vb.org Archive
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   trying to make php code work for profile (https://vborg.vbsupport.ru/showthread.php?t=92762)

Gio~Logist 07-24-2005 01:25 AM
trying to make php code work for profile
 
How would i make it so that the settings in this code

PHP Code:
            $webpage['text'] = stripslashes($row['text']);
            
            //Check text-formatting settings
            $settingvbcode iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1''1''0');
            $settinghtml iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1''1''0');
            if($settinghtml == AND $settingvbcode == 0) {
                $settingvbcode 1;
            }
            
            if($vboptions['webpagesmilies'] == and $row['usesmilies'] == 1) {
                $settingsmilies 1; } else { $settingsmilies 0; }
            
            if($settingvbcode == 1) {
                $webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml1$settingsmilies$settingvbcode);
            }
            if($settinghtml == 1) {
                //Remove scripts!!!
                $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si"""$webpage['text']);
                //Don't hide anything!
                $webpage['text'] = str_replace("<!--""&lt;!--"$webpage['text']);
                //Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
                if($settinghtml == && !empty($vboptions['allowedhtmltags'])) {
                    $webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
                }
            }
            
            //Javascript will not be allowed
            $webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU"""$webpage['text']); 
            
            $webpage['hits'] = $row['hits'];
            $webpage['bgcolor'] = $row['bgcolor'];
            $webpage['bordersize'] = $row['bordersize'];
            $webpage['bordercolor'] = $row['bordercolor'];
            $webpage['fontface'] = $row['fontface'];
            $webpage['fontsize'] = $row['fontsize'];
            $webpage['fontcolor'] = $row['fontcolor'];



work for the text in profile fields?

Gio~Logist 07-25-2005 07:46 PM
PHP Code:
   $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si"""$webpage['text']); 
                //Don't hide anything! 
                $webpage['text'] = str_replace("<!--""&lt;!--"$webpage['text']); 
i believe that alone filters out malicious codes



this code is the one that does pretty much everythign

PHP Code:
            //Check text-formatting settings 
            $settingvbcode iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1''1''0'); 
            $settinghtml iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1''1''0'); 
            if($settinghtml == AND $settingvbcode == 0) { 
                $settingvbcode 1
            } 
             
            if($vboptions['webpagesmilies'] == and $row['usesmilies'] == 1) { 
                $settingsmilies 1; } else { $settingsmilies 0; } 
             
            if($settingvbcode == 1) { 
                $webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml1$settingsmilies$settingvbcode); 
            } 
            if($settinghtml == 1) { 
                //Remove scripts!!! 
                $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si"""$webpage['text']); 
                //Don't hide anything! 
                $webpage['text'] = str_replace("<!--""&lt;!--"$webpage['text']); 
                //Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!) 
                if($settinghtml == && !empty($vboptions['allowedhtmltags'])) { 
                    $webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']); 
                } 
            } 

Chris M 07-25-2005 07:58 PM
Essentially, the following is what is the most secure:

PHP Code:
 if(!(empty($vboptions['allowedhtmltags']))) { 
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']); 
But I do not recommend, under any circumstances, enabling HTML anywhere...

Satan

Gio~Logist 07-25-2005 08:05 PM
a code hellsatan has come up with

PHP Code:
if(!(empty($vboptions['allowedhtmltags']))) {  
  
 $post['fieldx'] = strip_tags($post['fieldx'], $vboptions['allowedhtmltags']);  
  
 } 
now if only we can find out where $post[fieldx] is parsed

here's some php i found in member.php

PHP Code:
// *********************
// CUSTOM PROFILE FIELDS
$profilefields $DB_site->query("
    SELECT profilefieldid, required, title, type, data, def, height
    FROM " TABLE_PREFIX "profilefield
    WHERE form = 0 OR 6 OR 7  OR 8" iif(!can_moderate(), "
        AND hidden = 0") . "
    ORDER BY displayorder
");


$search = array(
    '#(\r\n|\n|\r)#',
    '#(<br />){3,}#'// Replace 3 or more <br /> with two <br />
);
$replace = array(
    '<br />',
    '<br /><br />',
);

while ($profilefield $DB_site->fetch_array($profilefields))
{
    exec_switch_bg();
    $profilefieldname "field$profilefield[profilefieldid]";
    if ($profilefield['type'] == 'checkbox' OR $profilefield['type'] == 'select_multiple')
    {
        $data unserialize($profilefield['data']);
        foreach ($data AS $key => $val)
        {
            if ($userinfo["$profilefieldname"] & pow(2$key))
            {
                $profilefield['value'] .= iif($profilefield['value'], ', ') . $val;
            }
        }
    }
    else if ($profilefield['type'] == 'textarea')
    {
        $profilefield['value'] = preg_replace($search$replacetrim($userinfo["$profilefieldname"]));
    }
    else
    {
        $profilefield['value'] = $userinfo["$profilefieldname"];
    }
    if ($profilefield['value'] != '')
    {
        $show['extrainfo'] = true;
    }
    eval('$customfields .= "' fetch_template('memberinfo_customfields') . '";');

}
// END CUSTOM PROFILE FIELDS
// ************************* 
is this where the $post[fieldx] isparsed?

sabret00the 07-25-2005 09:04 PM
this
PHP Code:
$profilefields $DB_site->query("
    SELECT profilefieldid, required, title, type, data, def, height
    FROM " TABLE_PREFIX "profilefield
    WHERE form = 0 OR 6 OR 7  OR 8" iif(!can_moderate(), "
        AND hidden = 0") . "
    ORDER BY displayorder
"); 
should be
PHP Code:
$profilefields $DB_site->query("
    SELECT *
    FROM " TABLE_PREFIX "userfield
"); 

Gio~Logist 07-25-2005 09:13 PM
thank you for your input, however, read the thread.... wer'e trying to use the code we put together and/or limits for html in webpage, to work for $post[fieldx]

sabret00the 07-25-2005 09:59 PM
Quote:
Originally Posted by gio~logist
now if only we can find out where $post[fieldx] is parsed
what do you mean by 'parsed'? to my knowledge $post fieldx isn't anywhere within your script as you've described?

basically describe what you mean by parsed.

and having read the thread back, what i originally posted more than stands but alas that's just me.

you select the field then you echo it out, it's that simple.

Gio~Logist 07-25-2005 10:02 PM
hellsatan told me to put

PHP Code:
 if(!(empty($vboptions['allowedhtmltags']))) {   
   
 $post['fieldx'] = strip_tags($post['fieldx'], $vboptions['allowedhtmltags']);   
   
 } 
wherever $post[fieldx] is parsed. he himielf said that he doesnt know where its parsed or even if it is.

however, if theres a way that you know of to allow htlm and/or limit html the same way the webpage does, itll be helpful

there are several codes that have been posted that can be used for this

sabret00the 07-25-2005 10:08 PM
what happened when you input html into the database via the usercp does it appear in the database as you submitted it via your usercp?

Gio~Logist 07-25-2005 10:10 PM
<b> will appear as <b> and every code will jsut appear as is but it wont work


All times are GMT. The time now is 09:27 PM.
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01235 seconds
  • Memory Usage 1,824KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (9)bbcode_php_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete