
CodeSOD: Don't Read This Email

by Remy Porter, from The Daily WTF (#6NSW2)

Evan sent us 545 lines of PHP code from a file called spec_email.php. It appears to participate in sending an email, with a nice big pile of HTML in it. We're going to take it in a few chunks, because... choices were made.

It opens with this check, and a few variable declarations:

```php
if(!empty($_GET['action']) && ($_GET['action'] == 'send') ) {
    $template = implode('', file(DIR_FS_CATALOG . 'email/index.htm'));
    $assign = array(
        'BASE' => HTTP_SERVER . DIR_WS_CATALOG,
        'TOPTEXT' => $_POST['txt'],
        'HEADER1' => $_POST['head1'],
        'HEADER2' => $_POST['head2'],
        'HEADER3' => $_POST['head3'],
    );
```

Note both the $template and $assign variables: these are going to be important.

But before we play with those, let's take a look at our first major block of code.

```php
$table1 = '<table width="636" border="0" cellspacing="0" cellpadding="0" align="center"> <tr><td width="25%"><td><td width="25%"><td><td width="25%"><td><td width="25%"><td></tr> <tr>';
if(!empty($_POST['directors1'])) {
    $k = 1;
    $tot = 1;
    $data_query = mysql_query("SELECT p.products_price, pd.products_name, pd.products_description, p.products_id, s.specials_new_products_price, p.products_image FROM " . TABLE_PRODUCTS . " p LEFT JOIN " . TABLE_SPECIALS . " s ON p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd WHERE p.products_id = pd.products_id AND pd.language_id = '" . $_SESSION['languages_id'] . "' AND p.products_id IN(" . join(",", $_POST['directors1']) . ")");
    $num = mysql_num_rows($data_query);
    while($data = mysql_fetch_assoc($data_query)) {
        $table1 .= '<td align="center" width="25%" style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;">';
        $table1 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '"><img src="' . HTTP_SERVER . DIR_WS_CATALOG . 'sp.php?id=' . $data['products_id'] . '" width="100" height="138" alt="" border="0"></a><br>';
        $table1 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '">' . '$' . sprintf("%.2f", $data['specials_new_products_price']) . '</a>';
        $table1 .= '</td>';
        if($k == 4 && ($tot != $num)) {
            $table1 .= '</tr><tr>';
            $k = 0;
        }
        $k++;
        $tot++;
    }
}
$table1 .= '</tr></table>';
$assign['TABLE1'] = $table1;
```

This builds an HTML table of "directors", with several links per row. They're using the table as a grid layout tool, which would normally be bad, but is still common in emails, as many email clients don't properly support full HTML.

Note how the result gets stuffed into $assign['TABLE1'].

We repeat this for $table2 and $table3, which I'm skipping over right now.

Then we get this delightful bit:

```php
foreach($assign as $key => $value) {
    $template = str_replace('{' . $key . '}', $value, $template);
}
```

Remember that $template? We do a find-and-replace on it for every entry in the $assign array. This is their home-brew templating engine. They make no attempt to be efficient; they just find-and-replace over and over and over again.
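Beyond inefficiency, a loop of str_replace() calls is order-dependent: whatever an earlier value puts into the template is searched again by every later replacement. This added example (not code from spec_email.php; the template and the values are constructed) shows that behaviour next to a single-pass strtr() substitution and a check for leftover placeholders:

```php
<?php
// Added example, not from the original spec_email.php.
// Template and values below are constructed for the demonstration.

// The home-brew engine from the article: one str_replace() per key,
// applied in array order, each pass scanning the already-modified template.
function renderSequential(string $template, array $assign): string
{
    foreach ($assign as $key => $value) {
        $template = str_replace('{' . $key . '}', $value, $template);
    }
    return $template;
}

// Single pass: strtr() with an array walks the template once and never
// re-scans text that a replacement introduced.
function renderSinglePass(string $template, array $assign): string
{
    $map = [];
    foreach ($assign as $key => $value) {
        $map['{' . $key . '}'] = $value;
    }
    return strtr($template, $map);
}

// Check worth running before mail(): any "{KEY}" still present after
// rendering means a slot was never filled or a value carried one in.
function unfilledPlaceholders(string $rendered): array
{
    preg_match_all('/\{[A-Z0-9]+\}/', $rendered, $m);
    return array_values(array_unique($m[0]));
}

// Constructed template, a cut-down stand-in for email/index.htm.
$template = "<h1>{HEADER1}</h1>\n<div>{TOPTEXT}</div>\n{TABLE1}\n";

// Constructed values in the same order spec_email.php fills $assign:
// the POST-derived fields first, the generated TABLE1 markup last.
$assign = [
    'TOPTEXT' => 'Hello {TABLE1}',   // a form field that happens to contain a placeholder
    'HEADER1' => 'Specials',
    'TABLE1'  => '<table><tr><td>product grid</td></tr></table>',
];

$seq = renderSequential($template, $assign);
echo $seq;
// TOPTEXT is substituted first; the "{TABLE1}" it carried is then replaced
// by the later pass too, so the grid appears twice and nothing is left to flag.
var_dump(unfilledPlaceholders($seq));   // empty array

$single = renderSinglePass($template, $assign);
echo $single;
// Only the real slot is filled; the literal "{TABLE1}" inside the body text
// survives, and the check reports it so a human can look before sending.
var_dump(unfilledPlaceholders($single)); // ["{TABLE1}"]
```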

Finally, we can send the email.

```php
$headers = "From: " . STORE_OWNER . " <" . STORE_OWNER_EMAIL_ADDRESS . ">\r\n";
$headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
if(!empty($_POST['preview'])) {
    if(!empty($_POST['preview_email'])) {
        //tep_mail($_POST['preview_email'], $_POST['preview_email'], $_POST['ttl'], $template, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
        // $headers .= 'Bcc: php4script@gmail.com' . "\r\n";
        mail($_POST['preview_email'], $_POST['ttl'], $template, $headers,"-f".STORE_OWNER_EMAIL_ADDRESS);
        $message = 'Email sent';
    }
} elseif(!empty($_POST['real'])) {
    $cast_array = array();
    $data_query = mysql_query("SELECT customers_email_address FROM " . TABLE_CUSTOMERS . " WHERE customers_specials = 1");
    while($data = mysql_fetch_assoc($data_query)) {
        array_push($cast_array, $data['customers_email_address']);
    }
    $emails_str = join(",", $cast_array);
    $headers .= 'Bcc: ' . $emails_str . "\r\n";
    mail(STORE_OWNER_EMAIL_ADDRESS, $_POST['ttl'], $template, $headers,"-f".STORE_OWNER_EMAIL_ADDRESS);
}
```

If we're previewing the email, we send it to the preview_email address; otherwise we send it to the real list of customer addresses. At least they're doing it via BCC.

And that's the end of the if statement that opened this code, but it's not the end of our work. We also need to output the UI here. This is less a mess of string concatenation and more a mess of gigantic blobs of PHP code.

I'll share the full code, but there's one highlight. This is how they populate a drop-down list:

```php
while ($data = tep_db_fetch_array($query)) {
    $sel = 'selected';
    if (trim($data['products_name'])) {
        echo '<OPTION value="'.$data['products_id'].'" '.$sel.'>'.$data['products_name'].'</OPTION>'."\n";
    }
}
```

Once upon a time, they wanted to make only the first item selected, but they forgot how, so instead they just apply the selected attribute to every item.

Evan shares that this was implemented by contractors who were very expensive, who clearly didn't care, but who also clearly worked very hard on it. Harder than anyone should have, but hey, it's a lot of code!

Here is the code in its entirety:

```php
<?php
require('includes/application_top.php');
if(!empty($_GET['action']) && ($_GET['action'] == 'send') ) {
    $template = implode('', file(DIR_FS_CATALOG . 'email/index.htm'));
    $assign = array(
        'BASE' => HTTP_SERVER . DIR_WS_CATALOG,
        'TOPTEXT' => $_POST['txt'],
        'HEADER1' => $_POST['head1'],
        'HEADER2' => $_POST['head2'],
        'HEADER3' => $_POST['head3'],
    );

    $table1 = '<table width="636" border="0" cellspacing="0" cellpadding="0" align="center"> <tr><td width="25%"><td><td width="25%"><td><td width="25%"><td><td width="25%"><td></tr> <tr>';
    if(!empty($_POST['directors1'])) {
        $k = 1;
        $tot = 1;
        $data_query = mysql_query("SELECT p.products_price, pd.products_name, pd.products_description, p.products_id, s.specials_new_products_price, p.products_image FROM " . TABLE_PRODUCTS . " p LEFT JOIN " . TABLE_SPECIALS . " s ON p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd WHERE p.products_id = pd.products_id AND pd.language_id = '" . $_SESSION['languages_id'] . "' AND p.products_id IN(" . join(",", $_POST['directors1']) . ")");
        $num = mysql_num_rows($data_query);
        while($data = mysql_fetch_assoc($data_query)) {
            $table1 .= '<td align="center" width="25%" style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;">';
            $table1 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '"><img src="' . HTTP_SERVER . DIR_WS_CATALOG . 'sp.php?id=' . $data['products_id'] . '" width="100" height="138" alt="" border="0"></a><br>';
            $table1 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '">' . '$' . sprintf("%.2f", $data['specials_new_products_price']) . '</a>';
            $table1 .= '</td>';
            if($k == 4 && ($tot != $num)) {
                $table1 .= '</tr><tr>';
                $k = 0;
            }
            $k++;
            $tot++;
        }
    }
    $table1 .= '</tr></table>';
    $assign['TABLE1'] = $table1;

    $table2 = '<table width="636" border="0" cellspacing="0" cellpadding="0" align="center"> <tr><td width="25%"><td><td width="25%"><td><td width="25%"><td><td width="25%"><td></tr> <tr>';
    if(!empty($_POST['directors2'])) {
        $k = 1;
        $tot = 1;
        $data_query = mysql_query("SELECT p.products_price, pd.products_name, pd.products_description, p.products_id, s.specials_new_products_price, p.products_image FROM " . TABLE_PRODUCTS . " p LEFT JOIN " . TABLE_SPECIALS . " s ON p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd WHERE p.products_id = pd.products_id AND pd.language_id = '" . $_SESSION['languages_id'] . "' AND p.products_id IN(" . join(",", $_POST['directors2']) . ")");
        $num = mysql_num_rows($data_query);
        while($data = mysql_fetch_assoc($data_query)) {
            $table2 .= '<td align="center" width="25%" style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;">';
            $table2 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '"><img src="' . HTTP_SERVER . DIR_WS_CATALOG . 'sp.php?id=' . $data['products_id'] . '" width="100" height="138" alt="" border="0"></a><br>';
            $table2 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '">' . '$' . sprintf("%.2f", $data['specials_new_products_price']) . '</a>';
            $table2 .= '</td>';
            if($k == 4 && ($tot != $num)) {
                $table2 .= '</tr><tr>';
                $k = 0;
            }
            $k++;
            $tot++;
        }
    }
    $table2 .= '</tr></table>';
    $assign['TABLE2'] = $table2;

    $table3 = '<table width="636" border="0" cellspacing="0" cellpadding="0" align="center"> <tr><td width="25%"><td><td width="25%"><td><td width="25%"><td><td width="25%"><td></tr> <tr>';
    if(!empty($_POST['directors3'])) {
        $k = 1;
        $tot = 1;
        $data_query = mysql_query("SELECT p.products_price, pd.products_name, pd.products_description, p.products_id, s.specials_new_products_price, p.products_image FROM " . TABLE_PRODUCTS . " p LEFT JOIN " . TABLE_SPECIALS . " s ON p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd WHERE p.products_id = pd.products_id AND pd.language_id = '" . $_SESSION['languages_id'] . "' AND p.products_id IN(" . join(",", $_POST['directors3']) . ")");
        $num = mysql_num_rows($data_query);
        while($data = mysql_fetch_assoc($data_query)) {
            $table3 .= '<td align="center" width="25%" style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;">';
            $table3 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '"><img src="' . HTTP_SERVER . DIR_WS_CATALOG . 'sp.php?id=' . $data['products_id'] . '" width="100" height="138" alt="" border="0"></a><br>';
            $table3 .= '<a style="text-align:center; padding-right:5px; color: #303030; font-weight:bold; font-family: helvetica; font-size:16px; text-decoration:none;" href="' . tep_catalog_href_link('product_info.php', 'products_id=' . $data['products_id']) . '">' . '$' . sprintf("%.2f", $data['specials_new_products_price']) . '</a>';
            $table3 .= '</td>';
            if($k == 4 && ($tot != $num)) {
                $table3 .= '</tr><tr>';
                $k = 0;
            }
            $k++;
            $tot++;
        }
    }
    $table3 .= '</tr></table>';
    $assign['TABLE3'] = $table3;

    foreach($assign as $key => $value) {
        $template = str_replace('{' . $key . '}', $value, $template);
    }

    $headers = "From: " . STORE_OWNER . " <" . STORE_OWNER_EMAIL_ADDRESS . ">\r\n";
    $headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
    if(!empty($_POST['preview'])) {
        if(!empty($_POST['preview_email'])) {
            //tep_mail($_POST['preview_email'], $_POST['preview_email'], $_POST['ttl'], $template, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
            // $headers .= 'Bcc: php4script@gmail.com' . "\r\n";
            mail($_POST['preview_email'], $_POST['ttl'], $template, $headers,"-f".STORE_OWNER_EMAIL_ADDRESS);
            $message = 'Email sent';
        }
    } elseif(!empty($_POST['real'])) {
        $cast_array = array();
        $data_query = mysql_query("SELECT customers_email_address FROM " . TABLE_CUSTOMERS . " WHERE customers_specials = 1");
        while($data = mysql_fetch_assoc($data_query)) {
            array_push($cast_array, $data['customers_email_address']);
        }
        $emails_str = join(",", $cast_array);
        $headers .= 'Bcc: ' . $emails_str . "\r\n";
        mail(STORE_OWNER_EMAIL_ADDRESS, $_POST['ttl'], $template, $headers,"-f".STORE_OWNER_EMAIL_ADDRESS);
    }
}
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<script language="javascript" src="includes/general.js"></script>
<script language="JavaScript" src="includes/javascript/main.js"></script>
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" bgcolor="#FFFFFF">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body //-->
<table border="0" width="100%" cellspacing="2" cellpadding="2">
  <tr>
    <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="1" cellpadding="1" class="columnLeft">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
    </table></td>
<!-- body_text //-->
    <td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="2">
      <tr>
        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
            <td class="pageHeading" align="right"><?php echo tep_draw_separator('pixel_trans.gif', HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
          </tr>
        </table></td>
      </tr>
      <tr>
        <td><form action="<?=tep_href_link(FILENAME_SPEC_EMAIL, 'action=send');?>" method="post">
<?
if(!empty($message)) {
    echo '<p style="color:red">' . $message . '</p>';
}
$cur_day = date("j");
$cur_month = date("n");
$cur_year = date("Y");
$dow = date('w');
if($dow == 0) {
    $dow = 7;
}
$dow1 = $dow-1;
$week1_begin = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1,$cur_year));
$week1_end = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1+6,$cur_year));
$week2_begin = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1+7,$cur_year));
$week2_end = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1+6+7,$cur_year));
$week3_begin = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1+7+7,$cur_year));
$week3_end = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1+6+7+7,$cur_year));
$week4_begin = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1+7+7+7,$cur_year));
$week4_end = date("Y/m/d", mktime(0,0,0,$cur_month,$cur_day-$dow1+6+7+7+7,$cur_year));
$data_week[] = array('id' => '', 'text' => 'All');
$data_week[] = array('id' => '1', 'text' => 'This Week (' . $week1_begin . ' - ' . $week1_end . ')');
$data_week[] = array('id' => '2', 'text' => 'Next Week (' . $week2_begin . ' - ' . $week2_end . ')');
$data_week[] = array('id' => '3', 'text' => 'Week 3 (' . $week3_begin . ' - ' . $week3_end . ')');
$data_week[] = array('id' => '4', 'text' => 'Week 4 (' . $week4_begin . ' - ' . $week4_end . ')');
if(!empty($_POST['week'])) {
    $date_begin = ${'week' . intval($_POST['week']) . '_begin'};
    $date_begin = str_replace('/', '-', $date_begin);
    $date_end = ${'week' . intval($_POST['week']) . '_end'};
    $date_end = str_replace('/', '-', $date_end);
    $from_filter = ", " . TABLE_SPECIALS_PERIODS . " sp ";
    $where_filter = " and p.products_id = sp.products_id and sp.date_start = '" . $date_begin . "' and sp.date_end = '" . $date_end . "'";
}
?>
<table>
  <tr>
    <td class="main">Show Me: </td>
    <td><?=tep_draw_pull_down_menu('week', $data_week, $week, ' onChange=this.form.submit(); ');?></td>
  </tr>
  <tr>
    <td class="main">Email Title: </td>
    <td><input type="text" name="ttl" value="<?=$ttl;?>" size="75"></td>
  </tr>
  <tr>
    <td class="main">Text At Top: </td>
    <td><?=tep_draw_fckeditor('txt','800','300', $txt);?></td>
  </tr>
  <tr>
    <td colspan="2">&nbsp;</td>
  </tr>
  <tr>
    <td class="main">Heading 1: </td>
    <td><input type="text" name="head1" value="<?=$head1;?>" size="75"></td>
  </tr>
  <tr>
    <td></td>
    <td class="main">
<!-- begin list1 sarch -->
<table>
<?php
$directors1 = $_POST['directors1'];
if(empty($directors1)) $directors1 = array(-1);
if(isset($directors1) && (count($directors1) > 0) ) {
    $query = tep_db_query("SELECT pd.products_id, pd.products_name FROM " . TABLE_PRODUCTS_DESCRIPTION . " pd WHERE pd.language_id = '" . $_SESSION['languages_id'] . "' and pd.products_id IN(" . join(",",$directors1) . ") ORDER BY pd.products_name");
}
?>
  <tr>
    <td class="main">
      Movies under this heading:
      <table border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td class="main">
            <SELECT name="directors1[]" multiple style="width:250px; height:120px">
<?php
while ($data = tep_db_fetch_array($query)) {
    $sel = 'selected';
    if (trim($data['products_name'])) {
        echo '<OPTION value="'.$data['products_id'].'" '.$sel.'>'.$data['products_name'].'</OPTION>'."\n";
    }
}
?>
            </SELECT>
          </td>
          <td class="main" valign="middle"><?
echo '&nbsp;&nbsp;';
echo tep_draw_input_field('director_left2right1','>>',' onclick="copyToList(\'directorslist1[]\',\'directors1[]\'); selectAll(\'directors1[]\');"',false,'button');
echo '&nbsp;&nbsp;<br>&nbsp;&nbsp;';
echo tep_draw_input_field('director_right2left1','<<',' onclick="copyToList(\'directors1[]\',\'directorslist1[]\'); selectAll(\'directors1[]\');"',false,'button');
echo '&nbsp;&nbsp;';
?>
          </td>
          <td class="main">
            <div id="director_search">
<? if($browser == 'IE') { ?>
            <SELECT name="directorslist1[]" multiple style="width:250px; height:120px" onkeyup="if(event.keyCode == 13){ copyToList('directors1[]','directorslist1[]'); selectAll('directors1[]'); document.forms['search'].directors_search.value=''; document.forms['search'].directors_search.focus();}" onKeyDown="if(event.keyCode == 9) { selectNext('directorslist1[]'); return false;}" >
<? } else { ?>
            <SELECT name="directorslist1[]" multiple style="width:250px; height:120px" onkeyup="if(event.keyCode == 13){ copyToList('directors1[]','directorslist1[]'); selectAll('directors1[]'); document.forms['search'].directors_search.value=''; document.forms['search'].directors_search.focus();}" onKeyPress="if(event.keyCode == 9) { selectNext('directorslist1[]'); return false;}">
<? }
$specials_query_raw = "select p.products_id, pd.products_name, pd.products_alt_title, p.products_price, p.products_tax_class_id, p.products_image, s.specials_new_products_price, s.expires_date, p.am_orelease_date from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_SPECIALS . " s" . $from_filter . " where p.products_status = '1' and s.products_id = p.products_id and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' /*and s.status = '1'*/" . $where_filter . " order by s.specials_date_added DESC";
$specials_query = tep_db_query($specials_query_raw);
while ($data = tep_db_fetch_array($specials_query)) {
    if (trim($data['products_name']) && !in_array($data['products_id'], $directors1) ) {
        echo '<OPTION value="'.$data['products_id'].'">'.$data['products_name'].'</OPTION>'."\n";
    }
}
// print $specials_query_raw;
// exit;
?>
            </SELECT>
            </div>
          </td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<!-- end list1 sarch -->
    </td>
  </tr>
  <tr>
    <td colspan="2">&nbsp;</td>
  </tr>
  <tr>
    <td class="main">Heading 2: </td>
    <td><input type="text" name="head2" value="<?=$head2;?>" size="75"></td>
  </tr>
  <tr>
    <td></td>
    <td class="main">
<!-- begin list2 sarch -->
<table>
<?php
$directors2 = $_POST['directors2'];
if(empty($directors2)) $directors2 = array(-1);
if(isset($directors2) && (count($directors2) > 0) ) {
    $query = tep_db_query("SELECT pd.products_id, pd.products_name FROM " . TABLE_PRODUCTS_DESCRIPTION . " pd WHERE pd.language_id = '" . $_SESSION['languages_id'] . "' and pd.products_id IN(" . join(",",$directors2) . ") ORDER BY pd.products_name");
}
?>
  <tr>
    <td class="main">
      Movies under this heading:
      <table border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td class="main">
            <SELECT name="directors2[]" multiple style="width:250px; height:120px">
<?php
while ($data = tep_db_fetch_array($query)) {
    $sel = 'selected';
    if (trim($data['products_name'])) {
        echo '<OPTION value="'.$data['products_id'].'" '.$sel.'>'.$data['products_name'].'</OPTION>'."\n";
    }
}
?>
            </SELECT>
          </td>
          <td class="main" valign="middle"><?
echo '&nbsp;&nbsp;';
echo tep_draw_input_field('director_left2right2','>>',' onclick="copyToList(\'directorslist2[]\',\'directors2[]\'); selectAll(\'directors2[]\');"',false,'button');
echo '&nbsp;&nbsp;<br>&nbsp;&nbsp;';
echo tep_draw_input_field('director_right2left2','<<',' onclick="copyToList(\'directors2[]\',\'directorslist2[]\'); selectAll(\'directors2[]\');"',false,'button');
echo '&nbsp;&nbsp;';
?>
          </td>
          <td class="main">
            <div id="director_search">
<? if($browser == 'IE') { ?>
            <SELECT name="directorslist2[]" multiple style="width:250px; height:120px" onkeyup="if(event.keyCode == 13){ copyToList('directors2[]','directorslist2[]'); selectAll('directors2[]'); document.forms['search'].directors_search.value=''; document.forms['search'].directors_search.focus();}" onKeyDown="if(event.keyCode == 9) { selectNext('directorslist2[]'); return false;}" >
<? } else { ?>
            <SELECT name="directorslist2[]" multiple style="width:250px; height:120px" onkeyup="if(event.keyCode == 13){ copyToList('directors2[]','directorslist2[]'); selectAll('directors2[]'); document.forms['search'].directors_search.value=''; document.forms['search'].directors_search.focus();}" onKeyPress="if(event.keyCode == 9) { selectNext('directorslist2[]'); return false;}">
<? }
$specials_query_raw = "select p.products_id, pd.products_name, pd.products_alt_title, p.products_price, p.products_tax_class_id, p.products_image, s.specials_new_products_price, s.expires_date, p.am_orelease_date from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_SPECIALS . " s" . $from_filter . " where p.products_status = '1' and s.products_id = p.products_id and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' /*and s.status = '1'*/" . $where_filter . " order by s.specials_date_added DESC";
$specials_query = tep_db_query($specials_query_raw);
while ($data = tep_db_fetch_array($specials_query)) {
    if (trim($data['products_name']) && !in_array($data['products_id'], $directors2) ) {
        echo '<OPTION value="'.$data['products_id'].'">'.$data['products_name'].'</OPTION>'."\n";
    }
}
?>
            </SELECT>
            </div>
          </td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<!-- end list2 sarch -->
    </td>
  </tr>
  <tr>
    <td colspan="2">&nbsp;</td>
  </tr>
  <tr>
    <td class="main">Heading 3: </td>
    <td><input type="text" name="head3" value="<?=$head3;?>" size="75"></td>
  </tr>
  <tr>
    <td></td>
    <td class="main">
<!-- begin list3 sarch -->
<table>
<?php
$directors3 = $_POST['directors3'];
if(empty($directors3)) $directors3 = array(-1);
if(isset($directors3) && (count($directors3) > 0) ) {
    $query = tep_db_query("SELECT pd.products_id, pd.products_name FROM " . TABLE_PRODUCTS_DESCRIPTION . " pd WHERE pd.language_id = '" . $_SESSION['languages_id'] . "' and pd.products_id IN(" . join(",",$directors3) . ") ORDER BY pd.products_name");
}
?>
  <tr>
    <td class="main">
      Movies under this heading:
      <table border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td class="main">
            <SELECT name="directors3[]" multiple style="width:250px; height:120px">
<?php
while ($data = tep_db_fetch_array($query)) {
    $sel = 'selected';
    if (trim($data['products_name'])) {
        echo '<OPTION value="'.$data['products_id'].'" '.$sel.'>'.$data['products_name'].'</OPTION>'."\n";
    }
}
?>
            </SELECT>
          </td>
          <td class="main" valign="middle"><?
echo '&nbsp;&nbsp;';
echo tep_draw_input_field('director_left2right3','>>',' onclick="copyToList(\'directorslist3[]\',\'directors3[]\'); selectAll(\'directors3[]\');"',false,'button');
echo '&nbsp;&nbsp;<br>&nbsp;&nbsp;';
echo tep_draw_input_field('director_right2left3','<<',' onclick="copyToList(\'directors3[]\',\'directorslist3[]\'); selectAll(\'directors3[]\');"',false,'button');
echo '&nbsp;&nbsp;';
?>
          </td>
          <td class="main">
            <div id="director_search">
<? if($browser == 'IE') { ?>
            <SELECT name="directorslist3[]" multiple style="width:250px; height:120px" onkeyup="if(event.keyCode == 13){ copyToList('directors3[]','directorslist3[]'); selectAll('directors3[]'); document.forms['search'].directors_search.value=''; document.forms['search'].directors_search.focus();}" onKeyDown="if(event.keyCode == 9) { selectNext('directorslist3[]'); return false;}" >
<? } else { ?>
            <SELECT name="directorslist3[]" multiple style="width:250px; height:120px" onkeyup="if(event.keyCode == 13){ copyToList('directors3[]','directorslist3[]'); selectAll('directors3[]'); document.forms['search'].directors_search.value=''; document.forms['search'].directors_search.focus();}" onKeyPress="if(event.keyCode == 9) { selectNext('directorslist3[]'); return false;}">
<? }
$specials_query_raw = "select p.products_id, pd.products_name, pd.products_alt_title, p.products_price, p.products_tax_class_id, p.products_image, s.specials_new_products_price, s.expires_date, p.am_orelease_date from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_SPECIALS . " s" . $from_filter . " where p.products_status = '1' and s.products_id = p.products_id and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' /*and s.status = '1'*/" . $where_filter . " order by s.specials_date_added DESC";
$specials_query = tep_db_query($specials_query_raw);
while ($data = tep_db_fetch_array($specials_query)) {
    if (trim($data['products_name']) && !in_array($data['products_id'], $directors3) ) {
        echo '<OPTION value="'.$data['products_id'].'">'.$data['products_name'].'</OPTION>'."\n";
    }
}
?>
            </SELECT>
            </div>
          </td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<!-- end list3 sarch -->
    </td>
  </tr>
  <tr>
    <td colspan="2">&nbsp;</td>
  </tr>
  <tr>
    <td class="main" colspan="2">Preview Email, Send To: <input type="text" name="preview_email" value="<?=$preview_email;?>"><input type="submit" name="preview" value="Sent Preview"></td>
  </tr>
  <tr>
    <td class="main" colspan="2">&nbsp;</td>
  </tr>
  <tr>
    <td class="main" colspan="2"><input type="submit" name="real" value="Send Real Email To Specials List"></td>
  </tr>
</table>
</form>
        </td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
      </tr>
    </table></td>
<!-- body_text_eof //-->
  </tr>
</table>
<!-- body_eof //-->
<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>
```