Coding Help

danbriant

I am building a cms system for personal use
Now i am well and truely stuck.
I am aware some if not all of my code may be insecure so i am asking for some help.
http://danielbriant.com/cms/admin/managecats.php

I currently use addslashes and stripslashes etc, but everyone says to use mysql_real_escape_string but i have looked around and tried to get that working but to no luck.
And i am at a loss on how to secure some of my $_GET used in the sql statments

I am sorry if my code has made any of you coders die of shock or something

bpat1434

Just so you know, there's an error in your javascript that prevents you from deleting the "cat's" category. You need to escape that apostrophe....

in place of addslashes, you can just use [man]mysql_real_escape_string/man to properly escape characters. It's much better than addslashes since it won't hinder your parsing of data and it looks normal in the database, instead of something like \\\\\'s....

Well, you can use type-casting to keep IDs as integers and descriptions as strings if you wanted. Would be much more secure. At the same time, you can have an array of "allowed" values for you _GET variables. If it's not in the array, it could be a hacking attempt (or you forgot to add it to the array).

Those are just a few items... not to mention putting this whole functionality behind an authentication system.

danbriant

Stop haxoring my script 🙂

I will recode it to use mysql_real_escape stuff.
So take it i can say use
$cat_name = mysql_real_escape_string($_POST['cat_name']);

Then sling $cat_name directly into the sql statement

I am working on getting the news and cat psoting stuff fixed etc then will work on user system

with mysql_real_escape_string do i use it on all DB querys or only stuff that will alter the datbase? like insert and update

bpat1434

Yes, using mysql_real_escape_string() that way is perfectly fine.

You should use mysql_real_escape_string on any query where user-input is being used. Even if it's just a simple search term. The reason is so that someone doesn't hack the query and bring back more information than you intend.

danbriant

i simply copied the php.net demo stuff and it seems to work

        if(get_magic_quotes_gpc()) {
            $cat_name = stripslashes($_POST['cat_name']);
            $cat_desc = stripslashes($_POST['cat_desc']);
        } else {
            $cat_name = $_POST['cat_name'];
            $cat_desc = $_POST['cat_desc'];
        }

    // Make a safe query
    $query = sprintf("INSERT INTO cats (`cat_name`, `cat_desc`) VALUES ('%s', '%s')",
                mysql_real_escape_string($cat_name),
                mysql_real_escape_string($cat_desc));

				mysql_query($query)or die('Could not insert cats: ' . mysql_error());

		//Make the redirect links back to main list page
		echo 'Entered data successfully Category Added <a href="?action=list">Back To Category Listing</a>';

what can i do about

$sql = mysql_query("DELETE FROM cats WHERE cat_id = ".$_GET["id"]."") or die('Could not delete cat: ' . mysql_error());

bpat1434

$sql = mysql_query("DELETE FROM cats WHERE cat_id = " . intval($_GET['id'])) or die('Could not delete cat: ' . mysql_error());

Or type-cast it using this:

$sql = mysql_query("DELETE FROM cats WHERE cat_id = " . (int) $_GET['id']) or die('Could not delete cat: ' . mysql_error());

Either way, you know that it's only going to be an integer that is put there.

danbriant

i have made the changes needed i think....
Let me know if i done any noobish things in the code. As i dont wanna continue coding and find out all i done was way wrong 🙂

Another question is i have an ACP page http://www.danielbriant.com/cms/admin/
How can i get it so that when a link on the left is clicked it loads that page into the content area on the right?

bpat1434

How can i get it so that when a link on the left is clicked it loads that page into the content area on the right?

What do you mean? So that the user "doesn't refresh" or just in general?

In general you'd replace the contents of the div with ID "mainContent" with whatever you wanted.

To do it without refreshing the entire page would mean utilizing AJAX which would mean that every link would call a javascript function to send a request to your server for the content. The response would be parsed, and the content of the response would be placed in the "mainContent" div.

danbriant

well like how frames work etc.
I just need something that keeps the links on the left and when a link is shown on the right
Like the phpBB and Vbulletin ACP do.

But i was looking for something that dont do frames as such, but has the same functions...

i would prefure it to refresh the whole page anyway

bpat1434

Then just call it as a normal link to go to your admin (or section) and have all your admin pages use the same template. Just replace the contents of the mainContent div in your template with whatever form you want to show.

danbriant

the way i used to link pages in php is using the following
http://danielbriant.com/cms/test.php
But this seems to kill all my switch links etc