Quote:
Originally Posted by VBDev
I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.
I did the edit below; the code will do the same and is simpler.
In arcade.php search for the ibp_cleansql function, search for
PHP Code:
// remove any SQL-commands
Add below:
PHP Code:
$sqlcomm = array();
Then search for:
PHP Code:
$value = recursive_str_ireplace($sqlcomm, '', $value);
Comment it out:
PHP Code:
// $value = recursive_str_ireplace($sqlcomm, '', $value);
Add after:
PHP Code:
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}
That does the same but is a fair bit simpler...
Though I must admit that Mrz fixed the 2.7.1 security issue rather badly...
That bit of code could remove actual correct content ...
I made these changes, but now the error moved down one line.
Fatal error: Call to undefined function: str_ireplace() in /home/ls2com/public_html/forums/arcade.php on line 5601
Does 2.7.2 now require PHP 5?
My code in arcade.php:
Code:
// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
// $value = recursive_str_ireplace($sqlcomm, '', $value);
// str_ireplace() only exists as a built-in from PHP 5.0 onwards
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}
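Two things the thread leaves open: how to get the loop running on a PHP 4 host where str_ireplace() is undefined, and what the keyword stripping VBDev warns about does to ordinary text. The block below is an added example, not code from the thread or from arcade.php; the fallback definition and the function name ibp_strip_sql_words are assumptions, and the keyword list is the one posted above (strings only, unlike the array-aware recursive_str_ireplace the patch replaced).

```php
<?php
// Added example: PHP 4 fallback for str_ireplace() plus a check of the
// collateral damage done by the posted keyword-stripping loop.

// str_ireplace() is built in from PHP 5.0; on PHP 4 this defines a
// compatible single-needle version using a case-insensitive preg_replace.
if (!function_exists('str_ireplace')) {
    function str_ireplace($needle, $replace, $haystack)
    {
        $pattern = '/' . preg_quote($needle, '/') . '/i';
        return preg_replace($pattern, $replace, $haystack);
    }
}

// Same keyword list and loop as the posted patch; name is hypothetical.
function ibp_strip_sql_words($value)
{
    $sqlcomm = array('create', 'database', 'table', 'insert', 'update',
        'rename', 'replace', 'select', 'handler', 'delete', 'truncate',
        'drop', 'where', 'or', 'and', 'values', 'set', 'password', 'salt',
        'concat', 'schema');
    foreach ($sqlcomm as $needle) {
        $value = str_ireplace($needle, '', $value);
    }
    return $value;
}

// Constructed inputs: the filter matches substrings, not SQL tokens, so
// harmless words such as place names lose letters (e.g. "Andorra" loses
// "or" and then "and", leaving "ra"). This is the content loss VBDev
// describes, and why keyword blacklists are a poor substitute for
// escaping or parameterised queries.
$samples = array('Andorra', 'Dropbox', 'Tableau', 'Orlando');
foreach ($samples as $s) {
    echo $s, ' => ', ibp_strip_sql_words($s), "\n";
}
```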