<?php
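    /*
     * Development diagnostics: every notice and warning is rendered into the
     * response body.
     * NOTE(review): on any host reachable by untrusted users, switch
     * display_errors off and rely on the error log instead.
     */
    error_reporting(E_ALL | E_STRICT);
    ini_set("display_errors", 1);

    /*
     * Open the database connection.
     * NOTE(review): the account password is hard-coded and committed with the
     * source, so it should be treated as exposed: rotate it and load the
     * credentials from configuration kept outside the repository and web root.
     * NOTE(review): ext/mysql (mysql_*) was deprecated in PHP 5.5 and removed in
     * PHP 7, and it has no prepared statements; plan a move to mysqli or PDO.
     */
    $connection = mysql_connect("localhost", "sandbox", "brotato333");
    if (!$connection)
    {
        /* Driver messages can reveal host, account and schema details: log them, show a generic message. */
        error_log("insert.php: database connection failed: " . mysql_error());
        die("Could not connect to the database.");
    }

    /* once you get the handle, select a database to use */
    $db_select = mysql_select_db("sandbox", $connection);
    if (!$db_select)
    {
        error_log("insert.php: database selection failed: " . mysql_error());
        die("Failed to select a database.");
    }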
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hacker's Corner</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<h2>Fire fire fire!</h2>
<?php
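    /*
     * Handle the "new subject" form post: validate the three fields, insert one
     * row into `subjects`, then redirect.
     *
     * Every value placed in the SQL text is constrained first. ext/mysql has no
     * prepared statements, so the string field is escaped and quoted, and the
     * two unquoted fields are reduced to PHP integers: escaping alone does not
     * protect a value that is interpolated outside quotes.
     *
     * NOTE(review): the header() redirects below run after the page's HTML
     * preamble has already been emitted, so they only work when output
     * buffering is enabled; moving this handler above the markup would fix that.
     */

    /* Missing fields and non-string values (e.g. menu_name[]=x) collapse to '' and are rejected below. */
    $raw_menu_name = (isset($_POST['menu_name']) && is_string($_POST['menu_name'])) ? $_POST['menu_name'] : '';
    $raw_position = (isset($_POST['position']) && is_string($_POST['position'])) ? $_POST['position'] : '';
    $raw_visible = (isset($_POST['visible']) && is_string($_POST['visible'])) ? $_POST['visible'] : '';

    /* FILTER_VALIDATE_INT yields an int or false, so nothing but a number can reach the query. */
    $position = filter_var($raw_position, FILTER_VALIDATE_INT);

    /* visible is a boolean flag: accept the usual spellings (1/0, true/false, on/off, yes/no), null on anything else. */
    $visible_flag = ($raw_visible === '')
        ? null
        : filter_var($raw_visible, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);

    $requirements = array("menu_name" => 30);
    if (empty($raw_menu_name)
        || $position === false
        || $visible_flag === null
        || !validation($requirements, array("menu_name" => $raw_menu_name)))
    {
        header("Location: forms.php");
        exit;
    }

    $menu_name = mysql_real_escape_string($raw_menu_name, $connection);
    $visible = $visible_flag ? 1 : 0;

    /* string needs single quotes; position and visible are integers at this point */
    $query = "insert into subjects (
                menu_name, position, visible
            ) VALUES (
                '{$menu_name}', {$position}, {$visible}
            )";

    $result = mysql_query($query, $connection);
    if ($result)
    {
        header("Location: fetch.php");
        exit;
    }
    else
    {
        /*
         * The driver message can echo back parts of the submitted query, so it
         * goes to the server log rather than into the HTML response.
         */
        error_log("insert.php: subject insert failed: " . mysql_error());
        echo "<p>Subject creation failed.</p>\n";
    }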
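    /**
     * Check that each listed field fits within its maximum byte length.
     *
     * This is a length check only: a field that is absent from $source counts
     * as length 0 and passes. A value that is not a scalar (for example an
     * array submitted as field[]=x) fails, because strlen() cannot measure it
     * and the original comparison let it through.
     *
     * @param array $rules  map of field name => maximum length (strlen bytes)
     * @param array $source map of field name => submitted value
     * @return bool true when every field is within its limit, false otherwise
     */
    function validation($rules, $source)
    {
        foreach ($rules as $rule => $max_length)
        {
            $value = isset($source[$rule]) ? $source[$rule] : '';

            /* Reject arrays/objects outright instead of letting strlen() warn and return NULL. */
            if (!is_scalar($value))
            {
                return false;
            }

            if (strlen((string) $value) > $max_length)
            {
                echo "{$rule} is over {$max_length} characters long!<br />\n";
                return false;
            }
        }

        return true;
    }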

    /*
     * Release the connection explicitly. This line is only reached when the
     * insert fails: the validation-failure and success paths above both call
     * exit before getting here.
     */
    mysql_close($connection);
?>
</body>
</html>