vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.6 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=194)
-   -   Add-On Releases - Post Edit History (PEH) (https://vborg.vbsupport.ru/showthread.php?t=132708)

Surviver 12-15-2006 11:43 AM

Quote:

Originally Posted by Jackal von ?RF (Post 1138635)
At my forums there have been two cases when a user edited all of his messages to remove them from the forums (in one case he had over a thousand messages and it took him two days to edit them). What I've done to them is ban them (removing their right to edit their own posts) and restored all the messages from a backup (takes a couple of hours when writing some SQL scripts manually).

It would be nice if this mod offered the possibility to mass-undo all edits which a user made within a specific time frame. The same way as the prune tools in vB's Admin CP work. It should show all individual edits (before and after editing), when it was done, who edited it, and there should be a checkbox for selecting the edits which should be undone.

I will see what I can do ;)

Quote:

Originally Posted by Jackal von ?RF (Post 1138635)
It would also be nice for the program to send a PM to the admins/moderators when a user edits many of his old messages in a short time. It should be configurable so, that editing even one old message (for example older than 30 days) would send a PM. Then the moderators could quickly stop the user from editing all of his messages away.

This would add 1-2 queries if you edit a post ... (And not many users would use it)

Quote:

Originally Posted by Jackal von ?RF (Post 1138635)

Anyways, thanks for your work. Your script looks promising. I'll try it soon. I first thought about creating a similar script myself, but luckily you had already done the job. :) (I might even offer some help in adding these features I requested, if I really like your script and I have the time.)

EDIT 1:
I looked quickly through your code (v1.2.1) and noticed the query in \includes\cron\edithistory.php. Wouldn't it look much nicer if it was written like this?
Code:

$vbulletin->db->query_write("
        DELETE edithistory
        FROM " . TABLE_PREFIX . "edithistory AS edithistory
        LEFT JOIN " . TABLE_PREFIX . "post AS post ON (post.postid = edithistory.postid)
        WHERE post.postid IS NULL
");

Or does this have to do with the incompatibility between MySQL 4.0 and 4.1 as mentioned here? In that case how about writing it without the "AS" keyword like this? Also there should be a comment which would tell about the incompatibility and why the SQL had to be written in an ugly way. (In any case format the SQL to have less tabs; indentation of one tab instead of eight.)

Code:

$vbulletin->db->query_write("
        DELETE " . TABLE_PREFIX . "edithistory
        FROM " . TABLE_PREFIX . "edithistory
        LEFT JOIN " . TABLE_PREFIX . "post ON (" . TABLE_PREFIX . "post.postid = " . TABLE_PREFIX . "edithistory.postid)
        WHERE " . TABLE_PREFIX . "post.postid IS NULL
");


Or does this have to do with the incompatibility between MySQL 4.0 and 4.1 as mentioned here? Yes !

Quote:

Originally Posted by Jackal von ?RF (Post 1138635)
EDIT 2:
Does the field edithistory.postid have an index at all? I noticed quite many queries use it in the WHERE condition, but I didn't find anywhere an index for it to be created. This might create full scans of the edithistory table...

I will add it !

Quote:

Originally Posted by Jackal von ?RF (Post 1138635)
Also, I noticed the following line of code. Since reason is a text field, the value assigned to it should be quoted in the SQL query. It would be a good habit to always quote the values, even if you know that they are numeric.
Code:

$db->query_write("UPDATE " .TABLE_PREFIX. "editlog SET reason = ".$edit['oldreason']." WHERE postid = ".$postinfo['postid']."");

I will fix it ! :)

Quote:

Originally Posted by Jackal von ?RF (Post 1138635)
Also, I noticed from my DB dump of vB3.5.x (first install was 2.3.5 or older) that the editlog.reason field is defined as `reason` varchar(200) NOT NULL default '' but in your code you have the oldreason and newreason fields defined as varchar(255). Could somebody with a clean vB3.6.x install check that what the size should be?

Why is the size important? ;)

Quote:

Originally Posted by Jackal von ?RF (Post 1138635)
EDIT 3:
As somebody already mentioned, there's no need for the cron job to run more often than once a day or week (I think it's now by default once an hour). It's rare that posts get physically deleted, so most of the time the cron job would do nothing. I hope you have checked that it uses indexes correctly and runs quickly. I'm just a bit worried because checking every postid might take some time for a big board... My board has some 300K posts and also boards with millions of posts exist. It would be better to remove those rows from edithistory when a post gets physically deleted, and not in a cron job.


PS: I think you should tick the boxes "Additional files" and "Is in Beta stage" for this mod. Also I recommend you to write more comments in your code (I didn't notice any).

I will check Additional Files, but it is not really a beta release.
Maybe it has some bug, but it's not really beta ;)

Thanks for your feedback!

Greetings Surviver

Jackal von ?RF 12-16-2006 04:31 AM

Quote:

Originally Posted by Surviver (Post 1139093)
This would add 1-2 queries if you edit a post ... (And not many users would use it)

Another way would be to have search functions in the Admin CP, with which it would be possible to search for suspicious mass edits of old messages. For example in the same place where the controls for mass undoing the edits would be. Or some other way to view all edits which the users have done (just like there is the Moderator Log to see all moderation actions). The biggest problem might be how a large number of edits could be visualized informatively and effectively in a small space.

The feature of sending automatic PMs is not very important (and might not even be the optimal solution to the problem), so don't worry about implementing it yet. Maybe I'll make a custom tool for analyzing the edit actions. In any case I'll first need to experiment a bit to find a good way to visualize the edits, after I've had the edit history in use for some time and gathered real usage data.

I'll keep you informed if I get some good ideas.

Quote:

Originally Posted by Surviver (Post 1139093)
Why is the size important? ;)

Well, since they are VARCHAR fields, I suppose it doesn't take any more space from the database than a VARCHAR(200) would take. So it's not really a problem. Just a matter of style and consistency.

Surviver 12-16-2006 11:41 AM

Quote:

Originally Posted by Jackal von ?RF (Post 1139579)
Another way would be to have search functions in the Admin CP, with which it would be possible to search for suspicious mass edits of old messages. For example in the same place where the controls for mass undoing the edits would be. Or some other way to view all edits which the users have done (just like there is the Moderator Log to see all moderation actions). The biggest problem might be how a large number of edits could be visualized informatively and effectively in a small space.

The feature of sending automatic PMs is not very important (and might not even be the optimal solution to the problem), so don't worry about implementing it yet. Maybe I'll make a custom tool for analyzing the edit actions. In any case I'll first need to experiment a bit to find a good way to visualize the edits, after I've had the edit history in use for some time and gathered real usage data.

I'll keep you informed if I get some good ideas.


Well, since they are VARCHAR fields, I suppose it doesn't take any more space from the database than a VARCHAR(200) would take. So it's not really a problem. Just a matter of style and consistency.

OK, I will change it in the new version. And I'll add an index ;)

Jackal von ?RF 01-08-2007 08:01 PM

Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
UPDATE vb_editlog SET reason = fda WHERE postid = 354660;

MySQL Error  : Unknown column 'fda' in 'field list'
Error Number : 1054
Date        : Monday, January 8th 2007 @ 11:59:09 PM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=5
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database

This has not yet been fixed in v1.2.2. Also, the value needs to be escaped. If only single quotes are added to the query, it will make the database vulnerable to SQL injection attack:
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
UPDATE vb_editlog SET reason = 'aa ' bee' WHERE postid = 354660;

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'bee' WHERE postid = 354660' at line 1
Error Number : 1064
Date        : Tuesday, January 9th 2007 @ 12:03:10 AM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=6
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database

I also found that the rest of your code is vulnerable to SQL injection attacks. You must ALWAYS escape EVERY parameter that is put to an SQL query:
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
INSERT INTO vb_editlog (postid, userid, username, dateline, reason) VALUES('354660', '468', 'Jackal von ?RF', '1168294059', 'a ' b');

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'b')' at line 1
Error Number : 1064
Date        : Tuesday, January 9th 2007 @ 12:07:39 AM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=12
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database


I've attached a version of edithistory.php where the above security holes have been fixed.

All users of PEH 1.2.2 (and below) are STRONGLY RECOMMENDED to apply this patch, or disable PEH.


PS: I noticed that there are more detailed instructions for installing PEH at http://www.my-vb.org/board/showthread.php?t=236 (fortunately I can read German, I'm worried about everybody else ;)). Could you also make the English instructions more detailed? Also, please include the instructions as a text file to the ZIP file, so that it would not be necessary to read this thread for the instructions.
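
The three stages reported in the post above (value concatenated bare, quotes added without escaping, value kept out of the SQL text), as an added example that is not part of the thread or of PEH's code. It assumes an in-memory SQLite table through PDO in place of vBulletin's MySQL layer, and the function names are hypothetical; in vBulletin 3.x code the equivalent fix is to wrap the value in `$db->escape_string()` inside quotes and cast ids with `intval()`.

```php
<?php
// Added example, not PEH code. In-memory SQLite stands in for MySQL; the table
// mirrors only the two editlog columns used by the failing query in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE editlog (postid INTEGER PRIMARY KEY, reason VARCHAR(200) NOT NULL DEFAULT '')");
$pdo->exec("INSERT INTO editlog (postid, reason) VALUES (354660, 'original')");

/** Variant 1: value concatenated bare, as in the line quoted from PEH. */
function restore_unquoted(PDO $pdo, $postid, $reason) {
    return $pdo->exec("UPDATE editlog SET reason = " . $reason . " WHERE postid = " . $postid);
}

/** Variant 2: quotes added, value still not escaped. */
function restore_quoted_only(PDO $pdo, $postid, $reason) {
    return $pdo->exec("UPDATE editlog SET reason = '" . $reason . "' WHERE postid = " . $postid);
}

/** Variant 3: bound parameters, so the value never becomes SQL text. */
function restore_bound(PDO $pdo, $postid, $reason) {
    $stmt = $pdo->prepare("UPDATE editlog SET reason = :reason WHERE postid = :postid");
    $stmt->bindValue(':reason', (string) $reason, PDO::PARAM_STR);
    $stmt->bindValue(':postid', (int) $postid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

/** Read back what is actually stored for a post. */
function stored_reason(PDO $pdo, $postid) {
    $stmt = $pdo->prepare("SELECT reason FROM editlog WHERE postid = ?");
    $stmt->execute([(int) $postid]);
    return $stmt->fetchColumn();
}

// The two reason values that appear in the error reports in the thread.
$cases = ['fda', "aa ' bee"];
foreach (['restore_unquoted', 'restore_quoted_only', 'restore_bound'] as $fn) {
    foreach ($cases as $reason) {
        try {
            $fn($pdo, 354660, $reason);
            $result = 'ok, stored: ' . var_export(stored_reason($pdo, 354660), true);
        } catch (PDOException $e) {
            // Variants 1 and 2 end up here whenever the value changes the statement's syntax.
            $result = 'SQL error: ' . $e->getMessage();
        }
        printf("%-20s %-12s %s\n", $fn, var_export($reason, true), $result);
    }
}
```

Only the bound variant stores both values unchanged; the quoted-only variant works for `fda` and fails as soon as the reason contains an apostrophe, which is the behaviour shown in the second error report.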

Surviver 01-10-2007 05:37 PM

Quote:

Originally Posted by Jackal von ?RF (Post 1153946)
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
UPDATE vb_editlog SET reason = fda WHERE postid = 354660;

MySQL Error  : Unknown column 'fda' in 'field list'
Error Number : 1054
Date        : Monday, January 8th 2007 @ 11:59:09 PM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=5
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database

This has not yet been fixed in v1.2.2. Also, the value needs to be escaped. If only single quotes are added to the query, it will make the database vulnerable to SQL injection attack:
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
UPDATE vb_editlog SET reason = 'aa ' bee' WHERE postid = 354660;

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'bee' WHERE postid = 354660' at line 1
Error Number : 1064
Date        : Tuesday, January 9th 2007 @ 12:03:10 AM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=6
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database

I also found that the rest of your code is vulnerable to SQL injection attacks. You must ALWAYS escape EVERY parameter that is put to an SQL query:
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
INSERT INTO vb_editlog (postid, userid, username, dateline, reason) VALUES('354660', '468', 'Jackal von ?RF', '1168294059', 'a ' b');

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'b')' at line 1
Error Number : 1064
Date        : Tuesday, January 9th 2007 @ 12:07:39 AM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=12
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database


I've attached a version of edithistory.php where the above security holes have been fixed.

All users of PEH 1.2.2 (and below) are STRONGLY RECOMMENDED to apply this patch, or disable PEH.


PS: I noticed that there are more detailed instructions for installing PEH at http://www.my-vb.org/board/showthread.php?t=236 (fortunately I can read German, I'm worried about everybody else ;)). Could you also make the English instructions more detailed? Also, please include the instructions as a text file to the ZIP file, so that it would not be necessary to read this thread for the instructions.



Thank you, this is MY mistake. I will attach a complete fixed version in the first post; I inserted your name as co-author ;)

I'll include the installation instructions, but the problem is, my English is too bad :(

I'll give my best ;)

Greetings Surviver

Surviver 01-10-2007 06:22 PM

Quote:

Originally Posted by Jackal von ?RF (Post 1153946)
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
UPDATE vb_editlog SET reason = fda WHERE postid = 354660;

MySQL Error  : Unknown column 'fda' in 'field list'
Error Number : 1054
Date        : Monday, January 8th 2007 @ 11:59:09 PM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=5
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database

This has not yet been fixed in v1.2.2. Also, the value needs to be escaped. If only single quotes are added to the query, it will make the database vulnerable to SQL injection attack:
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
UPDATE vb_editlog SET reason = 'aa ' bee' WHERE postid = 354660;

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'bee' WHERE postid = 354660' at line 1
Error Number : 1064
Date        : Tuesday, January 9th 2007 @ 12:03:10 AM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=6
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database

I also found that the rest of your code is vulnerable to SQL injection attacks. You must ALWAYS escape EVERY parameter that is put to an SQL query:
Code:

Database error in vBulletin 3.6.4:

Invalid SQL:
INSERT INTO vb_editlog (postid, userid, username, dateline, reason) VALUES('354660', '468', 'Jackal von ?RF', '1168294059', 'a ' b');

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'b')' at line 1
Error Number : 1064
Date        : Tuesday, January 9th 2007 @ 12:07:39 AM
Script      : http://foorumit.fffin.com/edithistory.php?do=restore&editid=12
Referrer    :
IP Address  : x.x.x.x
Username    : Jackal von ?RF
Classname    : vb_database


I've attached a version of edithistory.php where the above security holes have been fixed.

All users of PEH 1.2.2 (and below) are STRONGLY RECOMMENDED to apply this patch, or disable PEH.


PS: I noticed that there are more detailed instructions for installing PEH at http://www.my-vb.org/board/showthread.php?t=236 (fortunately I can read German, I'm worried about everybody else ;)). Could you also make the English instructions more detailed? Also, please include the instructions as a text file to the ZIP file, so that it would not be necessary to read this thread for the instructions.

Update, Thanks again !

Pottsy 01-12-2007 07:55 AM

I tried to update it to 1.2.3 (upload all new files and import xml with "allow overwrite") and got:

Database error in vBulletin 3.6.4:

Invalid SQL:
ALTER TABLE edithistory CHANGE reason oldreason varchar(200);

MySQL Error : Unknown column 'reason' in 'edithistory'
Error Number : 1054
Date : Friday, January 12th 2007 @ 09:50:17 AM
Script : xxxxxxplugin.php?do=productimport
Referrer : xxxxxxx?do=productadd
IP Address : xx.xx.xx.xx
Username : xxxxx
Classname : vb_database

EDIT: Got it working by running query

ALTER TABLE edithistory CHANGE oldreason reason varchar(255);

and then doing the import again.

TrIn@dOr 01-12-2007 10:21 AM

Very nice, perhaps u can add in the explanations that by default NO usergroup can view the histories!! :P

Surviver 01-12-2007 11:18 AM

Quote:

Originally Posted by Pottsy (Post 1156848)
I tried to update it to 1.2.3 (upload all new files and import xml with "allow overwrite") and got:

Database error in vBulletin 3.6.4:

Invalid SQL:
ALTER TABLE edithistory CHANGE reason oldreason varchar(200);

MySQL Error : Unknown column 'reason' in 'edithistory'
Error Number : 1054
Date : Friday, January 12th 2007 @ 09:50:17 AM
Script : xxxxxxplugin.php?do=productimport
Referrer : xxxxxxx?do=productadd
IP Address : xx.xx.xx.xx
Username : xxxxx
Classname : vb_database



EDIT: Got it working by running query

ALTER TABLE edithistory CHANGE oldreason reason varchar(255);

and then doing the import again.

I'll look at this

//I cannot reproduce the problem.
It works fine for me ;)

Quote:

* Altering Table post ...Done!

* Altering Table usergroup ...Done!

* Creating Table edithistory ... Done!

* Altering Table edithistory ...Done!

* Altering Table edithistory ...Done!

* Altering Table edithistory ...Done!

* Altering Table edithistory ...Done!

* Altering Table forum ...Done!

* Altering Table edithistory ...Done!

* Altering Table edithistory ...Done!

* Adding Index postid ...Done!

Quote:

Originally Posted by TrIn@dOr (Post 1156918)
Very nice, perhaps u can add in the explanations that by default NO usergroup can view the histories!! :P

This is Default

Nathan2006 01-13-2007 06:55 PM

Thanks Surviver,

Updated and working :)


All times are GMT.