stristr error

I'm getting a very similar error as was mentioned in this thread

I upgraded to ibProArcade v2.7.2+ yesterday and I'm getting this error at the top of the index page of the arcade.

Quote:

Warning: stristr() [function.stristr]: needle is not a string or an integer in [path]/arcade.php on line 5550

The arcade is functional and when I go to play the game, that error is gone. When I go to submit a high score, I see the same error, but on two consecutive lines. My high score is able to submit properly and there doesn't seem to be any noticeable issue... other than the glaring error at the top of the page.

[gsmlover4u]

Quote:

Originally Posted by VBDev

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for

PHP Code:

// remove any SQL-commands 


Add below :

PHP Code:

$sqlcomm = array(); 


Then search for :

PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value); 


Comment it out :

PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 


Add after :

PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    } 


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

there is nothing in arcade.php

[VBDev]

Quote:

Originally Posted by stangger5

The security issue was s_id was allowed to be a string when it was supposed to be a int, that is what allowed the exploit.
Comments should be ok because of the way strings are put in the database.

Yeah, hence what I said he over corrected...

IMO, IBProArcade really needs a cleanup of the code one day...

Quote:

Originally Posted by gsmlover4u

there is nothing in arcade.php

If you haven't installed 2.7.2 there indeed is nothing.

[gsmlover4u]

i installed 2.7.2+

https://vborg.vbsupport.ru/showthrea...01554&page=442

[Hippy]

Quote:

Originally Posted by gsmlover4u

i installed 2.7.2+

https://vborg.vbsupport.ru/showthrea...01554&page=442

confused

[gsmlover4u]

why you confused sir

[stangger5]

Quote:

Originally Posted by gsmlover4u

i installed 2.7.2+

https://vborg.vbsupport.ru/showthrea...01554&page=442

Quote:

Originally Posted by gsmlover4u

there is nothing in arcade.php

Quote:

Originally Posted by gsmlover4u

why you confused sir

You said,,,you installed 2.7.2+ and the code below isnt in the arcade.php file..

PHP Code:

// remove any SQL-commands 


Look on line 5575 in the arcade.php file..

[boggseric]

Quote:

Originally Posted by VBDev

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for

PHP Code:

// remove any SQL-commands 


Add below :

PHP Code:

$sqlcomm = array(); 


Then search for :

PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value); 


Comment it out :

PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 


Add after :

PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    } 


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

I made these changes but now there error moved down one line.

Fatal error: Call to undefined function: str_ireplace() in /home/ls2com/public_html/forums/arcade.php on line 5601


2.7.2 does it now required PHP5?

my code in arcade.php

Code:

// remove any SQL-commands
	$sqlcomm = array();
	$sqlcomm[] = 'create';
	$sqlcomm[] = 'database';
	$sqlcomm[] = 'table';
	$sqlcomm[] = 'insert';
	$sqlcomm[] = 'update';
	$sqlcomm[] = 'rename';
	$sqlcomm[] = 'replace';
	$sqlcomm[] = 'select';
	$sqlcomm[] = 'handler';
	$sqlcomm[] = 'delete';
	$sqlcomm[] = 'truncate';
	$sqlcomm[] = 'drop';
	$sqlcomm[] = 'where';
	$sqlcomm[] = 'or';
	$sqlcomm[] = 'and';
	$sqlcomm[] = 'values';
	$sqlcomm[] = 'set';
	$sqlcomm[] = 'password';
	$sqlcomm[] = 'salt';
	$sqlcomm[] = 'concat';
	$sqlcomm[] = 'schema';
	// $value = recursive_str_ireplace($sqlcomm, '', $value);
	foreach ($sqlcomm AS $key => $needle) 
    { 
        $value = str_ireplace($needle, '', $value); 
    }

[hohleweg]

Hey

Quote:

function ibp_cleansql($value)
{
if( get_magic_quotes_gpc() )
{
$value = stripslashes( $value );
}
//check if this function exists
if( function_exists( "mysql_real_escape_string" ) )
{
$value = mysql_real_escape_string( $value );
}
//for PHP version < 4.3.0 use addslashes
else
{
$value = addslashes( $value );
}

// remove any SQL-commands
$sqlcomm = array();
$sqlcomm[] = 'create';
$sqlcomm[] = 'database';
$sqlcomm[] = 'table';
$sqlcomm[] = 'insert';
$sqlcomm[] = 'update';
$sqlcomm[] = 'rename';
$sqlcomm[] = 'replace';
$sqlcomm[] = 'select';
$sqlcomm[] = 'handler';
$sqlcomm[] = 'delete';
$sqlcomm[] = 'truncate';
$sqlcomm[] = 'drop';
$sqlcomm[] = 'where';
$sqlcomm[] = 'or';
$sqlcomm[] = 'and';
$sqlcomm[] = 'values';
$sqlcomm[] = 'set';
$sqlcomm[] = 'password';
$sqlcomm[] = 'salt';
$sqlcomm[] = 'concat';
$sqlcomm[] = 'schema';
//$value = recursive_str_ireplace($sqlcomm, '', $value);
foreach ($sqlcomm AS $key => $needle)
{
$value = str_ireplace($needle, '', $value);
}
return $value;
}

with this code it work fine!
Greetings Jo

[silpher]

Quote:

Originally Posted by VBDev

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for

PHP Code:

// remove any SQL-commands 


Add below :

PHP Code:

$sqlcomm = array(); 


Then search for :

PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value); 


Comment it out :

PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 


Add after :

PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    } 


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thanks, that worked for me

[CristianoDiaz]

Quote:

Originally Posted by VBDev

I have used stangger5 fix but was getting the reported issue with stristr on a customer forum.

I did the below edit, code will do the same and is simpler.

In arcade.php search for the ibp_cleansql function, search for

PHP Code:

// remove any SQL-commands 


Add below :

PHP Code:

$sqlcomm = array(); 


Then search for :

PHP Code:

$value = recursive_str_ireplace($sqlcomm, '', $value); 


Comment it out :

PHP Code:

// $value = recursive_str_ireplace($sqlcomm, '', $value); 


Add after :

PHP Code:

    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    } 


That does the same but is fairly simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue rather uglily...
That bit of code could remove actual correct content ...

Thank you! This fixed the problem for me, it's been driving me nuts.