I reviewed the code above and offer suggestions in two areas:
1. Security – the event_id used in your dbquery is unsanitized. I highly recommend sanitizing it.
2. If a SQL error occurs, it will generate a lot of errors.
My adjusted input:
<?php
/*-------------------------------------------------------+
| PHP-Fusion Content Management System
| Copyright (C) PHP-Fusion Inc
| http://www.php-fusion.co.uk/
+--------------------------------------------------------+
| Filename: edit_event.php
| Author: Terry Broullette(Grimloch)
| Copyright © 2018 Terry Broullette(Grimloch)
| Web: https://www.whisperwillow.com
| Email: webmaster@whisperwillow.com
+--------------------------------------------------------+
| This program is released as free software under the
| Affero GPL license. You can redistribute it and/or
| modify it under the terms of this license which you
| can read by viewing the included agpl.txt or online
| at www.gnu.org/licenses/agpl.html. Removal of this
| copyright header is strictly prohibited without
| written permission from the original author(s).
+--------------------------------------------------------*/
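require_once "../../../maincore.php";
require_once THEMES . "templates/admin_header.php";
include INFUSIONS . "bday_panel/infusion_db.php";
// Locale strings for this infusion: the admin's configured locale when a
// translation file exists, otherwise English.
$bp_locale_file = INFUSIONS . "bday_panel/locale/" . $settings['locale'] . ".php";
if (file_exists($bp_locale_file)) {
    include $bp_locale_file;
} else {
    include INFUSIONS . "bday_panel/locale/English.php";
}
// The only request value this script consumes as a bare global is event_id
// (hidden field of the edit form, or the URL parameter). It is read
// explicitly and as an integer. The former extract($_POST)/extract($_GET)
// emulation of register_globals let any request parameter define or
// overwrite any variable in this scope - including ones already set by
// maincore and the locale file such as $settings, $locale and $aidlink -
// and delivered event_id to the UPDATE below as an unfiltered string.
// The GET value wins over POST, as the old overwrite order had it.
$event_id = 0;
if (isset($_POST['event_id'])) {
    $event_id = intval($_POST['event_id']);
}
if (isset($_GET['event_id'])) {
    $event_id = intval($_GET['event_id']);
}
// Admin-panel gate: the BDC admin right plus the per-session aid token.
// The token is compared with !== so two strings are never compared as
// numbers (a loose != treats e.g. "0e123" and "0e456" as equal).
if (!checkrights("BDC") || !defined("iAUTH") || !isset($_GET['aid']) || $_GET['aid'] !== iAUTH) {
    redirect(BASEDIR . "index.php");
}
// NOTE(review): jQuery UI is fetched from a third-party CDN with no integrity
// attribute; serving it from INFUSIONS like the other scripts, or adding SRI,
// removes that external dependency from the admin panel.
add_to_head(
    "<script type='text/javascript' src='https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js'></script>"
);
add_to_head("<script type='text/javascript' src='" . INFUSIONS . "bday_panel/include/date.js'></script>");
add_to_head("<script type='text/javascript' src='" . INFUSIONS . "bday_panel/include/jquery.datePicker.js'></script>");
add_to_head("<link rel='stylesheet' href='" . INFUSIONS . "bday_panel/css/datePicker.css' type='text/css' />");
add_to_head("<link rel='stylesheet' href='" . INFUSIONS . "bday_panel/css/calendar.css' type='text/css' />");
// Date picker bootstrap: binds by the .date-pick class, so the inputs below
// only need that class to be picked up.
add_to_head(
    "<script type='text/javascript' charset='utf-8'>
Date.firstDayOfWeek = 0;
Date.format = 'yyyy-mm-dd';
$(function()
{
$('.date-pick').datePicker({startDate:'1996-01-01'});
});
</script>"
);
require_once INCLUDES . "bbcode_include.php";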
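if (isset($_POST['edit_event'])) {
    // Every text field goes through stripinput(), the project's input filter,
    // which is what this handler relies on to neutralise quotes for the SQL
    // literals below and for the later HTML output. Each field defaults to ""
    // so a missing key never leaves a variable undefined when the UPDATE is built.
    $event_title = isset($_POST['event_title']) ? stripinput($_POST['event_title']) : "";
    $event_desc = isset($_POST['event_desc']) ? stripinput($_POST['event_desc']) : "";
    $link_url = isset($_POST['link_url']) ? stripinput($_POST['link_url']) : "";
    $link_name = isset($_POST['link_name']) ? stripinput($_POST['link_name']) : "";
    $event_start = isset($_POST['event_start']) ? stripinput($_POST['event_start']) : "";
    $event_end = isset($_POST['event_end']) ? stripinput($_POST['event_end']) : "";
    $start_time = isset($_POST['start_time']) ? stripinput($_POST['start_time']) : "";
    $end_time = isset($_POST['end_time']) ? stripinput($_POST['end_time']) : "";
    $all_day = isset($_POST['all_day']) ? stripinput($_POST['all_day']) : "";
    // The row to update is chosen by the hidden event_id field (the URL
    // parameter wins if both are present). It is the one value in the
    // statement that stripinput() never touched, so it is coerced to an
    // integer before it reaches the WHERE clause.
    $event_id = 0;
    if (isset($_POST['event_id'])) {
        $event_id = intval($_POST['event_id']);
    }
    if (isset($_GET['event_id'])) {
        $event_id = intval($_GET['event_id']);
    }
    // event_start is expected as yyyy-mm-dd from the date picker; the month
    // and day columns are derived from fixed offsets in that string. A value
    // not in that shape yields month 0 (and the fallback month name) instead
    // of a raw substring being stored.
    $event_month = intval(substr($event_start, 5, 2));
    // Locale keys bp_900..bp_910 hold the names for months 1..11; bp_911 is
    // December and also the catch-all for anything outside 1..11.
    $month_key = ($event_month >= 1 && $event_month <= 11) ? 900 + $event_month - 1 : 911;
    $month_name = $locale['bp_' . $month_key];
    $event_day = substr($event_start, 8, 2);
    dbquery(
        "UPDATE " . DB_BDAY_EVENTS . " SET event_title='$event_title', event_desc='$event_desc', link_url='$link_url', link_name='$link_name', event_start='$event_start', event_end='$event_end', event_month='$event_month', month_name='$month_name', start_time='$start_time', end_time='$end_time', all_day='$all_day', event_day='$event_day' WHERE event_id='$event_id'"
    );
    redirect(BASEDIR . "index.php");
}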
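$content = "Error encountered"; // localize this.
if (isset($_GET['event_id']) && isnum($_GET['event_id'])) {
    $event = dbquery("SELECT * FROM " . DB_BDAY_EVENTS . " WHERE event_id='" . intval($_GET['event_id']) . "'");
    // Only build the form for a row that exists: dbarray() on an empty result
    // used to yield an all-empty form whose submit ran an UPDATE with a blank id.
    if (dbrows($event)) {
        $data = dbarray($event);
        // The stored values are re-emitted inside attributes and a <textarea>.
        // stripinput() is the only filter the save handler applies; where it
        // has already entity-encoded a value this replacement is a no-op, so it
        // only matters for rows written some other way. A byte-level
        // replacement is used rather than htmlspecialchars() so the result does
        // not depend on the install's charset setting.
        $esc_from = array("\"", "'", "<", ">");
        $esc_to = array("&quot;", "&#39;", "&lt;", "&gt;");
        $evid = intval($data['event_id']);
        $evtitle = str_replace($esc_from, $esc_to, $data['event_title']);
        $evdesc = str_replace($esc_from, $esc_to, $data['event_desc']);
        $evurl = str_replace($esc_from, $esc_to, $data['link_url']);
        $evname = str_replace($esc_from, $esc_to, $data['link_name']);
        $evstart = str_replace($esc_from, $esc_to, $data['event_start']);
        $evend = str_replace($esc_from, $esc_to, $data['event_end']);
        $stime = str_replace($esc_from, $esc_to, $data['start_time']);
        $etime = str_replace($esc_from, $esc_to, $data['end_time']);
        $all_day = $data['all_day'];
        // (The former "All Day"/time-span string was computed but never output,
        // and tested all_day against '1' while this form stores 'yes'/'no'; it
        // has been dropped.)
        // Blank separator row repeated between every field row.
        $spacer = "</tr><tr>\n<td height='8' colspan='2'></td>\n</tr><tr>\n";
        $content = "<form name='editform' method='post' action='" . FUSION_SELF . $aidlink . "'>\n";
        $content .= "<table width='60%' border='0' cellpadding='0' cellspacing='0' align='center' class='tbl-brdr2'><tr>\n";
        $content .= "<td align='center' width='100%'>\n";
        $content .= "<table width='100%' border='0' cellpadding='5' cellspacing='5' align='center' class='tbl-brdr0'><tr>\n";
        $content .= "<td class='title0' align='center' colspan='2'>" . $locale['bp_314'] . "</td>\n";
        $content .= $spacer;
        $content .= "<td valign='middle'> " . $locale['bp_301'] . "*</td><td><input type='text' name='event_title' value='$evtitle' size='60' class='textbox' /></td>\n";
        $content .= $spacer;
        $content .= "<td valign='middle'> " . $locale['bp_302'] . "</td><td><textarea name='event_desc' cols='58' rows='8' class='textbox' style='width:98%'>$evdesc</textarea></td>\n";
        $content .= $spacer;
        $content .= "<td valign='middle'> " . $locale['bp_312'] . "</td><td>" . display_bbcodes(
            "98%", "event_desc", "editform"
        ) . "</td>\n";
        $content .= $spacer;
        $content .= "<td valign='middle'> " . $locale['bp_303'] . "<br /> " . $locale['bp_304'] . "</td><td><input type='text' name='link_url' value='$evurl' size='60' class='textbox' /></td>\n";
        $content .= $spacer;
        $content .= "<td valign='middle'> " . $locale['bp_305'] . "<br /> " . $locale['bp_306'] . "</td><td><input type='text' name='link_name' value='$evname' size='60' class='textbox' /></td>\n";
        $content .= $spacer;
        /* start New datePicker coding */
        // The picker is bound by the .date-pick class (see the head script), so
        // the two inputs get distinct ids instead of sharing one.
        $content .= "<td valign='middle'> " . $locale['bp_307'] . "</td><td valign='middle'><input class='date-pick' name='event_start' id='date-pick-start' value='$evstart'></td>\n";
        $content .= $spacer;
        $content .= "<td valign='middle'> " . $locale['bp_308'] . "</td><td valign='middle'><input class='date-pick' name='event_end' id='date-pick-end' value='$evend'></td>\n";
        /* end New datePicker coding */
        $content .= $spacer;
        $content .= "<td valign='middle'> " . $locale['bp_317'] . "<br /> " . $locale['bp_318'] . "</td><td><input type='time' name='start_time' value='$stime'>" . $locale['bp_319'] . "<input type='time' name='end_time' value='$etime'>" . $locale['bp_320'];
        // all_day is stored as 'yes'/'no'; the radio matching the stored value is preselected.
        $yes_checked = ($all_day == "yes") ? " checked" : "";
        $no_checked = ($all_day == "yes") ? "" : " checked";
        $content .= "<input type='radio' name='all_day' value='yes'" . $yes_checked . " />" . $locale['bp_322'] . " <input type='radio' name='all_day' value='no'" . $no_checked . " />" . $locale['bp_321'] . "</td>\n";
        $content .= $spacer;
        $content .= "<td class='title0' colspan='2' align='center'><input type='hidden' name='event_id' value='" . $evid . "' /><input type='submit' name='edit_event' class='button' value='" . $locale['bp_309'] . "'></td>\n";
        $content .= "</tr></table></td></tr></table><br /><br />\n";
        $content .= "</form>\n";
    }
}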
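// In PHP-Fusion themes opentable()/closetable() echo their markup rather than
// return it; the old expression concatenated their results with $content and
// discarded the string, so the form itself was never printed.
opentable($locale['bp_300']);
echo $content;
closetable();
require_once THEMES . "templates/footer.php";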