vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Is it safe to add new columns to vbulletin users table? (https://vborg.vbsupport.ru/showthread.php?t=301554)

SwalyAaron 08-24-2013 07:43 AM

Is it safe to add new columns to vbulletin users table?
 
I have a script that isn't related to vBulletin at all; it adds information to a separate database.

Today I was thinking: what if I add some of the information I submit to this database to the vBulletin users table to keep track of things?

Basically this is what I'm doing

Someone uses the PayPal IPN I've set up; information is submitted to a DB named "payments", and one of the columns is "price", so I was thinking I could do this:

$totalpayed += $price;

and add $totalpayed to the vBulletin DB so I can display it in, say, the UserCP later on, or add it to the vBulletin user array for other manipulations.

Can this be done or is it too risky?

Simon Lloyd 08-24-2013 09:53 AM

You'd have no issues adding a column and writing the values; however, when you get the values via a query you have to make sure that any queries are cleaned or escaped as needed.

SwalyAaron 08-24-2013 11:24 AM

Quote:

Originally Posted by Simon Lloyd (Post 2440702)
You'd have no issues adding a column and writing the values; however, when you get the values via a query you have to make sure that any queries are cleaned or escaped as needed.

Is there a specific way vBulletin runs its queries to make them safer? If so, do you by chance know the syntax?

Simon Lloyd 08-24-2013 12:12 PM

I'm no whiz at database queries at all; however, I do know that when you get a string in a query you have to escape that at the end of the query.

If you are to write from another program to vBulletin I believe you have to clean the input variable. Here's an example of where a variable is cleaned:
PHP Code:

// clean_gpc(source, name, type): 'r' reads $_REQUEST; TYPE_INT casts the value to an integer
$vbulletin->input->clean_gpc('r', 'postid', TYPE_INT);

$postid = $vbulletin->GPC['postid'];

and then can be used like this
PHP Code:

// $postid is an integer after cleaning, so it can be interpolated into the query
$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "post SET mycolumnid = 0 WHERE postid = $postid");

That may be more confusing to you than helpful; hopefully KH99 (aka Kevin) will visit this thread and help you out. I can only manage the simple stuff with db queries :)

SwalyAaron 08-24-2013 12:53 PM

Quote:

Originally Posted by Simon Lloyd (Post 2440716)
I'm no whiz at database queries at all; however, I do know that when you get a string in a query you have to escape that at the end of the query.

If you are to write from another program to vBulletin I believe you have to clean the input variable. Here's an example of where a variable is cleaned:
PHP Code:

// clean_gpc(source, name, type): 'r' reads $_REQUEST; TYPE_INT casts the value to an integer
$vbulletin->input->clean_gpc('r', 'postid', TYPE_INT);

$postid = $vbulletin->GPC['postid'];

and then can be used like this
PHP Code:

// $postid is an integer after cleaning, so it can be interpolated into the query
$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "post SET mycolumnid = 0 WHERE postid = $postid");

That may be more confusing to you than helpful; hopefully KH99 (aka Kevin) will visit this thread and help you out. I can only manage the simple stuff with db queries :)

I'm decent with queries, but mostly mysql_query(), which is deprecated, so no use there, and PDO, which I'll probably use.

I was asking and wondering if vBulletin set up custom functions for their queries; it looks like they did, but I'd still like more input from KH99. Thank you, by the way.

Simon Lloyd 08-24-2013 01:09 PM

If you're decent with MySQL queries you should have no problem; you'll know how to prevent things being left open to SQL injection (which is what the clean and $db_escape_string do, I believe) :)

BirdOPrey5 08-25-2013 12:35 AM

$vbulletin->input->clean_gpc will force an integer for TYPE_INT, but it doesn't truly clean a string for TYPE_STR; it just makes sure it is a string.

All strings must be escaped before being saved to the database.

Code:

$vbulletin->db->query_write("QUERY HERE");

To write to the database. Make sure you do global $vbulletin; first.
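
As an added example (not from this thread and not vBulletin's own code), here is the pattern the replies above describe, applied to the OP's IPN case: the unsafe interpolation of raw request data beside the cleaned-and-escaped version, an atomic server-side increment instead of `$totalpayed += $price`, and reading the column back. It assumes a vBulletin 3.x install where `global.php` has already run (so `$vbulletin` exists), a hypothetical `totalpaid` column added to the `user` table, a hypothetical `payments` table in the same database, the PayPal IPN field names `custom`, `mc_gross` and `txn_id`, and that the IPN message has already been verified with PayPal before this code runs.

```php
<?php
// Added example; assumes vBulletin 3.x with global.php already loaded.
// Hypothetical column, created once (prefix the table name if you use TABLE_PREFIX):
//   ALTER TABLE `user` ADD `totalpaid` DECIMAL(10,2) NOT NULL DEFAULT 0.00;
// Hypothetical audit table, mirroring the OP's "payments" DB:
//   CREATE TABLE `payments` (txn_id VARCHAR(32) NOT NULL PRIMARY KEY,
//                            userid INT UNSIGNED NOT NULL, price DECIMAL(10,2) NOT NULL);

// --- UNSAFE: raw $_POST values interpolated straight into SQL ---
function record_payment_unsafe()
{
    global $vbulletin;
    // A crafted `custom` such as "1 OR 1=1" rewrites the WHERE clause;
    // a quote inside any string field breaks out of the literal. SQL injection.
    $vbulletin->db->query_write("
        UPDATE " . TABLE_PREFIX . "user
        SET totalpaid = totalpaid + " . $_POST['mc_gross'] . "
        WHERE userid = " . $_POST['custom']
    );
}

// --- SAFE: clean the input, then escape whatever is still a string ---
function record_payment_safe()
{
    global $vbulletin;

    // clean_array_gpc('p', ...) reads $_POST. TYPE_UINT casts to a non-negative
    // integer and TYPE_NUM to a float; neither can carry SQL, so they may be
    // interpolated directly. TYPE_STR only guarantees a string (BirdOPrey5's point).
    $vbulletin->input->clean_array_gpc('p', array(
        'custom'   => TYPE_UINT,  // assumption: the IPN 'custom' field carries the userid
        'mc_gross' => TYPE_NUM,   // payment amount
        'txn_id'   => TYPE_STR,   // PayPal transaction id: still an arbitrary string
    ));
    $userid = $vbulletin->GPC['custom'];
    $amount = $vbulletin->GPC['mc_gross'];
    $txnid  = $vbulletin->GPC['txn_id'];

    if ($userid <= 0 || $amount <= 0 || $txnid === '')
    {
        return false; // reject before touching the database
    }

    // Strings must be escaped before they go into a query; escape_string() is the
    // vBulletin wrapper around the driver's escaping. Format the float ourselves so
    // the literal is always "12.50", never locale-dependent.
    $txnid_sql  = $vbulletin->db->escape_string($txnid);
    $amount_sql = number_format($amount, 2, '.', '');

    // txn_id is the PRIMARY KEY, so a replayed IPN is refused by the database.
    $vbulletin->db->query_write("
        INSERT IGNORE INTO " . TABLE_PREFIX . "payments (txn_id, userid, price)
        VALUES ('$txnid_sql', $userid, $amount_sql)
    ");
    if ($vbulletin->db->affected_rows() == 0)
    {
        return false; // duplicate txn_id: already counted
    }

    // Increment on the server instead of "$totalpayed += $price" in PHP, so two IPNs
    // arriving at once cannot read the same old total and overwrite each other.
    $vbulletin->db->query_write("
        UPDATE " . TABLE_PREFIX . "user
        SET totalpaid = totalpaid + $amount_sql
        WHERE userid = $userid
    ");
    return true;
}

// Reading it back, e.g. for the UserCP. The id comes from the session
// ($vbulletin->userinfo['userid']), not from the request.
function fetch_totalpaid($userid)
{
    global $vbulletin;
    $userid = intval($userid);
    $row = $vbulletin->db->query_first("
        SELECT totalpaid FROM " . TABLE_PREFIX . "user WHERE userid = $userid
    ");
    return $row ? (float) $row['totalpaid'] : 0.0;
}
```

Two things the thread's answers imply but do not spell out: vBulletin's own code knows nothing about a column you add, so nothing in the product will validate or populate it, and every write has to go through code like the safe function above; and because an IPN is an HTTP POST from outside, its fields are untrusted input in exactly the same sense as a forum form, so the price the OP wants to add up must be cleaned before it is summed, not only before it is displayed.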



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
