stristr error
by Mases
Version: Unknown
Released: 03-01-2012   Last Update: Never   Installs: 0

No support by the author.

I'm getting a very similar error to the one mentioned in this thread.

I upgraded to ibProArcade v2.7.2+ yesterday and I'm getting this error at the top of the index page of the arcade.

Quote:
Warning: stristr() [function.stristr]: needle is not a string or an integer in [path]/arcade.php on line 5550
The arcade is functional and when I go to play the game, that error is gone. When I go to submit a high score, I see the same error, but on two consecutive lines. My high score is able to submit properly and there doesn't seem to be any noticeable issue... other than the glaring error at the top of the page.


Comments
#2
03-02-2012, 07:31 AM
Bluefin221
Join Date: Jul 2008
Location: Scotland
Posts: 290
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

Just updated and also have this error.
#3
03-02-2012, 09:58 PM
Hippy
Join Date: Dec 2001
Location: USA, New Jersey
Posts: 2,392
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

https://vborg.vbsupport.ru/showpost.php?p=2304863&postcount=13
#4
03-04-2012, 04:38 AM
Mases
Join Date: Jan 2008
Posts: 22
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

@Hippy

I tried those changes and it did not affect this error. The error points to line 5550...

I've looked at the arcade.php file and line 5550 comes up as....

PHP Code:
$inthis = str_ireplace($replacethis, $withthis, $inthis);
The full context of this section is...

PHP Code:
function recursive_str_ireplace($replacethis, $withthis, $inthis)
{
    while (1 == 1)
    {
        // str_ireplace() accepts either a string or an array of needles...
        $inthis = str_ireplace($replacethis, $withthis, $inthis);
        // ...but stristr() accepts only a string needle, and ibp_cleansql() passes the $sqlcomm array in here
        if (stristr($inthis, $replacethis) === FALSE)
        {
            return $inthis;
        }
    }
    return $inthis;
}


Any help would be appreciated.
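The warning Mases quotes comes from the stristr() call in the function above: ibp_cleansql() passes the whole $sqlcomm array as $replacethis, and while str_ireplace() accepts an array of needles, stristr() accepts only a string. On PHP 5 that produces "needle is not a string or an integer" and stristr() returns FALSE, so the loop exits after a single pass (which is why the arcade keeps working); on PHP 8 the same call throws a TypeError instead. Below is an added example in PHP, not code from arcade.php or from anyone in this thread, of a replacement helper that accepts a string or an array of needles, loops only while some needle is still present, and caps the number of passes so a replacement text that itself contains a needle cannot spin forever. The function name, the $maxPasses cap and the sample strings are my own assumptions.

```php
<?php
// Added example: not code from arcade.php or from this thread.
// recursive_str_ireplace() in arcade.php checks for leftovers with
// stristr($inthis, $replacethis), which only accepts a string needle; the
// caller hands it the $sqlcomm array, hence the warning. This version accepts
// a string or an array of needles and tests each one with stripos() instead.
// The function name, the $maxPasses cap and the sample inputs are assumptions.

function recursive_str_ireplace_safe($replacethis, $withthis, $inthis, $maxPasses = 50)
{
    // Normalise the needle(s) to a list of non-empty strings. An empty needle
    // would make str_ireplace() a no-op and the "still present" test meaningless.
    $needles = array();
    foreach ((array) $replacethis as $needle) {
        $needle = (string) $needle;
        if ($needle !== '') {
            $needles[] = $needle;
        }
    }
    if ($needles === array() || $inthis === '') {
        return $inthis;
    }

    for ($pass = 0; $pass < $maxPasses; $pass++) {
        // One pass: str_ireplace() handles an array of needles natively.
        $inthis = str_ireplace($needles, $withthis, $inthis);

        // Does any needle survive the pass (e.g. "selSELECTect" -> "select")?
        $remaining = false;
        foreach ($needles as $needle) {
            if (stripos($inthis, $needle) !== false) {
                $remaining = true;
                break;
            }
        }
        if (!$remaining) {
            return $inthis;
        }
    }

    // Reached only if $withthis re-creates a needle on every pass (e.g.
    // replacing "or" with "xorx"); the original while (1 == 1) loop would
    // never return in that situation.
    trigger_error('recursive_str_ireplace_safe: no convergence after ' . $maxPasses . ' passes', E_USER_WARNING);
    return $inthis;
}

// Constructed sample inputs (not taken from the thread):
$needles = array('select', 'or', 'and');

// Nested keyword that only appears after the first pass; needs two passes.
echo recursive_str_ireplace_safe($needles, '', 'selSELECTect * from highscores'), "\n";

// A single string needle still works, as with the original signature.
echo recursive_str_ireplace_safe('or', '', 'score board'), "\n";

// Replacement that contains the needle: returns after $maxPasses passes with
// a warning instead of hanging the request.
echo recursive_str_ireplace_safe('or', 'xorx', 'or', 3), "\n";
```

The second sample also shows the side effect VBDev raises later in the thread: the needle "or" is stripped out of the unrelated word "score", because the function has no idea where a word starts or ends.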
#5
03-04-2012, 05:14 AM
Hippy
Join Date: Dec 2001
Location: USA, New Jersey
Posts: 2,392
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

Compare v2.7.1 and 2.7.2 and remove or comment out that code. In the link above,
stangger5 posted what will work in its place till Mrz figures out the issue;
it fixes the security issue.

I updated 20+ arcades and 1/4 of them don't like this code..
It's a server issue, I am guessing.
#6
03-07-2012, 05:56 PM
VBDev
Join Date: Jan 2004
Location: France
Posts: 2,570
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

I have used stangger5's fix but was getting the reported issue with stristr on a customer forum.

I did the edit below; the code does the same and is simpler.

In arcade.php, find the ibp_cleansql function and search for:
PHP Code:
// remove any SQL-commands 
Add below:
PHP Code:
$sqlcomm = array(); 
Then search for:
PHP Code:
$value = recursive_str_ireplace($sqlcomm, '', $value); 
Comment it out:
PHP Code:
// $value = recursive_str_ireplace($sqlcomm, '', $value); 
Add after:
PHP Code:
    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    } 
That does the same but is far simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue in a rather ugly way...
That bit of code could remove actual correct content...
2 thanks from:
Hippy, stangger5
#7
03-08-2012, 12:25 AM
stangger5
Join Date: Jan 2005
Location: Online
Posts: 1,130
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

I didn't upgrade to 2.7.2 for just two edits..

My one edit to the arcade.php file and the mod_arcade.php..

So my arcade doesn't have any of the:
PHP Code:
// remove any SQL-commands 
code..

Thanks for the code update, VBDev!!
#8
03-08-2012, 03:42 AM
Hippy
Join Date: Dec 2001
Location: USA, New Jersey
Posts: 2,392
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

Quote:
Originally Posted by VBDev
I have used stangger5's fix but was getting the reported issue with stristr on a customer forum.

I did the edit below; the code does the same and is simpler.

In arcade.php, find the ibp_cleansql function and search for:
PHP Code:
// remove any SQL-commands 
Add below:
PHP Code:
$sqlcomm = array(); 
Then search for:
PHP Code:
$value = recursive_str_ireplace($sqlcomm, '', $value); 
Comment it out:
PHP Code:
// $value = recursive_str_ireplace($sqlcomm, '', $value); 
Add after:
PHP Code:
    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    } 
That does the same but is far simpler...

Though I must admit that Mrz fixed the 2.7.1 security issue in a rather ugly way...
That bit of code could remove actual correct content...
So it should look like this?
Code:
function ibp_cleansql($value) 
{ 
	if( get_magic_quotes_gpc() ) 
	{ 
		$value = stripslashes( $value ); 
	} 
	//check if this function exists 
	if( function_exists( "mysql_real_escape_string" ) ) 
	{ 
		$value = mysql_real_escape_string( $value ); 
	} 
	//for PHP version < 4.3.0 use addslashes 
	else 
	{ 
		$value = addslashes( $value ); 
	}

	// remove any SQL-commands
	$sqlcomm = array();  
	$sqlcomm[] = 'create';
	$sqlcomm[] = 'database';
	$sqlcomm[] = 'table';
	$sqlcomm[] = 'insert';
	$sqlcomm[] = 'update';
	$sqlcomm[] = 'rename';
	$sqlcomm[] = 'replace';
	$sqlcomm[] = 'select';
	$sqlcomm[] = 'handler';
	$sqlcomm[] = 'delete';
	$sqlcomm[] = 'truncate';
	$sqlcomm[] = 'drop';
	$sqlcomm[] = 'where';
	$sqlcomm[] = 'or';
	$sqlcomm[] = 'and';
	$sqlcomm[] = 'values';
	$sqlcomm[] = 'set';
	$sqlcomm[] = 'password';
	$sqlcomm[] = 'salt';
	$sqlcomm[] = 'concat';
	$sqlcomm[] = 'schema';
	//$value = recursive_str_ireplace($sqlcomm, '', $value);
    foreach ($sqlcomm AS $key => $needle)
    {
        $value = str_ireplace($needle, '', $value);
    }
	return $value; 
}
I've been using stangger5's edit and it works on every update I did..
I am just wondering at this moment.. thanks
Attached Files: (21.4 KB, 277 views)
Thanks from:
dlewisr
#9
03-08-2012, 09:53 AM
VBDev
Join Date: Jan 2004
Location: France
Posts: 2,570
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

Yep.

Dunno why, but I didn't have that error on my install, but a customer had the issue.

Anyways, I don't know the root cause of this function, but honestly that shouldn't be done like that... It removes potential words from comments, for example... That sucks.

--------------- Added 03-08-2012 at 10:53 AM ---------------

Quote:
Originally Posted by stangger5
I didn't upgrade to 2.7.2 for just two edits..

My one edit to the arcade.php file and the mod_arcade.php..

So my arcade doesn't have any of the:
PHP Code:
// remove any SQL-commands 
code..

Thanks for the code update, VBDev!!
But if I understand correctly, those fixed a security issue, but I guess you fixed it manually.
#10
03-09-2012, 01:11 AM
stangger5
Join Date: Jan 2005
Location: Online
Posts: 1,130
Gave thanks: 0 times
Received thanks: 0 times in 0 posts

The security issue was s_id, which allowed it to be a string when it was supposed to be an int; that is what allowed the exploit.
Comments should be OK because of the way strings are put in the database..
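Taking VBDev's objection (#9) and stangger5's description of the actual hole (#10) together, here is an added example in PHP, not code from ibProArcade or from anyone in this thread. It runs the posted keyword list over an ordinary comment to show what the blacklist does to legitimate text, then shows the two things that actually close the hole stangger5 describes: an s_id that is validated and cast to int before it goes anywhere near SQL, and free-text fields bound as query parameters rather than filtered. The function names, the sample comment and the comments table are my own assumptions; the PDO part uses an in-memory SQLite database and is skipped when the pdo_sqlite extension is not loaded.

```php
<?php
// Added example: not code from arcade.php, ibProArcade or this thread.
// Contrasts the keyword blacklist in ibp_cleansql() with the fix stangger5
// describes (s_id must be an integer) and with parameterised queries for the
// string fields. Function names, sample text and the table are assumptions.

// Same word list as the posted ibp_cleansql(), applied the way VBDev's edit does.
function blacklist_strip($value)
{
    $sqlcomm = array('create', 'database', 'table', 'insert', 'update', 'rename',
        'replace', 'select', 'handler', 'delete', 'truncate', 'drop', 'where',
        'or', 'and', 'values', 'set', 'password', 'salt', 'concat', 'schema');
    foreach ($sqlcomm as $needle) {
        $value = str_ireplace($needle, '', $value);
    }
    return $value;
}

// The fix for the real issue: a parameter that must be an integer is checked
// to be a plain run of digits and converted, so a string can never reach the
// query. Anything else is rejected (null) rather than "cleaned".
function clean_int_param($raw)
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $raw = trim((string) $raw);
    // ctype_digit() rejects signs, spaces, quotes and anything like "1 OR 1=1".
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

// For free text (comments, usernames) nothing is stripped; the value is bound
// as a parameter, so SQL keywords inside it are just characters.
function insert_comment(PDO $db, $sId, $comment)
{
    $stmt = $db->prepare('INSERT INTO comments (s_id, body) VALUES (:s_id, :body)');
    $stmt->bindValue(':s_id', $sId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $comment, PDO::PARAM_STR);
    $stmt->execute();
    // Read it back to show the text survived unchanged.
    return $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 1')->fetchColumn();
}

// Constructed sample inputs (not taken from the thread):
$comment = 'Update: I reset my password and the score table is sorted';
echo "blacklist: ", blacklist_strip($comment), "\n";

var_dump(clean_int_param('42'));        // plain digits: accepted as int
var_dump(clean_int_param('42 OR 1=1')); // not digits only: rejected
var_dump(clean_int_param("42'"));       // stray quote: rejected

if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, s_id INTEGER, body TEXT)');
    echo "bound:     ", insert_comment($db, clean_int_param('42'), $comment), "\n";
}
```

The point of the contrast is the one VBDev makes: "update", "table", "password", "and", "set" and the "or" inside "score" and "sorted" are all ordinary English here, and the blacklist shreds them, while it does nothing that a typed integer parameter and a bound string parameter do not already do better.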
All times are GMT. The time now is 08:51 PM.

