Safely Remove Mb_strtolower

abyse Notable Member

Messages:: 346

Likes Received:: 9

Best Answers:: 1

Trophy Points:: 245

#1

Hi guys, please help me to remove the mb_strtolower function from a script.

1: There I enter a tag ex: Bigbang
code:
{input name='tags[]' type='autocomplete_list' ajaxFile='ajax_tagsList.php' id='tags' default_description=$default_description values=$wallpaper.tags}
Code (markup):
2: script calls ajax_tagsList.php
code:

<?php
include "config.php";

if ($_GET['action']=='add')
{
$_GET['q'] = mb_strtolower($_GET['q']);
$sql = "SELECT * FROM `".DB_PREFIX."tags` WHERE `user_id`='".$_SESSION['user_id']."' AND `name`='".$_GET['q']."' ";
$tagCheck = $DB->get($sql);
if (count($tagCheck)==0)
{
$sql = "INSERT INTO `".DB_PREFIX."tags` SET `user_id`='".$_SESSION['user_id']."', `name`='".$_GET['q']."', `created`=NOW(), `modified`=NOW() ";
$DB->query($sql);
}
}

$str_where = '';
if (isset($_GET['q']) and $_GET['q']!='')
{
$str_where = " AND `name` LIKE '%".$_GET['q']."%' ";
}

$sql = "SELECT * FROM `".DB_PREFIX."tags` WHERE `user_id`='".$_SESSION['user_id']."' ".$str_where." ";
$tags = $DB->getAll($sql);

$i=1;
foreach($tags as $tag)
{
$arr = array("name" => $tag['name'],
"short_name" => $tag['short_name'],
"id" => $tag['id']);
if (!extension_loaded('json'))
$json_data[$i++] = $arr;
else
$json_data[] = $arr;
}

if (!extension_loaded('json')){
$json = new JSON;
$objs = $json->serialize($json_data);
}
else{
$objs = json_encode($json_data);
}
echo $objs;
?>
Click to expand...

3: Script display the tag as: bigbang
code:

<?php

class TagsModule extends Module
{
function TagsModule()
{
$this->name = 'TagsModule';
$this->version = '1.02';
$this->displayName = 'Tags Module';

parent::Module();

$this->page = basename(__FILE__, '.php');

//$this->warning = $this->l('You have not yet set your Tags Module ID');

$this->description = $this->l('Integrate the Tags Module script into your site');
$this->confirmUninstall = $this->l('Are you sure you want to uninstall the Tags Module module?');
}

function install()
{
if (!parent::install() OR !$this->registerHook('content'))
return false;
return true;
}

function uninstall()
{
if (!parent::uninstall())
return false;
return true;
}

function hookContent($params)
{
global $step, $smarty, $DB, $page_name_pieces, $page_name_pieces_wo_page;

if ($params['page_name']!='tag') return '';
if ($page_name_pieces[1]=='') return '';
$page = $params["page"];

$arr_param = $page_name_pieces_wo_page;
array_shift($arr_param);
$tag = UTF8::strtolower(implode('/', $arr_param));

if (strpos($tag, " ")!==false)
{
redirect(smarty_modifier_url(str_replace(' ', URL_WORD_SEPARATOR, $tag), 'tag'));
exit();
}

$tag = str_replace(URL_WORD_SEPARATOR, ' ', $tag);

$sql = "SELECT a.* FROM `".DB_PREFIX."items` a,
`".DB_PREFIX."tags` b,
`".DB_PREFIX."tags_items` c
WHERE
c.item_id=a.id AND
b.id=c.tag_id AND
LOWER(b.name)='".$DB->s($tag)."' AND
a.`enabled`=1 AND
a.`visible`=1
ORDER BY `created` DESC
LIMIT ".(ITEMS_PER_PAGE*($page-1)).",".ITEMS_PER_PAGE;

//echo $sql;

$items = $DB->getAll($sql);

for($i=0; $i<count($items); $i++)
{
$items[$i][thumb_rating] = rating_bar($items[$i]['id'], '5', 'static');
}

$smarty->assign("items", $items);

$items = $DB->get("SELECT COUNT(a.id) as `total` FROM `".DB_PREFIX."items` a,
`".DB_PREFIX."tags` b,
`".DB_PREFIX."tags_items` c
WHERE
c.item_id=a.id AND
b.id=c.tag_id AND
LOWER(b.name)='".mb_strtolower($DB->s($tag))."' AND
a.`enabled`=1 AND
a.`visible`=1 ");
$total = $items['total'];
$smarty->assign("tag", $tag);
$smarty->assign("pagination", $DB->show_pagination($total, $page));

if (PAGE_OUTPUT == "rss")
{
$smarty->assign("meta_title", $this->l('Wallpapers tagged with %s Rss', array('p1'=>$tag)));
}
else

$smarty->assign("meta_title", $this->l('Wallpapers tagged with %s - Page %s', array('p1'=>$tag, 'p2'=>$page)));
$smarty->assign("meta_description", $this->l('Wallpapers tagged with %s - Free Wallpapers - Page %s', array('p1'=>$tag, 'p2'=>$page)));
$smarty->assign("meta_keywords", $this->l('%s, wallpapers, free, desktop, stock, photos', array('p1'=>$tag)));

$output = $this->display(__FILE__, 'tagsmodule.tpl');

return $output;
}

}
?>
Click to expand...

This scrip is from a wallpaper site, the problem is when I add a tag ex: Bigbang the script will insert the word as "bigband" in mysql and displays at "bigband"

I want to use capital letters in some tags, but i can't remove the .mb_strtolower function :/

any help would be greatly appreciated, thanks.

Last edited: Feb 10, 2013

abyse, Feb 10, 2013 IP

gavo Active Member

Messages:: 123

Likes Received:: 4

Best Answers:: 1

Trophy Points:: 70

#2

Cant you just use ucfirst("$string"); when displaying the tags? if you remove strtolower function all existing tags may break.

http://php.net/manual/en/function.ucfirst.php

gavo, Feb 10, 2013 IP

tribulant Active Member

Messages:: 352

Likes Received:: 37

Best Answers:: 0

Trophy Points:: 85

#3

It seems like your script stores and reads the 'name' value via MySQL as lowercase.

You can remove mb_strtolower() where the values are being stored so that they are stored into the 'name' field as they are typed in so that everything isn't lowercase automatically.

tribulant, Feb 11, 2013 IP

abyse Notable Member

Messages:: 346

Likes Received:: 9

Best Answers:: 1

Trophy Points:: 245

#4

so I remove mb_strtolower from this line:

LOWER(b.name)='".mb_strtolower($DB->s($tag))."' AND
Click to expand...

it would be:

LOWER(b.name)='".($DB->s($tag))."' AND
Click to expand...

but how ti remove from this line? :

if ($_GET['action']=='add')
{
$_GET['q'] = mb_strtolower($_GET['q']);
$sql = "SELECT * FROM `".DB_PREFIX."tags` WHERE `user_id`='".$_SESSION['user_id']."' AND `name`='".$_GET['q']."' ";
$tagCheck = $DB->get($sql);
if (count($tagCheck)==0)
{
$sql = "INSERT INTO `".DB_PREFIX."tags` SET `user_id`='".$_SESSION['user_id']."', `name`='".$_GET['q']."', `created`=NOW(), `modified`=NOW() ";
$DB->query($sql);
}
}
Click to expand...

abyse, Feb 11, 2013 IP

innozemec Active Member

Messages:: 84

Likes Received:: 3

Best Answers:: 1

Trophy Points:: 68

#5

simply cut out this line $_GET['q'] = mb_strtolower($_GET['q']);

innozemec, Feb 11, 2013 IP

gavo Active Member

Messages:: 123

Likes Received:: 4

Best Answers:: 1

Trophy Points:: 70

#6

LOWER(b.name)='".$DB->s($tag)."' AND

gavo, Feb 11, 2013 IP

deathshadow Acclaimed Member

Messages:: 9,732

Likes Received:: 1,999

Best Answers:: 253

Trophy Points:: 515

#7

If you don't want it to change $_GET, store it in a variable for the places that need it changed and leave it alone where you want it 'mixed'... and why can't you just remove strtolower?!?

Though... I know I shouldn't be too surprised at bad/insecure PHP when I see someone using smarty -- the two seem to go hand in hand... but... wow...

You seem to be using some form of object based SQL, so why aren't you using prepared queries and instead seem to be blindly plugging in values to a string making the whole thing injection city? Goofy reverse quotes and string addition to build queries is decade out of date practices at best... Just what is that $db object because what you are doing with it is ... just wrong. Insecure, dangerous, just asking to be pwned.

Also not sure why you're bothering with the object version of JSON with the detection since it would work either way with the just function...

deathshadow, Feb 11, 2013 IP

Log in or Sign up

Safely Remove Mb_strtolower

abyse Notable Member

gavo Active Member

tribulant Active Member

abyse Notable Member

innozemec Active Member

gavo Active Member

deathshadow Acclaimed Member

Useful Searches