vb.org Archive - trying to make php code work for profile

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)

- - trying to make php code work for profile (https://vborg.vbsupport.ru/showthread.php?t=92762)

PHP Code:


		
			
      //Display edit

        $sql = mysql_query("SELECT * FROM user_webpage WHERE userid = ".GBUSERID."");

        while($row = mysql_fetch_assoc($sql)) {

PHP Code:


		
			
   //Continue displaying what was found

        while($row = mysql_fetch_assoc($sql)) {

PHP Code:


		
			
            $webpage['name'] = stripslashes($row['name']);

            if($row['lastupdate'] =="") {

                $webpage['lastupdate'] = $vbphrase['wg_never'];

            } else {

                $webpage['lastupdate'] = date("".$vboptions['dateformat']." ".$vboptions['timeformat']."", $row['lastupdate']);

            }

            $webpage['description'] = stripslashes($row['description']);



            $webpage['text'] = stripslashes($row['text']);

PHP Code:


		
			
            //Check text-formatting settings

            $settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');

            $settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');

            if($settinghtml == 0 AND $settingvbcode == 0) {

                $settingvbcode = 1;

            }

            

            if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {

                $settingsmilies = 1; } else { $settingsmilies = 0; }

            

            if($settingvbcode == 1) {

                $webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);

            }

            if($settinghtml == 1) {

                //Remove scripts!!!

                $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);

                //Don't hide anything!

                $webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);

                //Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)

                if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {

                    $webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);

                }

            }

            

            //Javascript will not be allowed

            $webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']); 

            

            $webpage['hits'] = $row['hits'];

            $webpage['bgcolor'] = $row['bgcolor'];

            $webpage['bordersize'] = $row['bordersize'];

            $webpage['bordercolor'] = $row['bordercolor'];

            $webpage['fontface'] = $row['fontface'];

            $webpage['fontsize'] = $row['fontsize'];

            $webpage['fontcolor'] = $row['fontcolor'];

it's the top one, am i to assume you're not using vB?

actually i am, that was in member.php...... im not sure if the code needs to be changed here or in profile.php (perhaps profile fields are filtered while they are submitted), but thats where u come in i guess...

i have no idea what a profile field has to do with any of the $webpage/$row query?

regarding that stuff, that's in no member.php i've ever seen i suggest you vBulletinize it.

regarding the profile fields if you add the query to the page then whatever sanitizing is happening is evaded.

$webpage/$row query has nothign to do with profile fields

$webpage/$row query = a hack that i have installed (webpage and guestbook)

the webpage and guestbook hack follows its own html rules in which you can edit via admincp

i am trying to make it so that THE PROFILE FIELDS FOLLOW THE SAME RULES

or so that PROFILE FIELDS ARE ALLOWED TO USE HTML ACCEPT FOR MALICIOUS CODES SUCH AS <SCRIPT>

then why not just due the $webpage[text] rows and replace $webpage[text] with $whatever[fieldx]?

$whatever[fieldx] that means id have to do this code in member.php for as many fields as i want to allow html for or will [fieldx] be abole to be used for any field?

AND HOW WOULD I DO THIS?

[HIGH]TRIED SOMETHING DIFF[/HIGH]

Ok so far i have tried the following in order to allow and limit html

I have tried editing functions_user.php and doing the following edit

In ./functions_user.php

FIND

PHP Code:


		
			
$userfields .= ", $varname = '" . addslashes(htmlspecialchars_uni($$varname)) . "'";

REPLACE WITH

PHP Code:


		
			
// MOD :: ALLOW HTML IN PROFILEFIELDS

// OLD CODE

// $userfields .= ", $varname = '" . addslashes(htmlspecialchars_uni($$varname)) . "'";

// NEW CODE

$userfields .= ", $varname = '" . addslashes($$varname) . "'";

// END OF MOD

And then after that.... before this code in member.php

PHP Code:


		
			
eval('$customfields .= "' . fetch_template('memberinfo_customfields') . '";');

I tried adding this:

PHP Code:


		
			
            $userinfo['$profilefieldname'] = strip_tags($userinfo['$profilefieldname'], "<b><i><u>");  



                 $profilefieldname = strip_tags($profilefieldname, "<b><i><u>");  

            

            $userinfo['value'] = strip_tags($userinfo['value'], "<b><i><u>"); 

 

            $post['$profilefieldname'] = strip_tags($post['$profilefieldname'], "<b><i><u>");  



            $profilefield['value'] = strip_tags($profilefield['value'], "<b><i><u>");

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (8)bbcode_php_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (8)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01718 seconds Memory Usage 1,781KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (8)bbcode_php_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (8)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: