KevinM1 Posted June 27, 2007 Share Posted June 27, 2007 I'm having problems using parentheses with the GET method. Here's what's going on: I wrote a custom registration script for a PHP-Fusion site. The script itself works fine. Upon successful submission, the user is redirected to a success page (unoriginally named success.php) that has a "Thank you, $user, for registering for the following event: $event" message. Those variables are passed via GET to that page. The page works fine, unless parentheses are used in the $event string. In those cases, I get a blank screen. I am escaping the input with mysql_real_escape_string(), so that shouldn't be an issue. Any ideas? Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/ Share on other sites More sharing options...
cooldude832 Posted June 27, 2007 Share Posted June 27, 2007 show us some code, but this sounds dangerous to pass all that info in GET get is designed for variables that the user can see for SEO reasons/linking purposes Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-284171 Share on other sites More sharing options...
KevinM1 Posted June 27, 2007 Author Share Posted June 27, 2007 show us some code, but this sounds dangerous to pass all that info in GET get is designed for variables that the user can see for SEO reasons/linking purposes Nothing critical is being sent via GET. Only a user name and the event name. One must be logged into the system to even get that far. It's not dangerous. In any event, my registration form: <?php require_once "maincore.php"; require_once "subheader.php"; require_once "side_left.php"; function myEscape($string){ return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string); } if(file_exists(INFUSIONS."aw_ecal_panel/locale/".$settings['locale'].".php")) { include INFUSIONS."aw_ecal_panel/locale/".$settings['locale'].".php"; } else { include INFUSIONS."aw_ecal_panel/locale/German.php"; } if(!iMEMBER){ fallback(); } if(isset($_GET['evid'])){ $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id=". $_GET['evid']); $event = dbarray($ev); $ev_id = myEscape($event['ev_id']); $user_id = myEscape($userdata['user_id']); $ev_title = myEscape($event['ev_title']); $ev_start = myEscape($event['ev_start']); $ev_end = myEscape($event['ev_end']); } $errMessage = NULL; if(isset($_POST['submit'])){ $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id=". $_POST['evid']); $event = dbarray($ev); $ev_id = myEscape($event['ev_id']); $user_id = myEscape($userdata['user_id']); $ev_title = myEscape($event['ev_title']); $ev_start = myEscape($event['ev_start']); $ev_end = myEscape($event['ev_end']); if(!empty($_POST['regAgent']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['regAgent'])){ $regAgent = myEscape($_POST['regAgent']); $ra = TRUE; } else{ $errMessage .= "Please enter your name!<br />\n"; } if(!empty($_POST['agentWritingNum']) && preg_match("/^[0-9a-zA-Z]*$/i", $_POST['agentWritingNum'])){ $agentWritingNum = myEscape($_POST['agentWritingNum']); $awn = TRUE; } else{ $errMessage .= "Please enter your writing number!<br />\n"; } if(!empty($_POST['phoneNum'])){ $phoneNum = $_POST['phoneNum']; if(preg_match("/^[0-9]{3}$/i", $phoneNum[0]) && preg_match("/^[0-9]{3}$/i", $phoneNum[1]) && preg_match("/^[0-9]{4}$/i", $phoneNum[2])){ $areaCode = myEscape($phoneNum[0]); $firstPart = myEscape($phoneNum[1]); $secondPart = myEscape($phoneNum[2]); $phoneText = "$areaCode-$firstPart-$secondPart"; $phone = TRUE; } else{ $errMessage .= "Please enter your correct phone number!<br />\n"; } } else{ $errMessage .= "Please enter your phone number!<br />\n"; } if(!empty($_POST['emailAddress']) && preg_match("/^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/i", $_POST['emailAddress'])){ $email = myEscape($_POST['emailAddress']); $e = TRUE; } else{ $errMessage .= "Please enter your e-mail address!<br />\n"; } if(!empty($_POST['regionalSales']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['regionalSales'])){ $regSales = myEscape($_POST['regionalSales']); $rs = TRUE; } else{ $errMessage .= "Please enter the name of your regional sales coordinator!<br />\n"; } if(!empty($_POST['districtSales']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['districtSales'])){ $disSales = myEscape($_POST['districtSales']); $ds = TRUE; } else{ $errMessage .= "Please enter the name of your district sales coordinator!<br />\n"; } if($ra && $awn && $phone && $email && $rs && $ds){ //start the big process of updating tables and e-mailing results $timestamp = strtotime("now"); $aflacQuery = "INSERT INTO ".DB_PREFIX."aflac (registering_agent, agent_writing_number, phone, email, regional_sales_coordinator, district_sales_coordinator, ev_id, user_id, ev_title, ev_start, ev_end, login_timestamp, login_status) VALUES ('". $regAgent ."', '". $agentWritingNum ."', '". $phoneText ."', '". $email ."', '". $regSales ."', '". $disSales ."', '". $ev_id ."', '". $user_id ."', '". $ev_title ."', '". $ev_start ."', '". $ev_end ."', '". $timestamp ."', '1')"; $aflacResult = dbquery($aflacQuery); $eventQuery = "UPDATE ".DB_PREFIX."aw_ec_events SET ev_allow_logins='1' WHERE ev_id='".$ev_id."'"; $eventResult = dbquery($eventQuery); $loginsQuery = "INSERT INTO ".DB_PREFIX."aw_ec_logins (ev_id, user_id, login_comment, login_status, login_timestamp) VALUES ('". $ev_id ."', '". $user_id ."', 'Definitely Agreed', '1', '". $timestamp ."')"; $loginsResult = dbquery($loginsQuery); if($aflacResult && $eventResult && $loginsResult){ $eventTimestamp = strtotime($ev_start); $eventDate = date("m-d-Y h:i:s T", $eventTimestamp); $userName = $userdata['user_name']; $to = "rebecca_dunkle@us.aflac.com"; $subject = "Event Registration ($ev_title)"; $mailMessage = "<html>\n<head>\n<title>Event Registration Information</title>\n</head>\n\n<body>"; $mailMessage .= "Below is the registration information:<br />\n<br />\n"; $mailMessage .= "Event Name: $ev_title<br />\nEvent Date: $eventDate<br />\nRegistering Agent: $regAgent<br />\nUser Name: $userName<br />\n"; $mailMessage .= "Agent Writing Number: $agentWritingNum<br />\nPhone Number: $phoneText<br />\n"; $mailMessage .= "E-mail Address: $email<br />\nRegional Sales Coordinator: $regSales<br />\n"; $mailMessage .= "District Sales Coordinator: $disSales<br />\n</body>\n</html>"; $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; mail($to, $subject, $mailMessage, $headers); header("Location: success.php?user=$userName&event=$ev_title"); } else{ echo "<br />Something went wrong with the insert!<br /><br />\n\n"; } } else{ echo "<div style='color: red;'>$errMessage</div><br />"; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Registration Form</title> <link rel="stylesheet" type="text/css" href="formstyles.css"> </head> <body style="text-align: center;"> <div style="width: 400px; margin: 0 auto;"> Registration Form<br /><br /> <form action="<?php echo $_SERVER['PHP_SELF']; ?>?evid=<?php echo $ev_id; ?>" method="post"> <fieldset class="narrow"><legend>Please input your information</legend> <p><label for="regAgent">Registering Agent:</label><input type="text" name="regAgent" value="<?php if(isset($_POST['regAgent'])){echo $_POST['regAgent'];} ?>" /></p> <p><label for="agentWritingNum">Agent Writing Number:</label><input type="text" name="agentWritingNum" value="<?php if(isset($_POST['agentWritingNum'])){echo $_POST['agentWritingNum'];} ?>" /></p> <p><label for="phoneNum">Phone Number:</label>(<input type="text" name="phoneNum[]" size="3" maxlength="3" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][0];} ?>" />) - <input type="text" name="phoneNum[]" size="3" maxlength="3" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][1];} ?>" /> - <input type="text" name="phoneNum[]" size="4" maxlength="4" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][2];} ?>" /></p> <p><label for="emailAddress">E-mail Address:</label><input type="text" name="emailAddress" value="<?php if(isset($_POST['emailAddress'])){echo $_POST['emailAddress'];} ?>" /></p> <p><label for="regionalSales">Regional Sales Coordinator:</label><input type="text" name="regionalSales" value="<?php if(isset($_POST['regionalSales'])){echo $_POST['regionalSales'];} ?>" /></p> <p><label for="districtSales">District Sales Coordinator:</label><input type="text" name="districtSales" value="<?php if(isset($_POST['districtSales'])){echo $_POST['districtSales'];} ?>" /></p> </fieldset> <input type="hidden" name="evid" value="<?php echo $ev_id; ?>" /> <p><input type="submit" name="submit" value="Submit" /></p> </form> </div> </body> </html> <?php require_once "side_right.php"; require_once "footer.php"; ?> The success page: <?php require_once "maincore.php"; require_once "subheader.php"; require_once "side_left.php"; if(!iMEMBER){ fallback(); } if(isset($_GET['user'])){ $userName = $_GET['user']; } if(isset($_GET['event'])){ $eventName = $_GET['event']; } $text = "Thank you $userName for registering for the following event:<br />\n"; $text .= "$eventName<br />\n<br />\n<a href='".BASEDIR."/news.php'>Please click here to return home</a>"; echo $text; require_once "side_right.php"; require_once "footer.php"; ?> Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-284181 Share on other sites More sharing options...
trq Posted June 27, 2007 Share Posted June 27, 2007 You need to use url_encode to pass special chars through the url. Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-284186 Share on other sites More sharing options...
per1os Posted June 27, 2007 Share Posted June 27, 2007 if(isset($_GET['evid'])){ $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id=". $_GET['evid']); That line could screw you, your not escaping the $_GET['evid'] before you query it... Here is that part corrected for you: $ev_id = myEscape($_GET['evid']); $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id=". $ev_id); $event = dbarray($ev); $user_id = $userdata['user_id']; $ev_title = $event['ev_title']; $ev_start = $event['ev_start']; $ev_end = $event['ev_end']; You only need to escape data going INTO the db, not coming out (IE $_GET['evid'] is going into the db) Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-284189 Share on other sites More sharing options...
KevinM1 Posted June 27, 2007 Author Share Posted June 27, 2007 Unfortunately, success.php is still choking on parentheses. My code: registration.php <?php require_once "maincore.php"; require_once "subheader.php"; require_once "side_left.php"; function myEscape($string){ return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string); } if(file_exists(INFUSIONS."aw_ecal_panel/locale/".$settings['locale'].".php")) { include INFUSIONS."aw_ecal_panel/locale/".$settings['locale'].".php"; } else { include INFUSIONS."aw_ecal_panel/locale/German.php"; } if(!iMEMBER){ fallback(); } if(isset($_GET['evid'])){ $ev_id = myEscape($_GET['evid']); $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id='$ev_id'"); $event = dbarray($ev); $ev_id = $event['ev_id']; $user_id = $userdata['user_id']; $ev_title = $event['ev_title']; $ev_start = $event['ev_start']; $ev_end = $event['ev_end']; } $errMessage = NULL; if(isset($_POST['submit'])){ $ev_id = myEscape($_POST['evid']); $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id='$ev_id'"); $event = dbarray($ev); $ev_id = $event['ev_id']; $user_id = $userdata['user_id']; $ev_title = $event['ev_title']; $ev_start = $event['ev_start']; $ev_end = $event['ev_end']; if(!empty($_POST['regAgent']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['regAgent'])){ $regAgent = myEscape($_POST['regAgent']); $ra = TRUE; } else{ $errMessage .= "Please enter your name!<br />\n"; } if(!empty($_POST['agentWritingNum']) && preg_match("/^[0-9a-zA-Z]*$/i", $_POST['agentWritingNum'])){ $agentWritingNum = myEscape($_POST['agentWritingNum']); $awn = TRUE; } else{ $errMessage .= "Please enter your writing number!<br />\n"; } if(!empty($_POST['phoneNum'])){ $phoneNum = $_POST['phoneNum']; if(preg_match("/^[0-9]{3}$/i", $phoneNum[0]) && preg_match("/^[0-9]{3}$/i", $phoneNum[1]) && preg_match("/^[0-9]{4}$/i", $phoneNum[2])){ $areaCode = myEscape($phoneNum[0]); $firstPart = myEscape($phoneNum[1]); $secondPart = myEscape($phoneNum[2]); $phoneText = "$areaCode-$firstPart-$secondPart"; $phone = TRUE; } else{ $errMessage .= "Please enter your correct phone number!<br />\n"; } } else{ $errMessage .= "Please enter your phone number!<br />\n"; } if(!empty($_POST['emailAddress']) && preg_match("/^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/i", $_POST['emailAddress'])){ $email = myEscape($_POST['emailAddress']); $e = TRUE; } else{ $errMessage .= "Please enter your e-mail address!<br />\n"; } if(!empty($_POST['regionalSales']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['regionalSales'])){ $regSales = myEscape($_POST['regionalSales']); $rs = TRUE; } else{ $errMessage .= "Please enter the name of your regional sales coordinator!<br />\n"; } if(!empty($_POST['districtSales']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['districtSales'])){ $disSales = myEscape($_POST['districtSales']); $ds = TRUE; } else{ $errMessage .= "Please enter the name of your district sales coordinator!<br />\n"; } if($ra && $awn && $phone && $email && $rs && $ds){ //start the big process of updating tables and e-mailing results $timestamp = strtotime("now"); $aflacQuery = "INSERT INTO ".DB_PREFIX."aflac (registering_agent, agent_writing_number, phone, email, regional_sales_coordinator, district_sales_coordinator, ev_id, user_id, ev_title, ev_start, ev_end, login_timestamp, login_status) VALUES ('". $regAgent ."', '". $agentWritingNum ."', '". $phoneText ."', '". $email ."', '". $regSales ."', '". $disSales ."', '". $ev_id ."', '". $user_id ."', '". $ev_title ."', '". $ev_start ."', '". $ev_end ."', '". $timestamp ."', '1')"; $aflacResult = dbquery($aflacQuery); $eventQuery = "UPDATE ".DB_PREFIX."aw_ec_events SET ev_allow_logins='1' WHERE ev_id='".$ev_id."'"; $eventResult = dbquery($eventQuery); $loginsQuery = "INSERT INTO ".DB_PREFIX."aw_ec_logins (ev_id, user_id, login_comment, login_status, login_timestamp) VALUES ('". $ev_id ."', '". $user_id ."', 'Definitely Agreed', '1', '". $timestamp ."')"; $loginsResult = dbquery($loginsQuery); if($aflacResult && $eventResult && $loginsResult){ $eventTimestamp = strtotime($ev_start); $eventDate = date("m-d-Y h:i:s T", $eventTimestamp); $userName = $userdata['user_name']; $to = "kevinmajor1@gmail.com"; $subject = "Event Registration ($ev_title)"; $mailMessage = "<html>\n<head>\n<title>Event Registration Information</title>\n</head>\n\n<body>"; $mailMessage .= "Below is the registration information:<br />\n<br />\n"; $mailMessage .= "Event Name: $ev_title<br />\nEvent Date: $eventDate<br />\nRegistering Agent: $regAgent<br />\nUser Name: $userName<br />\n"; $mailMessage .= "Agent Writing Number: $agentWritingNum<br />\nPhone Number: $phoneText<br />\n"; $mailMessage .= "E-mail Address: $email<br />\nRegional Sales Coordinator: $regSales<br />\n"; $mailMessage .= "District Sales Coordinator: $disSales<br />\n</body>\n</html>"; $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; mail($to, $subject, $mailMessage, $headers); $userName = htmlentities(rawurlencode($userName)); $ev_title = htmlentities(rawurlencode($ev_title)); header("Location: success.php?user=$userName&event=$ev_title"); } else{ echo "<br />Something went wrong with the insert!<br /><br />\n\n"; } } else{ echo "<div style='color: red;'>$errMessage</div><br />"; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Registration Form</title> <link rel="stylesheet" type="text/css" href="formstyles.css"> </head> <body style="text-align: center;"> <div style="width: 400px; margin: 0 auto;"> Registration Form<br /><br /> <form action="<?php echo $_SERVER['PHP_SELF']; ?>?evid=<?php echo $ev_id; ?>" method="post"> <fieldset class="narrow"><legend>Please input your information</legend> <p><label for="regAgent">Registering Agent:</label><input type="text" name="regAgent" value="<?php if(isset($_POST['regAgent'])){echo $_POST['regAgent'];} ?>" /></p> <p><label for="agentWritingNum">Agent Writing Number:</label><input type="text" name="agentWritingNum" value="<?php if(isset($_POST['agentWritingNum'])){echo $_POST['agentWritingNum'];} ?>" /></p> <p><label for="phoneNum">Phone Number:</label>(<input type="text" name="phoneNum[]" size="3" maxlength="3" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][0];} ?>" />) - <input type="text" name="phoneNum[]" size="3" maxlength="3" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][1];} ?>" /> - <input type="text" name="phoneNum[]" size="4" maxlength="4" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][2];} ?>" /></p> <p><label for="emailAddress">E-mail Address:</label><input type="text" name="emailAddress" value="<?php if(isset($_POST['emailAddress'])){echo $_POST['emailAddress'];} ?>" /></p> <p><label for="regionalSales">Regional Sales Coordinator:</label><input type="text" name="regionalSales" value="<?php if(isset($_POST['regionalSales'])){echo $_POST['regionalSales'];} ?>" /></p> <p><label for="districtSales">District Sales Coordinator:</label><input type="text" name="districtSales" value="<?php if(isset($_POST['districtSales'])){echo $_POST['districtSales'];} ?>" /></p> </fieldset> <input type="hidden" name="evid" value="<?php echo $ev_id; ?>" /> <p><input type="submit" name="submit" value="Submit" /></p> </form> </div> </body> </html> <?php require_once "side_right.php"; require_once "footer.php"; ?> success.php (nothing changed) <?php require_once "maincore.php"; require_once "subheader.php"; require_once "side_left.php"; if(!iMEMBER){ fallback(); } if(isset($_GET['user'])){ $userName = $_GET['user']; } if(isset($_GET['event'])){ $eventName = $_GET['event']; } $text = "Thank you $userName for registering for the following event:<br />\n"; $text .= "$eventName<br />\n<br />\n<a href='".BASEDIR."/news.php'>Please click here to return home</a>"; echo $text; require_once "side_right.php"; require_once "footer.php"; ?> I tried urlencode, but it didn't work. I also tried it with htmlentities to no avail. It looks like the combination of htmlentities and rawurlencode should work, as I'm getting the familiar %-something entities in the place of spaces and parentheses, but success.php still won't display properly. In all tests, I get the following HTML: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD> <BODY></BODY></HTML> Event titles without parentheses still work correctly. Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-284210 Share on other sites More sharing options...
KevinM1 Posted June 27, 2007 Author Share Posted June 27, 2007 I figured I might as well bump this up as I still haven't figured it out. Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-284373 Share on other sites More sharing options...
KevinM1 Posted June 28, 2007 Author Share Posted June 28, 2007 I really need help with this, so here's a recap of what's going on. I've made a custom registration script for a PHP-Fusion site. This form acts in conjunction with a 3rd party event calendar addon. It's a pretty straightforward sticky form. Upon successful submission of this form, the data is saved to the database, an e-mail is sent to the site administrator, and the user is redirected to a success page telling them that they've been successfully registered for that particular event. My problem is with the success page. The header call which redirects the user to that page passes the username and event title to it via GET (so something like header("Location: http://www.nightslyr.com/success.php?user=admin&ev_title=Some%20Event")). This works in most cases, but fails when the event title contains parentheses. Hyphens and spaces both work. I've tried, at the suggestion of Thorpe, using urlencode(). That didn't work. Neither did using it in conjunction with htmlentities(). Rawurlencode() - both with and without htmlentities() - fails, too. No matter what I try, I get the same barebones and blank HTML page. Again, this only happens when I use parentheses in an event title. All other tests without parentheses, to this point, work fine. Below is the code in question: edit_event.php - this is the script that creates/edits a calendar event. It came from a 3rd party, but I modified some of it (namely, I added the 'is_reference_date' bits and the myEscape() function): <?php /*************************************************************************** * awEventCalendar * * * * Copyright (C) 2006-2007 Artur Wiebe * * wibix@gmx.de * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * * the Free Software Foundation; either version 2 of the License, or * * (at your option) any later version. * ***************************************************************************/ require_once("../../maincore.php"); require_once(BASEDIR."subheader.php"); require_once(BASEDIR."side_left.php"); function myEscape($string){ return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string); } if(!iMEMBER) { fallback("calendar.php"); } require_once("include/common.php5"); if(!iEC_ADMIN && !ec_check_access($ec_settings['post_group'])) { fallback("calendar.php"); } if(isset($_GET['id']) && isNum($_GET['id'])) { $id = $_GET['id']; } else { unset($id); } if(iEC_ADMIN) { $user_access = ""; } else { $user_access = "AND user_id='".$userdata['user_id']."'"; } $title = ""; $access = 0; $body = ""; $disable_smilies = 1; $ev_start = getdate(time()); // $allow_logins = 0; $max_logins = 0; $login_access = 101; // $ev_repeat = 0; $is_private = 0; $errors = 0; if(isset($_GET['errno']) && isNum($_GET['errno'])) { $errno = $_GET['errno']; } else { unset($errno); } /* * ACTION */ if(isset($_POST['save'])) { $title = myEscape($_POST['title']); $body = myEscape($_POST['desc']); if(empty($title) || empty($body)) { $errors++; } $access = $_POST['access']+0; $disable_smilies = (isset($_POST['disable_smileys']) ? "1" : "0"); $ev_start = array( "year" => $_POST['start_year']+0, "mon" => $_POST['start_month']+0, "mday" => $_POST['start_mday']+0, "hours" => $_POST['start_hours']+0, "minutes" => $_POST['start_mins']+0, ); $start = $ev_start['year']."-".$ev_start['mon'] ."-".$ev_start['mday'] ." ".$ev_start['hours'].":".$ev_start['minutes'].":00"; $end = $start; // "0000-00-00 00:00:00"; // FIXME $allow_logins = (isset($_POST['allow_logins']) ? "1" : "0"); $max_logins = $_POST['max_logins']+0; $login_access = $_POST['login_access']+0; if(!$login_access || !ec_check_access($login_access)) { $login_access = 101; } $ev_repeat = $_POST['repeat']+0; $is_private = (isset($_POST['is_private']) ? "1" : "0"); $is_reference_date = (isset($_POST['is_reference_date']) ? "y" : "n"); /* Kevin Line */ $now = time(); if($is_private || iEC_ADMIN) { $status = "0"; } else { $status = ($ec_settings['need_admin_ok'] ? "1" : "0"); } if($is_private) { if($allow_logins) { $allow_logins = "0"; $max_logins = "0"; $login_access = "101"; $errno = EC_ELOGIN; } if($access) { $access = "0"; $errno = EC_EACCESS; } } if($errors==0) { if(!isset($id)) { $query_id = dbquery("INSERT INTO ".DB_PREFIX."aw_ec_events" ." SET" ." user_id='".$userdata['user_id']."'," ." ev_timestamp='$now'," ." ev_body=''"); $id = mysql_insert_id(); } $ok = dbquery("UPDATE ".DB_PREFIX."aw_ec_events" ." SET" ." ev_title='$title', ev_body='$body'," ." ev_start='$start'," ." ev_end='$end'," ." ev_repeat='$ev_repeat'," ." ev_private='$is_private'," ." ev_status='$status'," ." ev_no_smileys='$disable_smilies'," ." ev_allow_logins='$allow_logins'," ." ev_max_logins='$max_logins'," ." ev_access='$access'," ." ev_login_access='$login_access'," ." is_reference_date='$is_reference_date'" /* Kevin Line */ ." WHERE ev_id='$id' $user_access"); if(!$ok) { $errno = EC_EDB; } if(!isset($errno)) { fallback("edit_event.php?id=$id&errno=0"); } } } elseif(isset($_GET['del']) && isset($id)) { $ok = dbquery("DELETE FROM ".DB_PREFIX."aw_ec_events" ." WHERE ev_id='$id' $user_access"); if($ok) { $ok = dbquery("DELETE FROM ".DB_PREFIX."aw_ec_logins" ." WHERE ev_id='$id'"); } if($ok) { if(isset($_GET['back_to'])) { fallback("new_events.php"); } else { fallback("calendar.php"); } } } elseif(isset($_GET['status']) && isset($id) && isset($_GET['time']) && isNum($_GET['time']) && iEC_ADMIN) { $ok = dbquery("UPDATE ".DB_PREFIX."aw_ec_events" ." SET ev_status=MOD(ev_status+1, 2)" ." WHERE ev_id='$id' AND ev_timestamp='".$_GET['time']."'"); if($ok) { if(isset($_GET['back_to'])) { fallback("new_events.php"); } else { fallback("edit_event.php?id=$id"); } } } /* * GET */ if(isset($id)) { $query_id = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events" ." WHERE ev_id='$id' $user_access"); if(!dbrows($query_id)) { fallback("calendar.php"); } $event = dbarray($query_id); $title = $event['ev_title']; $body = $event['ev_body']; $ev_repeat = $event['ev_repeat']; $is_private = $event['ev_private']; $is_reference_date = (($event['is_reference_date'] == 'y') ? 1 : 0); /* Kevin Line */ $allow_logins = $event['ev_allow_logins']; $max_logins = $event['ev_max_logins']; $disable_smilies = $event['ev_no_smileys']; $access = $event['ev_access']; // $ev_start = array( "year" => substr($event['ev_start'], 0, 4), "mon" => substr($event['ev_start'], 5, 2), "mday" => substr($event['ev_start'], 8, 2), "hours" => substr($event['ev_start'], 11, 2), "minutes" => substr($event['ev_start'], 14, 2), ); $end = $ev_start; // $login_access = $event['ev_login_access']; } else { $event = array( "ev_status" => "0", ); } function ec_make_select($date, $fname) { global $locale; $date['mday'] = str_pad($date['mday'], 2, "0", STR_PAD_LEFT); $date['mon'] = str_pad($date['mon'], 2, "0", STR_PAD_LEFT); $date['hours'] = str_pad($date['hours'], 2, "0", STR_PAD_LEFT); $date['minutes'] = str_pad($date['minutes'], 2, "0", STR_PAD_LEFT); $sel_day = ""; $sel_month = ""; $sel_mins = ""; $sel_hours = ""; // day for($i=1; $i<=31; ++$i) { $sel_day .= "<option value='$i'" .($i==$date['mday'] ? " selected" : "").">" .$i."</option>\n"; } // month for($i=1; $i<=12; ++$i) { $sel_month .= "<option value='$i'" .($i==$date['mon'] ? " selected" : "").">" .$locale['EC900'][$i]."</option>\n"; } // hours for($i=0; $i<=23; ++$i) { $sel_hours .= "<option value='$i'" .($i==$date['hours'] ? " selected" : "").">" .$i."</option>\n"; } // mins for($i=0; $i<=59; ++$i) { $sel_mins .= "<option value='$i'" .($i==$date['minutes'] ? " selected" : "").">" .$i."</option>\n"; } return "<select class='textbox' name='${fname}_mday'>" .$sel_day."</select>" .".<select class='textbox' name='${fname}_month'>" .$sel_month."</select>" .".<input type='text' class='textbox' name='${fname}_year'" ." value='".$date['year']."' size='5' maxlength='4'>" ." / " ." <select class='textbox' name='${fname}_hours'>" .$sel_hours."</select>" .":<select class='textbox' name='${fname}_mins'>" .$sel_mins."</select>\n"; } function ec_get_timestamp($fname) { return mktime($_POST[$fname."_hours"], $_POST[$fname."_mins"], 0, $_POST[$fname."_month"], $_POST[$fname."_mday"], $_POST[$fname."_year"]); } /* * GUI */ $sel_access = ""; $sel_login_access = ""; $fusion_groups = getusergroups(); foreach($fusion_groups as $group) { list($gid, $gname) = $group; if(!ec_check_access($gid)) { continue; } $sel_access .= "<option value='$gid'" .($gid==$access ? " selected" : "").">" .$gname."</option>\n"; if(!$gid) { continue; } $sel_login_access .= "<option value='$gid'" .($gid==$login_access ? " selected" : "").">" .$gname."</option>\n"; } $sel_repeat = ""; foreach($locale['EC125'] as $rep => $text) { $sel_repeat .= "<option value='$rep'" .($ev_repeat==$rep ? " selected" : "").">" ."$text</option>\n"; } /* * GUI - <input type='button' value='".EC_BREAK."' class='button' onClick=\"insertText('comment_message', '".EC_BREAK."');\">\n"; */ opentable(isset($id) ? $locale['EC101'] : $locale['EC100']); echo ec_get_menu(); $action = FUSION_SELF; if(isset($id)) { $action .= "?id=$id"; echo "<div align='right'><a href='view_event.php?id=$id'>" .$locale['EC102']."</a>\n"; if(iADMIN) { echo " | <a href='$action&status=1'>".($event['ev_status'] ? $locale['EC306'] : $locale['EC307']) ."</a>\n"; } echo "</div>\n"; } if($errors) { echo "<p><div style='text-align:center;'><strong>" .$locale['EC119']."</strong></div></p>\n"; } if(isset($errno) && isset($locale['EC113'][$errno])) { echo "<p><div style='text-align:center;'><strong>" .$locale['EC113'][$errno]."</strong></div></p>\n"; } if($event['ev_status']) { $status = "<tr> <td class='forum-caption' height='50' colspan='2' align='center' valign='center'>" .$locale['EC113'][EC_ESTATUS]."</td> </tr>\n"; } else { $status = ""; } echo "<p><span class='small2'>".$locale['EC118']."</span> <form action='$action' method='post' name='inputform'> <table width='100%' class='tbl-border' cellspacing='1'> $status <tr> <td class='tbl2' width='150'>".$locale['EC103'].": *</td> <td class='tbl1'><input value='$title' type='text'" ." name='title' class='textbox' style='width:100%;'></td> </tr> <tr> <td class='tbl2'>".$locale['EC116'].":</td> <td class='tbl1'><select class='textbox' name='access'>" ."$sel_access</select></td> </tr> <tr> <td class='tbl2' valign='top'>".$locale['EC104'].": *</td> <td class='tbl1'><textarea name='desc' rows='8'" ." class='textbox' style='width:100%;'>".$body ."</textarea><br>" .ec_get_bb_smileys("desc", true, $disable_smilies)."</td> </tr> <tr> <td class='tbl2'>".$locale['EC105'].":</td> <td class='tbl1'>".ec_make_select($ev_start, "start") ."<br><span class='small2'>".$locale['EC120']."</span></td> </tr> <!-- logins --> <tr> <td class='forum-caption' colspan='2'><input type='checkbox'" ." name='allow_logins'".($allow_logins ? " checked" : "") ."> ".$locale['EC109']."</td> </tr> <tr> <td class='tbl2'>".$locale['EC110'].":</td> <td class='tbl1'><input type='text' class='textbox' name='max_logins'" ." value='$max_logins' size='5' maxlength='5'>" ." <span class='small2'>".$locale['EC110_1']."</span></td> </tr> <tr> <td class='tbl2'>".$locale['EC116'].":</td> <td class='tbl2'><select name='login_access' class='textbox'>$sel_login_access</select></td> </tr> <!-- misc --> <tr> <td class='forum-caption' colspan='2'>".$locale['EC122']."</td> </tr> <tr> <td class='tbl2'>".$locale['EC107'].":</td> <td class='tbl1'><select class='textbox' name='repeat'>" ."$sel_repeat</select></td> </tr> <tr> <td class='tbl2' valign='top'>".$locale['EC106'].":</td> <td class='tbl1'><input type='checkbox' name='is_private'" .($is_private ? " checked" : "")." />".$locale['EC108']."<br /> <input type='checkbox' name='is_reference_date'".($is_reference_date ? " checked" : "")." />Is reference event</td> <!-- Kevin Line --> </tr> <tr> <td class='tbl2' colspan='2' align='center'>" ."<input type='submit' name='save' class='button'" ." value='".$locale['EC111']."'></td> </tr> </table> </form>"; closetable(); require_once(BASEDIR."side_right.php"); require_once(BASEDIR."footer.php"); ?> registration.php - my custom registration script: <?php require_once "maincore.php"; require_once "subheader.php"; require_once "side_left.php"; function myEscape($string){ return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string); } if(file_exists(INFUSIONS."aw_ecal_panel/locale/".$settings['locale'].".php")) { include INFUSIONS."aw_ecal_panel/locale/".$settings['locale'].".php"; } else { include INFUSIONS."aw_ecal_panel/locale/German.php"; } if(!iMEMBER){ fallback(); } if(isset($_GET['evid'])){ $ev_id = myEscape($_GET['evid']); $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id='$ev_id'"); $event = dbarray($ev); $ev_id = $event['ev_id']; $user_id = $userdata['user_id']; $ev_title = $event['ev_title']; $ev_start = $event['ev_start']; $ev_end = $event['ev_end']; } $errMessage = NULL; if(isset($_POST['submit'])){ $ev_id = myEscape($_POST['evid']); $ev = dbquery("SELECT * FROM ".DB_PREFIX."aw_ec_events WHERE ev_id='$ev_id'"); $event = dbarray($ev); $ev_id = $event['ev_id']; $user_id = $userdata['user_id']; $ev_title = $event['ev_title']; $ev_start = $event['ev_start']; $ev_end = $event['ev_end']; if(!empty($_POST['regAgent']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['regAgent'])){ $regAgent = myEscape($_POST['regAgent']); $ra = TRUE; } else{ $errMessage .= "Please enter your name!<br />\n"; } if(!empty($_POST['agentWritingNum']) && preg_match("/^[0-9a-zA-Z]*$/i", $_POST['agentWritingNum'])){ $agentWritingNum = myEscape($_POST['agentWritingNum']); $awn = TRUE; } else{ $errMessage .= "Please enter your writing number!<br />\n"; } if(!empty($_POST['phoneNum'])){ $phoneNum = $_POST['phoneNum']; if(preg_match("/^[0-9]{3}$/i", $phoneNum[0]) && preg_match("/^[0-9]{3}$/i", $phoneNum[1]) && preg_match("/^[0-9]{4}$/i", $phoneNum[2])){ $areaCode = myEscape($phoneNum[0]); $firstPart = myEscape($phoneNum[1]); $secondPart = myEscape($phoneNum[2]); $phoneText = "$areaCode-$firstPart-$secondPart"; $phone = TRUE; } else{ $errMessage .= "Please enter your correct phone number!<br />\n"; } } else{ $errMessage .= "Please enter your phone number!<br />\n"; } if(!empty($_POST['emailAddress']) && preg_match("/^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/i", $_POST['emailAddress'])){ $email = myEscape($_POST['emailAddress']); $e = TRUE; } else{ $errMessage .= "Please enter your e-mail address!<br />\n"; } if(!empty($_POST['regionalSales']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['regionalSales'])){ $regSales = myEscape($_POST['regionalSales']); $rs = TRUE; } else{ $errMessage .= "Please enter the name of your regional sales coordinator!<br />\n"; } if(!empty($_POST['districtSales']) && preg_match("/^[a-zA-Z]+([ a-zA-Z\.-]+)*$/i", $_POST['districtSales'])){ $disSales = myEscape($_POST['districtSales']); $ds = TRUE; } else{ $errMessage .= "Please enter the name of your district sales coordinator!<br />\n"; } if($ra && $awn && $phone && $email && $rs && $ds){ //start the big process of updating tables and e-mailing results $timestamp = strtotime("now"); $aflacQuery = "INSERT INTO ".DB_PREFIX."aflac (registering_agent, agent_writing_number, phone, email, regional_sales_coordinator, district_sales_coordinator, ev_id, user_id, ev_title, ev_start, ev_end, login_timestamp, login_status) VALUES ('". $regAgent ."', '". $agentWritingNum ."', '". $phoneText ."', '". $email ."', '". $regSales ."', '". $disSales ."', '". $ev_id ."', '". $user_id ."', '". $ev_title ."', '". $ev_start ."', '". $ev_end ."', '". $timestamp ."', '1')"; $aflacResult = dbquery($aflacQuery); $eventQuery = "UPDATE ".DB_PREFIX."aw_ec_events SET ev_allow_logins='1' WHERE ev_id='".$ev_id."'"; $eventResult = dbquery($eventQuery); $loginsQuery = "INSERT INTO ".DB_PREFIX."aw_ec_logins (ev_id, user_id, login_comment, login_status, login_timestamp) VALUES ('". $ev_id ."', '". $user_id ."', 'Definitely Agreed', '1', '". $timestamp ."')"; $loginsResult = dbquery($loginsQuery); if($aflacResult && $eventResult && $loginsResult){ $eventTimestamp = strtotime($ev_start); $eventDate = date("m-d-Y h:i:s T", $eventTimestamp); $userName = $userdata['user_name']; $to = "kevinmajor1@gmail.com"; $subject = "Event Registration ($ev_title)"; $mailMessage = "<html>\n<head>\n<title>Event Registration Information</title>\n</head>\n\n<body>"; $mailMessage .= "Below is the registration information:<br />\n<br />\n"; $mailMessage .= "Event Name: $ev_title<br />\nEvent Date: $eventDate<br />\nRegistering Agent: $regAgent<br />\nUser Name: $userName<br />\n"; $mailMessage .= "Agent Writing Number: $agentWritingNum<br />\nPhone Number: $phoneText<br />\n"; $mailMessage .= "E-mail Address: $email<br />\nRegional Sales Coordinator: $regSales<br />\n"; $mailMessage .= "District Sales Coordinator: $disSales<br />\n</body>\n</html>"; $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; mail($to, $subject, $mailMessage, $headers); $userName = htmlentities(rawurlencode($userName)); $ev_title = htmlentities(rawurlencode($ev_title)); header("Location: success.php?user=$userName&event=$ev_title"); } else{ echo "<br />Something went wrong with the insert!<br /><br />\n\n"; } } else{ echo "<div style='color: red;'>$errMessage</div><br />"; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Registration Form</title> <link rel="stylesheet" type="text/css" href="formstyles.css"> </head> <body style="text-align: center;"> <div style="width: 400px; margin: 0 auto;"> Registration Form<br /><br /> <form action="<?php echo $_SERVER['PHP_SELF']; ?>?evid=<?php echo $ev_id; ?>" method="post"> <fieldset class="narrow"><legend>Please input your information</legend> <p><label for="regAgent">Registering Agent:</label><input type="text" name="regAgent" value="<?php if(isset($_POST['regAgent'])){echo $_POST['regAgent'];} ?>" /></p> <p><label for="agentWritingNum">Agent Writing Number:</label><input type="text" name="agentWritingNum" value="<?php if(isset($_POST['agentWritingNum'])){echo $_POST['agentWritingNum'];} ?>" /></p> <p><label for="phoneNum">Phone Number:</label>(<input type="text" name="phoneNum[]" size="3" maxlength="3" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][0];} ?>" />) - <input type="text" name="phoneNum[]" size="3" maxlength="3" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][1];} ?>" /> - <input type="text" name="phoneNum[]" size="4" maxlength="4" value="<?php if(isset($_POST['phoneNum'])){echo $_POST['phoneNum'][2];} ?>" /></p> <p><label for="emailAddress">E-mail Address:</label><input type="text" name="emailAddress" value="<?php if(isset($_POST['emailAddress'])){echo $_POST['emailAddress'];} ?>" /></p> <p><label for="regionalSales">Regional Sales Coordinator:</label><input type="text" name="regionalSales" value="<?php if(isset($_POST['regionalSales'])){echo $_POST['regionalSales'];} ?>" /></p> <p><label for="districtSales">District Sales Coordinator:</label><input type="text" name="districtSales" value="<?php if(isset($_POST['districtSales'])){echo $_POST['districtSales'];} ?>" /></p> </fieldset> <input type="hidden" name="evid" value="<?php echo $ev_id; ?>" /> <p><input type="submit" name="submit" value="Submit" /></p> </form> </div> </body> </html> <?php require_once "side_right.php"; require_once "footer.php"; ?> success.php - the script that basically just outputs "Yay, you registered correctly!" <?php require_once "maincore.php"; require_once "subheader.php"; require_once "side_left.php"; if(!iMEMBER){ fallback(); } if(isset($_GET['user'])){ $userName = $_GET['user']; } if(isset($_GET['event'])){ $eventName = $_GET['event']; } $text = "Thank you $userName for registering for the following event:<br />\n"; $text .= "$eventName<br />\n<br />\n<a href='".BASEDIR."/news.php'>Please click here to return home</a>"; echo $text; require_once "side_right.php"; require_once "footer.php"; ?> The resulting HTML of the failed attempts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD> <BODY></BODY></HTML> Any ideas? I'd be especially grateful if someone who played around with PHP-Fusion responded. I'm thinking there may be something in maincore.php (Fusion's engine) that may be conflicting with my scripts. EDIT: I'm not a pro at regular expressions, but could the following code in maincore.php be screwing me up? <?php // Prevent any possible XSS attacks via $_GET. foreach ($_GET as $check_url) { if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) || (eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) || (eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) || (eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) || (eregi("\"", $check_url))) { die (); } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-284959 Share on other sites More sharing options...
KevinM1 Posted June 28, 2007 Author Share Posted June 28, 2007 I'm not a pro at regular expressions, but could the following code in maincore.php be screwing me up? <?php // Prevent any possible XSS attacks via $_GET. foreach ($_GET as $check_url) { if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) || (eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) || (eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) || (eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) || (eregi("\"", $check_url))) { die (); } } ?> Apparently this is the problem. Quote Link to comment https://forums.phpfreaks.com/topic/57436-solved-get-with-parentheses/#findComment-285066 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.