Post between line 60 and 70. It is doubtful the error is still on the SQL injection line.
Post between line 60 and 70. It is doubtful the error is still on the SQL injection line.
lines 46 -> 71
Code:for ($i = 1; $i <= MAX_PRODUCTS; $i++) { $valid = false; $product_exist = false; if(isset($product_name) && $product_name[$i]){ foreach($product_name[$i] as $id => $product_language_name){ if($product_language_name != ''){ if(!$product_exist){ //if(strrchr($product_name[$i], '\\'))$image = substr(strrchr($product_image[$i])), '\\', 1;else $image = substr(strrchr($product_image[$i])), '/', 1; if (eregi('\\', $product_name[$i])) { $image = substr($product_image[$i], 1); } else { $image = str_replace('\\', '/', $image); $image = substr($image, 1); } $db->Execute("INSERT INTO " . TABLE_PRODUCTS . " (products_quantity, products_model, products_image, products_price, products_weight, products_status, products_tax_class_id, manufacturers_id) VALUES (" . $product_quantity[$i] . ", '" . $product_model[$i] . "', '" . $image . "', " . $product_price[$i] . ", " . $product_weight[$i] . ", ". $product_status[$i] . ", " . $product_tax[$i] . ", " . $product_manufacturer[$i] . ")"); $products_id_query = $db->Execute("SELECT products_id from " . TABLE_PRODUCTS . " WHERE products_quantity=" . $product_quantity[$i] ." and products_model='" . $product_model[$i] ."' and products_price=" . $product_price[$i] . " and products_weight=" . $product_weight[$i] . " and products_image='" . $image . "' and products_status=" . $product_status[$i] . " and products_tax_class_id=" . $product_tax[$i] . " and manufacturers_id=" . $product_manufacturer[$i] . "); $products_id = new objectInfo($products_id_query->fields); //$db->Execute("INSERT INTO " . TABLE_PRODUCTS_TO_CATEGORIES . " VALUES ('" . $products_id->products_id . "', '" . $product_categories[$i] . "');"); $db->Execute("INSERT INTO " . TABLE_PRODUCTS_TO_CATEGORIES . " VALUES ('" . (int)$products_id->products_id . "', '" . $product_categories[$i] . "')"); } $db->Execute("INSERT INTO " . TABLE_PRODUCTS_DESCRIPTION . " (products_id, language_id, products_name, products_description) VALUES ('" . $products_id->products_id . "', '" . $languages[$i][$id] . "', '" . $product_language_name . "', '" . $product_description[$i][$id] . "');"); $product_exist = true; $valid = true; } } }
this was another idea we tried...
Code:##// Update database switch ($_GET['action']) { case 'add' : $products_added = 0; for ($i = 1; $i <= MAX_PRODUCTS; $i++) { $valid = false; $product_exist = false; if($_POST['product_name'][$i]){ foreach($_POST['product_name'][$i] as $id => $product_language_name){ if($product_language_name != ''){ if(!$product_exist){ if(strrchr($_POST['product_image'][$i], '\\'))$image = substr(strrchr(trim(stripslashes($_POST['product_image'][$i])), '\\'), 1);else $image = substr(strrchr(trim(stripslashes($_POST['product_image'][$i])), '/'), 1); $db->Execute("INSERT INTO " . TABLE_PRODUCTS . " (products_quantity, products_model, products_image, products_price, products_weight, products_status, products_tax_class_id, manufacturers_id) VALUES (" . $_POST['product_quantity'][$i] . ", '" . $_POST['product_model'][$i] . "', '" . $image . "', " . $_POST['product_price'][$i] . ", " . $_POST['product_weight'][$i] . ", ". $_POST['product_status'][$i] . ", " . $_POST['product_tax'][$i] . ", " . $_POST['product_manufacturer'][$i] . ");"); $products_id_query = "SELECT products_id from " . TABLE_PRODUCTS . " WHERE products_quantity=" . $_POST['product_quantity'][$i] ." and products_model='" . $_POST['product_model'][$i] ."' and products_price=" . $_POST['product_price'][$i] . " and products_weight=" . $_POST['product_weight'][$i] . " and products_image='" . $image . "' and products_status=" . $_POST['product_status'][$i] . " and products_tax_class_id=" . $_POST['product_tax'][$i] . " and manufacturers_id=" . $POST['product_manufacturer'][$i] . ";"; $products_id = $db->Execute($products_id_query); $db->Execute("INSERT INTO " . TABLE_PRODUCTS_TO_CATEGORIES . " VALUES ('" . $products_id->fields['products_id'] . "', '" . $POST['product_categories'][$i] . "');"); } $db->Execute("INSERT INTO " . TABLE_PRODUCTS_DESCRIPTION . " (products_id, language_id, products_name, products_description) VALUES ('" . $products_id->fields['products_id'] . "', '" . $POST['languages'][$i][$id] . "', '" . $product_language_name . "', '" . $POST['product_description'][$i][$id] . "');"); $product_exist = true; $valid = true; } } } if($valid)$products_added++; } $messageStack->add($products_added . ' ' . TEXT_PRODUCTS_ADDED , 'success'); break; }
after finding a few bugs we got the mains screen up for the mod....
The php file seems to be working fine but i have stumbled on an SQL Hiccup..
This is so close to working, and will be a gr8 benefit to all if we can finish it.Code:1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 in: [SELECT products_id from zen_products WHERE products_quantity=50 and products_model='Test' and products_price=50 and products_weight=2 and products_image='Winter.jpg' and products_status=1 and products_tax_class_id=2 and manufacturers_id=;]
I have attached the SS with the main Screen in Zen Admin.
As mentioned earlier, remove all instances of:
into:PHP Code:
"););
PHP Code:
");
We made the mod finally work fairly well in regards to populating the site... there is only 2 problems we have left, 1 is the insertion of the images..and the other is on the very 1st attempt of adding a product it reverts back to the admin login page, this happens only the 1st time and after that t is fine....
i have been through the code many times but still cannot find anything that could cause this....
here is the DB insertion ....
Code:##// Update database switch ($_GET['action']){ case 'add' : $products_added = 0; for ($i = 1; $i <= MAX_PRODUCTS; $i++) { $valid = false; $product_exist = false; if($_POST['product_name'][$i]){ foreach($_POST['product_name'][$i] as $id => $product_language_name){ if($product_language_name != ''){ if(!$product_exist){ echo 'aaaaa'; if(strrchr($_POST['product_image'][$i], '\\'))$image = substr(strrchr(trim(stripslashes($_POST['product_image'][$i])), '\\'), 1);else $image = substr(strrchr(trim(stripslashes($_POST['product_image'][$i])), '/'), 1); $db->Execute("INSERT INTO " . TABLE_PRODUCTS . " (products_quantity, products_model, image, products_price, products_weight, products_status, products_tax_class_id, manufacturers_id) VALUES (" . $_POST['product_quantity'][$i] . ", '" . $_POST['product_model'][$i] . "', '" . $image . "', " . $_POST['product_price'][$i] . ", " . $_POST['product_weight'][$i] . ", ". $_POST['product_status'][$i] . ", " . $_POST['product_tax'][$i] . ", " . $_POST['product_manufacturer'][$i] . ");"); $products_id_query = "SELECT products_id from " . TABLE_PRODUCTS . " WHERE products_quantity=" . $_POST['product_quantity'][$i] ." and products_model='" . $_POST['product_model'][$i] ."' and products_price=" . $_POST['product_price'][$i] . " and products_weight=" . $_POST['product_weight'][$i] . " and products_image='" . $image . "' and products_status=" . $_POST['product_status'][$i] . " and products_tax_class_id=" . $_POST['product_tax'][$i] . " and manufacturers_id=" . $_POST['product_manufacturer'][$i] . ";"; $products_id = $db->Execute($products_id_query); $db->Execute("INSERT INTO " . TABLE_PRODUCTS_TO_CATEGORIES . " VALUES ('" . $products_id->fields['products_id'] . "', '" . $_POST['product_categories'][$i] . "');"); } $db->Execute("INSERT INTO " . TABLE_PRODUCTS_DESCRIPTION . " (products_id, language_id, products_name, products_description) VALUES ('" . $products_id->fields['products_id'] . "', '" . $_POST['languages'][$i][$id] . "', '" . $product_language_name . "', '" . $_POST['product_description'][$i][$id] . "');"); $product_exist = true; $valid = true; } } } if($valid)$products_added++; } $messageStack->add($products_added . ' ' . TEXT_PRODUCTS_ADDED , 'success'); break; }
Bookmarks