vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   ibProArcade Archive (https://vborg.vbsupport.ru/forumdisplay.php?f=174)
-   -   Alternate fix to injection code in comments (https://vborg.vbsupport.ru/showthread.php?t=279305)

Mark.B 02-29-2012 08:58 PM

But the code Stangger has posted is NOT what changed in 2.7.2.

Hippy 02-29-2012 09:12 PM

stangger5 knows this mod better than anyone here.. so trust what he says ...
he has tested this out for the last few days...

stangger5 02-29-2012 10:19 PM

Quote:

Originally Posted by Mark.B (Post 2304835)
But the code Stangger has posted is NOT what changed in 2.7.2.

MrZ changed this:
2.7.1
PHP Code:

$ibforums->input['s_id'] = ibp_cleansql($ibforums->input['s_id']); 

to this:
2.7.2
PHP Code:

$ibforums->input['s_id'] = intval(ibp_cleansql($ibforums->input['s_id'])); 

I have this:

PHP Code:

$ibforums->input['s_id'] = intval($ibforums->input['s_id']); 

MrZ`s code is trying to clean the int data .
I`m no guru like MrZ...:)

--------------- Added 02-29-2012 at 11:29 PM ---------------

To get this thread back on track, here is a very good read for the ones wanting to learn some of the vBulletin Input Cleaner..

Using the vBulletin Input Cleaner

rpgamersnet 02-29-2012 10:35 PM

I guess my question was just if the other part that was added is needed, the looping replace function that removes SQL words from comments (but also removes good data). It is near the bottom of the 2.7.2 arcade.php ... needed or just playing it safe?

stangger5 02-29-2012 10:47 PM

I think it's playing it safe...Which is not a bad thing these days...

I`m looking into using the vBulletin Input Cleaner instead of the ibp_cleansql..

Hippy 02-29-2012 11:03 PM

Quote:

Originally Posted by rpgamersnet (Post 2304867)
I guess my question was just if the other part that was added is needed, the looping replace function that removes SQL words from comments (but also removes good data). It is near the bottom of the 2.7.2 arcade.php ... needed or just playing it safe?

what good data is it removing ?

rpgamersnet 03-01-2012 12:14 PM

Quote:

Originally Posted by Hippy (Post 2304879)
what good data is it removing ?

If you refer to this post: https://vborg.vbsupport.ru/showpost....91&postcount=5

The code I am asking about is the loop that removes all the SQL keywords from the comments. Most I'm sure won't come across in normal comments, but filtering out parts like "or" and "and" are going to catch and mess up standard comments, as given in the example on that post.

"I got the high score!" becomes "I got the high sce!"

"Got a great hand on the last round!" -> "Got a great h on the last round"

Some basic words will get filtered as well, not just the bad SQL data, which is why I suggested that maybe this fix is not the best solution. Code I am questioning is quoted here:

PHP Code:

// Keeps calling str_ireplace() until the needle no longer appears in the text.
// Note: stristr() takes a string needle; this quoted code passes it the whole
// $sqlcomm array (see the caller below), which is how ibProArcade 2.7.2 ships it.
function recursive_str_ireplace($replacethis, $withthis, $inthis)
{
    while (1==1)
    {
        $inthis = str_ireplace($replacethis, $withthis, $inthis);
        if (stristr($inthis, $replacethis) === FALSE)
        {
            RETURN $inthis;
        }
    }
    RETURN $inthis;
}

PHP Code:

// remove any SQL-commands
// (blacklist of words stripped, case-insensitively, from every field that
// passes through ibp_cleansql; note plain English words like 'or' and 'and')
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';

$value = recursive_str_ireplace($sqlcomm, '', $value);

Some recent threads have started to appear complaining of errors appearing; this new code is also the source of those new problems: the new recursive_str_ireplace loop that replaces these parts of the comment field.... and any other field being filtered by the ibp_cleansql function.
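To make the trade-off in this post concrete, here is an added example (it is not code from the thread or from ibProArcade) that runs the quoted blacklist over ordinary comments and then shows the two controls that prevent injection without mangling text: intval() for the numeric s_id, as in stangger5's fix, and a prepared statement for the comment string. It uses an in-memory SQLite table via PDO in place of the arcade's MySQL table; the table name, column names, sample comments and the crafted s_id value are all constructed for the demo.

```php
<?php
// Added example, not part of the thread or of ibProArcade. Requires the
// pdo_sqlite extension. Table/column names and sample inputs are constructed.

// The blacklist quoted from arcade.php 2.7.2, reproduced to show its effect.
$sqlcomm = array('create', 'database', 'table', 'insert', 'update', 'rename',
    'replace', 'select', 'handler', 'delete', 'truncate', 'drop', 'where',
    'or', 'and', 'values', 'set', 'password', 'salt', 'concat', 'schema');

// Same intent as the quoted recursive_str_ireplace(): keep stripping until a
// pass changes nothing. Comparing before/after avoids calling stristr() with
// an array needle.
function strip_keywords(array $words, $text)
{
    do {
        $before = $text;
        $text = str_ireplace($words, '', $text);
    } while ($text !== $before);
    return $text;
}

// Constructed sample comments; the first two are the ones from the post above.
$comments = array(
    "I got the high score!",
    "Got a great hand on the last round!",
    "Nice, I'm 'top' of the table now",   // quotes plus a keyword: the hard case
);

echo "Blacklist stripping (mangles harmless text):\n";
foreach ($comments as $c) {
    printf("  %-36s -> %s\n", $c, strip_keywords($sqlcomm, $c));
}

// Numeric field: intval() keeps only the leading integer, so whatever follows
// it in a crafted s_id never reaches the query. This is what stangger5's
// intval($ibforums->input['s_id']) relies on.
$crafted_s_id = "5 OR 1=1";   // constructed malformed input
printf("\nintval(%s) = %d\n", var_export($crafted_s_id, true), intval($crafted_s_id));

// Text field: a prepared statement sends the comment as a bound value, not as
// part of the SQL text, so it is stored byte-for-byte and cannot alter the
// statement. No keyword stripping is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE arcade_comment (s_id INTEGER, comment TEXT)");
$ins = $db->prepare("INSERT INTO arcade_comment (s_id, comment) VALUES (?, ?)");
foreach ($comments as $c) {
    $ins->execute(array(intval($crafted_s_id), $c));
}

echo "\nStored via prepared statement (intact):\n";
foreach ($db->query("SELECT s_id, comment FROM arcade_comment") as $row) {
    printf("  s_id=%d  %s\n", $row['s_id'], $row['comment']);
}
```

Running it prints "I got the high sce!" and "Got a great h on the last round!" from the stripping pass, exactly the breakage described above, while the prepared-statement rows come back unchanged with s_id = 5. The vBulletin Input Cleaner mentioned earlier in the thread applies the same integer coercion when a field is cleaned as TYPE_UINT, which is why it is a reasonable replacement for ibp_cleansql on numeric fields.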

Hippy 03-01-2012 08:32 PM

thanks .. do this https://vborg.vbsupport.ru/showpost....3&postcount=13
and pull the new code added out..
this will do the job.. but does not work on all servers..

stangger5 is going to work this out ..
I think code it to the way vb does it ..
but this is not set in stone ATM.. just a twinkle in the sky

rpgamersnet 03-02-2012 01:11 AM

Quote:

Originally Posted by Hippy (Post 2305160)
thanks .. do this https://vborg.vbsupport.ru/showpost....3&postcount=13
and pull the new code added out..
this will do the job.. but does not work on all servers..

stangger5 is going to work this out ..
I think code it to the way vb does it ..
but this is not set in stone ATM.. just a twinkle in the sky

Yep I already made the change he noted :) If I knew more about the inner workings of VB I'd offer to try to be of more help, but I have never messed with mods much myself. Look forward to any fixes that might arise :)

Thanks to everyone for helping out! Great community this mod has. :D

Hippy 03-02-2012 01:30 AM

stangger5 can explain more about it but this is what I use since the other will kill wanted stuff...


All times are GMT. The time now is 08:59 PM.
