limor01 Posted July 6, 2007

Excellent idea that needs more work.

1. It has SQL injection risks. You need to make sure you clean the data from the URL before you insert it into your database as a query. Like:

$mfo_auction_query = mysql_fetch_object(tep_db_query('select auctions_starting_price, expires_date, overbid_amount from ' . TABLE_AUCTIONS_PRODUCTS . ' where products_id = ' . $_GET['products_id'] . ' and status'));

2. It has many bugs in implementation and design. For instance, if you use a module to make some of the code, why not use two modules to make product_info as clean as possible?

3. Timestamp is not saved in the bid, mistakes with table names, forgotten code parts. Fixed:

$sql_auction = "insert into " . TABLE_AUCTIONS_BIDS . " (auctions_bids_id, auctions_id, customers_id, bid_price, bid_status, bid_date_added) values ('', '$auction_id', '$customers_id', '$bid_price', '', now())";

Thanks, I hope to add some bug fixes to this post.
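As an added example (not code from the Auction contribution or from limor01's post), here is how the two queries quoted above look once the URL value is constrained and the bid values are escaped. It assumes the osCommerce helpers tep_db_query() and tep_db_input() and the TABLE_AUCTIONS_PRODUCTS / TABLE_AUCTIONS_BIDS constants behave as they do in the contribution; the function names mfo_get_auction_product() and mfo_insert_bid() are invented for this illustration.

```php
<?php
// Added example, not the contribution's own code. Assumes osCommerce's
// tep_db_query(), tep_db_input() (a mysql_real_escape_string wrapper) and the
// TABLE_AUCTIONS_* constants; function names are constructed for illustration.

// Risky form quoted in the post (kept only as a comment for comparison):
//   'where products_id = ' . $_GET['products_id'] . ' and status'
// Whatever arrives in the URL is spliced straight into the SQL text.

// Hardened lookup: products_id is numeric, so force it to an integer first.
function mfo_get_auction_product($products_id) {
    // (int) guarantees a plain integer literal ends up in the query; a
    // non-numeric or tampered value becomes 0 and is rejected below.
    $products_id = (int) $products_id;
    if ($products_id <= 0) {
        return false;                      // reject before touching the database
    }
    $sql = 'select auctions_starting_price, expires_date, overbid_amount'
         . ' from ' . TABLE_AUCTIONS_PRODUCTS
         . ' where products_id = ' . $products_id
         . ' and status';
    return mysql_fetch_object(tep_db_query($sql)); // false when no row matches
}

// Hardened bid insert: ids cast to int, price validated then escaped,
// timestamp supplied by the database server rather than the client.
function mfo_insert_bid($auction_id, $customers_id, $bid_price) {
    $auction_id   = (int) $auction_id;
    $customers_id = (int) $customers_id;
    if ($auction_id <= 0 || $customers_id <= 0) {
        return false;
    }
    // bid_price is a money amount: accept only digits with an optional
    // two-decimal fraction, then escape it before it reaches the SQL string.
    if (!preg_match('/^\d+(\.\d{1,2})?$/', (string) $bid_price)) {
        return false;
    }
    $bid_price = tep_db_input($bid_price);
    $sql = 'insert into ' . TABLE_AUCTIONS_BIDS
         . ' (auctions_id, customers_id, bid_price, bid_status, bid_date_added)'
         . " values ($auction_id, $customers_id, '$bid_price', '', now())";
    return tep_db_query($sql);
}

// Usage as it would appear in product_info.php (constructed):
// $auction = mfo_get_auction_product($_GET['products_id']);
// if ($auction !== false) {
//     mfo_insert_bid($auction_id, $customer_id, $_POST['bid_price']);
// }
```

The integer cast is the simplest fix for the lookup because products_id can never legitimately be anything else; for the bid price, which is a string in SQL, validating the format and then passing it through tep_db_input() keeps the quoting intact. Omitting auctions_bids_id from the insert lets the auto-increment column fill itself instead of inserting an empty string.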
Guest Posted July 6, 2007

(quoting limor01's post above)

I wonder where this post belongs?
bkellum Posted July 6, 2007

(quoting limor01's post above)

Hey Don, what contribution are you making comments about?? :blink:

Bill Kellum, Sounds Good Productions
STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum, STS Forum, FREE TEMPLATE
JangoF Posted July 6, 2007

The Auction contribution.