php code to securely handle user input

Regular Joined: Jan 24, 2008 Posts: 58

I'm really need a good joke module for my wesbite (my members are joke freaks) but no working one that is secure can be found. I have decide to start with the following module:

download link: http://www.clan-themes.co.uk/downloaddetails-9-282-jokes-module-v10.html#dldetails

I code has some bugs (well at least for me) I have worked all that I know but I'm left with the serious concern that data entered via submit joke and submit comment are NOT secure.

Could someone recommend the necessary filter, modification, etc.. I need to do to the user input data to make it safe?

Below is the code from index.php of the download above. This is the location the user inputs data for submit joke and submit comment. It seems unsafe and DOES NOT work as is since it leaves alot of \\\ every where:

[code]<?php
/************************************************************************/
/* Jokes Module FOR PHP-NUKE */
/* ------------------------- */
/* Copyright (c) 2006 by ADAMIN */
/* http://adamin.freehostia.com */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
// Check if user is not accessing the file directly -->
if (!defined('MODULE_FILE')) {
die ("You can't access this file directly...");
}
// Check if user is not accessing the file directly <--
require_once("mainfile.php"); // Including mainfile
$module_name = basename(dirname(__FILE__)); // Module name detection
get_lang("$module_name"); // Language selection

//Configuration variables loading -->
global $prefix, $db;
global $index, $debug, $pagetitle;
global $limit_new, $limit_popular, $limit_top, $max_rating;
global $jokes_per_page, $category_per_line;
global $ShowAddressBar, $show_home_image, $show_category_image;
global $category_image_dir, $default_order;
if (!$result=$db->sql_query("SELECT * FROM ".$prefix."_jokes_config")){
//If configuration variables are failed to load from db then to be
//loaded from the deafult config.php file
require_once("modules/jokes/config.php");
}
else{
$row = $db->sql_fetchrow($result);
$index = $row['show_right_side_box'];
$debug = $row['debug_mode'];
$pagetitle = $row['page_title'];
$limit_new = $row['limit_new'];
$limit_popular = $row['limit_popular'];
$limit_top = $row['limit_top'];
$max_rating = $row['max_rating'];
$jokes_per_page = $row['jokes_per_page'];
$category_per_line = $row['category_per_line'];
$ShowAddressBar = $row['show_address_bar'];
$show_home_image = $row['show_home_image'];
$show_category_image = $row['show_category_image'];
$category_image_dir = $row['category_image_dir'];
$default_order = $row['default_joke_list_order'];
}
//Configuration variables loading <--

//Header creation for jokes module -->
function module_header(){
global $show_home_image;
echo ""
."<center>\n";
if ($show_home_image){
echo ""
."<img src=\"modules/jokes/images/logo.gif\" alt=\"\" border=\"0\" /> \n";
}
echo ""
.""._JOKESTITLE."\n"
."</center>\n";
}
//Header creation for jokes module <--

//TopMenu creation for jokes module -->
function menu(){
echo ""
."<center> \n"
."[ <a href=\"modules.php?name=jokes&op=show_default\">"._CATEGORIES."</a>"
." | "
."<a href=\"modules.php?name=jokes&op=search\">"._SEARCH."</a>"
." | "
."<a href=\"modules.php?name=jokes&op=show_new\">"._NEW."</a>"
." | ".
"<a href=\"modules.php?name=jokes&op=show_popular\">"._POPULAR."</a>"
." | "
."<a href=\"modules.php?name=jokes&op=show_top\">"._TOP."</a> ]\n"
." "
."[ <a href=\"modules.php?name=jokes&op=submit_joke\">"._SUBMITJOKE."</a> ]"
."</center>\n";
CloseTable();
echo ""
." ";
OpenTable();
}
//TopMenu creation for jokes module <--

//Jokes preview/view (two modes) -->
function joke_preview($title, $description, $note, $category, $submitter, $submission_date, $hits, $mode){
OpenTable();
echo ""
."<center>"."$title \n"
." "
.""._CATEGORY.": $category \n"
.(($mode == _VIEW)?"( $hits "._JOKESEEN." ) ":"")
." "
."".$description." "
." "
.(($note == "")?"":""._AUTHORSNOTE.": "." $note")
." "
.(($mode == _VIEW)?"( $submitter "._POSTED." ".(($submission_date == "")?_NOTAVAILABLE:$submission_date)." )":"");
CloseTable();
}
//Jokes preview/view (two modes) <--

//Jokes submission processing -->
function submit_joke($title, $description, $note, $cat, $submit){
global $AllowableHTML, $prefix, $user, $cookie, $anonymous, $db;
if (isset($submit)){
$title = addslashes($title);
$description = addslashes($description);
$note = addslashes($note);
if (!$result = $db->sql_query("SELECT joke_id, title, content FROM ".$prefix."_jokes WHERE title='$title' OR content='$description'")){
modified_die("<center>"._SQLERROR."</center>");
}
if ($db->sql_numrows($result) > 0){
$row = $db->sql_fetchrow($result);
echo ""
."<center>"
.""._JOKEALREADYEXIST.""
." "
.((strtolower($row['title']) == strtolower($title))?"( "._TITLEERROR." )":"( "._CONTENTERROR." )")
." "
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> |\n"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">"._CHECKEXISTINGJOKE."</a> ]"
."</center>";
exit();
}
if (!$result = $db->sql_query("SELECT joke_id, title, content FROM ".$prefix."_jokes_tmp WHERE title='$title' OR content='$description'")){
modified_die("<center>"._SQLERROR."</center>");
}
if ($db->sql_numrows($result) > 0){
$row = $db->sql_fetchrow($result);
echo ""
."<center>"
.""._JOKEALREADYEXIST.""
." "
.((strtolower($row['title']) == strtolower($title))?"( "._TITLEERROR." )":"( "._CONTENTERROR." )")
." "
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ] \n"
._REQUESTEDJOKE
."</center>";
exit();
}
if ($submit == _SUBMIT){
if (is_user($user)) {
cookiedecode($user);
$uid = $cookie[0];
$name = $cookie[1];
}
else {
$uid = 1;
$name = "$anonymous";
}
if(!$db->sql_query("INSERT INTO ".$prefix."_jokes_tmp(title, cat, content, notes, submitter_id, submission_date) VALUES ('$title', $cat, '$description', '$note', $uid, '".date("Y-m-d H:i:s")."')")) {
modified_die("<center>"._SQLERROR."</center>");
}
echo ""
."<center>"
._SUBSENT
." "
._THANKSSUB
." "
._SUBTEXT;
}
else{
$title = stripcslashes($title);
$description = stripcslashes($description);
$note = stripcslashes($note);
if ($title == "" || $description == ""){
$warning = ""
."<center>"
._BADTITLETEXT
."\n"
." \n"
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ]\n"
."</center>\n";
modified_die($warning);
}
echo ""
."<center>"
.""._JOKESUBPREVIEW.""
." \n"
.""._JOKELOOK.""
." "
."</center>";
if ($cat == "") {
$warning = ""
."<center>"
.""._SELECTCAT.""
." "
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ]\n"
."</center>";
modified_die($warning);
}
if (is_user($user)) {
cookiedecode($user);
$submitter = $cookie[1];
}
else {
$submitter = $anonymous;
}
if (!$result = $db->sql_query("SELECT title FROM ".$prefix."_jokes_cat WHERE cat_id=$cat")){
modified_die("<center>"._SQLERROR."</center>");
}
$row = $db->sql_fetchrow($result);
joke_preview($title, $description, $note, $row['title'], $submitter, $submission_date, $hits, $rating, _PREVIEW);
echo ""
."<center>"
." "
.""._YOURNAME.": \n"
.(($submitter == $anonymous)?$submitter:"<a href=\"account.html\">$submitter</a>")
.(($submitter == $anonymous)?"":" [ <a href=\"modules.php?name=Your_Account&op=logout\">"._LOGOUT."</a> ]")
."</center>\n"
." \n"
."<form action=\"modules.php?name=jokes&op=submit_joke\" method=\"post\">\n"
."<center>"
._CHECKJOKE." \n"
._HTMLNOTALLOWED
." \n"
."<input type=\"hidden\" name=\"title\" value=\"$title\">\n"
."<input type=\"hidden\" name=\"description\" value=\"$description\">\n"
."<input type=\"hidden\" name=\"note\" value=\"$note\">\n"
."<input type=\"hidden\" name=\"cat\" value=\"$cat\">\n"
."[ <a href=\"javascript:history.back(1)\">"._BACKTEXT."</a> ]\n"
." "._OR." "
."<input type=\"submit\" name=\"submit\" value=\""._SUBMIT."\"></form>\n"
."</center>";
}
}
else{
if (is_user($user)){
getusrinfo($user);
}
echo ""
."<form action=\"modules.php?name=jokes&op=submit_joke\" method=\"post\">"
.""._YOURNAME.": ";
if (is_user($user)) {
cookiedecode($user);
echo ""
."<a href=\"account.html\">$cookie[1]</a> [ <a href=\"modules.php?name=Your_Account&op=logout\">"._LOGOUT."</a> ]";
}
else {
echo ""
."$anonymous [ <a href=\"account.html\">"._NEWUSER."</a> ]";
}
echo ""
." "
.""._SUBTITLE." "
."("._BEDESCRIPTIVE.") "
."<input type=\"text\" name=\"title\" size=\"50\" maxlength=\"80\"> ("._BADTITLES.")"
." "
.""._CATEGORY.": <select name=\"cat\">";
$result = $db->sql_query("SELECT cat_id, title FROM ".$prefix."_jokes_cat WHERE active='1' ORDER BY title");
echo ""
."<option value=\"\">"._SELECTCAT."</option>\n";
while ($row = $db->sql_fetchrow($result)) {
$cat_id = $row['cat_id'];
$title = $row['title'];
echo "<option value=\"$cat_id\">$title</option>\n";
}
echo "</select>\n"
." "
.""._DESCRIPTION.": "
."<textarea cols=\"64\" rows=\"15\" name=\"description\"></textarea> "
." "._NOTE." "
."<textarea cols=\"64\" rows=\"15\" name=\"note\"></textarea> "
."("._AREYOUSURE.") "
.""._HTMLNOTALLOWED.""
." "
."<input type=\"submit\" name=\"submit\" value=\""._PREVIEW."\">"
." ("._SUBPREVIEW.")</form>";
}
}
//Jokes submission processing <--

//Jokes view counter function -->
function hits($joke_id){
global $prefix, $db;
$db->sql_fetchrow($db->sql_query("UPDATE ".$prefix."_jokes set hits=hits+1 WHERE joke_id=$joke_id"));
}
//Jokes view counter function <--

//View the joke requested for -->
function show_joke($joke_id, $next_joke_id, $previous_joke_id){
global $max_rating, $ShowAddressBar, $admin, $prefix, $db;
global $bgcolor1, $bgcolor2, $textcolor1;
hits($joke_id);
$sql = "SELECT joke_id, ".$prefix."_jokes.title 'joke_title', cat_id, ".$prefix."_jokes_cat.title 'category_title', content, notes, submission_date, hits, rating, rating_count, ".$prefix."_jokes.active, username FROM ".$prefix."_jokes, ".$prefix."_jokes_cat, ".$prefix."_users WHERE joke_id=$joke_id AND cat=cat_id AND submitter_id=user_id";
if (!$result = $db->sql_query($sql)){
modified_die("<center>"._SQLERROR."</center>");
}
$row = $db->sql_fetchrow($result);
if ($ShowAddressBar){
echo ""
."\n"
."<a href=\"index.php\">"._HOME."</a> > "
."<a href=\"modules.php?name=jokes&op=show_default\">"._JOKESTITLE."</a> > "
."<a href=\"modules.php?name=jokes&op=show_category&cat_id=".$row['cat_id']."\">".$row['category_title']."</a>"
.""
." ";
}
joke_preview($row['joke_title'], $row['content'], $row['notes'], $row['category_title'], $row['username'], $row['submission_date'], $row['hits'], _VIEW);
echo ""
."<center>"
."[ "
.(is_admin($admin)?"<a href=\"admin.php?op=jokes_edit&joke_id=".$row['joke_id']."\">"._EDIT."</a> | <a href=\"admin.php?op=jokes_delete&joke_id=".$row['joke_id']."\">"._DELETE."</a> | ":"")
."<a href=\"modules.php?name=jokes&op=joke_print&joke_id=$joke_id\" target=\"_blank\">"._PRINTJOKE."</a>"
." ]"
." "
."</center>"
."<form action=\"modules.php?name=jokes\" method=\"post\">\n"
."<center>"
."".$row['rating_count']." "._CURRENTRATING.(($row['rating_count'] == 0)?" ( "._BEFIRST." )":". "._RATING.": ".$row['rating']."/$max_rating"."")
." "
.""._RATETEXT.": "
."<select name=\"rate\" size=\"1\">";
for($i=1;$i<=$max_rating;$i++){
echo ""
."<option value=\"$i\">$i</option>";
}
echo ""
."</select>"
."  "
."<input type=\"hidden\" name=\"joke_id\" value=\"".$joke_id."\" />\n"
."<input type=\"submit\" name=\"op\" value=\""._RATE."\" />\n"
."</center>"
."</form>";
}
//View the joke requested for <--

//Search by joke title (not case-sensitive and match case is enabled) -->
function search($submit, $search_text, $category, $sort_by, $order, $page){
global $jokes_per_page, $prefix, $db;
if (isset($submit)){
$page = (($page == 0)?1:$page);
$sort_by = (($sort_by == "")?"submission_date":$sort_by);
$order = (($order == "")?"desc":$order);
$param = Array('search_text'=>$search_text, 'cat_id'=>$category, 'page'=>$page, 'limit'=>$jokes_per_page);
show_joke_list(_SEARCH, $param, $sort_by, $order);
}
else{
echo ""
."<center>"
."\n"
.":: "._SEARCH." ::"
." "
."</center>"
."<form id=\"search\" action=\"modules.php?name=jokes&op=search\" method=\"post\" name=\"search\">"
."<center>"
."<input type=\"text\" name=\"search_text\" size=\"40\"> "
."<select name=\"category\" size=\"1\">"
."<option value=\"0\">"._ALLCATEGORY."</option>";
$result = $db->sql_query("SELECT cat_id, title FROM ".$prefix."_jokes_cat WHERE active='1' ORDER BY title");
while ($row = $db->sql_fetchrow($result)) {
echo ""
."<option value=\"".$row['cat_id']."\">".$row['title']."</option>\n";
}
echo ""
."</select>"
." "
."<select name=\"sort_by\" size=\"1\">"
."<option value=\"title\">"._JOKETITLE."</option>"
."<option value=\"submission_date\">"._SUBDATE."</option>"
."<option value=\"\">"._SUBBY."</option>"
."</select> "
."<select name=\"order\" size=\"1\">"
."<option value=\"asc\">"._ASCENDING."</option>"
."<option value=\"desc\">"._DESCENDING."</option>"
."</select> "
."<input type=\"submit\" name=\"submit\" value=\""._SEARCH."\">"
."<center>"
."</form>";
}
}
//Search by joke title (not case-sensitive and match case is enabled) <--

//Build dynamic joke list table (function: category/normal view, sorting by and in order, searching result) -->
function show_joke_list($reference, $param, $sort_by, $order){
global $admin, $prefix, $db;
global $bgcolor1,$bgcolor2, $textcolor1;
global $default_order;
$order = ($order == "")?$default_order." ":$order;
if ($reference == _CATEGORY){
$cat_id = $param['cat_id'];
$limit1 = ((($param['page'] == 0)?1:$param['page']) - 1) * $param['limit'];
$limit2 = $param['limit'];
$sort_by = ($sort_by == "")?"submission_date":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE cat = $cat_id AND submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order "
."LIMIT $limit1, $limit2";
}
elseif($reference == _TOP){
$limit = $param;
$sort_by = ($sort_by == "")?"rating":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order"
."LIMIT 0, $limit";
}
elseif($reference == _NEW){
$limit = $param;
$sort_by = ($sort_by == "")?"submission_date":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order"
."LIMIT 0, $limit";
}
elseif($reference == _POPULAR){
$limit = $param;
$sort_by = ($sort_by == "")?"hits":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order"
."LIMIT 0, $limit";
}
elseif($reference == _SEARCH){
$cat_id = $param['cat_id'];
$limit1 = ((($param['page'] == 0)?1:$param['page']) - 1) * $param['limit'];
$limit2 = $param['limit'];
$sort_by = ($sort_by == "")?"submission_date":$sort_by;
$sql = "SELECT joke_id, title, submission_date, hits, rating, username "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE ".(($param['cat_id'] == 0)?"cat!=0 AND ":"cat = $cat_id AND ")."title LIKE \"%".$param['search_text']."%\" AND submitter_id=user_id AND active='1' "
."ORDER BY $sort_by $order "
."LIMIT $limit1, $limit2";
}
if (!$result = $db->sql_query($sql)){
modified_die("<center>"._SQLERROR."</center>");
}
if ($reference == _CATEGORY){
$sql = "SELECT '' "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE cat = $cat_id AND submitter_id=user_id AND active='1'";
if (!$count = $db->sql_numrows($db->sql_query($sql))){
modified_die("<center>"._NOJOKE."</center>");
}
}
elseif($reference == _SEARCH){
$sql = "SELECT '' "
."FROM ".$prefix."_jokes, ".$prefix."_users "
."WHERE ".(($param['cat_id'] == 0)?"cat!=0 AND ":"cat = $cat_id AND ")."title LIKE \"%".$param['search_text']."%\" AND submitter_id=user_id AND active='1' ";
if (!$count = $db->sql_numrows($db->sql_query($sql))){
modified_die("<center>"._NO." "._RECORDSFOUND."</center>");
}
}
else{
$count = $db->sql_numrows($result);
}
if ($reference == _SEARCH){
$category = (($cat_id == 0)?Array('title'=>_ALLCATEGORY):$db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_jokes_cat WHERE cat_id=$cat_id")));
echo ""
."<center>"
._SEARCHFOR." \"".$param['search_text']."\" "._INCATEGORY." \"".$category['title']."\" "
."( ".(($count == 0)?_NO:$count)." "._RECORDSFOUND." )"
." </center>";
}
echo ""
."<table bgcolor=\"$bgcolor2\" width=\"100%\" cellpadding=\"2\" cellspacing=\"1\" border=\"0\">"
."<tr bgcolor=\"$bgcolor2\">"
."<td align=\"center\">".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=title&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"").""._JOKETITLE."".(($sort_by == "title")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></td>"
."<td align=\"center\">".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=submission_date&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"").""._SUBDATE."".(($sort_by == "submission_date")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></td>"
."<td align=\"center\">".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=username&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"").""._SUBBY."".(($sort_by == "username")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></td>"
."<td align=\"center\">".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=hits&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"").""._HITS."".(($sort_by == "hits")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></td>"
."<td align=\"center\">".(($reference == _CATEGORY || $reference == _SEARCH)?"<a href=\"modules.php?name=jokes&op=".(($reference == CATEGORY)?"show_category":"search&submit="._SEARCH)."&cat_id=$cat_id&sort_by=rating&order=".(($order == "asc")?"desc":"asc")."&page=".$param['page']."\">":"").""._RATING." ".(($sort_by == "rating")?(($order == "asc")?"<img src=\"modules/jokes/images/up.gif\" alt=\""._DESCENDING."\" border=\"0\">":"<img src=\"modules/jokes/images/down.gif\" alt=\""._ASCENDING."\" border=\"0\">"):"")."</a></td>"
.(is_admin($admin)?"<td align=\"center\">"._FUNCTIONS."":"")
."</tr>";
if ($count < 1){
modified_die("<tr><td bgcolor=\"$bgcolor1\" colspan=\"6\"><center>"._NOJOKE."</center></td></tr>");
}
while($row = $db->sql_fetchrow($result)){
echo ""
."<tr bgcolor=\"$bgcolor1\">"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".$row['title']."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".(($row['submission_date'] == "")?_NOTAVAILABLE:$row['submission_date'])."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".$row['username']."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".$row['hits']."</a>"
."</td>"
."<td align=\"center\">"
."<a href=\"modules.php?name=jokes&op=show_joke&joke_id=".$row['joke_id']."\">".(($row['rating'] == 0)?_NOTAVAILABLE:$row['rating'])."</a>"
."</td>"
.(is_admin($admin)?"<td>[ <a href=\"admin.php?op=jokes_edit&joke_id=".$row['joke_id']."\">"._EDIT."</a> | <a href=\"admin.php?op=jokes_delete&joke_id=".$row['joke_id']."\">"._DELETE."</a> ]</td>":"");
echo ""
."</td></tr>";
}
echo ""
."</table>";
if ($reference == _CATEGORY || $reference == _SEARCH){
echo ""
."<table cellpadding=\"5\" width=\"100%\">"
.(($param['page'] == 1)?"<td width=\"20%\"> </td>":"<td width=\"20%\" align=\"left\"><a href=\"modules.php?name=jokes&op=".(($reference == _CATEGORY)?"show_category&cat_id=".$param['cat_id']:"search&search_text=".$param['search_text']."&submit="._SEARCH)."&sort_by=".$sort_by."&order=".$order."&page=".($param['page']-1)."\">"._PREVIOUS."</td>")
."<td align=\"center\">[ ";
for ($i = 1 ; ceil($count/$param['limit']) >= $i ; $i++){
echo ""
.(($i == $param['page'])?""._PAGE." $i ":"<a href=\"modules.php?name=jokes&op=".(($reference == _CATEGORY)?"show_category&cat_id=".$param['cat_id']:"search&search_text=".$param['search_text']."&submit="._SEARCH)."&sort_by=".$sort_by."&order=".$order."&page=$i\">"._PAGE." $i</a> ");
}
echo ""
." ]</td>"
.(($count > $param['limit'] * $param['page'])?"<td width=\"20%\" align=\"right\"><a href=\"modules.php?name=jokes&op=".(($reference == _CATEGORY)?"show_category&cat_id=".$param['cat_id']:"search&search_text=".$param['search_text']."&submit="._SEARCH)."&sort_by=".$sort_by."&order=".$order."&page=".($param['page']+1)."\">"._NEXT."</td>":"<td width=\"20%\"> </td>")
."</table>";
}
}
//Build dynamic joke list table (function: category/normal view, sorting by and in order, searching result) <--

//Show a requested category -->
function show_category($cat_id, $sort_by, $order, $page){
global $jokes_per_page, $prefix, $db;
global $bgcolor1, $bgcolor2, $textcolor1;
global $ShowAddressBar, $show_category_image;
if ($ShowAddressBar){
echo ""
."\n"
."<a href=\"index.php\">"._HOME."</a> > "
."<a href=\"modules.php?name=jokes&op=show_default\">"._JOKESTITLE."</a>"
."";
}
$row = $db->sql_fetchrow($db->sql_query("SELECT * FROM ".$prefix."_jokes_cat WHERE cat_id = $cat_id"));
echo ""
."<center>";
if ($show_category_image){
echo ""
.(($row['image'] != "")?"<img src=\"".$row['image']."\"> ":"");
}
echo ""
."\n"
.""._JOKESIN." \"".$row['title']."\" "._CATEGORY."\n"
." \n"
.""
.$row['description']
." "
."</center>\n";
$page = (($page == 0)?1:$page);
$sort_by = (($sort_by == "")?"submission_date":$sort_by);
$order = (($order == "")?"desc":$order);
$param = Array('cat_id'=>$cat_id, 'page'=>$page, 'limit'=>$jokes_per_page);
show_joke_list(_CATEGORY, $param, $sort_by, $order);
}
//Show a requested category <--

//Jokes rating function -->
function rate_joke($joke_id,$rate){
global $prefix, $db;
$row = $db->sql_fetchrow($db->sql_query("SELECT rating, rating_count FROM ".$prefix."_jokes WHERE joke_id = $joke_id"));
$rating = ($row['rating']*$row['rating_count']+$rate)/($row['rating_count']+1);
$db->sql_fetchrow($db->sql_query("UPDATE ".$prefix."_jokes set rating=$rating, rating_count=rating_count+1 WHERE joke_id=$joke_id"));
echo ""
."<center>"
._RATINGTHANKS
." "
."[ <a href=\"modules.php?name=jokes&op=show_joke&joke_id=$joke_id\">"._BACKTEXT."</a> ]\n"
."</center>";
}
//Jokes rating function <--

//Show new jokes -->
function show_new(){
global $limit_new;
echo ""
."<center>\n"
."\n"
.""._JOKESNEW.""
." "
."</center>\n";
show_joke_list(_NEW, $limit_new);
}

function show_popular(){
global $limit_popular;
echo ""
."<center>"
."\n"
.""._JOKESPOPULAR.""
." "
."</center>\n";
show_joke_list(_POPULAR, $limit_popular);
}
//Show new jokes <--

//Show top jokes -->
function show_top(){
global $limit_top;
echo ""
."<center>"
."\n"
.""._JOKESTOP.""
." "
."</center>\n";
show_joke_list(_TOP, $limit_top);
}
//Show top jokes <--

//Show default categorical view -->
function show_default() {
global $category_per_line, $prefix, $db;
global $bgcolor1, $bgcolor2;
echo ""
."<center>"
."\n"
.":: "._MAINCATEGORY." ::\n"
." "
."</center>\n";
if (!$result = $db->sql_query("SELECT * FROM ".$prefix."_jokes_cat WHERE active=1")){
modified_die("<center>"._SQLERROR."</center>");
}
if ($db->sql_numrows($result)<1){
modified_die("<center>"._NOJOKECAT."</center>");
}
echo ""
."<table width=\"100%\" cellpadding=\"5\" cellspacing=\"0\" border=\"0\">";
$category_count = 0;
while($row = $db->sql_fetchrow($result)){
if (!$result2 = $db->sql_query("SELECT joke_id FROM ".$prefix."_jokes WHERE active='1' AND cat =".$row['cat_id'])){
modified_die("<center>"._SQLERROR."</center>");
}
$count = $db->sql_numrows($result2);
$category_count++;
echo ""
.(($category_count%$category_per_line == 1)?"<tr>\n":"")
."<td align=\"center\" width=\"".(100/$category_per_line)."%\">"
."<a href=\"modules.php?name=jokes&op=show_category&cat_id=".$row['cat_id']."\">".$row['title']." ($count)</a>"
."</td>\n"
.(($category_count%$category_per_line == 0)?"</tr>\n":"");
}
echo ""
."</table>";
}
//Show default categorical view <--

//Jokes print priview -->
function joke_print($joke_id){
global $currentlang, $prefix, $db;
$sql = "SELECT joke_id, ".$prefix."_jokes.title 'joke_title', "
.$prefix."_jokes_cat.title 'category_title', content, "
."notes, submission_date, username "
."FROM ".$prefix."_jokes, ".$prefix."_jokes_cat, ".$prefix."_users "
."WHERE joke_id=$joke_id AND cat=cat_id AND submitter_id=user_id AND "
.$prefix."_jokes.active=1";
if (!$result = $db->sql_query($sql)){
die("<center>"._SQLERROR."</center>");
}
if ($db->sql_numrows($result)<1){
die("<center>"._NOJOKEFOUND."</center>");
}
$row = $db->sql_fetchrow($result);
$url = "Location: modules/jokes/print.php?language=".$currentlang."&title=".$row['joke_title']."&category=".$row['category_title']."&description=".$row['content']."&note=".$row['notes']."&submitter=".$row['username']."&submission_date=".$row['submission_date'];
Header($url);
}
//Jokes print priview <--

//Custom jokes module footer -->
function module_footer(){
echo ""
."</td>\n"
."</tr>\n";
}
//Custom jokes module footer <--

//Custom die function for synchronization -->
function modified_die($msg, $sql){
global $admin, $debug, $db;
echo ""
.$msg;
if ($debug && is_admin($admin)){
$error = $db->sql_error();
if($error[code] != 0){
echo ""
."<center>"
.""._SQLERRORCODE."[$error[code]]: $error[message]"
."</center>";
}
}
module_footer();
CloseTable();
include("footer.php");
die();
}
//Custom die function for synchronization <--

//display page

include ('header.php');
OpenTable();
module_header();
menu();
if (isset($op)){
switch($op) {
case "submit_joke":
submit_joke($title, $description, $note, $cat, $submit);
break;

case "show_joke":
show_joke($joke_id, $next_joke_id, $previous_joke_id);
break;

case "rate_joke":
case _RATE:
rate_joke($joke_id,$rate);
break;

case "show_category":
show_category($cat_id, $sort_by, $order, $page);
break;

case "show_new":
show_new();
break;

case "show_popular":
show_popular();
break;

case "show_top":
show_top();
break;

case "joke_print":
joke_print($joke_id);
break;

case "search":
search($submit, $search_text, $category, $sort_by, $order, $page);
break;

default:
show_default();
break;
}
}
else{
show_default();
}
module_footer();
CloseTable();
include ('footer.php');
?>[/code]

registered · Posted: Sat Mar 01, 2008 4:50 pm

I don't have time to wade through all that code. But in a nutshell, for PHP-Nuke modules:

call check_html() on all string user input
convert integer user input to integers using a cast or intval()
use addslashes() on any user string input that is going into the database

You are probably seeing lots of \\\ because the code isn't checking for magic quotes (at least I didn't see it). If you use RavenNuke, the RavenNuke check_html() will do this for you.

Posted: Sat Mar 01, 2008 4:55 pm

Thanks ALOT. I do use RavenNuke. I will try the nutshell above.

BTW I love the monkey.

registered · Posted: Tue Mar 04, 2008 9:22 pm

loraxx, please do not double-post. You already have this thread started in "Seeking Applications..." forum. Sad

If you feel that you have posted something in the wrong forum, just politely ask us to move it... or, we may recognize that it needs moving and just move it ourselves without asking. Thanks.

Posted: Tue Mar 04, 2008 11:24 pm

Sorry, Please move as you see appropriate.