vb.org Archive


Mases 03-01-2012 07:24 AM

stristr error
 
I'm getting a very similar error as was mentioned in this thread

I upgraded to ibProArcade v2.7.2+ yesterday and I'm getting this error at the top of the index page of the arcade.

Quote:

Warning: stristr() [function.stristr]: needle is not a string or an integer in [path]/arcade.php on line 5550

The arcade is functional and when I go to play the game, that error is gone. When I go to submit a high score, I see the same error, but on two consecutive lines. My high score is able to submit properly and there doesn't seem to be any noticeable issue... other than the glaring error at the top of the page.

Bluefin221 03-02-2012 07:31 AM

Just updated and also have this error.

Hippy 03-02-2012 09:58 PM

https://vborg.vbsupport.ru/showpost.php?p=2304863&postcount=13

Mases 03-04-2012 04:38 AM

@Hippy

I tried those changes and it did not affect this error. The error points to line 5550...

I've looked at the arcade.php file and line 5550 comes up as....

PHP Code:

$inthis = str_ireplace($replacethis,$withthis,$inthis);

The full context of this section is...

PHP Code:

function recursive_str_ireplace($replacethis,$withthis,$inthis)
{
    // repeat the replacement until $replacethis no longer occurs in $inthis
    while (1==1)
    {
        $inthis = str_ireplace($replacethis,$withthis,$inthis);
        if(stristr($inthis, $replacethis) === FALSE)
        {
            RETURN $inthis;
        }
    }
    RETURN $inthis;
}



Any help would be appreciated.
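The warning comes from the exit test in recursive_str_ireplace(): ibp_cleansql(), quoted later in the thread, passes the $sqlcomm array as $replacethis, which str_ireplace() accepts as a needle but stristr() does not, so the test returns FALSE after the first pass. The following is an added example, not part of the original post or of ibProArcade, showing that behaviour and an array-safe loop that repeats until a pass changes nothing; the function names and the neutral sample tokens are constructed.

```php
<?php
// Added example (PHP 7+ syntax); not ibProArcade code.

// What the original loop's exit test does when it is handed an array needle.
function stristr_with_array_needle(string $haystack, array $needles): string
{
    try {
        // PHP 5/7: warns "needle is not a string or an integer" and returns false.
        $found = @stristr($haystack, $needles);
        return $found === false ? 'false' : 'match';
    } catch (TypeError $e) {
        // PHP 8: the same call throws instead of warning.
        return 'TypeError';
    }
}

// Array-safe variant: remove every needle, then repeat until a pass changes nothing.
// Replacing with '' can only shorten the string, so the loop always terminates.
function strip_until_stable(array $needles, string $subject): string
{
    foreach ($needles as $needle) {
        if (!is_string($needle) || $needle === '') {
            throw new InvalidArgumentException('needles must be non-empty strings');
        }
    }
    do {
        $before  = $subject;
        $subject = str_ireplace($needles, '', $subject); // accepts an array of needles
    } while ($subject !== $before);

    return $subject;
}

// Constructed inputs using neutral tokens.
$needles = ['ab', 'cd'];
var_dump(stristr_with_array_needle('xxabxx', $needles)); // exit test of the original loop
var_dump(str_ireplace($needles, '', 'x-aabb-x'));        // a single pass
var_dump(strip_until_stable($needles, 'x-aabb-x'));      // repeated until stable
```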

Hippy 03-04-2012 05:14 AM

compare v2.7.1 and 2.7.2 and remove or comment out that code and the link above
stangger5 posted what will work in replace of till Mrz figures out the issue
it fixes the security issue

I updated 20+ arcade and 1/4 of them don't like this code..
it's a server issue I am guessing

VBDev 03-07-2012 05:56 PM

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

stangger5 03-08-2012 12:25 AM

I didn't upgrade to 2.7.2 for just two edits..

My one edit to the arcade.php file and the mod_arcade.php..

So my arcade doesn't have any of the:
PHP Code:

// remove any SQL-commands 

code..

Thanks for the code update VBDev !! :up:

Hippy 03-08-2012 03:42 AM

1 Attachment(s)
Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

so it should look like this ?
Code:

function ibp_cleansql($value)
{
        if( get_magic_quotes_gpc() )
        {
                $value = stripslashes( $value );
        }
        //check if this function exists
        if( function_exists( "mysql_real_escape_string" ) )
        {
                $value = mysql_real_escape_string( $value );
        }
        //for PHP version < 4.3.0 use addslashes
        else
        {
                $value = addslashes( $value );
        }

        // remove any SQL-commands
        $sqlcomm = array(); 
        $sqlcomm[] = 'create';
        $sqlcomm[] = 'database';
        $sqlcomm[] = 'table';
        $sqlcomm[] = 'insert';
        $sqlcomm[] = 'update';
        $sqlcomm[] = 'rename';
        $sqlcomm[] = 'replace';
        $sqlcomm[] = 'select';
        $sqlcomm[] = 'handler';
        $sqlcomm[] = 'delete';
        $sqlcomm[] = 'truncate';
        $sqlcomm[] = 'drop';
        $sqlcomm[] = 'where';
        $sqlcomm[] = 'or';
        $sqlcomm[] = 'and';
        $sqlcomm[] = 'values';
        $sqlcomm[] = 'set';
        $sqlcomm[] = 'password';
        $sqlcomm[] = 'salt';
        $sqlcomm[] = 'concat';
        $sqlcomm[] = 'schema';
        //$value = recursive_str_ireplace($sqlcomm, '', $value);
        foreach ($sqlcomm AS $key => $needle)
        {
                $value = str_ireplace($needle, '', $value);
        }
        return $value;
}

I been using stangger5's edit and works on every update I did..
I am just wondering at this moment.. thanks

VBDev 03-08-2012 09:53 AM

Yep.

Dunno why but I didn't have that error on my install but a customer had the issue.

Anyways I don't know the root cause of this function but honestly that shouldn't be done like that... It removes potential words from comments for example... That sucks :p

--------------- Added [DATE]1331204033[/DATE] at [TIME]1331204033[/TIME] ---------------

Quote:

Originally Posted by stangger5 (Post 2307284)
I didn't upgrade to 2.7.2 for just two edits..

My one edit to the arcade.php file and the mod_arcade.php..

So my arcade doesn't have any of the:
PHP Code:

// remove any SQL-commands 

code..

Thanks for the code update VBDev !! :up:

But if I do understand those fixed a security issue but I guess you fixed it manually ;)

stangger5 03-09-2012 01:11 AM

The security issue was s_id, which allowed it to be a string when it was supposed to be an int, that is what allowed the exploit.
Comments should be ok because of the way strings are put in the database..
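The two points made above, that s_id has to be an integer and that keyword stripping rewrites ordinary text, are shown side by side in this added example, which is not ibProArcade code and not part of any post. The scores_demo table, the function names and the sample inputs are constructed, the keyword list is a subset of the $sqlcomm list quoted in the thread, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (PHP 7.1+); table name, helpers and inputs are constructed.

// Subset of the $sqlcomm list quoted earlier in the thread.
const SQLCOMM = ['create', 'table', 'update', 'select', 'drop', 'or', 'and', 'set', 'password'];

// The thread's keyword stripping, kept here only for comparison.
function strip_keywords(string $value): string
{
    foreach (SQLCOMM as $needle) {
        $value = str_ireplace($needle, '', $value);
    }
    return $value;
}

// Accept s_id only as a positive decimal integer; null means "reject the request".
function parse_s_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays and other non-scalar input
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bound parameters keep data out of the SQL text, so free text is stored unmodified.
function save_comment(PDO $db, int $sId, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO scores_demo (s_id, comment) VALUES (:s_id, :comment)');
    $stmt->bindValue(':s_id', $sId, PDO::PARAM_INT);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE scores_demo (s_id INTEGER NOT NULL, comment TEXT NOT NULL)');

// Constructed comment: ordinary words that contain listed keywords.
$comment = 'Sandra set a new record on the leaderboard';
echo 'stripped: ', strip_keywords($comment), "\n";

// Constructed s_id values: only the first is a valid integer.
foreach (['42', '42abc', '', '0x2A', ['42']] as $raw) {
    $id = parse_s_id($raw);
    echo var_export($raw, true), ' => ', var_export($id, true), "\n";
    if ($id !== null) {
        save_comment($db, $id, $comment);
    }
}
echo 'stored:   ', $db->query('SELECT comment FROM scores_demo')->fetchColumn(), "\n";
```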

gsmlover4u 03-09-2012 05:35 AM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

there is nothing in arcade.php

VBDev 03-09-2012 11:36 AM

Quote:

Originally Posted by stangger5 (Post 2307705)
The security issue was s_id was allowed to be a string when it was supposed to be a int, that is what allowed the exploit.
Comments should be ok because of the way strings are put in the database.

Yeah, hence what I said he over corrected...

IMO, IBProArcade really needs a cleanup of the code one day...

Quote:

Originally Posted by gsmlover4u (Post 2307762)
there is nothing in arcade.php

If you haven't installed 2.7.2 there indeed is nothing.

gsmlover4u 03-09-2012 11:50 AM

i installed 2.7.2+

https://vborg.vbsupport.ru/showthrea...01554&page=442

Hippy 03-09-2012 08:41 PM

Quote:

Originally Posted by gsmlover4u (Post 2307851)

confused

gsmlover4u 03-10-2012 03:16 AM

why you confused sir

stangger5 03-10-2012 03:53 AM

Quote:

Originally Posted by gsmlover4u (Post 2307851)

Quote:

Originally Posted by gsmlover4u (Post 2307762)
there is nothing in arcade.php

Quote:

Originally Posted by gsmlover4u (Post 2308164)
why you confused sir

You said you installed 2.7.2+ and the code below isn't in the arcade.php file..

PHP Code:

// remove any SQL-commands 

Look on line 5575 in the arcade.php file..

boggseric 03-23-2012 12:48 AM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

I made these changes but now the error moved down one line.

Fatal error: Call to undefined function: str_ireplace() in /home/ls2com/public_html/forums/arcade.php on line 5601


2.7.2 does it now require PHP5?

my code in arcade.php
Code:

// remove any SQL-commands
        $sqlcomm = array();
        $sqlcomm[] = 'create';
        $sqlcomm[] = 'database';
        $sqlcomm[] = 'table';
        $sqlcomm[] = 'insert';
        $sqlcomm[] = 'update';
        $sqlcomm[] = 'rename';
        $sqlcomm[] = 'replace';
        $sqlcomm[] = 'select';
        $sqlcomm[] = 'handler';
        $sqlcomm[] = 'delete';
        $sqlcomm[] = 'truncate';
        $sqlcomm[] = 'drop';
        $sqlcomm[] = 'where';
        $sqlcomm[] = 'or';
        $sqlcomm[] = 'and';
        $sqlcomm[] = 'values';
        $sqlcomm[] = 'set';
        $sqlcomm[] = 'password';
        $sqlcomm[] = 'salt';
        $sqlcomm[] = 'concat';
        $sqlcomm[] = 'schema';
        // $value = recursive_str_ireplace($sqlcomm, '', $value);
        foreach ($sqlcomm AS $key => $needle)
        {
                $value = str_ireplace($needle, '', $value);
        }


hohleweg 03-24-2012 04:03 PM

Hey
Quote:

function ibp_cleansql($value)
{
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    //check if this function exists
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $value = mysql_real_escape_string( $value );
    }
    //for PHP version < 4.3.0 use addslashes
    else
    {
        $value = addslashes( $value );
    }

    // remove any SQL-commands
    $sqlcomm = array();
    $sqlcomm[] = 'create';
    $sqlcomm[] = 'database';
    $sqlcomm[] = 'table';
    $sqlcomm[] = 'insert';
    $sqlcomm[] = 'update';
    $sqlcomm[] = 'rename';
    $sqlcomm[] = 'replace';
    $sqlcomm[] = 'select';
    $sqlcomm[] = 'handler';
    $sqlcomm[] = 'delete';
    $sqlcomm[] = 'truncate';
    $sqlcomm[] = 'drop';
    $sqlcomm[] = 'where';
    $sqlcomm[] = 'or';
    $sqlcomm[] = 'and';
    $sqlcomm[] = 'values';
    $sqlcomm[] = 'set';
    $sqlcomm[] = 'password';
    $sqlcomm[] = 'salt';
    $sqlcomm[] = 'concat';
    $sqlcomm[] = 'schema';
    //$value = recursive_str_ireplace($sqlcomm, '', $value);
    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }
    return $value;
}

with this code it works fine!
Greetings Jo

silpher 03-29-2012 10:23 PM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thanks, that worked for me :D

CristianoDiaz 04-14-2012 05:11 PM

Quote:

Originally Posted by VBDev (Post 2307204)
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for
PHP Code:

// remove any SQL-commands 

Add below :
PHP Code:

$sqlcomm = array(); 

Then search for :
PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value);

Comment it out :
PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 

Add after :
PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }

That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thank you! This fixed the problem for me, it's been driving me nuts.

doubleclick 04-19-2012 11:36 PM

Hey guys -

Is it possible for stangger5 and Hippy to get "joint custody" of this script since Mr Z is too busy? Having to sift through multiple threads with lengthy discussions about which code to use, what edits are best and why 2.7.1 is the version to use and not 2.72 (???!!!???) gets pretty confusing for us non-coders.

For a long time now, this script has been officially dormant with new versions few and far between, while fixes (or not) abound in the forums. I understand the original author has expanded his family and his outside commitments, and I'm not trying to criticize him in the least. Without him, this wouldn't be here in the first place.

That said, stangger5 and Hippy have been doing most of the heavy lifting on this script for some time now, and it seems it would be to everyone's benefit to give them equal access to the official releases along with Mr. Z to make this an equal partnership. The code could get back on track to be the awesome script it could be, instead of limping along and propped up with forum post file edits. They both have demonstrated a commitment to the script, and on their own sites have expanded its capabilities. Let's give 'em a chance to take this script to new heights instead of limiting their talents to covering it with bandaids.

Do I hear an "amen?"

Hippy 04-20-2012 08:55 PM

in my sig you'll find a link to the post I made with everything you'll need. I did the reading and sifting for you all..

If anyone stangger5 is the man..
when it come to this arcade..
but i will be here helping all the same to keep this arcade alive

dlewisr 04-24-2012 08:31 PM

Quote:

Originally Posted by Hippy (Post 2307340)
so it should look like this ?
Code:

function ibp_cleansql($value)
{
        if( get_magic_quotes_gpc() )
        {
                $value = stripslashes( $value );
        }
        //check if this function exists
        if( function_exists( "mysql_real_escape_string" ) )
        {
                $value = mysql_real_escape_string( $value );
        }
        //for PHP version < 4.3.0 use addslashes
        else
        {
                $value = addslashes( $value );
        }

        // remove any SQL-commands
        $sqlcomm = array(); 
        $sqlcomm[] = 'create';
        $sqlcomm[] = 'database';
        $sqlcomm[] = 'table';
        $sqlcomm[] = 'insert';
        $sqlcomm[] = 'update';
        $sqlcomm[] = 'rename';
        $sqlcomm[] = 'replace';
        $sqlcomm[] = 'select';
        $sqlcomm[] = 'handler';
        $sqlcomm[] = 'delete';
        $sqlcomm[] = 'truncate';
        $sqlcomm[] = 'drop';
        $sqlcomm[] = 'where';
        $sqlcomm[] = 'or';
        $sqlcomm[] = 'and';
        $sqlcomm[] = 'values';
        $sqlcomm[] = 'set';
        $sqlcomm[] = 'password';
        $sqlcomm[] = 'salt';
        $sqlcomm[] = 'concat';
        $sqlcomm[] = 'schema';
        //$value = recursive_str_ireplace($sqlcomm, '', $value);
        foreach ($sqlcomm AS $key => $needle)
        {
                $value = str_ireplace($needle, '', $value);
        }
        return $value;
}

I been using stangger5's edit and works on every update I did..
I am just wondering at this moment.. thanks

This worked for me. Cheers for that Hippy

boggseric 05-04-2012 01:11 AM

Quote:

Originally Posted by boggseric (Post 2312326)
I made these changes but now the error moved down one line.

Fatal error: Call to undefined function: str_ireplace() in /home/ls2com/public_html/forums/arcade.php on line 5601


2.7.2 does it now require PHP5?

my code in arcade.php
Code:

// remove any SQL-commands
        $sqlcomm = array();
        $sqlcomm[] = 'create';
        $sqlcomm[] = 'database';
        $sqlcomm[] = 'table';
        $sqlcomm[] = 'insert';
        $sqlcomm[] = 'update';
        $sqlcomm[] = 'rename';
        $sqlcomm[] = 'replace';
        $sqlcomm[] = 'select';
        $sqlcomm[] = 'handler';
        $sqlcomm[] = 'delete';
        $sqlcomm[] = 'truncate';
        $sqlcomm[] = 'drop';
        $sqlcomm[] = 'where';
        $sqlcomm[] = 'or';
        $sqlcomm[] = 'and';
        $sqlcomm[] = 'values';
        $sqlcomm[] = 'set';
        $sqlcomm[] = 'password';
        $sqlcomm[] = 'salt';
        $sqlcomm[] = 'concat';
        $sqlcomm[] = 'schema';
        // $value = recursive_str_ireplace($sqlcomm, '', $value);
        foreach ($sqlcomm AS $key => $needle)
        {
                $value = str_ireplace($needle, '', $value);
        }



In case anyone cares, the new version of Arcade DOES require PHP5, str_ireplace is not available in PHP4.

Hippy 05-04-2012 03:09 AM

Quote:

Originally Posted by boggseric (Post 2326017)
In case anyone cares, the new version of Arcade DOES require PHP5, str_ireplace is not available in PHP4.

try this ... replace your root arcade file with this one

https://vborg.vbsupport.ru/attachmen...6&d=1335142146

Raptor 05-10-2012 04:45 PM

Quote:

Originally Posted by Hippy (Post 2326046)
try this ... replace your root arcade file with this one

https://vborg.vbsupport.ru/attachmen...6&d=1335142146

here is where the confusion creeps in again

do we all use the arcade.php you linked to here or do we do the edits that the rest of the thread talks about as the 2 are completely different

Hippy 05-10-2012 11:11 PM

I did the edits in the attached file to make it easy for everyone

Heldenverband 09-02-2013 03:43 PM

Hi,

in the forum it works fine. But in the VB admin section (main settings) these errors displayed :

Code:

Deprecated: Assigning the return value of new by reference is deprecated in /usr/www/xxxx/arcade.php on line 897

Deprecated: Assigning the return value of new by reference is deprecated in /usr/www/users/xxx/arcade.php on line 5386

Any Idea ?

--------------- Added [DATE]1378141057[/DATE] at [TIME]1378141057[/TIME] ---------------

Solved.

modify of arcade.php in admincp folder.

Hippy 09-02-2013 04:10 PM

https://vborg.vbsupport.ru/showthread.php?p=2328579

I also have one posted here with the edits

