
Is it safe to add new columns to vbulletin users table?


SwalyAaron
08-24-2013, 07:43 AM
I have a script that isn't related to vBulletin at all; it adds information to a separate database.

Today I was thinking: what if I add some of the information I submit to this database to the vBulletin user table to keep track of things?

Basically, this is what I'm doing:

Someone uses the PayPal IPN I've set up, and information is submitted to a DB named "payments". One of the columns is "price", so I was thinking I could do this:

$totalpayed += $price;

and add $totalpayed to the vBulletin DB so I can display it in, say, the UserCP later on, or add it to the vBulletin user array for other manipulations.

Can this be done or is it too risky?

Simon Lloyd
08-24-2013, 09:53 AM
You'd have no issues adding a column and writing the values; however, when you get the values via a query you have to make sure that any queries are cleaned or escaped as needed.

SwalyAaron
08-24-2013, 11:24 AM
You'd have no issues adding a column and writing the values; however, when you get the values via a query you have to make sure that any queries are cleaned or escaped as needed.

Is there a specific way vBulletin runs its queries to make them safer? If so, do you by chance know the syntax?

Simon Lloyd
08-24-2013, 12:12 PM
I'm no whizz at database queries at all; however, I do know that when you get a string in a query you have to escape it at the end of the query.

If you are to write from another program to vBulletin, I believe you have to clean the input variable. Here's an example of where a variable is cleaned:

$vbulletin->input->clean_gpc('r', 'postid', TYPE_INT);
$postid = $vbulletin->GPC['postid'];

and then it can be used like this:

$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "post SET mycolumnid = 0 WHERE postid = $postid");

That may be more confusing to you than helpful; hopefully KH99 (aka Kevin) will visit this thread and help you out. I can only manage the simple stuff with db queries :)

SwalyAaron
08-24-2013, 12:53 PM
I'm no whizz at database queries at all; however, I do know that when you get a string in a query you have to escape it at the end of the query.

If you are to write from another program to vBulletin, I believe you have to clean the input variable. Here's an example of where a variable is cleaned:

$vbulletin->input->clean_gpc('r', 'postid', TYPE_INT);
$postid = $vbulletin->GPC['postid'];

and then it can be used like this:

$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "post SET mycolumnid = 0 WHERE postid = $postid");

That may be more confusing to you than helpful; hopefully KH99 (aka Kevin) will visit this thread and help you out. I can only manage the simple stuff with db queries :)

I'm decent with queries, but mostly mysql_query's, which are deprecated, so no use there, and PDO, which I'll probably use.

I was asking and wondering if vBulletin set up custom functions for their queries; it looks like they did, but yeah, I'd still like more input from KH99. Thank you, by the way.

Simon Lloyd
08-24-2013, 01:09 PM
If you're decent with MySQL queries you should have no problem; you'll know how to prevent things being left open to SQL injection (which is what CLEAN and $db_escape_string do, I believe) :)

BirdOPrey5
08-25-2013, 12:35 AM
$vbulletin->input->clean_gpc will force an integer for TYPE_INT, but it doesn't truly clean a string for TYPE_STR; it just makes sure it is a string.

All strings must be escaped before being saved to the database.

To write to the database:

$vbulletin->db->query_write("QUERY HERE");

Make sure you do global $vbulletin; first.
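Putting the thread's advice together, here is an added example (not code from any poster or from vBulletin itself) of writing a verified payment amount into a custom column on the user table with the vBulletin 3.x/4.x database object. It assumes global.php has already been included (so $vbulletin and TABLE_PREFIX exist), that the payment has already been verified with PayPal before this runs, and the column name "totalpayed" and the function name record_payment are this example's own.

```php
<?php
// Assumed one-off schema change, run once (e.g. in phpMyAdmin). Giving the new
// column a default keeps existing rows and vBulletin's own INSERTs working:
//   ALTER TABLE user ADD totalpayed DECIMAL(10,2) NOT NULL DEFAULT 0.00;

/**
 * Add an already-verified payment to a user's running total.
 *
 * Every value that ends up inside the SQL string is turned into a safe literal
 * first: userid is forced to an integer, the amount to a fixed-format number,
 * and the free-text transaction id goes through escape_string(). clean_gpc()
 * with TYPE_STR would NOT do that for you; it only guarantees a string type.
 */
function record_payment($vbulletin, $userid, $amount, $txn_id)
{
    $userid = intval($userid);                       // integer literal only
    if ($userid <= 0 || !is_numeric($amount) || $amount <= 0) {
        return false;                                // refuse bad input, don't write it
    }
    $amount = sprintf('%.2f', (float) $amount);      // numeric literal, e.g. 12.50
    $txn_id = $vbulletin->db->escape_string($txn_id); // escaped, used inside quotes

    // Let SQL do the "+=" so two IPN notifications arriving at the same moment
    // cannot overwrite each other's result (read-modify-write in PHP could).
    $vbulletin->db->query_write("
        UPDATE " . TABLE_PREFIX . "user
        SET totalpayed = totalpayed + $amount
        WHERE userid = $userid
    ");

    // Optional audit trail in a custom table (assumed name/columns for the example).
    $vbulletin->db->query_write("
        INSERT INTO " . TABLE_PREFIX . "payment_log (userid, txn_id, price)
        VALUES ($userid, '$txn_id', $amount)
    ");
    return true;
}

// Reading the total back for display, e.g. in a UserCP template. The logged-in
// user's id comes from $vbulletin->userinfo, but it is still cast to int.
function get_total_payed($vbulletin)
{
    $row = $vbulletin->db->query_first("
        SELECT totalpayed FROM " . TABLE_PREFIX . "user
        WHERE userid = " . intval($vbulletin->userinfo['userid'])
    );
    return $row ? $row['totalpayed'] : '0.00';
}
```

The same rule applies when you later read the column in other code: treat the value as data (cast or escape it again) before it goes into another query or into HTML output.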