Can't use function return value in write context

**NightShift58** · 02-26-2007 12:11 PM

This could be part of the problem:

PHP Code:


function cleanup_input ($value = "", $presrve = "", $allowed_tags = "")



    {

    

    Global $continue;

        

    if(empty($preserve))

        {

        $value = strip_tags($value, $allowed_tags);

        }

    $value = htmlspecialchars($value);

    return $value;

    }

You've got 2 spellings for "$preserve".

EDIT: Why are you using "global $continue". It's not being bused for anything in this function.

**NightShift58** · 02-26-2007 12:15 PM

Change to:

PHP Code:


function cleanup_input ($value="", $preserve="", $allowed_tags="") {

  if($preserve == "") {

    $value = strip_tags($value, $allowed_tags);

  }

  return htmlspecialchars($value);

}

**lightnb** · 02-26-2007 12:26 PM

Originally Posted by NightShift58

Why are you using "global $continue". It's not being bused for anything in this function.

You know, just in case....

Honestly, I don't know why that's there, considering a $continue variable isn't used in the entire site....

I've modified the cleanup_input function as sugguested but still get an error:

PHP Code:


I've Failed You For The Last Time:

# Script Name: /RVM/registration/register2.php

# Include File: /home/rahl/public_html/RVM/include/functions.php

# errorno=1064

# error=You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1

# query= 1



Array

(

    [0] => Array

        (

            [file] => /home/rahl/public_html/RVM/include/functions.php

            [line] => 217

            [function] => safe_query

            [args] => Array

                (

                    [0] => 1

                )



        )



    [1] => Array

        (

            [file] => /home/rahl/public_html/RVM/registration/register2.php

            [line] => 29

            [function] => form_validator_names

            [args] => Array

                (

                    [0] => Dr.

                    [1] => Lastname

                    [2] => Nick

                    [3] => 23456

                )



        )



)

**NightShift58** · 02-26-2007 12:46 PM

Try this:

PHP Code:


function safe_query ($query="") {

  echo "<hr>$query<hr>";

  $result = FALSE;

  if (!empty($query)) {

    $result = @mysql_query($query);

    if (!$result) {

      echo "I've Failed You:<br>";

      echo "<li>Script Name: " . $_SERVER['PHP_SELF'];

      echo "<li>Include File: " . __FILE__;

      echo "<li>errorno=" . mysql_errno();

      echo "<li>error="   . mysql_error();

      echo "<li>query= "  . $query;

      echo "<pre>";

      print_r(debug_backtrace());

      echo "</pre>";

      exit;

    }

  }

  return $result;

}

**lightnb** · 02-26-2007 01:17 PM

Code:

is the contents of the query it lists at the top of the screen.

Somehow it's getting a value of 1 from somewhere.

**NightShift58** · 02-26-2007 01:24 PM

Where else besides form_validator() is safe_query being used?

**bokeh** · 02-26-2007 02:35 PM

PHP Code:


<?php



echo true; // 1



?>

My guess is the query is being converted to a boolean by something in the chain.

**bokeh** · 02-26-2007 02:50 PM

Originally Posted by lightnb

Code:

	if(empty($error))
		{
		$query = mysql_query("UPDATE Users SET title='$title',last_name='$l_name',first_name='$f_name',zip='$zip' WHERE handle='$user_name'") 
		or die(mysql_error());  
		
		safe_query($query);

I don't understand what is going on here. Anyway I was right about a boolean. It is an UPDATE query and mysql_query is returning true. Then for some reason you are running that boolean as if it were another query. Also what is the point having that function if you never use the return value for anything.

**NightShift58** · 02-26-2007 02:51 PM

Yes, that's what's happening but it's not clear to me where- based on the posted snippets.

**NightShift58** · 02-26-2007 02:53 PM

Originally Posted by bokeh

I don't understand what is going on here. Anyway I was right about a boolean. It is an UPDATE ...

Where did you find this snippet?

EDIT: Found it... Didn't see it before... Should be:

PHP Code:


if(empty($error)) {

        $query = "UPDATE Users SET title='$title',last_name='$l_name',first_name='$f_name',zip='$zip' WHERE handle='$user_name'";

        $result = safe_query($query);

EDIT: Based on Bokeh's observation...

**bokeh** · 02-26-2007 03:05 PM

Originally Posted by NightShift58

PHP Code:


safe_query($query);

Yeah, but you also need to pick up the return value and do something with it.

**lightnb** · 02-26-2007 09:03 PM

Thanks guys! That fixed the query problem. It now reads:

PHP Code:


UPDATE Users SET title='Ms.',last_name='dsfad',first_name='dfasf',zip='23456' WHERE handle=''

It doesn't seem to be passing the user name from page one correctly though.

When I type the user name in registration1.php and it fowards to the next page, it shows up in the header as "....php?user_name=doofus", and I can get it using HTTP_GET_VARS[] and display it back to the user, (as in "Thank you, Doofus for completing page one!") but once the submit button is pressed on the second page, it seems to 'forget' the username. Maybe it needs to be put into a hidden form field?

Also, I'm wondering if there's not a more secure way to do this (even if it's a bit more complex). My fear is that a malicious user could change the "?user_name=john" line, and use the second registration page to change people's information. (since the record is modified based on the posted username)

How else would it work? Session variables or cookies?

Thanks again for everything,

Nick

**bokeh** · 02-27-2007 07:47 AM

This is probably happening because your form uses the POST method.

**lightnb** · 02-27-2007 08:53 AM

I've switched to session variables to handle all of the passing of information from one page to another, and I have *most* everything working.

I'm having trouble with my email confirmation page now, and I can't figure out why. It changes the database corectly, but it isn't printing the error or confirmation method.

I've been working on it for a couple hours now and I can get the message to print under the table, but not inside it!

This is the confirmation page:

PHP Code:


<?PHP

session_start( );

$location_ID ="RVM Email Confirmation"; // Set the location variable 



// Include the registration forms functions page

Require('../registration/registration_forms.php');



// Include Database connection information 

Require('../include/SQL_connect.php');



// Include the shared registration functions

Require('../include/functions.php');





// get the confirmation code

$code = $HTTP_GET_VARS["confirmation_code"];



check_confirmation_code($code);



//$_SESSION["return_message"] = check_confirmation_code($code);







?>

and this is the function that goes with it:

PHP Code:


function check_confirmation_code($code)

    {

    $query = "SELECT * FROM Users WHERE confirmation_code = '$code'";

    $result = safe_query($query);

    if (mysql_num_rows($result) > 1)

        {

        $return_message = "AAAAAAAAHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!!!<br/> Something has gone teribly wrong. Please email technical support,

        or <a href='../registration/dc_request.php' class='inline_link'>request a new confirmation code here</a>.";

        

        // draw the page

        registration_email_confirmation();    

        

        }

        elseif (mysql_num_rows($result) < 1)

        {

        $return_message = "I'm sorry, but the confirmation code you have entered isn't valid.<br/>Please be sure you are using the

        code provided in your confirmation email, and that you are doing so within 24 hours of receiving it.

        If you need to, you may <a href='../registration/dc_request.php' class='inline_link'>request a new confirmation code here</a>.";

    

        // draw the page

        registration_email_confirmation();    

        

        }

        elseif (mysql_num_rows($result) == 1)

        {

        

        $row = mysql_fetch_array( $result );

                

        session_register("l_name");

        $_SESSION["l_name"] = $row['last_name'];

        

        session_register("title");

        $_SESSION["title"] = $row['title'];

        

        session_register("user_name");

        $_SESSION["user_name"] = $row['handle'];

        

                session_register("email");

        $_SESSION["email"] = $row['email'];

        

        session_register("confirmation_code");

        $_SESSION["confirmation_code"] = $row['confirmation_code'];

        

        $return_message = "Thank you, ".$_SESSION["title"]."&nbsp;".$_SESSION["l_name"].".<br/><br/><br/>

        You are now registered under the username: ".$_SESSION["user_name"]." Using the email address: ".$_SESSION["email"]."

        <br/><br/> From here, you can <a href='../interface/user_home.php' class='inline_link'>go to your homepage</a>.... more options when I acctually code somewhere to go.";

        

        $query = "UPDATE Users SET confirmation_code='0',confirmed='1' WHERE confirmation_code='".$_SESSION["confirmation_code"]."'";

        $result = safe_query($query);

        

        // draw the page

        registration_email_confirmation();

        

        }

    

    }

and this is the function that prints the HTML, and *should* be printing out the $return_message variable inside of it:

PHP Code:


function registration_email_confirmation()

    {

    

    // Include the header information



    global $return_message;



    Require('../include/header.php');

    

    echo "

    

<table align='center' background='http://www.rahlentertainment.com/RVM/Images/registration/register_generic.jpg' border='0' width='778px' height='379px'>



<! ROW ONE >



    <tr height='75px'>

        <td>

        

        </td>

    </tr>

    

<! ROW TWO >



    <tr height='35px'>

        <td>

        <Table border='0'>

            <tr>

                <td width='240px'>

                

                </td>

                <td width='450px' align='left'>

                </td>

                <td>

                </td>

            </tr>

        </table>

        </td>

    </tr>



<!ROW THREE>

    <tr height='120px' valign='top'>

        <td>

            <table width='522px' align='right'>

                <tr>

                    <td>

                    <div class='form_instructions'>

                    ".$return_message."

                    </div>

                    </td>

                </tr>

            </table>

        </td>

    </tr>



<! ROW FOUR >



    <tr height='89'>

        <td>

        

        </td>

    </tr>

    

<! ROW FIVE >



    <tr>

        <td>

        <table border='0'>

            <tr>

                <td width='131'>

                

                </td>

                <td>

                <a href='#' class='small_text_links'>Terms of Use</a>

                </td>

                <td width='346px'>

                </td>

                <td>

                <a href='#' class='small_text_links'>Privacy Policy</a>

                </td>

            </tr>

        </table>

        </td>

    </tr>

</table>

    ";

    

    }

Thread: Can't use function return value in write context

Thread Tools

Display

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions