vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   ibProArcade Archive (https://vborg.vbsupport.ru/forumdisplay.php?f=174)
-   -   stristr error (https://vborg.vbsupport.ru/showthread.php?t=279382)

gsmlover4u 03-09-2012 05:35 AM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

there is nothing in arcade.php

VBDev 03-09-2012 11:36 AM

Quote:

Originally Posted by stangger5 (Post 2307705)
The security issue was s_id was allowed to be a string when it was supposed to be an int, that is what allowed the exploit.
Comments should be ok because of the way strings are put in the database.

Yeah, hence what I said he over corrected...

IMO, IBProArcade really needs a cleanup of the code one day...

Quote:

Originally Posted by gsmlover4u (Post 2307762)
there is nothing in arcade.php

If you haven't installed 2.7.2 there indeed is nothing.
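The disagreement in this exchange is worth seeing in code. The following is an added example, not code from ibProArcade or from any post in this thread: it runs the keyword loop from the patched ibp_cleansql over an ordinary comment to show why the blacklist "could remove actual correct content", and beside it shows the fix stangger5 describes, typing s_id as an integer. The helper names `strip_sql_keywords` and `arcade_score_id` and the sample comment and request are constructed for this example; the keyword list is the one posted in the thread.

```php
<?php
// Added example (not code from ibProArcade or from any post in this thread).
// It contrasts the keyword blacklist in ibp_cleansql with the fix the thread
// identifies: s_id must be an integer, so cast it instead of filtering words.

// The keyword list exactly as posted in the thread.
$sqlcomm = array('create', 'database', 'table', 'insert', 'update', 'rename',
    'replace', 'select', 'handler', 'delete', 'truncate', 'drop', 'where',
    'or', 'and', 'values', 'set', 'password', 'salt', 'concat', 'schema');

// Same loop as the patched ibp_cleansql, minus the escaping steps.
// Each needle is removed wherever it occurs, including inside other words.
function strip_sql_keywords($value, $sqlcomm)
{
    foreach ($sqlcomm as $needle) {
        $value = str_ireplace($needle, '', $value);
    }
    return $value;
}

// What a well-typed id parameter looks like: an int, never a string.
// Hypothetical helper; $request stands in for $_GET / $_POST.
function arcade_score_id($request)
{
    return isset($request['s_id']) ? intval($request['s_id']) : 0;
}

// Constructed sample input: an ordinary player comment.
$comment = 'Great score, more than my record and a new personal best set today';
echo "before: $comment\n";
echo "after:  " . strip_sql_keywords($comment, $sqlcomm) . "\n";

// Constructed sample request: s_id arrives as a string with trailing text.
// intval() keeps the leading digits and discards the rest, so the value that
// reaches the query is an integer regardless of what was submitted.
$request = array('s_id' => '42 not-a-number');
var_dump(arcade_score_id($request));
```

Run it with the php command-line binary. The loop cuts "or" out of "score", "more" and "record" and deletes "and" and "set" outright, so the stored comment no longer matches what the player wrote; the cast, by contrast, fixes the one parameter that was actually at fault, and string fields are already covered by the mysql_real_escape_string call earlier in the same function.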

gsmlover4u 03-09-2012 11:50 AM

i installed 2.7.2+

https://vborg.vbsupport.ru/showthrea...01554&page=442

Hippy 03-09-2012 08:41 PM

Quote:

Originally Posted by gsmlover4u (Post 2307851)

confused

gsmlover4u 03-10-2012 03:16 AM

why you confused sir

stangger5 03-10-2012 03:53 AM

Quote:

Originally Posted by gsmlover4u (Post 2307851)

Quote:

Originally Posted by gsmlover4u (Post 2307762)
there is nothing in arcade.php

Quote:

Originally Posted by gsmlover4u (Post 2308164)
why you confused sir

You said you installed 2.7.2+ and the code below isn't in the arcade.php file.

PHP Code:

// remove any SQL-commands 

Look on line 5575 in the arcade.php file..

boggseric 03-23-2012 12:48 AM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }
    } 

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

I made these changes but now the error moved down one line.

Fatal error: Call to undefined function: str_ireplace() in /home/ls2com/public_html/forums/arcade.php on line 5601


Does 2.7.2 now require PHP5?

my code in arcade.php
Code:

// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
// $value = recursive_str_ireplace($sqlcomm, '', $value);
foreach ($sqlcomm AS $key => $needle)
{
    $value = str_ireplace($needle, '', $value);
}
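The "Call to undefined function: str_ireplace()" error above is a PHP version problem: str_ireplace() was introduced in PHP 5.0, so the edit fails on a PHP 4 host. The following is an added example, not code from ibProArcade or from the thread, of a compatibility shim that defines the function only when it is missing; it mirrors the function_exists() check that ibp_cleansql already uses for mysql_real_escape_string. Placed before the ibp_cleansql function, it lets the foreach loop above run unchanged.

```php
<?php
// Added example, not from ibProArcade: str_ireplace() exists only from PHP 5.0,
// which is why the patched loop fails with "Call to undefined function" on PHP 4.
// Define an equivalent when the native function is absent; on PHP 5 and later
// the native one is used and this block is skipped.
if (!function_exists('str_ireplace')) {
    function str_ireplace($search, $replace, $subject)
    {
        // preg_replace treats backslash and dollar specially in the replacement
        // string, so escape them to keep $replace literal.
        $literal = str_replace(array('\\', '$'), array('\\\\', '\\$'), $replace);

        // Accept a single needle or an array of needles, like the native function.
        foreach ((array) $search as $needle) {
            // preg_quote makes the needle literal; the i flag gives case-insensitivity.
            $pattern = '/' . preg_quote($needle, '/') . '/i';
            $subject = preg_replace($pattern, $literal, $subject);
        }
        return $subject;
    }
}

// Constructed check: the shim behaves like the native call for the
// case ibp_cleansql uses, a single needle replaced by the empty string.
echo str_ireplace('SELECT', '', 'a Select b SELECT c'), "\n";
```

The shim covers the string-subject case that ibp_cleansql needs; the native function also accepts an array as $subject, which this version does not, so it should not be relied on elsewhere for array input.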


hohleweg 03-24-2012 04:03 PM

Hey
Quote:

function ibp_cleansql($value)
{
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    //check if this function exists
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $value = mysql_real_escape_string( $value );
    }
    //for PHP version < 4.3.0 use addslashes
    else
    {
        $value = addslashes( $value );
    }

    // remove any SQL-commands
    $sqlcomm = array();
    $sqlcomm[] = 'create';
    $sqlcomm[] = 'database';
    $sqlcomm[] = 'table';
    $sqlcomm[] = 'insert';
    $sqlcomm[] = 'update';
    $sqlcomm[] = 'rename';
    $sqlcomm[] = 'replace';
    $sqlcomm[] = 'select';
    $sqlcomm[] = 'handler';
    $sqlcomm[] = 'delete';
    $sqlcomm[] = 'truncate';
    $sqlcomm[] = 'drop';
    $sqlcomm[] = 'where';
    $sqlcomm[] = 'or';
    $sqlcomm[] = 'and';
    $sqlcomm[] = 'values';
    $sqlcomm[] = 'set';
    $sqlcomm[] = 'password';
    $sqlcomm[] = 'salt';
    $sqlcomm[] = 'concat';
    $sqlcomm[] = 'schema';
    //$value = recursive_str_ireplace($sqlcomm, '', $value);
    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }
    return $value;
}
With this code it works fine!
Greetings Jo

silpher 03-29-2012 10:23 PM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }
    } 

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thanks, that worked for me :D

CristianoDiaz 04-14-2012 05:11 PM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }
    } 

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thank you! This fixed the problem for me, it's been driving me nuts.


All times are GMT. The time now is 03:22 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
