vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   input TYPE_STR , is it safe enough in this case ? (https://vborg.vbsupport.ru/showthread.php?t=253426)

abualjori 11-09-2010 11:43 PM

input TYPE_STR , is it safe enough in this case ?
 
Hey!

I made a custom profile field, and the datamanager was part of the process.

So, here is what I did.

PHP Code:

$vbulletin->input->clean_gpc('p','my_field',TYPE_STR); 

Then I used the datamanagers to set the info.

PHP Code:


$test =& datamanager_init('User', $vbulletin, ERRTYPE_STANDARD);
$test->set_existing($vbulletin->userinfo);
$test->set('my_field', $vbulletin->GPC['my_field']);
$test->save();



This mod uses bbcode so I need double quotes here (I messed up everything when I used TYPE_NOHTML) :p

Does this look safe enough to be used on my live forums? And do I have to escape strings etc., or would the datamanager take care of it?

Thank you. :)

sheppardzwc 11-10-2010 10:33 AM

The vBulletin input cleaner will escape anything that would normally be harmful to the boards. So yes, that would work fine.

kh99 11-10-2010 11:43 AM

It looks to me like clean_gpc with TYPE_STR just trims blanks off the ends and removes null characters. So if you don't want to allow html in that field you may need to do something else.

I guess you could try entering some html and see what happens.

vbenhancer 11-10-2010 12:47 PM

TYPE_NOHTML will do your job...

kh99 11-10-2010 02:12 PM

Quote:

Originally Posted by vbenhancer (Post 2120205)
TYPE_NOHTML will do your job...

...except that the OP says that TYPE_NOHTML messed things up. Looking at includes/class_core.php it looks like cleaning a TYPE_NOHTML value does this:

PHP Code:

str_replace(
    // replace special html characters
    array('<', '>', '"'),
    array('&lt;', '&gt;', '&quot;'),
    preg_replace(
        // translates all non-unicode entities
        '/&(?!' . ($entities ? '#[0-9]+|shy' : '(#[0-9]+|[a-z]+)') . ';)/si',
        '&amp;',
        $text
    )
);

so maybe you could leave it as TYPE_STR but clean it yourself using the above code, and take out the part that replaces the quotes.

abualjori 11-11-2010 02:29 PM

Hi!

With a little test, vbulletin seems to parse bbcode with quotes:

[color="Red"]test[/color]

or even without them:

[color=Red]test[/color]

So I made the same function that kh99 provided, but stripping every single html char, so it replaced it with nothing.

Thank you so much everyone for your input. :up:
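To make the difference between the cleaning options discussed in this thread concrete, here is an added example. It is not vBulletin's code, kh99's code or the OP's final function: it uses stand-ins for TYPE_STR as kh99 describes it (trim and drop NUL bytes), the TYPE_NOHTML snippet kh99 quoted from includes/class_core.php, kh99's keep-the-quotes variant and the OP's strip-the-characters variant, and runs all of them over the same constructed inputs. The function names, the sample strings and the assumption that the OP's version strips `<`, `>` and `"` are mine.

```php
<?php
// Added example, not vBulletin's own code: stand-ins for the cleaning
// strategies discussed in this thread, run side by side over the same inputs.
// Assumptions: clean_type_str() follows kh99's description of TYPE_STR
// (trim, drop NUL bytes); clean_type_nohtml() is the TYPE_NOHTML snippet
// quoted from includes/class_core.php; the other two are the variants the
// thread proposes. All function names here are hypothetical.

function clean_type_str($text)
{
    // TYPE_STR: whitespace trimmed, NUL bytes removed, nothing escaped.
    return trim(str_replace("\0", '', $text));
}

function escape_bare_ampersands($text, $entities = true)
{
    // Escape any '&' that does not already begin an entity. With $entities
    // true only numeric entities and &shy; are left alone, so a named
    // entity such as &amp; is escaped again (that is what the quoted regex does).
    return preg_replace(
        '/&(?!' . ($entities ? '#[0-9]+|shy' : '(#[0-9]+|[a-z]+)') . ';)/si',
        '&amp;',
        $text
    );
}

function clean_type_nohtml($text)
{
    // TYPE_NOHTML as quoted in the thread: escape <, >, " and bare &.
    return str_replace(
        array('<', '>', '"'),
        array('&lt;', '&gt;', '&quot;'),
        escape_bare_ampersands($text)
    );
}

function clean_nohtml_keep_quotes($text)
{
    // kh99's suggestion: same escaping, but double quotes are left intact so
    // bbcode such as [color="Red"] keeps working.
    return str_replace(
        array('<', '>'),
        array('&lt;', '&gt;'),
        escape_bare_ampersands($text)
    );
}

function clean_strip_html_chars($text)
{
    // The OP's final approach: delete the markup characters instead of
    // escaping them (assumed here to be <, > and "); the text loses them.
    return str_replace(array('<', '>', '"'), '', $text);
}

// Constructed sample inputs covering the cases raised in the thread.
$samples = array(
    'bbcode, quoted'   => '[color="Red"]test[/color]',
    'bbcode, unquoted' => '[color=Red]test[/color]',
    'html tag'         => '<b title="x">bold</b>',
    'ampersands'       => 'Tom & Jerry &amp; &#169;',
    'comparison'       => '1 < 2 and 3 > 2',
    'nul + spaces'     => "  hi\0there  ",
);

foreach ($samples as $label => $input) {
    $str = clean_type_str($input);
    printf("%-18s raw:         %s\n", $label, str_replace("\0", '\0', $input));
    printf("%-18s TYPE_STR:    %s\n", '', $str);
    printf("%-18s TYPE_NOHTML: %s\n", '', clean_type_nohtml($str));
    printf("%-18s keep quotes: %s\n", '', clean_nohtml_keep_quotes($str));
    printf("%-18s strip:       %s\n", '', clean_strip_html_chars($str));
    echo "\n";
}
```

Run it with the `php` command-line binary. The `html tag` row shows the point kh99 made: the TYPE_STR stand-in stores `<b title="x">bold</b>` byte for byte, the two escaping variants turn it into `&lt;b title=&quot;x&quot;&gt;bold&lt;/b&gt;` or, with quotes kept, `&lt;b title="x"&gt;bold&lt;/b&gt;`, and both leave `[color="Red"]test[/color]` untouched. The stripping variant also neutralises the tag (`b title=xbold/b`) but at the cost of the user's text: the `comparison` row comes out as `1  2 and 3  2`, which is the trade-off to keep in mind when choosing deletion over escaping.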



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
