Hi Sheila,

Thank you so much for directing me to fix the bug. I am not much of a PHP expert, so your kindness in working on the code would help me greatly. The following code is the part of product_info.php that involves the bug:

<script language="javascript"><!--
document.write('<?php echo '<a href="javascript:popupWindow(\\\'' . tep_href_link(FILENAME_POPUP_IMAGE, 'pID=' . $product_info['products_id']) . '\\\')">' . tep_image(DIR_WS_IMAGES . $product_info['products_bimage'], $product_info['products_name'], 'hspace="5" vspace="5"') . '<br>' . TEXT_CLICK_TO_ENLARGE . '</a>'; ?>');
//--></script>
<noscript>
<?php echo '<a href="' . tep_href_link(DIR_WS_IMAGES . $product_info['products_bimage']) . '" target="_blank">' . tep_image(DIR_WS_IMAGES . $product_info['products_bimage'], $product_info['products_name']) . '<br>' . TEXT_CLICK_TO_ENLARGE . '</a>'; ?>
</noscript>


Note that the bug is with $product_info['products_name'].
Since the code takes the actual products_name from the database on the fly, the compiler takes it as an error and stops executing it. Maybe (I think) the fix you suggested should be applied not to the above code, but somewhere in the DB query code before the JavaScript:


$product_info_query = tep_db_query("select p.products_id, pd.products_name, pd.products_description, p.products_model, p.products_quantity, p.products_image, p.products_bimage, pd.products_url, p.products_price, p.products_tax_class_id, p.products_date_added, p.products_date_available, p.manufacturers_id from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd where p.products_status = '1' and p.products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "' and pd.products_id = p.products_id and pd.language_id = '" . (int)$languages_id . "'");
$product_info = tep_db_fetch_array($product_info_query);


tep_db_query("update " . TABLE_PRODUCTS_DESCRIPTION . " set products_viewed = products_viewed+1 where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "' and language_id = '" . (int)$languages_id . "'");

if ($new_price = tep_get_products_special_price($product_info['products_id'])) {
    $products_price = '<s>' . $currencies->display_price($product_info['products_price'], tep_get_tax_rate($product_info['products_tax_class_id'])) . '</s> <span class="productSpecialPrice">' . $currencies->display_price($new_price, tep_get_tax_rate($product_info['products_tax_class_id'])) . '</span>';
} else {
    $products_price = $currencies->display_price($product_info['products_price'], tep_get_tax_rate($product_info['products_tax_class_id']));
}


if (tep_not_null($product_info['products_model'])) {
    $products_name = $product_info['products_name'] . '<br><span class="smallText">[' . $product_info['products_model'] . ']</span>';
} else {
    $products_name = $product_info['products_name'];
}


I would very much appreciate your help in fixing this bug. Currently, I just change $product_info['products_name'] to $product_info[''] to eliminate the image alt text. Thanks.

KoaFar

At 08:58 AM 12/13/2003, you wrote:
K.F. Wu wrote:
However, since all products share the same product_info.php template and the image's alt parameter comes from each product name stored in the database, I have no way to edit each individual product_info page that is created on the fly and have the ' escaped.

The PHP function addslashes() will do this: http://www.php.net/manual/en/function.addslashes.php

If you want to post some of product_info.php, where it's writing the javascript, I'll show what changes to make.

Also, you should file a bug report with whoever wrote the code.

Sheila

--
Sheila Fenelon
http://www.shefen.com/
CGI and Database Programming


____ • The WDVL Discussion List from WDVL.COM • ____
To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] Send Your Posts To: [EMAIL PROTECTED]
To set a personal password send an email to [EMAIL PROTECTED] with the words: "set WDVLTALK pw=yourpassword" in the body of the email.
To change subscription settings to the wdvltalk digest version:
http://wdvl.internet.com/WDVL/Forum/#sub


________________ http://www.wdvl.com _______________________

You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
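A hardened way to emit the document.write() line discussed in this thread, added here as an example; it is not osCommerce code and not from either poster. The product name is raw database content that ends up in two contexts at once, an HTML alt="..." attribute and a JavaScript string literal, so it has to be escaped for each in turn: htmlspecialchars() for the attribute first, then json_encode() to build the JS literal. The names html_attr(), js_string(), js_string_addslashes() and enlarge_link_script() are hypothetical, the $popup_url and $image_src arguments stand in for what tep_href_link() and DIR_WS_IMAGES produce, the literal "Click to enlarge" stands in for TEXT_CLICK_TO_ENLARGE, and the sample product names are constructed for the demonstration. It assumes PHP 5.3 or later (for the JSON_HEX_* flags) and UTF-8 product names.

```php
<?php
// Added example, not osCommerce code: a hardened version of the
// "click to enlarge" link that product_info.php writes with document.write().
// The product name is untrusted database content, so it is escaped for the
// context it lands in: first the HTML alt="..." attribute, then the
// JavaScript string literal that carries the whole fragment.
// Assumes PHP >= 5.3 (JSON_HEX_* flags) and UTF-8 product names.

// Escape text for use inside an HTML attribute value or element body.
function html_attr($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Produce a double-quoted JavaScript string literal. json_encode() escapes
// quotes and backslashes, and the JSON_HEX_* flags additionally turn
// <, >, &, ' and " into \uXXXX sequences, so the literal can never contain
// a raw quote or the text "</script>" that would end the script block early.
// Returns false if $s is not valid UTF-8.
function js_string($s) {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// What an addslashes()-only fix produces, for comparison. It stops an
// apostrophe from ending the JS string, but leaves "</script>" untouched.
function js_string_addslashes($s) {
    return "'" . addslashes($s) . "'";
}

// Build the <script> block for the enlarge link. $popup_url and $image_src are
// hypothetical stand-ins for what tep_href_link() and DIR_WS_IMAGES produce and
// are server-generated (integer product id, configured image path);
// $products_name is the untrusted value from products_description.
function enlarge_link_script($popup_url, $image_src, $products_name) {
    $html = '<a href="javascript:popupWindow(\'' . html_attr($popup_url) . '\')">'
          . '<img src="' . html_attr($image_src) . '"'
          . ' alt="' . html_attr($products_name) . '" hspace="5" vspace="5">'
          . '<br>Click to enlarge</a>';
    return "<script type=\"text/javascript\">\n"
         . "document.write(" . js_string($html) . ");\n"
         . "</script>\n";
}

// Constructed sample names: the first is the apostrophe case from the thread,
// the second shows why escaping only quotes is not enough.
$names = array(
    "Sam's \"Deluxe\" Widget",
    "</script><script>alert(document.cookie)</script>",
);
foreach ($names as $name) {
    echo "addslashes only: ", js_string_addslashes($name), "\n";
    echo enlarge_link_script('popup_image.php?pID=42', 'images/widget.jpg', $name), "\n";
}
```

Run with `php example.php`: the addslashes-only line for the second name still contains a literal `</script>`, which a browser treats as the end of the script block regardless of the surrounding quotes, while the json_encode version emits it as `\u003C/script\u003E` and the browser only sees the closing tag after document.write() has already placed it inside an attribute. The same raw product name also goes into the alt attribute in the noscript branch of product_info.php, which is plain HTML, so that branch needs the htmlspecialchars() step as well.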
