vb.org Archive - View Single Post

phenomenon · #**1785** 09-17-2003, 08:25 PM

I need quick clarification that I'm not going to have security issues later -- I PM'd tigga a few days ago, but have never heard back, and I'm a bit concerned in the meantime:

I set up an if statement to have multiple 'news' pages. Basically I have a home page that reads from the News forum, then I have game pages that act as portals as well -- they read not only from their own news sections, but their own polls sections, and their own $custom templates. I did all this using and slightly altering the 'if' statement code posted earlier in this thread -- basically updated it to include swapping out custom templates for other custom templates in the if using evals. That code all works fine.

What wasn't working was setting up the $threadbits (the 'latest topics') to read from ONLY ONE SPECIFIC FORUM
on the game - pages. So to be utterly clear: My HOME page reads ALL latest threads (depending on the users perms as set in $iforumperms). The sub-game home page should read ONLY from a single public gaming forum.

There are posts in this thread on how to do this (using AND forumid!=XX in specific places in the permissions code) to exclude forums from ALL threadbits, no matter what home page or sub-home page is being used. However, in order to accomplish what I want to do, which is exclude all forums except the one I want on specific sub-home pages (my game pages), I had to copy and paste the threadbits code into my if statement, then from that specific $threadbits code I had to remove the $iforumperms:

PHP Code:


			
 WHERE open<>10 $iforumperms ORDER BY lastpost DESC LIMIT $maxlatethreads");

and replace it with AND forumid=2 like this:

PHP Code:


			
WHERE open<>10 AND forumid=2 ORDER BY lastpost DESC LIMIT $maxlatethreads");

Ok, THIS WORKED FINE -- the sub game home page seems to only read posts from that forum who's id = 2, and from nowhere else. The News page still reads from $iforumperms and shows whatever the user is allowed to see based on their group or settings.

My question is: Is this going to cause a security problem in the future that anyone can think of?

http://beast.markofthebeast.net home page
http://beast.markofthebeast.net?action=swg game page

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01201 seconds Memory Usage 1,769KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_php (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: