vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Community Lounge (https://vborg.vbsupport.ru/forumdisplay.php?f=13)
-   -   security seems not a main priority in vb hacks (https://vborg.vbsupport.ru/showthread.php?t=73307)

aussiev8 12-28-2004 11:47 AM

an installer isn't needed..
that's a totally different thread (put it in modification requests)

this thread is about security, i think we should stick to the topic.
would the advanced coders be willing to help do security tests on the mods as they're released? or maybe create a new group that'll beta test/security check new mods?

within a few years if this isn't contained now, the board will be one security issue after another, if jelsoft are reading this, i believe it is in your best interests to tackle this problem head on and without hesitation!

my 2 cents

red_baron2000 12-28-2004 11:54 AM

all this won't happen if jelsoft take in consideration users needs and requests!! limiting the new release to the minimum is not a solution either..for this we users need those hacks to fit our needs..even if they are full of bugs and security holes!! somehow we do not have choice either..way to go jelsoft!!!

Dean C 12-28-2004 12:03 PM

Well according to Scott in a recent post at vB.com it'll be impossible to input malicious user input in future vB versions, so fear not :)

aussiev8 12-29-2004 12:26 AM

that's never the case, what about basic get functions that can be made to act differently, i can always post different variables.

Erwin 12-29-2004 01:20 AM

Quote:

Originally Posted by AN-net
the globalize feature will not protect from sql injections i believe but will correctly evaluate a field such as text, numbers, or strs. i do not think it checks for sql injection. there are 2 functions that can prevent sql injection:) these 2 are addslashes() for text or strs which adds slashes to single quotes or regular quotes thus blocking most forms of sql injection. second is intval() which makes sure a field that is supposed to be a number is a number. if it is not it will return false and return 0 thus nullifying any possible text put in a number field;)

You can use globalize with this:

STR_NOHTML

Those 2 functions you posted are built-in as part of the intrinsic vB globalize function.

Erwin 12-29-2004 01:33 AM

Quote:

Originally Posted by Brad.loo
You are right, globalize is a nice little function. Here's a little overview of everything it does.

Use INT and globalize will run this on the $var

PHP Code:

intval($var); 

If you use STR

PHP Code:

trim($var); 

If you use STR_NOHTML

PHP Code:

htmlspecialchars_uni(trim($var)); 

You can also use FILE, which takes $_FILES['$var'] and makes it $array['$var']

Nice summary of the things globalize can do. :)

Add-on authors should utilize the built-in security vBulletin offers a lot more, rather than writing their own security checks.

Revan 12-29-2004 09:24 AM

Yeah I just went over every file in my new RPG version that didn't have globalize() already, and used it.

A side note about globalize():
If you want to run globalize() on an array, you have to skip using the "=>" stuff.
It would then be smart to run the functions quoted above on the variables as they are submitted into $DB_site->query() :)


Quote:

Originally Posted by Erwin
You can use globalize with this:

STR_NOHTML

Those 2 functions you posted are built-in as part of the intrinsic vB globalize function.

You sayin that by using the htmlspecialchars_uni(trim()) there's no need for addslashes()?
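The globalize() behaviour summarised in Brad.loo's overview above, and Revan's question about whether STR_NOHTML removes the need for addslashes(), as an added example that is neither vBulletin's code nor any poster's: globalize_stand_in(), html_nohtml_stand_in() and needs_sql_escaping() are hypothetical names, and PHP's htmlspecialchars() with ENT_COMPAT stands in for vB's htmlspecialchars_uni() on the assumption that, like the 3.0 original, it leaves single quotes alone.

```php
<?php
// Added example, not vBulletin's own code: a minimal stand-in for what
// globalize() does per type, as described in the thread, followed by a check
// that shows which types leave a value unsafe to splice into SQL unescaped.

// Stand-in for vB's htmlspecialchars_uni(): escapes & < > and double quotes
// but (assumed to match the vB 3.0 original) NOT single quotes.
function html_nohtml_stand_in($s) {
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8', false);
}

// Mirrors the three globalize() types the thread describes: INT, STR, STR_NOHTML.
function globalize_stand_in(array $source, array $spec) {
    $out = array();
    foreach ($spec as $name => $type) {
        $raw = isset($source[$name]) ? $source[$name] : '';
        switch ($type) {
            case 'INT':        $out[$name] = intval($raw); break;
            case 'STR':        $out[$name] = trim($raw); break;
            case 'STR_NOHTML': $out[$name] = html_nohtml_stand_in(trim($raw)); break;
            default: throw new InvalidArgumentException("unknown globalize type: $type");
        }
    }
    return $out;
}

// A value can be embedded in a single-quoted SQL literal only if it is an
// integer or contains no quote or backslash; otherwise it still needs
// escaping (addslashes() in the thread's terms; a bound parameter today).
// STR_NOHTML never makes that escaping unnecessary, because it only touches
// HTML metacharacters.
function needs_sql_escaping($value) {
    return !is_int($value) && preg_match('/[\'\\\\]/', $value) === 1;
}

// Constructed sample request (not real traffic): the INT field carries text,
// the title carries markup, and the name has an apostrophe, which is ordinary
// user input rather than an attack string.
$request = array(
    'threadid' => '42abc',
    'title'    => "  <b>Hello</b>  ",
    'name'     => "O'Brien",
);
$clean = globalize_stand_in($request, array(
    'threadid' => 'INT',        // intval() drops the trailing text, leaving an int
    'title'    => 'STR_NOHTML', // the <b> tags come out as HTML entities
    'name'     => 'STR_NOHTML', // the apostrophe survives untouched
));

var_dump($clean['threadid'], $clean['title']);
var_dump(needs_sql_escaping($clean['name'])); // true: STR_NOHTML is not SQL escaping
```

Run it with `php globalize_demo.php` (any file name); the last line is the answer to the addslashes() question: an STR_NOHTML value that reaches $DB_site->query() still has to be escaped for SQL.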

Paul M 12-29-2004 11:26 AM

Quote:

Originally Posted by Erwin
Add-on authors should utilize the built-in security vBulletin offers a lot more, rather than writing their own security checks.

Where are they all documented then?

aussiev8 12-29-2004 11:59 PM

i'd like to know as well, i've done some searches but wound up empty

Wayne Luke 12-30-2004 12:22 AM

At this time the API isn't documented. It will be documented for the next release, however the usage of the inherent security features of vBulletin will change significantly so most hacks will need to be reworked anyway. We plan on providing full API documentation when the system is in a state to document.

As it is now, you need to go through the include folder and review the functions there to see what they do. Not optimal but that is what there is. Before the 3.0 release we concentrated on the Admin Control Panel Documentation because it would serve the most customers. When it came time to document the API enough significant changes were proposed and/or implemented that it was decided to postpone it.

