PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Posted: Thu Sep 13, 2012 8:35 am
Forum Newbie

Joined: Fri Sep 07, 2012 6:20 pm
Posts: 16
Hi to all. I have a script that modified some dates in a MySQL table. When I modify something with this script I want to modify a folder name. In this script I use the PHP function rename. But on the submit button I get the error "Invalid argument in /home/a9225197/public_html/admin/edit_post.php on line 87", and I understand that I do something wrong in this SQL query.
My code is:
<?php
/**
 *
 * eliteCMS - The Lightweight CMS Copyright © 2008 elite-graphix.net.
 * eliteCMS is a free software to use for personal websites.
 * Anyone can use eliteCMS for free as long as he retain the
 * copyright note at the footer.
 * If anyone wants to remove the copyright note for commercial
 * use of the software can contact raj@elite-graphix.net.
 * eliteCMS comes with absolutely no warranty and is provided as-is.
 * raj - THE AUTHOR of the software or elite-graphix - THE COMPANY
 * will not be held responsible for any damage this software might cause.
 * You run this software at your own risk and agree not to hold author or company.
 * You are not allowed to make any profit from this software unless you
 * have a written authorization from the author to use the software for commercial use.
 *
 */

include ("includes/headerRefresh.php");
include ("includes/config.php");
include ("functions/functions.php");
require_once ("includes/session.php");
check_login();
?>
<?php get_settings(); ?>
<?php if ((intval($_GET['page']) == 0) || (intval($_GET['post']) == 0)) {
    redirect_to("manage_posts.php");
} ?>
<?php include ("header.php") ?>
<?php
$errors = array();
if (isset($_POST['submit'])) {
    $postid = $posts['id'];
    $query2 = "SELECT * FROM posts where id='$postid'";
    $result2 = mysql_query($query2);
    while ($row = mysql_fetch_array($result2)) {
        $oldname = $row['dirname'];
        echo $oldname;
    }

    if ($_POST['title'] == "")
        $errors['title'] = "Title of the Post is required !";

    if ($_POST['position'] == "")
        $errors['position'] = "Position of the Post is required !";

    if ($_POST['content'] == "")
        $errors['content'] = "Content of the Post is required !";


    if (empty($errors)) {

        $id = mysql_prep($_GET['post']);
        $page_id = mysql_prep($_POST['page_id']);
        $title = mysql_prep($_POST['title']);
        $active = mysql_prep($_POST['active']);
        $position = mysql_prep($_POST['position']);
        $content = mysql_prep($_POST['content']);
        $address = mysql_prep($_POST['address']);
        $phone = mysql_prep($_POST['phone']);
        $web = mysql_prep($_POST['web']);
        $email = mysql_prep($_POST['email']);
        $video = mysql_prep($_POST['video']);
        $map = mysql_prep($_POST['map']);
        $valid = mysql_prep($_POST['valid']);
        $dirname = mysql_prep($_POST['title']);

        $query = "UPDATE posts SET page_id = '{$page_id}', title = '{$title}', active = '{$active}', position = '{$position}', content = '{$content}', address='{$address}', phone='{$phone}', web='{$web}', email='{$email}', video='{$video}', map='{$map}', valid='{$valid}', dirname='{$dirname}'  WHERE id = {$id} ";
        $result = mysql_query($query);
        confirm_query($result);
        if (mysql_affected_rows() == 1) {
            $successMSG = "Post updated Successfully !";

        } else {
            $errorMSG = "Nothing to Update ! </br>" . mysql_error() . " ";

        }


    } else {
        $displayError = '<div class="errorMSG"><ul style="list-style:none;">';

        foreach ($errors as $error) {
            $displayError .= "<li>$error</li>";
        }
        $displayError .= '</ul></div>';
    }
    rename("../uploads/".$oldname, "../uploads/".$dirname);
} else {
    //$errorMSG = "";
}

?>

<div id="body">
<div class="box bigBox">
<h1>Add New Post</h1>
<?php display_msg(); ?>
<?php selected_page(); ?>
<form action="<?php echo $PHP_SELF; ?>" method="post">
<table width="100%" align="center" cellpadding="0" cellspacing="0" id="post_form">
<tr bgcolor="#EEF7FD">
<td width="27%" class="padd">Categoria Companie :</td>
<td width="73%" class="padd">
<select name="page_id" class="select1" onChange="MM_jumpMenu('parent',this,0)">
<?php
if (isset($selected_page['id'])) {
    echo "<option value=\"{$selected_page['id']}\">{$selected_page['menu_name']}</option>\n";
} else {
    $query = "SELECT * FROM pages ORDER BY id";
    $result = mysql_query($query);
    confirm_query($result);
    while ($pages = mysql_fetch_array($result)) {
        echo "<option value=\"add_post.php?page={$pages['id']}\">{$pages['menu_name']}</option>\n";
    }
}
?>
</select>
</td>
</tr>
<tr>
<td class="padd">Denumire Companie :</td>
<td class="padd">
<input name="title" type="text" class="input" id="title" value="<?php echo $selected_post['title'] ?>"/>
<?php if (!empty($errors['title'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>
<tr bgcolor="#EEF7FD">
<td class="padd">Post Published :</td>
<td class="padd">
<select name="active" class="select">
<option value="1" <?php if ($selected_post['active'] == 1) {
    echo "selected";
} ?>>Yes</option>
<option value="0" <?php if ($selected_post['active'] == 0) {
    echo "selected";
} ?>>No</option>
</select>
</td>
</tr>
<tr>
<td valign="bottom" class="padd">Post Position :</td>
<td valign="bottom" class="padd">
<?php if (isset($_GET['page'])) {
    display_acquired_posts();

} ?>
<input name="position" type="text" class="inputSmall" id="position" value="<?php echo
$selected_post['position'] ?>"/>
<?php if (!empty($errors['position'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>
<tr bgcolor="#EEF7FD">
<td class="padd">Descriere Companie</td>
<td class="padd">
<script language="JavaScript1.2" type="text/javascript">
  WYSIWYG.attach('content', full);
  </script>
<textarea name="content" id="content" class="contentArea"><?php echo $selected_post['content'] ?></textarea>
<?php if (!empty($errors['content'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>
<tr>
<td class="padd">Adresa Companie :</td>
<td class="padd">
<input name="address" type="text" class="input" id="address" value="<?php echo $selected_post['address'] ?>"/>
<?php if (!empty($errors['address'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>

<tr>
<td class="padd">Nr. Telefon Companie :</td>
<td class="padd">
<input name="phone" type="text" class="input" id="phone" value="<?php echo $selected_post['phone'] ?>"/>
<?php if (!empty($errors['phone'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>

<tr>
<td class="padd">Adresa Web :</td>
<td class="padd">
<input name="web" type="text" class="input" id="web" value="<?php echo $selected_post['web'] ?>"/>
<?php if (!empty($errors['web'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>

<tr>
<td class="padd">Email Companie :</td>
<td class="padd">
<input name="email" type="text" class="input" id="email" value="<?php echo $selected_post['email'] ?>"/>
<?php if (!empty($errors['email'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>

<tr>
<td class="padd">Video Link :</td>
<td class="padd">
<input name="video" type="text" class="input" id="video" value="<?php echo $selected_post['video'] ?>"/>
<?php if (!empty($errors['video'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>

<tr>
<td class="padd">Harta Companie :</td>
<td class="padd">
<input name="map" type="text" class="input" id="map" value="<?php echo $selected_post['map'] ?>"/>
<?php if (!empty($errors['map'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>

<tr>
<td class="padd">Activ pina la: </td>
<td class="padd">
<input name="valid" type="text" class="input" id="valid" value="<?php echo $selected_post['valid'] ?>"/>
<?php if (!empty($errors['valid'])) {
    echo "&nbsp;<span class=\"mend\">*</span>";
} ?>
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td class="padd">
<input type="submit" name="submit" id="submit" value="Update Post"  class="formBU" style="margin-left:120px;"/>
<a href="manage_posts.php" target="_self" class="linkBU">Cancel</a>
<a href="manage_uploads.php" target="_self" class="linkBU">Manage Images</a></td>
</tr>
</table>
</form>
</div>
</div>
<?php include ("footer.php") ?>


And the script from the other page that redirects to this page:
<?php
/**
 *
 * eliteCMS - The Lightweight CMS Copyright © 2008 elite-graphix.net.
 * eliteCMS is a free software to use for personal websites.
 * Anyone can use eliteCMS for free as long as he retain the
 * copyright note at the footer.
 * If anyone wants to remove the copyright note for commercial
 * use of the software can contact raj@elite-graphix.net.
 * eliteCMS comes with absolutely no warranty and is provided as-is.
 * raj - THE AUTHOR of the software or elite-graphix - THE COMPANY
 * will not be held responsible for any damage this software might cause.
 * You run this software at your own risk and agree not to hold author or company.
 * You are not allowed to make any profit from this software unless you
 * have a written authorization from the author to use the software for commercial use.
 *
 */

include ("includes/headerRefresh.php");
include ("includes/config.php");
include ("functions/functions.php");
require_once ("includes/session.php");
check_login();
get_settings();
include ("header.php") ?>
<div id="body">
<div class="box bigBox">
<h1>Manage CMS Posts</h1>
<?php
if (isset($_GET['deleted']) && $_GET['deleted'] == 1) {
    $successMSG = "The post has been deleted successfully !.";

}
if (isset($_GET['newpost']) && $_GET['newpost'] == 1) {
    $successMSG = "Post created successfully !.";

}
?>

<?php display_msg(); ?>
<a href="add_post.php" title="Add New Post" target="_self" class="addPageButton">Add New Post</a>
<?php
echo "<table cellspacing=\"0\" cellpadding=\"0\" id=\"pageList\">\n";
echo "<tr>\n";
echo "<th width=\"26%\" scope=\"col\">Page Name</th>\n";
echo "<th width=\"30%\" scope=\"col\"style=\"text-align:left; padding-left:40px;\">Post Title</th>\n";
echo "<th width=\"11%\" scope=\"col\">Post Order</th>\n";
echo "<th width=\"11%\" scope=\"col\">Published</th>\n";
echo "<th width=\"11%\" scope=\"col\">Edit Post</th>\n";
echo "<th width=\"11%\" scope=\"col\">Delete Post</th>\n";
echo "</tr>\n";
$i = 0;
$color1 = "#EEF7FD";
$color2 = "#FFFFFF";
$query = "SELECT * FROM posts ORDER BY page_id";
$result = mysql_query($query);
confirm_query($result);
while ($posts = mysql_fetch_array($result)) {
    $query = "SELECT * FROM pages WHERE id ={$posts['page_id']}";
    $result1 = mysql_query($query);
    confirm_query($result1);
    $page = mysql_fetch_array($result1);
    $i++;
    echo "<tr bgcolor=\"" . (($i % 2 == 0) ? $color1 : $color2) . "\">\n";
    echo "<td>{$page['menu_name']}</td>\n";
    echo "<td style=\"text-align:left; padding-left:5px;\">{$posts['title']}</td>\n";
    echo "<td>{$posts['position']}</td>\n";
    echo "<td>";
    if ($posts['active'] == 0) {
        echo "No";
    } else {
        echo "Yes";
    }
    echo "</td>\n";
    echo "<td><a href=\"edit_post.php?page=" . urlencode($page['id']) . "&post=" .
        urlencode($posts['id']) . "\"><img src=\"images/post_edit.png\" width=\"16\" height=\"16\" /></a></td>\n";
    echo "<td><a href=\"delete_post.php?post=" . urlencode($posts['id']) . "\"><img src=\"images/post_delete.png\" width=\"16\" height=\"16\" onClick=\"return confirm('Are you sure you wann delete this post. This action can not be undone!.');\"/></a></td>\n";
    echo "</tr>\n";

}
echo "</table>\n";
?>
</div>
</div>
<?php include ("footer.php") ?>


Posted: Thu Sep 13, 2012 3:23 pm
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 12721
Location: New York, NY, US
The error is with line:
rename("../uploads/".$oldname, "../uploads/".$dirname);
Do you know what the values of $oldname and $dirname are?

_________________
(#10850)


Posted: Thu Sep 13, 2012 4:17 pm
Forum Newbie

Joined: Fri Sep 07, 2012 6:20 pm
Posts: 16
Yes, the problem is in the rename function, I know it. But I don't know how to pass a variable into the SQL query; the problem is in this code:
$postid= $posts['id'];
$query2 = "SELECT * FROM posts where id='$postid'";
$result2 = mysql_query($query2);
while($row = mysql_fetch_array($result2)){
$oldname = $row['dirname'];
echo $oldname;
}

I need to get the value that is passed from the other page, I think from this one:
echo "<td><a href=\"edit_post.php?page=" . urlencode($page['id']) . "&post=" .
        urlencode($posts['id']) . "\"><img src=\"images/post_edit.png\" width=\"16\" height=\"16\" /></a></td>\n";


Posted: Fri Sep 14, 2012 10:01 am
Forum Newbie

Joined: Fri Sep 07, 2012 6:20 pm
Posts: 16
OK, the question will be how to get the value of ($posts['id']) that is passed from this code:
echo "<td><a href=\"edit_post.php?page=" . urlencode($page['id']) . "&post=" .
        urlencode($posts['id']) . "\"><img src=\"images/post_edit.png\" width=\"16\" height=\"16\" /></a></td>\n";
from one page to the other page. I need to use this value to make an SQL query.


Posted: Mon Sep 17, 2012 4:51 am
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
You will find the value in $_GET['post'] in the other page.
Note that there are multiple SQL injection problems with the script as-is, and what you are doing with blindly calling rename() is completely unsafe.
Are you the author of this CMS and if not - why did you choose it specifically? It doesn't look very well written to me.


Top
 Profile  
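
The lookup and rename discussed in this thread, as an added example that is not part of any post or of eliteCMS: the id is taken from $_GET['post'] and validated, the queries use bound parameters, and the directory name is built from an allow-list and confined to the uploads root. It assumes PDO is available (an in-memory SQLite table stands in for the MySQL one); safe_dirname() and rename_post_dir() are hypothetical names.

```php
<?php
// Added example, not eliteCMS code. safe_dirname() and rename_post_dir() are
// hypothetical helpers; table and column names follow the thread.
function safe_dirname(string $title): string {
    // Allow-list: runs of anything but letters, digits, "_" and "-" become "-".
    $name = substr(trim(preg_replace('/[^A-Za-z0-9_-]+/', '-', $title), '-'), 0, 64);
    if ($name === '') throw new InvalidArgumentException('title gives no usable directory name');
    return $name;
}

function rename_post_dir(PDO $db, string $uploads, $rawId, string $title): string {
    // The id arrives as $_GET['post']; accept positive integers only.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) throw new InvalidArgumentException('invalid post id');
    // Bound parameter instead of interpolating the value into the SQL string.
    $stmt = $db->prepare('SELECT dirname FROM posts WHERE id = ?');
    $stmt->execute([$id]);
    $old = $stmt->fetchColumn();
    if (!is_string($old) || $old === '') throw new RuntimeException('post has no directory');
    $base = realpath($uploads);
    if ($base === false) throw new RuntimeException('uploads root missing');
    $from = realpath($base . DIRECTORY_SEPARATOR . $old);
    // The stored name must resolve to a directory directly inside the uploads root.
    if ($from === false || dirname($from) !== $base || !is_dir($from)) {
        throw new RuntimeException('stored dirname does not resolve inside uploads root');
    }
    $new = safe_dirname($title);
    $to = $base . DIRECTORY_SEPARATOR . $new;
    if ($to !== $from) {
        if (file_exists($to)) throw new RuntimeException('target directory already exists');
        if (!rename($from, $to)) throw new RuntimeException('rename failed');
    }
    $db->prepare('UPDATE posts SET title = ?, dirname = ? WHERE id = ?')
       ->execute([$title, $new, $id]);
    return $new;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$uploads = sys_get_temp_dir() . '/uploads_demo_' . uniqid();
mkdir("$uploads/old-name", 0700, true);
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, dirname TEXT)");
$db->exec("INSERT INTO posts VALUES (7, 'Old Name', 'old-name')");
echo rename_post_dir($db, $uploads, '7', 'Acme & Sons / Sofia'), "\n";
```

The database row is updated only after the directory rename has succeeded, so a failed rename leaves the stored dirname pointing at the directory that still exists.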
 