[RELEASE] Image Gallery Hack v0.9


09-27-2000, 02:27 PM
How do all..

I am going to release my image gallery hack (in action http://www.overgrow.com/edge/index.php) without the admin piece.. I am still trying to finish it up without having to re-write all the vB delete routines.. Plus some of you may want to write your own way of administering the images that get uploaded and keeping things clean..

When my admin piece is finished I will post it here as well..

Features: Not too many.. very basic..

-- Only allows gif or jpg files to be uploaded.. I'm sure you can easily modify this for other file types.. PHP really makes things easy..

-- To start a thread in the gallery you must upload an image.. (doesn't apply when replying)

-- You can set a file size limit for upload..

-- Stores information in a new vB table for use later.. (ie; admin stuff. Currently the admin piece is in progress..)

You can download the instructions here - http://www.overgrow.com/tmp/imggalhack.zip

It is a fairly simple hack with a few mods to global.php, newthread.php and newreply.php and a few new templates.. It is not automated, the download is just a text file with the modification instructions..

Please let me know if I made the instructions too confusing and what ya think..

Have Fun..
Herb

09-27-2000, 03:04 PM
I don't know regular expressions in PHP by the back of my hand but there has got to be a way to replace the following lines with just one line of code:


$fileupload_name = str_replace(" ","",$fileupload_name);
$fileupload_name = str_replace("%","",$fileupload_name);
$fileupload_name = str_replace("!","",$fileupload_name);
$fileupload_name = str_replace("@","",$fileupload_name);
$fileupload_name = str_replace("#","",$fileupload_name);
$fileupload_name = str_replace("~","",$fileupload_name);
$fileupload_name = str_replace("^","",$fileupload_name);
$fileupload_name = str_replace("&","",$fileupload_name);
$fileupload_name = str_replace("+","",$fileupload_name);
$fileupload_name = str_replace("=","",$fileupload_name);


Otherwise, nice job Herb ;)
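
The ten str_replace() calls in the post above collapse into a single preg_replace() with a character class. As an added example (not part of the hack or of this post), the sketch below shows that one-liner and a stricter allowlist variant that also drops characters the list never mentioned; the function names and the allowed extensions are assumptions for illustration.

```php
<?php
// Added example, not code from the hack. Both helper names are hypothetical.

// One-line equivalent of the ten str_replace() calls: strip exactly those characters.
function strip_listed_chars(string $name): string
{
    return preg_replace('/[ %!@#~^&+=]/', '', $name) ?? '';
}

// Stricter variant: keep only known-safe characters and require an image extension.
// Returns the cleaned name, or null when the name cannot be made safe.
function clean_upload_name(string $name, array $allowedExt = ['gif', 'jpg']): ?string
{
    // Drop any directory part the client may have sent with the name.
    $name = basename(str_replace('\\', '/', $name));

    // Allowlist: letters, digits, dot, underscore, hyphen. Everything else is removed.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name) ?? '';

    // Collapse runs of dots and trim leading dots so dotfiles cannot survive.
    $name = ltrim(preg_replace('/\.{2,}/', '.', $name) ?? '', '.');

    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $stem = pathinfo($name, PATHINFO_FILENAME);

    // Exactly one extension, and it must be on the list. A second dot in the stem
    // ("name.php.gif") is rejected rather than guessed at.
    if ($stem === '' || strpos($stem, '.') !== false || !in_array($ext, $allowedExt, true)) {
        return null;
    }

    // Cap the length so the result fits the varchar(100) filename column.
    return substr($stem, 0, 80) . '.' . $ext;
}

// Constructed sample names, not taken from any real upload.
foreach (['Caddilac Escalade!.gif', '../../etc/passwd', 'pic.php.gif', 'a&b=c.JPG'] as $n) {
    printf("%-24s strip: %-22s clean: %s\n",
        $n, strip_listed_chars($n), var_export(clean_upload_name($n), true));
}
```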

09-28-2000, 03:23 AM
Excellent man I've been waiting a long time for this, Thank you!

09-28-2000, 06:41 PM
upimage should be filename or the other way around. please note this....ROCK on...i love this image hack

09-28-2000, 08:31 PM
upimage should be filename or the other way around. please note this....ROCK on...i love this image hack
Not sure what you mean here.. upimage should be upimage.. this is the field name in the table, filled on the insert by the variable TheFileNameIs.. You're welcome to change it to something else though.. ;)

09-28-2000, 09:12 PM
i don't know how to explain it really in depth, i have been up too late. but i will just show you what i am talking about, the table created doesn't have a field for upimage. so upimage should be filename.


CREATE TABLE imagegal (
imagegalid int(10) unsigned DEFAULT '0' NOT NULL auto_increment,
postid int(10) unsigned DEFAULT '0' NOT NULL,
filename varchar(100) NOT NULL,
username varchar(50) NOT NULL,
userid int(10) unsigned DEFAULT '0' NOT NULL,
PRIMARY KEY (imagegalid)
);




if (isset($fileupload)) {

$DB_site->query("INSERT INTO imagegal (imagegalid,postid,upimage,username,userid) VALUES ('NULL','$mypostid','$TheFileNameIs','".addslashes($username)."','$userid')");

}


cause i got this error


Database error in vBulletin: Invalid SQL: INSERT INTO imagegal (imagegalid,postid,upimage,username,userid) VALUES ('NULL','15','CaddilacEscalade.gif','poil11','1')
mysql error: Unknown column 'upimage' in 'field list'
mysql error number: 1054
Date: Thursday 28th of September 2000 01:57:59 PM
Script: /boards/newthread.php
newthread.php?action=newthread&forumid=24

09-28-2000, 09:20 PM
you are right my man.. My bag.. As soon as my ftp server comes back I will re-upload with the correct field name..

thanks..

09-29-2000, 02:47 AM
Herb could you please let us know once you have uploaded the file?

09-29-2000, 03:57 AM
ok I have changed the imageupload for filename, but how would I go if I did not want the users to HAVE to upload a picture when starting a thread?
How can I remove this option, so users can upload pictures whenever they want?
NOTE: this is prolly very easy to do, I apologize for my ignorance on PHP!

Thanks

09-29-2000, 01:21 PM
conan - I uploaded the new zip with the correct create table fields.. sorry about that..

How can I remove this option, so users can upload pictures whenever they want?

Ok in newthread.php find this code that you added for the hack..

if (isset($fileupload)){

and change it to

if (isset($fileupload) and $fileupload != "none") {

Then below the above should be

if ($fileupload == "none") {
eval("echo standarderror(\$bbtitle,\"".gettemplate("error_filenone")."\");");
exit();
}

Remove that check..

Then find

// ##### Image Upload Hack (update image table) #####

if (isset($fileupload)) {

$DB_site->query("INSERT INTO imagegal (imagegalid,postid,upimage,username,userid) VALUES ('NULL','$mypostid','$TheFileNameIs','".addslashes($username)."','$userid')");

}

// ##### Image Upload Hack (update image table) #####

and change it to:

// ##### Image Upload Hack (update image table) #####

if (isset($fileupload) and $fileupload != "none") { {

$DB_site->query("INSERT INTO imagegal (imagegalid,postid,upimage,username,userid) VALUES ('NULL','$mypostid','$TheFileNameIs','".addslashes($username)."','$userid')");

}

// ##### Image Upload Hack (update image table) #####


I think that should do it for ya..

Herb



[Edited by Herb on 09-29-2000 at 10:25 AM]

09-29-2000, 06:11 PM
Whoa Thanks a lot for the fast reply and help!
I can't wait to install this hack!

09-30-2000, 04:58 AM
Herb, While evaluating PHP forum software I found the AGORA open source project http://www.araxe.fr/w-agora
with some examples of the forum implemented for use with uploading image attachments. In fact two are used as photo galleries. I've listed the sites
below. Maybe these can give you some ideas.

Two being used as Q&A forums:
http://www.lymanboats.com/agora/w-agora.php3?bn=qa_qna&expnd=all
http://www.lbsna.org/lymanboard/w-agora.php3?bn=Lyman_Boat_Society
One being used as a news page:
http://www.highlandsofohio.com/agora/w-agora.php3?bn=news_news
And a similar setup being used as a photo gallery:
http://www.lbsna.org/agora/w-agora.php3?bn=lbsna_photo

http://www.Synfibers.com
http://www.cj.synfibers.com
http://www.akulscarpets.com used as photo gallery

09-30-2000, 07:51 AM
Herb
I installed the hack and it works fine, but the remove part gives me a Parse error! on the newthread.php file, and I checked and double checked, and I have no idea why, I thought it was an extra } but it didn't work even then, could you please help me solve this problem?
Thanks again for all your help!

09-30-2000, 01:35 PM
scott - thanks for the links I will have to look those over.. ;)

conan - I am sorry I am not following you.. A parse error could be something as simple as a missing ;

Maybe you can post the portion of code you think is giving you a problem..

09-30-2000, 03:36 PM
To everyone who's currently using this hack:

I suggest you temporarily remove it, as it leaves a very large security problem in your board. I couldn't find a way to contact Herb, but if he'd be so kind as to contact me (ICQ: 16435685) I'll help him develop a resolution for the problem.

Once again, the issue is quite large, and can be used to retrieve anything from your /etc/passwd to your mysql database info.

Stay tuned.

09-30-2000, 03:52 PM
I've notified Herb via email and PM, he should respond shortly. I've shown him what you were able to do and I agree that anyone using this hack should remove it until the security hole is patched.

09-30-2000, 04:06 PM
Well let us know what it is soon enough so we can avoid doing it in another hack.

Are we manipulating showthread to send something else instead of the intended picture?

09-30-2000, 04:12 PM
Well, it's kinda (really kinda) equivalent to taint checking in Perl. It involves the PHP upload feature. It's easily abusable so we're trying to avoid posting it :)

09-30-2000, 05:15 PM
Herb- I'd say you've got the file types covered with
.JPG and .GIF for now but in the future other small size files allowable would be .txt, .doc, and acrobat files.

I could not ever see any video or music files as they are too large.

something else to think about is limiting max file size
and displaying the file size so a user will know what to expect as far as load time etc. No one likes surprises.

Have you considered some hashing routine to store the attachment files in folders by hashed names as function
of file name ? as the attachments begin to number in thousands that will be important.

09-30-2000, 06:44 PM
Well my hack has an upload feature so why don't you just email me the problem please.

09-30-2000, 07:34 PM
E-mail sent.

09-30-2000, 08:08 PM
Herb I double checked and I'm not missing ; or anything the code is exactly like you posted, I will wait for you guys to solve this security issue, thanks for the heads up Stallion!

And thanks for the fast replies and for all your work Herb!

Oh and please let us know once this security issue is solved!

09-30-2000, 08:34 PM
Stallion - Please email me at hgreen@lmi-net.net as I do not do ICQ..

Thanks..

10-01-2000, 03:14 PM
How do all..

Well thanks to stallion the security hole has been fixed.. :o

I apologize to anyone who may have tried this hack..

I uploaded a new set of instructions at http://www.overgrow.com/tmp/imggalhack.zip

conan - I would work backwards and reset your forums to where they were before you added the hack and start over with the new instructions.. Sorry about the problems..

10-01-2000, 08:13 PM
Thanks a lot Herb, but I installed on a test board ;)
been there before! hehe
I'm looking forward to test this now!
Again thanks for the great work!

10-05-2000, 06:43 PM
I just wanted to say thank you for this hack! I've been searching for this hack on the web for some time!

Then I came back home to see it on the hack list!

Thank you, again! It works great!

10-14-2000, 01:58 PM
this is the attachments hack... bump to the top for Marty & vB oard

10-14-2000, 04:11 PM
Has the security hole been fixed?

What is this attachments hack you are talking about?

10-14-2000, 04:28 PM
Yes, Stallion worked with Herb and the hole was patched.

This hack allows the users to upload attachments to your board. It is meant for images- gif's and jpg's- but I suppose you could use it for anything. It automatically puts the image in the message, but could be changed if you're not using images.

10-14-2000, 04:44 PM
Have any enhancements been done to the zip file since Herb's last post on 10-01-2000!

I installed about 2 days after that!

I just love the hack! :D

10-14-2000, 04:49 PM
I checked the file date under FTP and it's last modified is 10-01-00 so you have the latest version. Glad you like it! Our users couldn't live without it.

10-14-2000, 04:56 PM
I know the feeling! ;) Looking at your site also! :D

Sorry, don't mean to fill your thread full of non-bugs!

10-15-2000, 01:48 PM
*thinking*

hey there.

Would it be possible to make a forum where it had thumbnails also?

I'm thinking of making a place like this and wonder if you would mind if I could modify your code to display the pictures as a thumbnailed list.... :) It would of course do a check for mogrify, etc.

10-16-2000, 12:44 AM
SC - You may do what you wish with the code.. :)

Current zip includes the security fix..

Herb

10-19-2000, 04:43 PM
Excellent hack! I'm busy integrating it into the pages of Breaking Art - what better use than an art gallery?!

Noticed that the current zip does not correctly limit file size. However replace $secured_size with $fileupload_size in the instructions and it works fine..

Have some plans for how I can enhance the hack. If they get anywhere then I'll let you all know!

Alan

--
http://www.breakingart.com/
breaking art from a different perspective

12-06-2000, 07:17 PM
This is a great hack but i have 2 issues...

1) Can you make it work in preview mode? Right now it won't let you preview an uploaded picture, so you have to post it then edit it after if it didn't come out right.

2) Can this please work with normal forums, I want this hack to be an addition to a regular forum.
Right now if i don't upload a picture it fails to post just text.

Thanks

12-10-2000, 04:53 AM
Originally posted by Herb
conan - I uploaded the new zip with the correct create table fields.. sorry about that..

How can I remove this option, so users can upload pictures whenever they want?

Ok in newthread.php find this code that you added for the hack..

if (isset($fileupload)){

and change it to

if (isset($fileupload) and $fileupload != "none") {

Then below the above should be

if ($fileupload == "none") {
eval("echo standarderror(\$bbtitle,\"".gettemplate("error_filenone")."\");");
exit();
}

Remove that check..

Then find

// ##### Image Upload Hack (update image table) #####

if (isset($fileupload)) {

$DB_site->query("INSERT INTO imagegal (imagegalid,postid,upimage,username,userid) VALUES ('NULL','$mypostid','$TheFileNameIs','".addslashes($username)."','$userid')");

}

// ##### Image Upload Hack (update image table) #####

and change it to:

// ##### Image Upload Hack (update image table) #####

if (isset($fileupload) and $fileupload != "none") { {

$DB_site->query("INSERT INTO imagegal (imagegalid,postid,upimage,username,userid) VALUES ('NULL','$mypostid','$TheFileNameIs','".addslashes($username)."','$userid')");

}

// ##### Image Upload Hack (update image table) #####


I think that should do it for ya..

Herb



[Edited by Herb on 09-29-2000 at 10:25 AM]

There were 2 { in your code above in case anyone tries this...

12-10-2000, 05:31 AM
I made a modification to this. If anyone knows if this is secure, would appreciate the feedback.

I like to be able to separate the uploads into a user directory. Personally I think it's tricky to give the username a directory due to funny characters, but with vb, we can use userid which is always a number and always safe.

So in newthread.php, instead of the instruction, simply add
mkdir ("$uppath/$userid", 0777);
copy("$secured","$uppath/$userid/$secured_name");

probably you can be more restrictive than 0777. Also, this code goes right above
$TheFileNameIs = $secured_name;
$TheFileLinkIs = "\n\n\[img\]$bburl/$upfolder/$userid/$TheFileNameIs\[/img\]";
$message = "$message".stripslashes($TheFileLinkIs)."";

and instead of saving your files to an upload directory, it will save it to upload/$userid/*.gif if you know what I mean.

12-10-2000, 06:09 AM
ok, tightened the permissions to more restrictive and checked if the file exists first:

if (!is_dir("$uppath/$userid")){
mkdir ("$uppath/$userid", 0766);
}
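
On the question of whether the per-user directory change is secure: the added example below is not the hack's code and not the fix Stallion and Herb applied (the thread never publishes it). It shows the checks a current PHP upload handler makes before copying anything into a per-user directory; the function name store_gallery_upload(), the form field name in the usage comment and the default size limit are assumptions.

```php
<?php
// Added example; store_gallery_upload() and its parameters are hypothetical.
// $file is one entry of $_FILES; $userid must come from the logged-in session.
function store_gallery_upload(array $file, int $userid, string $uppath, int $maxBytes = 200000): string
{
    // Only trust the temp path PHP recorded for this request, never a path taken
    // from a request variable. is_uploaded_file() enforces exactly that.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload in this request');
    }

    // Measure the file on disk; the client-reported size is not trusted.
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // Decide the type from the content, not the name. Only GIF and JPEG pass.
    $info = @getimagesize($file['tmp_name']);
    $extByType = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];
    if ($info === false || !isset($extByType[$info[2]])) {
        throw new RuntimeException('Only gif or jpg images are accepted');
    }

    // Numeric userid as directory name, as proposed in the post above. A directory
    // needs the execute bit to be entered, so 0766 leaves group/other unable to
    // reach the files inside; 0755 is the usual choice.
    $dir = rtrim($uppath, '/') . '/' . $userid;
    if (!is_dir($dir) && !mkdir($dir, 0755) && !is_dir($dir)) {
        throw new RuntimeException('Cannot create upload directory');
    }

    // Server-generated name: nothing from the client reaches the filesystem path.
    $name = bin2hex(random_bytes(8)) . '.' . $extByType[$info[2]];

    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($file['tmp_name'], "$dir/$name")) {
        throw new RuntimeException('Could not store upload');
    }
    return "$userid/$name";   // relative path to store in the gallery table
}

// Usage inside a request handler (field name "fileupload" is an assumption):
//   $relative = store_gallery_upload($_FILES['fileupload'], (int) $userid, $uppath);
```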

03-18-2001, 07:58 AM
I keep getting this error when trying to post an image:

Warning: Unable to open '/tmp/phpjv2608' for reading: No such file or directory in /web/dojo/paintball/forums/newthread.php on line 208


It seems as though it does not create the temporary directory. I've even tried changing the code in global.php to have to write to another temporary directory called "galtmp" and set the correct permissions and ownerships and it still did not work.

I think the code in global.php is not creating the temporary name directory in the "/tmp" directory.

Can someone please help me. I'd love to have this feature setup.

Thanks.

03-18-2001, 08:09 AM
Sorry, but why don't you just install V2?

03-18-2001, 08:21 AM
Hello,

Because I'm running a customized VB that allows for one global user DB over a span of multiple forums so I want to wait until VB 2.0 is out of beta before upgrading.

03-18-2001, 03:16 PM
VirtueTech, have you installed this hack?
I'm interested in it.

03-18-2001, 03:27 PM
Saturn: this hack definitely works. Check out our Image Gallery forum (http://www.overgrow.com/edge/forumdisplay.php?forumid=13)-- it's our most popular.. some threads have over 15,000 views.

I've made a similar mod to DWH-- I have it upload the images into the /userid/ directory with similar checks.

VT: I'm confused as to your problem though, do you have the image hack already working and you're trying to do the Userid directory addition, or have you never had images working?

03-18-2001, 06:04 PM
Ouf.....I haven't installed it
Note to Stallion: Help Herb cause this hack will be very cool with no problems of security

03-18-2001, 10:43 PM
What version are you using?

Stallion did fix the security hole for herb.. the latest version in the first page link should be secure.

03-19-2001, 09:50 AM
Overgrow, where can I find the gallery hack?

I tried the link in the previous pages but it doesn't work.

03-25-2001, 09:53 AM
has the file been removed from the server.... could u please upload it here ...........on vbulletin.com board

03-29-2001, 02:17 AM
Since I upgraded to 1.16, the images won't upload. I get the following error:

Warning: Unable to open '/tmp/phpg42489' for reading: No such file or directory in /usr/local/apache/htdocs/babyu/htdocs/babyuniversity.com/htdocs/forums/newreply.php3 on line 210

Any ideas? My visitors loved this feature and are going nuts because they can't upload now! Thanks!

03-29-2001, 01:58 PM
Originally posted by BabyU
Since I upgraded to 1.16, the images won't upload. I get the following error:

Warning: Unable to open '/tmp/phpg42489' for reading: No such file or directory in /usr/local/apache/htdocs/babyu/htdocs/babyuniversity.com/htdocs/forums/newreply.php3 on line 210


Any ideas? My visitors loved this feature and are going nuts because they can't upload now! Thanks!

Check your line 210 on newreply.php3
There is maybe a comment

03-29-2001, 03:57 PM
Herb,
the file is not located on your server anymore. Does anyone else have this img gallery hack and can upload it here?

Definitely want to try this one out.

03-30-2001, 12:16 PM
where?

03-31-2001, 12:16 PM
So did anyone ever reupload this hack....?

04-01-2001, 02:27 PM
Check this thread, it is about a photo album script

http://www.vbulletin.com/forum/showthread.php?threadid=11950

Maybe someone is interested in this and can help me out with it.

SilverBoy
04-04-2001, 01:38 AM
plz put link to it.

SilverBoy
04-11-2001, 03:25 PM
I am tired of waiting???

Overgrow
04-25-2001, 03:48 PM
Locations:

http://www.overgrow.com/archive/imggalhack.zip

personal photo album (early version, works only with this gallery hack, not the vB2 uploads. I will be updating this code soon.)

http://www.overgrow.com/archive/gallery.zip

and for reference:

http://www.overgrow.com/archive/KillFile.zip

is the ignore user hack

Redman
05-20-2001, 10:12 PM
:eek:

Herb I really need help. I downloaded your Image Hack almost three weeks ago and I am still having problems.

I did everything possible that you said to do on the txt file but I keep getting this same error message:




Warning: SAFE MODE Restriction in effect. The script whose uid is 233701 is not allowed to access /tmp/phpCUGh9h owned by uid 0 in /web/sites/124/bahamascope/www.bahamascope.f2s.com/newthread.php on line 179

I am not familiar with PHP, but something is wrong. My site is Bahamascope.net, but my board is here:
http://www.bahamascope.f2s.com

I really need help!!!

Redman
05-23-2001, 02:19 AM
Herb. I asked for help some days ago and I think that it's messed up you don't answer help questions from persons like me in serious need.

You only help the people who already know what they are doing. Please help me. :eek:

Overgrow
05-25-2001, 03:32 PM
Umm sorry, Herb moved about 3000 miles away. You might try sending him mail through this system if his profile allows it. I'm not Herb though... not to mention people that write hacks do it for free and you should not expect support.

>>Warning: SAFE MODE Restriction in effect. The script whose uid is 233701 is not allowed to access

That error is something that your ISP / Host will handle, that is not an error with the script or database.

Isn't F2s a free host service? The error is telling you that your scripts do not have permission to write to the server's hard drive. That's not surprising if it's a free host. Call them / write to them.. ask if that is the case. If so, you cannot use this script with that host and you will need to find another server if you want to support uploads.

Redman
05-25-2001, 10:12 PM
Now I know what I have to do!

:mad: I guess now I have no alternative options but to give in and join Host Rocket servers. Thanks for the reply, it really helped, but if you are not herb, then why are you using his image/avatar and his name? This seems like a conspiracy. I think that this REALLY IS Herb but just doesn't want to admit it. But thanks for the help!

Overgrow
05-29-2001, 02:48 PM
Herb:

http://www.vbulletin.com/forum/member.php?action=getinfo&userid=11

Wow, he was user # 11 here! I remember when he first mentioned some guy "porting UBB to PHP"...

Sorry, I will deny all conspiracy theories stating that I am Herb :) He is a friend of mine, but a totally different person. We both run the same site so that is probably why you might confuse us. I've responded a lot in his threads because I know a lot about his hacks.. but if you look at his member profile, he hasn't posted himself in about 4 months.

This is my name, my avatar :)

Znaper
06-16-2001, 10:43 PM
The Downloadlink is down!
Please re-upload it!
Thx!

Redman
07-07-2001, 05:44 AM
Someone already posted that they were having parse error problems with the modifications to reply to threads w/ images.

Please can I get some help? I am experiencing the same problems :rolleyes:

alkatraz
10-16-2001, 12:29 AM
WOW

I'm speechless Overgrow!

Your board is THE BEST LOOKING bulletin board ive EVER seen, PERIOD.

congrats man!

PS: Im about to install your script right now, wish me luck =)