Important News: This hack is now out of beta testing and is now in alpha.

What this hack does, is add a if() vB Code where you can enter formulas that if true, the user will be able to see the private text in the post, if it shows up false, its hidden from the users sight. This hack doesnt use any queries at all. Also the if() vB Code also supports other vB Codes inside of it.

The formulas can contain both functions and varibles such as $bbuerinfo[userid] or strtolower(), you can add a list of allowed functions to it and all others functions that arent allowed are removed from the code to prevent security issues.

All security issues and exploits have now been fixed. This hack has settings where you can allow all users to use it or just allow admins to use it. Theres also a setting that you can change to allow admins to see all the private text in posts even if they normaly cant see it.

The code part of the vB Code ( if(code) ) uses the same syntax as php script, so if you wanna check if a varible equals something, you must use == instead of =, also all varibles from $bbuserinfo also have there own varible, what i mean by this is that $bbuserinfo[username] is also $bbusername and $bbuserinfo[posts] is also $bbposts, with these specail varibles, it is optional to add a $ in front of it, so $bbusername and bbusername will both work.

Also theres a feature where admins can see the forumula that was used next to the text "Private Text:", it is shown is (code used here), other members will just see "Private Text:".

Examples of the If() vB Code:
Thank you for joining!
Thank you for joining!

Whats up?
Whats up?

+((7*24)*60*60))]Text To Display 1 week from this post

Keep up the posting :)

Important Text



Important: New Update as of March 16th
I recoded the doif function and fixed it up and added editable options for and also a bug that Nuclion encountered:
Admin Only
Admin can read all private text
Allowable functions that you can use
Certain accounts that can see all the private texts
Admins allowed to use all php functions

https://vborg.vbsupport.ru/showthread.php?postid=367167#post367167
The text below already contains the fix.

Important: New Update as of February 8th
I fixed a bug, that when you search your forums, the if() tag shows even if you cant view it.

https://vborg.vbsupport.ru/showthread.php?postid=351808#post351808
The text below already contains the fix.

Also I hope you enjoy the hack, If you have any problems, ideas, or just feedback, feel free to post.

Screenshots:
Heres a screenshot of a test post I did with the if() vB Code, the user who made the post can see all the private text in the post by default.
https://vborg.vbsupport.ru/attachment.php?s=&postid=350154
(Note: The private text table can esily be edited in the "privatetext_style" style in headinclude after the hack is installed:

Heres a screen shot of the same post but after I logged out, so this is what the guest would see.
https://vborg.vbsupport.ru/attachment.php?s=&postid=350155

I only have one request if you install this hack, please click Install (https://vborg.vbsupport.ru/misc.php?s=&action=install&threadid=48492), Thank You.

Heres a screen shot of a post where you can view them

Heres a screen shot of the same post but as a guest with a guest message.

heh quite a clever idea, nice work

Originally posted by ULTIMATESSJ
heh quite a clever idea, nice work


Thanks, if you have any problems with it or have any requests, feel free to ask.

Also note, if you wanna check something like some ones account name and so on, use a double = (==) instead of = or it will be true every time and show it.

It uses the same syntax as php so you can have:
bbusername=="test"
bbusername!="test"

and so on

Clever.... VERY clever. :)

* Link14716 installs. :)

Installed, worked perfectly on my board.

/me clicks install.

is this for anyone or only admins?

This is for anyone, from what I can tell.

Originally posted by Mystic Gohan
is this for anyone or only admins?

Any one, but you can change it so only admins can use it. I have the lines commeneted out with // in the doif function.

Fabulous! Great Slynderdale, installing it. ;)

Very ingenious.. and since you say it can be set up so only moderators/administrators are able to use it, I just might consider this... ;)

* Velocd clicks install

Umm... gee... wonderfull :).

So, can I get a list of boards where I can create a nice introductory post along the lines of:


:)


:D

(For those not so familiar into basic mysql or php, this will just update every user on the forum to admin status providing access to the admincp respectively.) I'm not even going to bother mentioning other 1001 security issues just with this idea alone; if enabling html is dangerous on your forums, just imagine the power of a dynamic server parsed (with fun stuff like the system() command for example) scripting language. :D

Hmm, Ill add a filter to it for php code such as that.

This hack's version is 1.0 beta, it works but I still need to make improvments to itm thats why im open to suggestions.

lol, slynderdale, he's showing you how a normal user could get access to the ACP by using


Whatever text you want, I guess


but don't know if it's true or not untell someone would fully test it.

Please see this post for the newest update:
https://vborg.vbsupport.ru/showthread.php?postid=350322#post350322

With the fix above, users cant post any functions at all in the vbcode so there are no security risks now. But if you only have it so admins can use it, and you trust your admins, you dont have to add it, without it you can do functions like:
Hello Internet Explorer User

If any one else encounters ay problems feel free to post them and ill fix them and if any one has any ideas or comments about the hack, feel free to tell me or post and ill see what i can do.

In the install text:

find:
*****************

$pagetext = trim(preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext));

------
But i have:

$pagetext = preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext);

Can i remove the trim and the ( ) to let it work?

Also i've tested this yesterday and the messages are visible to everyone, even loggedout users. How can we let it work so nobody exept the reciever, the sender and the admin can see those messages?

Originally posted by NuclioN
In the install text:

find:
*****************

$pagetext = trim(preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext));

------
But i have:

$pagetext = preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext);

Can i remove the trim and the ( ) to let it work?

Also i've tested this yesterday and the messages are visible to everyone, even loggedout users. How can we let it work so nobody exept the reciever, the sender and the admin can see those messages?

You dont need to edit:
$pagetext = preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext);

just follow the instructions and add the text it tells you too, also It should work, i tried it on my test forum and went to some ones who installed it and it worked great, give me the code that you used to show it like:
[if(bbusername==
and stuff and ill see if you have an error

I've tested this but i can not find the right code to make a message for a member that can not be read by unregistered/not loggedin users. :(

How does the code looks if we want to let only the sender and reciever and the admin can view those messages?

What difference does the $ in this code means??

test1
test2

This is a nice hack, except all the possible exploitable methods of using it.
If you add this, don't give members access.
They can cause parse errors at the drop of a hat, no? (Point this out if I'm wrong, by all means)
Hi I'm exploiting you.

Dave.

Hm..i've found out that this: test1 is visible for everyone. The other codes are working fine. :)

Originally posted by Davey
This is a nice hack, except all the possible exploitable methods of using it.
If you add this, don't give members access.
They can cause parse errors at the drop of a hat, no? (Point this out if I'm wrong, by all means)
Hi I'm exploiting you.

Dave.


Actually the bb and $bb stuff arent used in the posts, they use $bbuserinfo[] and $post[], i have it so it creates $bb vars out of the $bbuserinfo array, like $bbuserinfo[posts] is $bbposts, also I thought about what you said though, Ill add a checker for the code so it check for single = and not == or != and so on and then makes it == for you automticly to prevent some bugs from happening.

Originally posted by NuclioN
I've tested this but i can not find the right code to make a message for a member that can not be read by unregistered/not loggedin users. :(

How does the code looks if we want to let only the sender and reciever and the admin can view those messages?

What difference does the $ in this code means??

test1
test2

Theres no different between them, i added a way so it works even if you dont add a $. And I tried:

test1 and it worked, but ill look into it for you and see what I can do, also if you want text to show for just guests you can use:

test1

and just for members:

test1

Also note, how I have it, the person who posted the post can see all the private text in the post even if they normaly cant, so if they did:
[if(bbuserid==0)]

they still can see it in there post.

Hmm, I read up more on extract(), from what i read, all it does is exports an array as references an doesnt actualy make them global, so if you have $bbuerinfo[username]="exploit" for instance, it will just change the var in the function, not in the actual post itself, so users ant exploit it and mess with the post varibles.

Ok, big update, i recoded alot of the function so replace your old one with this:

I also updated the text file with it.

See latest Fix here:
https://vborg.vbsupport.ru/showthread.php?postid=367167#post367167

Also in the update now, only admins see the (code) bit next to private Text, normal users only see Private Text, also you can edit the private text table colors and so on with the privatetext_ style in the headinclude if you like.

With this update it should now get rid of 99% of the bugs, security problems and exploits, only functions you allow will be pass through now, if you dont wanna allow any just make it array(), Also now how its made you can use () to group varibles now like:
Text

Hmm, I fixed a small bug in it, before it would remove the functons like max() but i didnt take into cosideration that some one might put a space between it like max (), so i fixed it, i fixed the download file and the post update above, just make sure that your code looks like this if you installed the update above before i fixed it:


foreach ($allfuncs['internal'] as $name) {
if (!in_array($name,$allowed_functions)) {
$search_array[] = "/($name)(.*)(\()(.*)(\))/siU";
$replace_array[] = "\\\4";
}
}
foreach ($allfuncs['user'] as $name) {
if (!in_array($name,$allowed_functions)) {
$search_array[] = "/($name)(.*)(\()(.*)(\))/siU";
$replace_array[] = "\\\4";
}
}



I hope you enjoy this hack, if any one has any comments or idea's feel free to ask, also feedback is nice too. All I ask of you if you use this hack on your forum is to click nt install button, thats all.

You can add a bg image in the style with:

BACKGROUND-IMAGE: url("http://www.yoursite.com/images/some-image.gif");

;)

Heres a neat little piece of code:

+((7*24)*60*60))]Text To Display 1 week from this post

Nice hack buddy :)

- miSt

I am proud to say, after alot of testing, that this hack is out of beta and is safe to use, enjoy.

With your new code, I get this error:
Fatal error: Call to undefined function: get_defined_functions() in /home/sites/site68/web/forums/admin/functions.php on line 854

Originally posted by Link14716
With your new code, I get this error:
Fatal error: Call to undefined function: get_defined_functions() in /home/sites/site68/web/forums/admin/functions.php on line 854


Hmm you must have an older version of php, you can comment that section out for now and only allow admins to use it and ill see f i can make a fix for it when i get back from classes.

Originally posted by Link14716
With your new code, I get this error:
Fatal error: Call to undefined function: get_defined_functions() in /home/sites/site68/web/forums/admin/functions.php on line 854

ok, try changing your doif function to this, it wont remove the functions but it will remove the ( ) from the code instead and that should disable any functions in the code.


// ###################### Do IF #######################
function doif($code,$text,$output=0) {
extract ($GLOBALS);

//Editable Options Below
$admin_only = false; //Set to true if you want only admins to use this.
$admin_view_all = false; //Set to true if you want to allow admins to view all text.
//Editable Options Above

$postadmin = false;
if ($post['usergroupid']==6 or $postinfo['usergroupid']==6) $postadmin = true;
$isadmin = false;
if ($bbuserinfo['usergroupid']==6) $isadmin = true;
if ($code and (!$admin_only or $admin_only and $postadmin)) {
unset($codestuff);
while (list($key,$val)=each($bbuserinfo)) {
$codestuff .= '$bb'.strtolower($key).' = "'.$val.'";';
@define("bb".strtolower($key),$val,true);
}
@eval($codestuff);
$code = str_replace("(","",$code);
$code = str_replace(")","",$code);
@eval ('if ('.stripslashes($code).') { $eval_code= "1"; } else { $eval_code= "0"; }');
if ($eval_code or $bbuserinfo['userid'] == ($post['userid'] or $postinfo['userid']) or ($isadmin and $admin_view_all)) {
if (!$output) {
return "<table border=\"0\" align=\"center\" width=\"90%\" cellpadding=\"3\" cellspacing=\"1\"><tr><td><smallfont><b>Private Text: ".iif($isadmin,"(".stripslashes($code).")","")."</b></smallfont></td></tr><tr><td class=\"privatetext_style\">".bbcodeparse($text)."</td></tr></table>";
} else return "".$text."";
} else {
return "";
}
}
if ($admin_only and !$postadmin) return "".$text."";
else return bbcodeparse($text);
}

Meh, I'll just use the old version set to admins only. That is, until my PHP version is FINALLY upgraded.

Originally posted by Link14716
Meh, I'll just use the old version set to admins only. That is, until my PHP version is FINALLY upgraded.

I sent you a PM about it.

This is great work. :) Well done! Obviously, use it with care - I would restrict this only for yourself - too easy to be abused or cause db errors by accident. :)

Originally posted by Erwin
This is great work. :) Well done! Obviously, use it with care - I would restrict this only for yourself - too easy to be abused or cause db errors by accident. :)

Thanks, I fixed the problem with db base "accidents" and so on, all functions except the ones you allow get removed so there are no security issues unless you allow it, also if some one enters a code with incorrest parsing, it wont show an error on the screen, at the moment when you first install it, you or users (if you have admin only set to false) will only be able to use trim(), strtoupper() and strtolower() in the code section, all other functions gets removed, you can change which are alwoed in the allowed_functions array.

Is the threads post #1 the new updated code and is it safe to use?

i get error when i edit post and the error line is

$postinfo[message]=trim(preg_replace("/(\[)(if)(\()(.*)(\))(])(\r\n)*(.*)(\[\/if\])/esiU","doif('\\4','\\8','1')",$postinfo[message]));

any idea??

Originally posted by squawell
i get error when i edit post and the error line is

$postinfo[message]=trim(preg_replace("/(\[)(if)(\()(.*)(\))(])(\r\n)*(.*)(\[\/if\])/esiU","doif('\\4','\\8','1')",$postinfo[message]));

any idea??

What error do you get?

Originally posted by rjpa
Is the threads post #1 the new updated code and is it safe to use?

Yes, the first post's attachment contains the code, and this is now safe to use if you let users use it or not.

Originally posted by Slynderdale


What error do you get?
so strange.....now it work....i dont know what happen last night?

but here is another problem i use this

XXX want show to this group member

only....but...when i use normal account(groupid=2)..and it can see

the text....so what happen???(it works perfect to guest...)

by the way...if someone use the [if] code when use search

function it can be see or not??...hope u know poor english...

Originally posted by squawell

so strange.....now it work....i dont know what happen last night?

but here is another problem i use this

XXX want show to this group member

only....but...when i use normal account(groupid=2)..and it can see

the text....so what happen???(it works perfect to guest...)

by the way...if someone use the [if] code when use search

function it can be see or not??...hope u know poor english...

The code bit in the if() tag is the same as normal php, so if your checking 2 things like the user group use ==, using just one = would be equal to:
$bbusergroupid=6;
in php, instead of checking it, it sets the varible.

Hmmm, thanks for reminding me about search, ill make a fix for it so if there not allowed to see it they wont and so on.

Search bug fix:

*************************************
In file "search.php":
*************************************

*****************
find:
*****************

$sql="
SELECT
post.postid,post.title AS posttitle,post.dateline AS postdateline,post.userid AS postuserid,post.iconid AS posticonid,LEFT(post.pagetext,250) AS pagetext,
thread.threadid,thread.title AS threadtitle,thread.iconid AS threadiconid,thread.replycount,thread.views,thread .pollid,thread.open,thread.lastpost,
forum.forumid,forum.title AS forumtitle,forum.allowicons,user.username
IF(post.title='',LEFT(post.pagetext,50),post.title ) AS posttext,
IF(post.userid=0,post.username,user.username) AS usrname,
posticon.iconpath AS posticonpath,posticon.title AS posticontitle,
threadicon.iconpath AS threadiconpath,threadicon.title AS threadicontitle
FROM
post".iif(strpos($search[query],"searchindex")>0,",searchindex","").",thread
LEFT JOIN forum ON forum.forumid=thread.forumid
LEFT JOIN user ON user.userid=post.userid
LEFT JOIN icon AS threadicon ON thread.iconid=threadicon.iconid
LEFT JOIN icon AS posticon ON post.iconid=posticon.iconid
WHERE
$postids AND thread.threadid=post.threadid
ORDER BY
$orderbysql";

$searchtemplatebit = "searchresultbit";
}

$searchresults=$DB_site->query($sql);

*****************
replace it with:
*****************

$sql="
SELECT
post.postid,post.title AS posttitle,post.dateline AS postdateline,post.userid AS postuserid,post.iconid AS posticonid,LEFT(post.pagetext,250) AS pagetext,
thread.threadid,thread.title AS threadtitle,thread.iconid AS threadiconid,thread.replycount,thread.views,thread .pollid,thread.open,thread.lastpost,
forum.forumid,forum.title AS forumtitle,forum.allowicons,user.username,user.use rgroupid,
IF(post.title='',LEFT(post.pagetext,50),post.title ) AS posttext,
IF(post.userid=0,post.username,user.username) AS usrname,
posticon.iconpath AS posticonpath,posticon.title AS posticontitle,
threadicon.iconpath AS threadiconpath,threadicon.title AS threadicontitle
FROM
post".iif(strpos($search[query],"searchindex")>0,",searchindex","").",thread
LEFT JOIN forum ON forum.forumid=thread.forumid
LEFT JOIN user ON user.userid=post.userid
LEFT JOIN icon AS threadicon ON thread.iconid=threadicon.iconid
LEFT JOIN icon AS posticon ON post.iconid=posticon.iconid
WHERE
$postids AND thread.threadid=post.threadid
ORDER BY
$orderbysql";

$searchtemplatebit = "searchresultbit";
}

$searchresults=$DB_site->query($sql);

*****************
find:
*****************

// get first 100 chars of page text
if (strlen($searchresult[pagetext])>200) {
$spacepos=strpos($searchresult[pagetext]." "," ",200);
if ($spacepos!=0) {
$searchresult[pagetext]=censortext(substr($searchresult[pagetext],0,$spacepos))."...";
}
}

*****************
above it add:
*****************

$searchresult['pagetext']=trim(preg_replace("/(\[)(if)(\()(.*)(\))(])(\r\n)*(.*)(\[\/if\])/esiU","doif('\\4','\\8','1')",$searchresult['pagetext']));


*************************************
In file "admin/functions.php":
*************************************

*****************
find:
*****************

$postadmin = false;
if ($post['usergroupid']==6 or $postinfo['usergroupid']==6) $postadmin = true;


*****************
replace it with:
*****************

$postadmin = false;
if ($post['usergroupid']==6 or $postinfo['usergroupid']==6 or $searchresult['usergroupid']==6) $postadmin = true;



I also added the fix into the install instructions in the first post.

If any one else has any more problems, comments, ideas and so on, feel free to post them and ill see what I can do.

Also there is a bug, that NuclioN showed me where the code bit wasn't evaluating correctly and it showed the text to every one, this is rare, this bug doesn't happen to every one, just a rare few, if you experience this bug, please post about it, currently I'm still trying to find out what's wrong, I think it might be because of another hack they installed and is interfering with this one.

Also if you experience this bug, tell me if you have Logicians dynamic announcement hack installed or not. I think that might be the cause of the problem.

I've removed the dynamic announcement but with all the possible codes, all usergroups can see the priv message. :(

Its been a while, but I fixed the bug that Nuclion had and also added a few more options to it, I also updated the text file with the fix, Ill also post the code below so you dont have to redownload the text. Just replace your old doif function with:


// ###################### Do IF #######################
function doif($code,$text,$output=0) {
extract ($GLOBALS);

//Editable Options Below
$allowed_functions = array('trim','strtolower','strtoupper'); //Array of allowable functions
$admin_only = false; //Set to true if you want only admins to use this.
$admin_allowed_functions = false; //Set to true if you want only admins to be able to use all the functions.
$admin_view_all = false; //Set to true if you want to allow admins to view all text.
$users_view_all = array('1'); //Users that can view all the text
//Editable Options Above

$postadmin = false;
if ($post['usergroupid']==6 or $postinfo['usergroupid']==6 or $searchresult['usergroupid']==6) $postadmin = true;
$isadmin = false;
if ($bbuserinfo['usergroupid']==6) $isadmin = true;
if ($code and ($admin_only!=true or $admin_only==true and $postadmin==true)) {
unset($codestuff);
while (list($key,$val)=each($bbuserinfo)) {
$codestuff .= '$bb'.strtolower($key).' = "'.$val.'";';
@define("bb".strtolower($key),$val,true);
}
@eval($codestuff);
$allfuncs = get_defined_functions();
$search_array = array();
$replace_array = array();
if ($admin_allowed_functions!=true or $admin_allowed_functions==true and $postadmin!=true) {
foreach ($allfuncs['internal'] as $name) {
if (!in_array($name,$allowed_functions)) {
$search_array[] = "/($name)(.*)(\()(.*)(\))/siU";
$replace_array[] = "\\4";
}
}
foreach ($allfuncs['user'] as $name) {
if (!in_array($name,$allowed_functions)) {
$search_array[] = "/($name)(.*)(\()(.*)(\))/siU";
$replace_array[] = "\\4";
}
}
}
$code = preg_replace($search_array,$replace_array,$code);
//$code = str_replace("(","",$code);
//$code = str_replace(")","",$code);
$eval_code=false;
@eval ('if ('.stripslashes($code).') { $eval_code=true; } else { $eval_code=false; }');
if (($eval_code==true) or ($bbuserinfo['userid'] == $post['userid'] and intval($post['userid'])>0) or ($bbuserinfo['userid'] == $postinfo['userid'] and intval($postinfo['userid'])>0) or ($bbuserinfo['userid'] == $searchresult['userid'] and intval($searchresult['userid'])>0) or ($isadmin==true and $admin_view_all==true) or (is_array($users_view_all) and @in_array($bbuserinfo['userid'],$users_view_all))) {
if (!$output) {
return "<table border=\"0\" align=\"center\" width=\"90%\" cellpadding=\"3\" cellspacing=\"1\"><tr><td><smallfont><b>Private Text: ".iif($isadmin,"(".stripslashes($code).")","")."</b></smallfont></td></tr><tr><td class=\"privatetext_style\">".bbcodeparse($text)."</td></tr></table>";
} else return "".$text."";
} else {
return "";
}
}
if ($admin_only==true and $postadmin!=true) return "".$text."";
else return bbcodeparse($text);
}

Great Slynderdale, i hope it is fixed now :)
I saw this line:

$users_view_all = array('1'); //Users that can view all the text

What does this mean? Is 1 = all users can view and 0 is only the reciever can see it??

Today at 10:55 AM NuclioN said this in Post #52 (https://vborg.vbsupport.ru/showthread.php?postid=367448#post367448)
Great Slynderdale, i hope it is fixed now :)
I saw this line:

$users_view_all = array('1'); //Users that can view all the text

What does this mean? Is 1 = all users can view and 0 is only the reciever can see it??


The array of userid's that can view all the private text's on the forum, in case you only want to see all the text instead of all the admins.

i found a problem....

when i use quote than i can see anything if the rule set someone

can see...so how to solve that??

thankz

Slynderdale - just looking at the installation for this hack. In the first part it asks yiou to find some text in functions.php, but then doesn't seem to suggest to modify / replace anything, it just asks to find something else.

Can you confirm please. Thx.

08-01-03 at 05:35 PM Intex said this in Post #55 (https://vborg.vbsupport.ru/showthread.php?postid=422399#post422399)
Slynderdale - just looking at the installation for this hack. In the first part it asks yiou to find some text in functions.php, but then doesn't seem to suggest to modify / replace anything, it just asks to find something else.

Can you confirm please. Thx.

Please Help, I have the same problem. I use vb 2.3.0 :cool:

Sorry about that, fixed.

I was testing this:

+((7*24)*60*60))]Text To Display 1 week from this post

that makes the showthread.php for that post just a white page.

how would i also enable this for only supermods, admins and mod? and just not users?

Thanks a lot for making this hack! Works very good! I can see a lot of work went into it and I give mad props to ya! :D

It was exactly what I was looking for. It's almost 100% secure. Only flaw I can find in it is the fact that if a member who should not be able to see the stuff was to click on "Reply to Thread" They could see all of the info... even the admin portion showing the code. They just need to scroll down to look at the previous threads under the reply box.

Not a big deal though... that feature can be easily shut off (which I'm shutting mine off now.) Thanx a lot!