The navs function prints the list of products that belong to the category this website sits in. So if a site has the category "phone", navs() prints links to the various phone hardware we sell. It is called from both the main page and the product page, so it runs on every request.

function navs(){
global $db;
global $http_host;
global $category;
global $trans;
global $prep; // used in the product links below; it was not declared global in the original, so the href came out empty

// Start html generation
print ' <div id="navLink">'."\n".
' <div id="navLinkListBackground">'."\n".
' <div id="navLinkList">'."\n
<ul>\n<li><a href=\"index.php\">Home</a></li>\n";

/* Find the category that belongs to this website.
   Both $category and $http_host are dropped into the SQL text unescaped. $http_host is
   $_SERVER['SERVER_NAME'], the host name the browser asked for, and the original reasoning was
   that a request with the wrong server name never reaches the site at all. That does not hold:
   with Apache's UseCanonicalName Off (the default) SERVER_NAME is copied from the client's Host
   header, and a request carrying an arbitrary Host header is still answered by the default virtual
   host. The exposure here is SQL injection rather than XSS, because the value lands in a query, not
   in HTML; the fix is to bind both values as query parameters instead of interpolating them. */

$q = $db->query("SELECT categories.prod_code from categories,virtual_1 where categories.sub_cat = '$category' AND virtual_1.site_id = '$http_host'");

while ($row = $q->fetchRow()){
$product = $row[0];
$encoded_product = strtr($product, $trans); // entity-encode the code before it goes into the href

// Find products that belong to the category our website claims ownership to.
// $product came out of the first query, so this is a second-order interpolation: it is only as
// safe as the contents of the categories table.
$q2 = $db->query("SELECT products.description from products where products.prod_code = '$product'");
while ($row = $q2->fetchRow()){
$prod_desc = strip_tags($row[0]);

$encoded_prod_desc = strtr($prod_desc, $trans);

// Print link list
print "<li><a href=\"$prep?prod_page=$encoded_product\">$encoded_prod_desc</a></li>\n";

}
}

print '</ul>'."\n";
print '</div>'."\n"; // End navLinkList
print '</div></div>'."\n"; // End navLinkListBackground and navLink
} // End nav column
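To see what the unescaped interpolation in the first navs() query allows, here is the same category/site query built both ways, first as on the page and then with bound parameters. This is an added example, not code from the page: the table and column names follow the page, while the in-memory SQLite database, its rows and the hostile inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the page: the navs() category/site query built two ways.
// Table and column names follow the page; the rows, the SQLite database and the
// hostile inputs are constructed here so the script runs stand-alone.

function seed_tables(PDO $db): void {
    $db->exec("CREATE TABLE categories (sub_cat TEXT, prod_code TEXT)");
    $db->exec("CREATE TABLE virtual_1 (site_id TEXT)");
    $db->exec("INSERT INTO categories VALUES ('phone','PH-100'),('phone','PH-200'),('laptop','LT-100')");
    $db->exec("INSERT INTO virtual_1 VALUES ('phones.example.com'),('laptops.example.com')");
}

// As on the page: $category and $http_host are pasted into the SQL text.
function navs_codes_interpolated(PDO $db, string $category, string $http_host): array {
    $sql = "SELECT categories.prod_code FROM categories, virtual_1
            WHERE categories.sub_cat = '$category' AND virtual_1.site_id = '$http_host'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the same query with placeholders. The values travel separately from the
// statement text, so a quote character inside them is just a quote.
function navs_codes_bound(PDO $db, string $category, string $http_host): array {
    $stmt = $db->prepare("SELECT categories.prod_code FROM categories, virtual_1
                          WHERE categories.sub_cat = ? AND virtual_1.site_id = ?");
    $stmt->execute([$category, $http_host]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
seed_tables($db);

$site = 'phones.example.com';

// Normal request: the phone site lists its phone products only.
print implode(',', navs_codes_interpolated($db, 'phone', $site)) . "\n";

// Hostile $category: the injected OR removes the category restriction, so the
// laptop product shows up on the phone site as well.
$bad_category = "x' OR '1'='1";
print implode(',', navs_codes_interpolated($db, $bad_category, $site)) . "\n";

// Hostile $http_host, which a client can supply through the Host header when
// SERVER_NAME is not pinned to the configured name (Apache UseCanonicalName Off).
// Because AND binds tighter than OR, the injected OR is true for every row of the
// cross join, so both filters disappear.
$bad_host = "x' OR '1'='1";
print count(navs_codes_interpolated($db, 'phone', $bad_host)) . "\n";

// Bound parameters: the same strings are compared literally and match nothing.
print count(navs_codes_bound($db, $bad_category, $site)) . "\n";
print count(navs_codes_bound($db, 'phone', $bad_host)) . "\n";
```

Run with any PHP build that has pdo_sqlite. The interpolated version returns the two phone codes for the honest request, all three product codes for the hostile category, and the whole six-row cross join for the hostile host; the bound version returns an empty list for both hostile inputs. The page's `$db->query()` / `fetchRow()` calls look like PEAR DB, which accepts the same placeholder style: `$db->query('... WHERE sub_cat = ? AND site_id = ?', array($category, $http_host))` would give navs() the same protection without switching to PDO.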

The main page will most likely have a different layout than a product page, so I separated them.
The header and footer remain the same, so each page should still look about the same. One thing to keep in mind: main_page() prints $comments exactly as it receives it, without the strip_tags/strtr pass the product page applies, so whatever sets $comments has to supply trusted or already-encoded text.

function main_page(){
global $http_host;
global $comments;
navs(); // call our navs function so it gets printed on the mainpage.

print '<div id="supportingText">'."\n";
print '<div id="benefits">'."\n";
// $comments goes out unencoded; it must already be trusted or entity-encoded by whoever sets it.
print "<p>$comments</p>\n";
print '</div>
</div>'."\n"; // end benefits, end supportingText
} // End main page

A separate product page function, so I can print a product page that looks slightly different from
the main page.

function prod_page(){
global $db;
global $http_host;
global $category;
global $trans;

// Escape the requested product code before it is placed in the query. mysql_real_escape_string()
// needs an open mysql_* link and no longer exists in PHP 7; if $db is PEAR DB (which the
// query()/fetchRow() calls suggest), $db->escapeSimple() or a ? placeholder does the same job
// through the wrapper.
$query_prod_code = mysql_real_escape_string(isset($_GET['prod_page']) ? $_GET['prod_page'] : '');

navs(); // print our navs again.

// Defaults, so an unknown product code still renders a page instead of undefined variables.
$prod_image = '';
$encoded_prod_comments = '';
$encoded_prod_desc = '';

// Get image link for product from DB.
$q = $db->query("SELECT big_image from links where prod_code = '$query_prod_code'");
while ($row = $q->fetchRow()){
$prod_image = $row[0];
}

// Get everything else for product from DB.
$q = $db->query("SELECT comments,description from products where prod_code = '$query_prod_code'");

while ($row = $q->fetchRow()){
// strip all html markup from the item's description
$prod_comments = strip_tags($row[0]);
$prod_desc = strip_tags($row[1]);

// encode content, so we remain xhtml compliant.
$encoded_prod_comments = strtr($prod_comments, $trans);
$encoded_prod_desc = strtr($prod_desc, $trans);
}

// Reuse the encoded comments for the image alt attribute. This second strip_tags() is harmless but
// redundant: the text was already stripped and entity-encoded above.
$img_alt_tag = strip_tags($encoded_prod_comments);

// $prod_image is placed in the src attribute as-is, so the links table must hold plain paths only.
print ' <div id="supportingText">';
print " \n<h1>$encoded_prod_desc</h1>\n";
print "<div id=\"supportingImg\">\n
<img src=\"http://www.cmh.net$prod_image\" alt=\"$img_alt_tag\" />\n
</div>\n"; // end supportingImg
print '<div id="benefits">'."\n";
print "<p>$encoded_prod_comments</p>\n
</div>\n"; // end benefits
print '</div>'."\n"; // end supportingText
} // End product page
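prod_page() relies on strip_tags() followed by strtr($s, $trans) to make product text safe to print, and it glues a stored image path straight onto http://www.cmh.net. The following added example (not code from the page) shows which of those steps actually does the protecting, compares the page's pipeline with htmlspecialchars() in attribute context, and adds a check on the stored path. The page never shows how $trans is built; the example assumes it is the usual get_html_translation_table(HTML_ENTITIES) map with the page-era default flags (double quotes encoded, single quotes not). The payloads and paths are constructed for the demonstration.

```php
<?php
// Added example, not code from the page. Assumption: the page's $trans is the HTML_ENTITIES
// translation table with the default ENT_COMPAT flags of the time.
function page_trans(): array {
    return get_html_translation_table(HTML_ENTITIES, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// What prod_page() does: drop tags, then entity-encode what is left.
function encode_like_page(string $s): string {
    return strtr(strip_tags($s), page_trans());
}

// Attribute-safe encoding: ENT_QUOTES also turns ' into an entity, so the result is safe inside
// a single-quoted attribute as well; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function encode_attr(string $s): string {
    return htmlspecialchars(strip_tags($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Only a plain absolute path with an image extension may follow the fixed host, so a stored
// value cannot turn the URL into http://www.cmh.net@other.host/... or append a query string.
// Returns null when the value is rejected.
function safe_image_path(string $path): ?string {
    return preg_match('#^/(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)$#', $path) ? $path : null;
}

// The product block of prod_page() rebuilt with the two helpers above.
function render_product(string $desc, string $comments, string $image_path): string {
    $src = safe_image_path($image_path);
    $img = $src === null
        ? ''
        : '<img src="http://www.cmh.net' . $src . '" alt="' . encode_attr($comments) . '" />';
    return '<h1>' . encode_attr($desc) . "</h1>\n" . $img . "\n<p>" . encode_attr($comments) . "</p>\n";
}

// A value with no tags in it: strip_tags() leaves it untouched, so on its own it would close
// the alt="" attribute and add an event handler. The entity step is the real defence.
$payload = '" onerror="alert(1)';
print strip_tags($payload) . "\n";
print encode_like_page($payload) . "\n";
print encode_attr($payload) . "\n";

// A tagged payload: strip_tags() removes the tags but keeps the text between them.
print encode_like_page('Nice phone <script>alert(1)</script> indeed') . "\n";

// Image paths: a normal one passes, two hostile ones are rejected.
var_dump(safe_image_path('/images/ph-100_big.jpg'));
var_dump(safe_image_path('@attacker.example/x.jpg'));
var_dump(safe_image_path('/images/a.jpg?x=<script>'));

print render_product('Phone <b>100</b>', $payload, '/images/ph-100_big.jpg');
```

The first three lines of output make the point: strip_tags() passes the quote-and-handler payload through unchanged, and it is the entity encoding (the page's strtr or htmlspecialchars) that turns the quotes into entities so the attribute cannot be closed. Because the page's attributes are all double-quoted, the ENT_COMPAT table is enough there; encode_attr() is the safer default if a template ever switches to single quotes.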

// Error page for bad queries.
function error_page(){
print “error”;

} // End error page
?>