I'm creating a hack that during one of the processes it takes HTML code from a template and sends it to a specified user as a personal message.

The only problem is the HTML code is not parsed.

Say my template called priv_forwardpost contains:

<a href="http://www.lycos.com">hello</a>


Well, in the PM to that user, when he reads it will show exactly as:

<a href="http://www.lycos.com">hello</a>


With not links. I have tried using htmlspecialchars() or bbcodeparse() or addslashes(), just to see if they would do anything put they don't :(

Basically here is the small part of my code where the problem exists:

eval("\$message = \"".gettemplate("priv_forwardpost",1,0)."\";");

$DB_site->query("INSERT INTO privatemessage (privatemessageid,userid,touserid,fromuserid,title ,message,dateline,messageread,folderid) VALUES (NULL,$pm_userid,$pm_userid,$bbuserinfo[userid],'".addslashes(htmlspecialchars($pm_title))."','".addslashes($message)."',".time().",0,0)");

So how can I get it when the user views the PM, the $message is parsed and HTML shows?

Thanks if you can help.

I would have thought the problem would have been that the PM system doesn't parse HTML (for security reasons) which is why it is appearing as the source.

I've found this more than likely to be the problem after viewing private.php.

What I'm needing help for then is a way to bypass the block just for my hack, but not to interfer with regular PM messanging.


For example, say my template priv_forwardpost contained this:

[_url]http://www.lycos.com[/url]

(without the underscore)

Now, wouldn't it seem logical that if I sent this into the database using addslashes(), then it would produce normal when viewing the PM? As parsed?

Only problem is that I can't even get this submitted into the database without recieving a database error, something about it containing bbcode in the template is interferring...

This should work, I don't see why it shouldn't (I don't know if the " around $message will make a difference or not?).

$DB_site->query("INSERT INTO privatemessage (privatemessageid,userid,touserid,fromuserid,title ,message,dateline,messageread,folderid) VALUES (NULL,$pm_userid,$pm_userid,$bbuserinfo[userid],'".addslashes(htmlspecialchars($pm_title))."','".addslashes("$message")."',".time().",0,0)");

It should parse the vB Code like it would if a user was sending it.

Ok..lol, I've found the error but now I'm pondering on a way to fix it.

It error was in the [_url][/url] tag, because in my real code the url contains variables, such as $userid. And code between [_url][/url] cannot contain variables, because they don't get parsed.

Now I'm thinking of a way to get these variables parsed before being submitted into the database..

BUAHAH!!
Finally figured it out, thanks for your help anyway NTLDR

:p