vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Efficient Way to Log (https://vborg.vbsupport.ru/showthread.php?t=315291)

KGodel 11-07-2014 03:11 AM

Efficient Way to Log
 
Hey all.

So, I recently added a simple system to my gaming clan forums where staff could grant points to users who attend events. There are several different input methods, which shouldn't be an issue since they write to the database the same way. I am looking to add logging to the system, but I know that this can lead to a very large database. What is the best way to store a log? Database, file editing, etc. I am sure I could run a task to prune them after a certain length of time to keep size down, but yea, best way to log actions?

Dave 11-07-2014 07:38 AM

You could use the adminlog table to log the actions and prune those logged entries every now and then. Take a look at the adminlog table and you'll see that it's very easy to use it.

KGodel 11-09-2014 06:02 PM

Okay, a security question. So I need to log a list of userIDs when what is passed through the script is a list of usernames the staff member types in, and those users are given points. Since the array is passed through cleaning via GPC, is it safe to use that list to check values against to get a list of userIDs, or is there a better way that will leave me less vulnerable to injection?

Dave 11-09-2014 06:20 PM

Depends on what type of array you define in the GPC function. Regardless, I would always use the escape_string function over user input values and check if numbers are really numbers with a function such as ctype_digit.

kh99 11-09-2014 06:43 PM

Yeah, I agree with what Dave said. If you clean it with TYPE_INT or something so that you know it's a number, then you can safely use it in an sql string. But if it's a string you should always use db->escape_string() to include it in sql (no matter what TYPE_ you used to clean it), not only to avoid a security problem but also because if the string contains any special characters (like a quote) then it would cause an error if you haven't escaped it.

KGodel 11-09-2014 09:11 PM

All good tips, thanks guys. Is there any function within VB I can use that can get a UserID based on a username without needing to query the database at all? That would be the ideal, but if not I'll just have to double clean the array. Here is what I have:

PHP Code:

    // Clean the POSTed form fields. TYPE_UINT (unsigned int) is the vBulletin
    // constant; the post had the typo TYPE_UNIT, which is not defined.
    $vbulletin->input->clean_array_gpc('p', array(
        'points' => TYPE_UINT,
        'users'  => TYPE_STR
    ));

PHP Code:

    // Escape the whole semicolon-separated string, then split it into names.
    $ausers   = $db->escape_string($vbulletin->GPC['users']);
    $addusers = explode(";", $ausers);

So addusers is an array. Obviously I'll have to turn it into a list before I can use it in the manner I want (basically query the database to get the ID of anyone whose username is in this list of names). If it's safe after these cleaning methods then I'll be a bit more confident.

kh99 11-09-2014 09:32 PM

I don't know offhand if there's a function to get the id from the username. I don't remember seeing one. But if there is I'm sure it would just do a query like "select userid from user where username = 'something' ". If you do something like

Code:

    "SELECT userid FROM " . TABLE_PREFIX . "user WHERE username='" . $vbulletin->db->escape_string(trim($username)) . "'"

Then I think you'll be fine without any additional cleaning.

KGodel 11-09-2014 10:55 PM

Would it take more time to get each userID individually like that or check for all userIDs for any username in the list at once?

kh99 11-09-2014 11:25 PM

Yes, you could get them all in one query. That is obviously better for efficiency, although if it's something that's only going to happen occasionally with a few names in the list it probably doesn't matter a whole lot.

Edit: so I guess I'm saying you're right, if I were doing it I probably would go with one query, but I think doing it with separate queries isn't bad.
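The approach discussed in this thread, as an added example that is not code from any of the posters: escape each typed name separately, resolve all of them to userids in a single IN (...) query, and record the grant in the adminlog table that Dave suggested. It assumes a vB3/vB4 script where $vbulletin and $db are already initialised; 'clanpoints.php' is a hypothetical script name, and the adminlog column names are the stock vB3/vB4 ones.

```php
<?php
// Added example, not code from the thread. Assumes a vB3/vB4 script where
// $vbulletin and $db are already initialised; 'clanpoints.php' is a
// hypothetical script name; adminlog columns are the stock vB3/vB4 ones.
$vbulletin->input->clean_array_gpc('p', array(
    'points' => TYPE_UINT,  // cleaned to an unsigned int: safe to inline in SQL
    'users'  => TYPE_STR,   // e.g. "alice; bob ;carol" as typed by staff
));

// Resolve many usernames with ONE query; returns found (lowercased name => userid) and missing names.
function resolve_userids($db, array $names)
{
    $names = array_unique(array_filter(array_map('trim', $names), 'strlen'));
    $found = array(); $missing = array();
    if (empty($names)) { return array('found' => $found, 'missing' => $missing); }
    // Escape each name separately AFTER splitting, so a quote inside one name cannot
    // break out of its own string literal. Usernames are stored htmlspecialchars_uni()-encoded.
    $quoted = array();
    foreach ($names as $n) {
        $quoted[] = "'" . $db->escape_string(htmlspecialchars_uni($n)) . "'";
    }
    $result = $db->query_read("
        SELECT userid, username
        FROM " . TABLE_PREFIX . "user
        WHERE username IN (" . implode(',', $quoted) . ")
    ");
    while ($row = $db->fetch_array($result)) {
        $found[strtolower($row['username'])] = (int) $row['userid'];  // MySQL matched case-insensitively
    }
    foreach ($names as $n) {
        if (!isset($found[strtolower(htmlspecialchars_uni($n))])) {
            $missing[] = $n;  // report typos instead of silently dropping them
        }
    }
    return array('found' => $found, 'missing' => $missing);
}

$res = resolve_userids($db, explode(';', $vbulletin->GPC['users']));
if (!empty($res['found'])) {
    // ... grant $vbulletin->GPC['points'] to each userid here; then one adminlog row per grant (prune old rows with a scheduled task) ...
    $extra = $vbulletin->GPC['points'] . ' points to userids ' . implode(',', $res['found']);
    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "adminlog
            (userid, dateline, script, action, extrainfo, ipaddress)
        VALUES (" . (int) $vbulletin->userinfo['userid'] . ", " . TIMENOW . ", 'clanpoints.php',
            'grant', '" . $db->escape_string($extra) . "', '" . $db->escape_string(IPADDRESS) . "')
    ");
}
```

Names in $res['missing'] can be shown back to the staff member so a mistyped username is noticed rather than silently skipped.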

nerbert 11-10-2014 01:35 AM

I don't remember where I got this stuff but here's some vBulletin code to SELECT based on username

PHP Code:

    $vbulletin->input->clean_array_gpc('r', array(
        'username' => TYPE_STR,
        'password' => TYPE_STR
    ));

    $username = strip_blank_ascii($vbulletin->GPC['username'], ' ');

    // See VBM-635: &#xxx; should be converted to windows-1252 extended char. This may not happen if a browser submits the form. But from API or user manually input, it does.
    // See also vB_DataManager_User::verify_username()
    // The original used preg_replace() with the /e (eval) modifier, which is deprecated
    // since PHP 5.5 and removed in PHP 7; preg_replace_callback() does the same job.
    $username = preg_replace_callback(
        '/&#([0-9]+);/',
        function ($m) {
            return convert_unicode_char_to_charset($m[1], vB_Template_Runtime::fetchStyleVar('charset'));
        },
        $username
    );

    $user = $vbulletin->db->query_first("
        SELECT *
        FROM " . TABLE_PREFIX . "user
        WHERE username = '" . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'
    ");



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
