The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#11
Quote:
Thank you. OK, the addon is in the appendix.
#12
If it's an SQL injection problem, then it's probably these lines in EM2008.php:
Code:
$sql = "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets (user_id,em_game_number,bet_result,bet_home,bet_visitor) VALUES (".$vbulletin->userinfo['userid'].",".$game.",".$result['bet_result'].",".$result['home'].",".$result['visitor'].")";
At the very least, I'd do ...
Code:
$game = $db->escape_string($game);
$result['bet_result'] = $db->escape_string($result['bet_result']);
$result['home'] = $db->escape_string($result['home']);
$result['visitor'] = $db->escape_string($result['visitor']);
-- hugh
#13
--------------- Added [DATE]1201713109[/DATE] at [TIME]1201713109[/TIME] ---------------
Someone also pointed me to another place that is apparently a problem as well. To explain it:
Quote:
Someone wrote me: "Those are not strings, or at least should not be. => intval() or another method over them, to guarantee that they really are integers."
#14
Yes, I just pointed out the obvious one. There is other work that needs doing to properly sanitize your inputs.
Basically any user input you use in a query should be cleaned properly - that is, make sure it's been through the vBulletin GPC cleaner, and unless you have specific reasons not to, use escape_string. And of course NEVER use $_GET, $_POST or $_REQUEST directly. Always run all input through the vBulletin GPC cleaner.
Suggest you read this excellent article: https://vborg.vbsupport.ru/showthread.php?t=154411
-- hugh
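Putting the two points above together (GPC cleaner plus integer casting), here is an added example that is not the mod's or hugh's code: the quoted INSERT as posted, beside a version that reads the request only through vBulletin's GPC cleaner and casts the integer columns. The function names and the request parameter names are assumptions; the column names come from the quoted query.

```php
<?php
// Added example, not the mod's own code: the bet INSERT quoted from EM2008.php,
// as posted (unsafe) and as it looks after the fixes suggested in this thread.
// Assumes the vBulletin 3.x globals the thread refers to ($vbulletin, $db,
// TABLE_PREFIX); function names are hypothetical, column names are from the page.

// Before: every value is concatenated straight into the statement, so whatever
// arrives in $game / $result from the request becomes part of the SQL text.
function em08_insert_bet_unsafe($vbulletin, $db, $game, $result)
{
    $sql = "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets "
         . "(user_id,em_game_number,bet_result,bet_home,bet_visitor) VALUES ("
         . $vbulletin->userinfo['userid'] . "," . $game . ","
         . $result['bet_result'] . "," . $result['home'] . ","
         . $result['visitor'] . ")";
    $db->query_write($sql);
}

// After: read the request only through the GPC cleaner, cast the integer
// columns with TYPE_UINT/TYPE_INT (the intval() point from the quoted reply)
// and refuse rows that make no sense before touching the database.
function em08_insert_bet_safe($vbulletin, $db)
{
    // Request parameter names ('game', 'result', 'home', 'visitor') are assumed.
    $vbulletin->input->clean_array_gpc('r', array(
        'game'    => TYPE_UINT,
        'result'  => TYPE_INT,
        'home'    => TYPE_UINT,
        'visitor' => TYPE_UINT,
    ));
    $userid  = intval($vbulletin->userinfo['userid']);
    $game    = $vbulletin->GPC['game'];
    $bet     = $vbulletin->GPC['result'];
    $home    = $vbulletin->GPC['home'];
    $visitor = $vbulletin->GPC['visitor'];

    // A guest has userid 0 and a game number of 0 is never valid: reject both.
    if ($userid < 1 || $game < 1) {
        return false;
    }

    // Every value below is an int, so there is nothing left to inject with.
    $db->query_write(
        "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets "
        . "(user_id,em_game_number,bet_result,bet_home,bet_visitor) VALUES ("
        . $userid . "," . $game . "," . $bet . "," . $home . "," . $visitor . ")"
    );
    return true;
}

// Any column that must stay a string gets escape_string() plus quotes instead:
//   "'" . $db->escape_string($vbulletin->GPC['note']) . "'"
```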
#15
Thank you @all.
The thread can be closed!