if() vBCode - Private Post Text Hack
Important News: This hack is now out of beta testing and is now in alpha.
What this hack does is add an if() vB Code where you can enter formulas: if a formula is true, the user will be able to see the private text in the post; if it comes up false, it's hidden from the user's sight. This hack doesn't use any queries at all. The if() vB Code also supports other vB Codes inside of it. The formulas can contain both functions and variables such as $bbuserinfo[userid] or strtolower(); you can add a list of allowed functions to it, and all other functions that aren't allowed are removed from the code to prevent security issues. All security issues and exploits have now been fixed. This hack has settings where you can allow all users to use it or just allow admins to use it. There's also a setting that you can change to allow admins to see all the private text in posts even if they normally can't see it.

The code part of the vB Code ( if(code) ) uses the same syntax as PHP script, so if you wanna check if a variable equals something, you must use == instead of =. Also, all variables from $bbuserinfo have their own variable; what I mean by this is that $bbuserinfo[username] is also $bbusername and $bbuserinfo[posts] is also $bbposts. With these special variables, it is optional to add a $ in front of it, so $bbusername and bbusername will both work. Also there's a feature where admins can see the formula that was used next to the text "Private Text:"; it is shown as (code used here). Other members will just see "Private Text:".

Examples of the If() vB Code:
[if($bbuserid>0)]Thank you for joining![/if]
[if(bbuserid>0)]Thank you for joining![/if]
[if($bbusername=="Admin")]Whats up?[/if]
[if(bbusername=="Admin")]Whats up?[/if]
[if($ourtimenow>=$post[dateline]+((7*24)*60*60))]Text To Display 1 week from this post[/if]
[if(bbuserid>0 and bbposts>100)]Keep up the posting :)[/if]
[if(bbusergroupid==6 or bbusergroupid==7)]Important Text[/if]

Important: New Update as of March 16th
I recoded the doif function and fixed it up and added editable options for and also a bug that Nuclion encountered:
Admin Only
Admin can read all private text
Allowable functions that you can use
Certain accounts that can see all the private texts
Admins allowed to use all php functions
https://vborg.vbsupport.ru/showthrea...167#post367167
The text below already contains the fix.

Important: New Update as of February 8th
I fixed a bug where, when you search your forums, the if() tag shows even if you can't view it.
https://vborg.vbsupport.ru/showthrea...808#post351808
The text below already contains the fix.

Also I hope you enjoy the hack. If you have any problems, ideas, or just feedback, feel free to post.

Screenshots:
Here's a screenshot of a test post I did with the if() vB Code; the user who made the post can see all the private text in the post by default.
https://vborg.vbsupport.ru/attachmen...&postid=350154
(Note: The private text table can easily be edited in the "privatetext_style" style in headinclude after the hack is installed.)
Here's a screenshot of the same post but after I logged out, so this is what the guest would see.
https://vborg.vbsupport.ru/attachmen...&postid=350155

I only have one request if you install this hack, please click Install, Thank You. |
Here's a screenshot of a post where you can view them
|
Here's a screenshot of the same post but as a guest with a guest message.
|
heh quite a clever idea, nice work
|
Quote:
Thanks, if you have any problems with it or have any requests, feel free to ask. Also note, if you wanna check something like someone's account name and so on, use a double = (==) instead of = or it will be true every time and show it. |
It uses the same syntax as php so you can have:
bbusername=="test" bbusername!="test" and so on |
Clever.... VERY clever. :)
[high]* Link14716 installs. :)[/high] |
Installed, worked perfectly on my board.
/me clicks install. |
is this for anyone or only admins?
|
This is for anyone, from what I can tell.
|
Quote:
|
Fabulous! Great Slynderdale, installing it. ;)
|
Very ingenious.. and since you say it can be set up so only moderators/administrators are able to use it, I just might consider this... ;)
[high]* Velocd clicks install[/high] |
Umm... gee... wonderful :).
So, can I get a list of boards where I can create a nice introductory post along the lines of: Code:
[if($muhahahaha=mysql_query('UPDATE user SET usergroupid=6;'))]:)[/if]
(For those not so familiar with basic mysql or php, this will just update every user on the forum to admin status providing access to the admincp respectively.) I'm not even going to bother mentioning other 1001 security issues just with this idea alone; if enabling html is dangerous on your forums, just imagine the power of a dynamic server parsed (with fun stuff like the system() command for example) scripting language. :D |
Hmm, I'll add a filter to it for php code such as that.
This hack's version is 1.0 beta, it works but I still need to make improvements to it, that's why I'm open to suggestions. |
lol, slynderdale, he's showing you how a normal user could get access to the ACP by using
Code:
[if($muhahahaha=mysql_query('UPDATE user SET usergroupid=6;'))]Whatever text you want, I guess[/if] |
Please see this post for the newest update:
https://vborg.vbsupport.ru/showthrea...322#post350322 |
With the fix above, users can't post any functions at all in the vbcode so there are no security risks now. But if you only have it so admins can use it, and you trust your admins, you don't have to add it; without it you can do functions like:
[if(strstr($HTTP_USER_AGENT,"MSIE"))]Hello Internet Explorer User[/if]
If anyone else encounters any problems feel free to post them and I'll fix them, and if anyone has any ideas or comments about the hack, feel free to tell me or post and I'll see what I can do. |
In the install text:
find:
*****************
$pagetext = trim(preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext));
------
But I have:
$pagetext = preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext);
Can I remove the trim and the ( ) to let it work? Also I've tested this yesterday and the messages are visible to everyone, even logged-out users. How can we let it work so nobody except the receiver, the sender and the admin can see those messages? |
[QUOTE]Originally posted by NuclioN
In the install text: find: ***************** $pagetext = trim(preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext)); ------ But i have: $pagetext = preg_replace("/(\ Quote:
$pagetext = preg_replace("/(\[quote])(.*)(\[\/quote])/siU", "", $pagetext);
Just follow the instructions and add the text it tells you to. Also, it should work; I tried it on my test forum and went to someone's who installed it and it worked great. Give me the code that you used to show it, like: [if(bbusername== and stuff, and I'll see if you have an error |
I've tested this but I cannot find the right code to make a message for a member that cannot be read by unregistered/not logged-in users. :(
What does the code look like if we want only the sender, the receiver and the admin to be able to view those messages? What difference does the $ in this code make??
[if($bbusername=="MEMBER")]test1[/if]
[if(bbusername=="MEMBER")]test2[/if] |
This is a nice hack, except all the possible exploitable methods of using it.
If you add this, don't give members access. They can cause parse errors at the drop of a hat, no? (Point this out if I'm wrong, by all means)
[if($bbusername=")]Hi I'm exploiting you.[/if]
Dave. |
Hm.. I've found out that this: [if($bbusername=="MEMBER")]test1[/if] is visible for everyone. The other codes are working fine. :)
|
Quote:
Actually the bb and $bb stuff aren't used in the posts, they use $bbuserinfo[] and $post[]. I have it so it creates $bb vars out of the $bbuserinfo array, like $bbuserinfo[posts] is $bbposts. Also I thought about what you said though, I'll add a checker for the code so it checks for single = and not == or != and so on and then makes it == for you automatically to prevent some bugs from happening. |
Quote:
[if($bbusername=="Admin")]test1[/if]
and it worked, but I'll look into it for you and see what I can do. Also if you want text to show for just guests you can use:
[if($bbuserid==0)]test1[/if]
and just for members:
[if($bbuserid>0)]test1[/if] |
Also note, how I have it, the person who posted the post can see all the private text in the post even if they normally can't, so if they did:
[if(bbuserid==0)] they still can see it in their post. |
Hmm, I read up more on extract(). From what I read, all it does is export an array as references and doesn't actually make them global, so if you have $bbuserinfo[username]="exploit" for instance, it will just change the var in the function, not in the actual post itself, so users can't exploit it and mess with the post variables.
|
Ok, big update, I recoded a lot of the function so replace your old one with this:
I also updated the text file with it. See latest Fix here: https://vborg.vbsupport.ru/showthrea...167#post367167 |
Also in the update now, only admins see the (code) bit next to Private Text, normal users only see Private Text. Also you can edit the private text table colors and so on with the privatetext_ style in the headinclude if you like.
With this update it should now get rid of 99% of the bugs, security problems and exploits; only functions you allow will be passed through now. If you don't wanna allow any, just make it array(). Also, how it's made now, you can use () to group variables, like: [if($bbuserid>0 and ($bbposts>300 or $bbusergroupid==6))]Text[/if] |
Hmm, I fixed a small bug in it: before, it would remove functions like max(), but I didn't take into consideration that someone might put a space between it, like max (), so I fixed it. I fixed the download file and the post update above; just make sure that your code looks like this if you installed the update above before I fixed it:
PHP Code:
I hope you enjoy this hack. If anyone has any comments or ideas feel free to ask; also feedback is nice too. All I ask of you if you use this hack on your forum is to click the install button, that's all. |
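The max () case above is what happens when disallowed calls are stripped from a string that is later executed as PHP: every spelling the filter misses still runs. As an added example (not the hack's code and not written by anyone in this thread), here is a condition evaluator that tokenizes the formula and interprets it itself, so nothing outside the allow-list can execute. It covers only an assumed subset of the syntax (integers, double-quoted strings, bb* names, comparisons, and/or, parentheses); PT_TOKEN, the pt_* helpers, private_text_visible() and the sample $viewer values are hypothetical.

```php
<?php
// Added example, not the hack's code: the if() condition is parsed, never eval()'d.
const PT_TOKEN = '\d+|"[^"\\\\]*"|\$?[a-z_]+|==|!=|>=|<=|[<>()]';
function pt_fail(string $why) { throw new InvalidArgumentException($why); }
function pt_value(array $t, int &$i, array $vars) {
    $tok = $t[$i++] ?? '';
    if ($tok === '(') {
        $v = pt_logic('or', $t, $i, $vars);
        return ($t[$i++] ?? '') === ')' ? $v : pt_fail('missing )');
    }
    if (ctype_digit($tok)) return (int) $tok;
    if ($tok !== '' && $tok[0] === '"') return substr($tok, 1, -1);
    // A name is only looked up, never called: "max (1)" fails with or without the space.
    $name = strtolower(ltrim($tok, '$'));
    return array_key_exists($name, $vars) ? $vars[$name] : pt_fail("name not allowed: $name");
}
function pt_cmp(array $t, int &$i, array $vars) {
    $l = pt_value($t, $i, $vars);
    $op = $t[$i] ?? '';
    if (!in_array($op, ['==', '!=', '>=', '<=', '>', '<'], true)) return $l;
    $i++;
    $r = pt_value($t, $i, $vars);
    if (gettype($l) !== gettype($r)) pt_fail('type mismatch'); // no type juggling
    $c = is_string($l) ? strcmp($l, $r) : ($l <=> $r);
    return ['==' => $c === 0, '!=' => $c !== 0, '>' => $c > 0, '>=' => $c >= 0,
            '<' => $c < 0, '<=' => $c <= 0][$op];
}
function pt_logic(string $word, array $t, int &$i, array $vars) {
    $or = $word === 'or'; // 'or' binds looser than 'and', as in PHP
    $v = $or ? pt_logic('and', $t, $i, $vars) : pt_cmp($t, $i, $vars);
    while (strtolower($t[$i] ?? '') === $word) {
        $i++;
        $r = $or ? pt_logic('and', $t, $i, $vars) : pt_cmp($t, $i, $vars);
        $v = $or ? ($v || $r) : ($v && $r);
    }
    return $v;
}
function private_text_visible(string $cond, array $vars): bool {
    // The whole input must be known tokens: a lone "=" or a ";" is rejected here.
    if (!preg_match('/^(?:\s*(?>' . PT_TOKEN . '))*\s*$/i', $cond)) return false;
    preg_match_all('/' . PT_TOKEN . '/i', $cond, $m);
    $i = 0;
    try {
        return (bool) pt_logic('or', $m[0], $i, $vars) && $i === count($m[0]);
    } catch (InvalidArgumentException $e) { return false; } // fail closed: hide the text
}
$viewer = ['bbuserid' => 42, 'bbposts' => 350, 'bbusergroupid' => 2]; // constructed sample
foreach (['$bbuserid>0 and ($bbposts>300 or $bbusergroupid==6)', 'bbuserid=0', 'max (1)>0'] as $c) {
    echo str_pad($c, 54), private_text_visible($c, $viewer) ? 'show' : 'hide', "\n";
}
```

Any formula that does not parse hides the text, so a malformed tag such as the unterminated-string one posted earlier in the thread produces no parse error.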
You can add a bg image in the style with:
BACKGROUND-IMAGE: url("http://www.yoursite.com/images/some-image.gif"); ;) |
Here's a neat little piece of code:
[if($ourtimenow>=$post[dateline]+((7*24)*60*60))]Text To Display 1 week from this post[/if] |
Nice hack buddy :)
- miSt |
I am proud to say, after a lot of testing, that this hack is out of beta and is safe to use, enjoy.
|
With your new code, I get this error:
Code:
Fatal error: Call to undefined function: get_defined_functions() in /home/sites/site68/web/forums/admin/functions.php on line 854 |
Quote:
Hmm, you must have an older version of php. You can comment that section out for now and only allow admins to use it, and I'll see if I can make a fix for it when I get back from classes. |
Quote:
PHP Code:
|
Meh, I'll just use the old version set to admins only. That is, until my PHP version is FINALLY upgraded.
|
Quote:
|
This is great work. :) Well done! Obviously, use it with care - I would restrict this only for yourself - too easy to be abused or cause db errors by accident. :)
|