Mystery file

[Lionel]

I am trying to create my very first hack which is adding a description with attachment. Since nothing gets updated at posting time, I tried to do a view source to see if the value was parsed.... And guess what? The view source does not show the existence of attachment!!!! Where is that file??? Even here at vb.org, I cannot view the source of attachment that I just uploaded while in newthread.php

I can only see the line about valid extensions, then right after, the line for "manage attachments". The in between remains a mystery.

[Link14716]

I'm pretty sure it is done by JavaScript.

[Lionel]

I managed to locate it in newattachment.php. Now it's a matter of inserting that description into the newly created field in attachment table.

[akanevsky]

Quote:

I'm pretty sure it is done by JavaScript.

It is so.
If you turn off javascript, you won't be able to see anything in the place of that screenshot. Therefore, the best place to create the option that would enable users to enter attachment descriptions is the upload screen .

What you would need is:
A template change;
A new button (update description information)
A php file modification that would update the attachment record

Pretty easy.

[Lionel]

I called the textarea field :

name="caption" value="$attach[caption]"

and in functions_newpost.php, I did:

Quote:

// now update the attachments .. if we have any visible OR not, otherwise the hourly cleanup will wipe them out

if ($totalattachments)



$caption = '';
{


$DB_site->query("

UPDATE " . TABLE_PREFIX . "attachment

SET postid = $post[postid], posthash = '', caption = $attach[caption]

WHERE posthash = '" . addslashes($post['posthash']) . "'

AND userid = $bbuserinfo[userid]

");

That gives me a database error

[akanevsky]

Of course it does. This is really improper use of MySQL... And I really think that before writing your applications, you should read the tutorial and security tips.

However, I appreciate you trying to be creative, so there you go:
1. In MySQL queries, always enclose values into single quotes ('). That is how the script knows, where the string starts and where it ends.
2. In MySQL queries, when there is user input that cannot be validated, always use addslashes function.

Therefore, the correct query would be:

Code:

$DB_site->query("

UPDATE " . TABLE_PREFIX . "attachment

SET postid = $post[postid], posthash = '', caption = '" . addslashes($attach[caption]) . "'

WHERE posthash = '" . addslashes($post['posthash']) . "'

AND userid = $bbuserinfo[userid]

");

Note: I used double quotes (") to escape from the string and to be able to use the addslashes function Good luck with the rest.

[Lionel]

Ok, that got rid of the database error, but it did not go anywhere. Table attachment.caption did not get updated.

Maybe I should do it:
caption = '" . addslashes($_POST[caption])

[akanevsky]

Yes. I do not know what is the HTML name of you control, but if it is "caption", then yes More correct way would be $_POST['caption'] though

Also (but don't worry about it, you can add it when you develop the hack), you should globalize the caption variable through vbulletin's globalize array, then you can just access it as $caption

[Lionel]

I give up. It does not insert anywhere in attachment table.

Thanks for your help. Right now, If you go on my homepage you will see that I am able to put a description under image. Problem with current method, it uses $post[caption] and inserts value in post. So if there are more than image in post, it inserts same description for all.

[akanevsky]

Maybe you should use something like $attachment[caption] ? :P

Iight, you are editing the completely wrong query, so trace back all the changes. If you want, I can write that hack...