1"> 1 Point<br>
            <input type="radio" name="points" value="5"> 5 Points<br>
			<input type="radio" name="points" value="10"> 10 Points<br>
			<input type="radio" name="points" value="25"> 25 Points<br>
		</td>        

		<td align="center" bgcolor="#999999">
		<input type="text" name="point_dt" value="<?php echo $point_dt ?>">
		<a href="javascript:showCal('PointDate');"><img src="images/javascript/calendar.jpg" title="Select Date" alt="Select Date"></a>
		<font style="color: red;"><?php echo $dt_error ?></font>
		</td>
		<td align="left" bgcolor="#999999">
		<textarea name="details" cols="35" colspan="3" rows="3"><?php echo $details ?></textarea>
		</td>
	</tr>
</table>
<br>
<input type="hidden" name="op" value="addpoints"/>
<input type="hidden" name="pid" value="<?php echo $pid ?>"/>
<input type="hidden" name="id" value="<?php echo $id ?>"/>
<input type="submit" align="center" name="Submit" value="Add"/>
</form>
<?php
CloseTable();
@include_once("footer.php");
?>

Kudose

This line:

if ($op == "addpoints") {

Assumes that register_globals is turned on, which most configurations now default to off for security reasons. You should use the following code because it works with register_globals on or off.

if(isset($_POST['op'] == "addpoints")){