Thread: Miscellaneous Hacks - Live Topic
View Single Post
  #469  
Old 02-11-2009, 03:02 PM
Coders Shack Coders Shack is offline
 
Join Date: Apr 2007
Location: Culver City, CA
Posts: 807
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by buro9 View Post
I have a couple of questions.

One relates to the packed/minified javascript. I want to remove the notice that tells people it's a live topic... or re-format it... it's ugly.

So I'm guessing it's written by the javascript, so I would like to see the unpacked JavaScript to adjust it. OR have the additional notice templated in the vBulletin template system.

Next up is security. I got a few errors through:
PHP Code:
Database error in vBulletin 3.8.1:

Invalid SQL:

                                        SELECT COUNT(*) AS count
                                        FROM vb_post AS post
                                        WHERE
                                                (threadid 14030
                                                AND visible 1
                                                AND dateline 1234287978.:
                                                AND userid != 217)
                                                OR (threadid 14030
                                                AND visible 1
                                                AND lastedit 1234286762);

MySQL Error   You have an error in your SQL syntaxcheck the manual that corresponds to your MySQL server version for the right syntax to use near ':
                                                AND userid != 217)
                                                OR (threadid = 14030
                                                AND visible = 1
                                ' at line 6 
Now where did that come from?

Checking the php source it seems that you just take the POST'd value and put it straight into the MySql script. Is that correct? If so... BIG ++++ING SECURITY HOLE. Because you've just allowed SQL injection.

Could you confirm whether you really are taking $_POST['value'] and using it directly in the SQL, because you REALLY REALLY need to change that before something very bad happens.
1.06b will be using GPC,

also if you want to change the text for the notice its a phrase, just go to the phrase manager and search by name "livetopic". I will also be managing all the styling by CSS in 1.06b so you can make it look however you want it to.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01252 seconds
  • Memory Usage 1,798KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete