I'm getting a very similar error as was mentioned in this thread (https://vborg.vbsupport.ru/showthread.php?t=279259)

I upgraded to ibProArcade v2.7.2+ yesterday and I'm getting this error at the top of the index page of the arcade.

Warning: stristr() [function.stristr]: needle is not a string or an integer in [path]/arcade.php on line 5550

The arcade is functional and when I go to play the game, that error is gone. When I go to submit a high score, I see the same error, but on two consecutive lines. My high score is able to submit properly and there doesn't seem to be any noticeable issue... other than the glaring error at the top of the page.

Just updated and also have this error.

<a href="https://vborg.vbsupport.ru/showpost.php?p=2304863&postcount=13" target="_blank">https://vborg.vbsupport.ru/showp...3&postcount=13</a>

@Hippy

I tried those changes and it did not effect this error. The error points to line 5550...

I've looked at the arcade.php file and line 5550 comes up as....

$inthis = str_ireplace($replacethis,$withthis,$inthis);

The full context of this section is...

function recursive_str_ireplace($replacethis,$withthis,$int his)
{
while (1==1)
{
$inthis = str_ireplace($replacethis,$withthis,$inthis);
if(stristr($inthis, $replacethis) === FALSE)
{
RETURN $inthis;
}
}
RETURN $inthis;
}


Any help would be appreciated.

compare v2.7.1 and 2.7.2 and remove or comment out that code and the link above
stangger5 posted what will work in replace of till Mrz figures out the issue
it fixes the security issue

I updated 20+ arcade and 1/4 of them don't like this code..
it's a server issue I am guessing

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
// remove any SQL-commands

Add below :

$sqlcomm = array();

Then search for :

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
// $value = recursive_str_ireplace($sqlcomm, '', $value);

Add after :

foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

I didnt upgrade to 2.7.2 for just two edits..

My one edit to the arcade.php file and the mod_arcade.php..

So my arcade doesnt have any of the:
// remove any SQL-commands
code..

Thanks for the code update VBDev !! :up:

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
// remove any SQL-commands

Add below :

$sqlcomm = array();

Then search for :

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
// $value = recursive_str_ireplace($sqlcomm, '', $value);

Add after :

foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

so it should like this ?

function ibp_cleansql($value)
{
if( get_magic_quotes_gpc() )
{
$value = stripslashes( $value );
}
//check if this function exists
if( function_exists( "mysql_real_escape_string" ) )
{
$value = mysql_real_escape_string( $value );
}
//for PHP version < 4.3.0 use addslashes
else
{
$value = addslashes( $value );
}

// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
//$value = recursive_str_ireplace($sqlcomm, '', $value);
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}
return $value;
}

I been using stangger5's edit and works on every update I did..
I am just wondering at this moment.. thanks

Yep.

Dunno why but I didn't had that error on my install but a customer had the issue.

Anyways I don't know the root cause of this function but honestly that shouldn't be done like that... It removes potential words from comments for example... That sucks :p

--------------- Added 1331204033 at 1331204033 ---------------

I didnt upgrade to 2.7.2 for just two edits..

My one edit to the arcade.php file and the mod_arcade.php..

So my arcade doesnt have any of the:
// remove any SQL-commands
code..

Thanks for the code update VBDev !! :up:

But if I do understand those fixed a security issue but I guess you fixed it manually ;)

The security issue was s_id,, which allowed it to be a string when it was supposed to be a int,, that is what allowed the exploit.
Comments should be ok because of the way strings are put in the database..

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
// remove any SQL-commands

Add below :

$sqlcomm = array();

Then search for :

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
// $value = recursive_str_ireplace($sqlcomm, '', $value);

Add after :

foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

there is nothing in arcade.php

The security issue was s_id was allowed to be a string when it was supposed to be a int, that is what allowed the exploit.
Comments should be ok because of the way strings are put in the database.

Yeah, hence what I said he over corrected...

IMO, IBProArcade really needs a cleanup of the code one day...

there is nothing in arcade.php

If you haven't installed 2.7.2 there indeed is nothing.

i installed 2.7.2+

https://vborg.vbsupport.ru/showthread.php?t=101554&page=442

i installed 2.7.2+

https://vborg.vbsupport.ru/showthread.php?t=101554&page=442

confused

why you confused sir

i installed 2.7.2+

https://vborg.vbsupport.ru/showthread.php?t=101554&page=442

there is nothing in arcade.php

why you confused sir

You said,,,you installed 2.7.2+ and the code below isnt in the arcade.php file..

// remove any SQL-commands

Look on line 5575 in the arcade.php file..

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
// remove any SQL-commands

Add below :

$sqlcomm = array();

Then search for :

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
// $value = recursive_str_ireplace($sqlcomm, '', $value);

Add after :

foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

I made these changes but now there error moved down one line.

Fatal error: Call to undefined function: str_ireplace() in /home/ls2com/public_html/forums/arcade.php on line 5601


2.7.2 does it now required PHP5?

my code in arcade.php
// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
// $value = recursive_str_ireplace($sqlcomm, '', $value);
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}

Hey
function ibp_cleansql($value)
{
if( get_magic_quotes_gpc() )
{
$value = stripslashes( $value );
}
//check if this function exists
if( function_exists( "mysql_real_escape_string" ) )
{
$value = mysql_real_escape_string( $value );
}
//for PHP version < 4.3.0 use addslashes
else
{
$value = addslashes( $value );
}

// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
//$value = recursive_str_ireplace($sqlcomm, '', $value);
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}
return $value;
}

with this code it work fine!
Greetings Jo

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
// remove any SQL-commands

Add below :

$sqlcomm = array();

Then search for :

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
// $value = recursive_str_ireplace($sqlcomm, '', $value);

Add after :

foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thanks, that worked for me :D

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
// remove any SQL-commands

Add below :

$sqlcomm = array();

Then search for :

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
// $value = recursive_str_ireplace($sqlcomm, '', $value);

Add after :

foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thank you! This fixed the problem for me, it's been driving me nuts.

Hey guys -

Is it possible for stangger5 and Hippy to get "joint custody" of this script since Mr Z is too busy? Having to sift through multiple threads with lengthy discussions about which code to use, what edits are best and why 2.7.1 is the version to use and not 2.72 (???!!!???) gets pretty confusing for us non-coders.

For a long time now, this script is has been officially dormant with new versions few and far between, while fixes (or not) abound in the forums. I understand the original author has expanded his family and his outside comimtments, and I'm not trying to criticize him in the least. Without him, this wouldn't be here in the first place.

That said, stangger5 and Hippy have been doing most of the heaving lifting on this script for some time now, and it seems it would be to everyone's benefit to give them equal access to the official releases along with Mr. Z to make this an equal partnership. The code could get back on track to be the awesome script it could be, instead of limping along and propped up with forum post file edits. They both have demonstrated a commitment to the script, and on their own sites have expanded its capabilities. Let's give 'em a chance to take this script to new heights instead of limiting their talents to covering it with bandaids.

Do I hear an "amen?"

in my sig youll find a link to the post I made with everything youll needl I did the reading and sifting for you all..

If anyone stangger5 is the man..
when it come to this arcade..
but i will be here helping all the same to keep this arcade alive

so it should like this ?

function ibp_cleansql($value)
{
if( get_magic_quotes_gpc() )
{
$value = stripslashes( $value );
}
//check if this function exists
if( function_exists( "mysql_real_escape_string" ) )
{
$value = mysql_real_escape_string( $value );
}
//for PHP version < 4.3.0 use addslashes
else
{
$value = addslashes( $value );
}

// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
//$value = recursive_str_ireplace($sqlcomm, '', $value);
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}
return $value;
}

I been using stangger5's edit and works on every update I did..
I am just wondering at this moment.. thanks

This worked for me. Cheers for that Hippy

I made these changes but now there error moved down one line.

Fatal error: Call to undefined function: str_ireplace() in /home/ls2com/public_html/forums/arcade.php on line 5601


2.7.2 does it now required PHP5?

my code in arcade.php
// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
// $value = recursive_str_ireplace($sqlcomm, '', $value);
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}



In case anyone cares, the new version of Arcade DOES require PHP5, str_ireplace is not available in PHP4.

In case anyone cares, the new version of Arcade DOES require PHP5, str_ireplace is not available in PHP4.

try this ... relace your root arcade file with this one

https://vborg.vbsupport.ru/attachment.php?attachmentid=137966&d=1335142146

try this ... relace your root arcade file with this one

https://vborg.vbsupport.ru/attachment.php?attachmentid=137966&d=1335142146

here is where the confusion creeps in again

do we all use the arcade.php you linked to here or do we do the edits that the rest of the thread talks about as the 2 are completely different

I did the eidtes in the attached file to make it easy for everyone

Hi,

in the forum it works fine. But in the VB admin section (main settings) these errors displayed :

Deprecated: Assigning the return value of new by reference is deprecated in /usr/www/xxxx/arcade.php on line 897

Deprecated: Assigning the return value of new by reference is deprecated in /usr/www/users/xxx/arcade.php on line 5386

Any Idea ?

--------------- Added 1378141057 at 1378141057 ---------------

Solved.

modify of arcade.php in admincp folder.

<a href="https://vborg.vbsupport.ru/showthread.php?p=2328579" target="_blank">https://vborg.vbsupport.ru/showthread.php?p=2328579</a>

I also have one posted here with the edits