Thanks guys!!
Searching brought me here and great info!!
While I agree, adding username and/or adding a filename twice in a database is senseless for most cases .... let me explain my case and maybe some people can share their thoughts with me??
My hack's main purpose is to keep a history of file downloads.
Most importantly, my goal is to keep info that might get deleted by vB.
It logs username, userid, fileid, filename, dateline, ipaddress, and alt_ip for every download.
Example:
Private file gets leaked.
Author or a Moderator gets pissed and deletes post/file.
Result is the admins don't have a filename or fileid anymore to research from to track down the file leaker.
Meanwhile:
The leaker gets banned, or better yet, deleted for some other reason. Now the admins don't even have a username or userid to associate past downloads with.
Question 1) Does this sound like a good reason to save the filename and username?
So today someone ran into the Irish Syndrome, LOL.
Single Quote in username caused DB error.
After hearing that, I figure the filename error is right around the corner.
Sidenote A:
If you're wondering about the rawurldecode, it's in response to a bugfix.
http://www.vbulletin.com/forum/bugs35.php?bugid=691
Sidenote B:
If you're wondering about !$_GET['stc'], that is to hopefully prevent non-thumbnails from being logged .... like normal pictures in showthread .... because I find it's useless to track those since they load every thread read (when not yet cached on the user's PC).
Question 2) Am I SAFELY coding around username and filename correctly? This is an 'attachment_complete' hook I'm wishing to use.
PHP Code:
// only log when 'stc' is not set (see Sidenote B)
if (!$_GET['stc'])
{
    if ($vbulletin->userinfo['userid'])
    {
        // escape the username unless magic quotes already did
        $whodl_username = get_magic_quotes_gpc() ? $vbulletin->userinfo['username'] : addslashes($vbulletin->userinfo['username']);
    }
    // IE sends the filename URL-encoded (see Sidenote A)
    $whodl_filename = is_browser('ie') ? rawurldecode($attachmentinfo['filename']) : $attachmentinfo['filename'];

    $blunts_whodl_write = array(
        'userid'    => $vbulletin->userinfo['userid'],
        'username'  => $vbulletin->userinfo['userid'] ? $whodl_username : '',
        'filename'  => get_magic_quotes_gpc() ? $whodl_filename : addslashes($whodl_filename),
        'fileid'    => $vbulletin->input->clean_gpc('r', 'attachmentid', TYPE_UINT),
        'ipaddress' => $vbulletin->options['logip'] ? IPADDRESS : '',
        'alt_ip'    => $vbulletin->options['logip'] ? ALT_IP : '',
        'dateline'  => TIMENOW
    );

    // only write a row when we actually have an attachment id
    if ($blunts_whodl_write['fileid'])
    {
        $db->query_write("
            INSERT INTO " . TABLE_PREFIX . "blunts_whodownloaded_ip
            (
                userid,
                username,
                filename,
                fileid,
                ipaddress,
                alt_ip,
                dateline
            )
            VALUES
            (
                '" . $blunts_whodl_write['userid'] . "',
                '" . $blunts_whodl_write['username'] . "',
                '" . $blunts_whodl_write['filename'] . "',
                '" . $blunts_whodl_write['fileid'] . "',
                '" . $blunts_whodl_write['ipaddress'] . "',
                '" . $blunts_whodl_write['alt_ip'] . "',
                '" . $blunts_whodl_write['dateline'] . "'
            )
        ");
    }
}
Question 3) How will these things affect international users and their character systems??
Question 4) Are IPs OK as is or do they TOO need to be handled special and if so how?
OHHH, PS .... important info I suppose I should mention.
All 4 variables (username, filename, ipaddress, alt_ip) are all being saved to DB as VARCHAR's (I mean that's the data type I declare for those columns in my DB create).
EDITED (automerged) TO ADD.....
OK, I think I just figured out that vbulletin gets rid of get_magic_quotes_gpc inside class_core.php
So is this closer to what I need?
Just always addslashes no matter what?
Here's my modified top (the variables to be inserted):
PHP Code:
if (!$_GET['stc'])
{
    $whodl_filename = is_browser('ie') ? rawurldecode($attachmentinfo['filename']) : $attachmentinfo['filename'];

    // always addslashes, since vBulletin strips magic quotes in class_core.php
    $blunts_whodl_write = array(
        'userid'    => $vbulletin->userinfo['userid'],
        'username'  => $vbulletin->userinfo['userid'] ? addslashes($vbulletin->userinfo['username']) : '',
        'filename'  => addslashes($whodl_filename),
        'fileid'    => $vbulletin->input->clean_gpc('r', 'attachmentid', TYPE_UINT),
        'ipaddress' => $vbulletin->options['logip'] ? IPADDRESS : '',
        'alt_ip'    => $vbulletin->options['logip'] ? ALT_IP : '',
        'dateline'  => TIMENOW
    );
.......and then my db_write to insert them stayed the same.
I did make an O'reilly user and this last edit appears to be working so far.
I downloaded a couple files and phpmyadmin is reporting that exact name in the database for my downloads. How come there's no slashes being shown to me when inspecting phpmyadmin? I mean the name is there, and it didn't kick an error this time SO OBVIOUSLY the addslashes "did something to get the data in there" ... I guess I just don't understand where the slashes went, LOL.
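An added illustration (not from the post above or from vBulletin) of the two points the post circles around: the slashes from addslashes-style escaping live only in the SQL text and are consumed by the parser, so the stored value never contains them; and a parameterized insert needs no escaping at all and handles the O'Reilly case, non-ASCII usernames and blank IP strings identically. It uses Python's sqlite3 as a stand-in for the PHP/MySQL download-log table; the table, column sizes and sample rows are constructed here.

```python
import sqlite3

# Constructed sample downloads: (userid, username, filename, fileid, ip, alt_ip).
# Row 1 is the "Irish Syndrome" case, row 2 a non-ASCII name (Question 3),
# row 3 a guest whose username must not be recorded.
DOWNLOADS = [
    (7, "O'Reilly", "leaked file.zip", 42, "203.0.113.5", ""),
    (8, "Jürgen Müller", "résumé.pdf", 43, "198.51.100.9", "192.0.2.7"),
    (0, "Visitor", "it's a test.jpg", 44, "", ""),
]
CONSTRUCTED_NOW = 1700000000  # stands in for vBulletin's TIMENOW

def addslashes(value):
    """Mimic PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))

def escaped_literal(value):
    """The single-quoted literal that ends up inside a hand-built INSERT.
    The backslash is part of the SQL text only; MySQL's parser removes it
    while decoding the literal, so the table holds O'Reilly, not O\\'Reilly."""
    return "'" + addslashes(value) + "'"

def open_log():
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE whodownloaded (
        userid INTEGER, username VARCHAR(100), filename VARCHAR(255),
        fileid INTEGER, ipaddress VARCHAR(45), alt_ip VARCHAR(45),
        dateline INTEGER)""")
    return conn

def log_download(conn, userid, username, filename, fileid, ip, alt_ip, now):
    """Parameterized insert: values travel separately from the SQL, so no
    quoting is needed and no dialect-specific escaping can be wrong."""
    conn.execute(
        "INSERT INTO whodownloaded VALUES (?, ?, ?, ?, ?, ?, ?)",
        (int(userid), username if userid else "", filename,
         int(fileid), ip, alt_ip, int(now)))

def stored_usernames(conn):
    """What an inspection tool like phpMyAdmin would show for the column."""
    return [r[0] for r in conn.execute(
        "SELECT username FROM whodownloaded ORDER BY fileid")]

def log_all():
    conn = open_log()
    for row in DOWNLOADS:
        log_download(conn, *row, CONSTRUCTED_NOW)
    return stored_usernames(conn)
```

In the vBulletin code base the equivalent of hand-escaping is the database layer's own escape routine, `$db->escape_string()`, which escapes for the connection's actual character set; addslashes knows nothing about the character set.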