  #1  
10-05-2013, 05:50 AM
Digital Jedi
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171
Best Option for Escaping Double Quotes

I've created a text area in vBulletin Options for the re-release of the AME (Auto Media Embedding) modification. In this field, admins will be able to add lines of code to their SHOWTHREAD template's <body> or <head> tags. I did this for support of media embedding that requires only one instantiation per page of a code type (e.g. JavaScript code for Pinterest widgets) and to save people the need for template edits.

Everything works as expected, but I'm unsure on one thing. Since code is placed into this vB Options field, double quotes need to be escaped. I'm trying to make this as pain free for admins as possible, so I used addslashes() to automatically escape the code.

PHP Code:
$find = '</body>';
$optioncode = $vbulletin->options['automediaembed_extras_body'];
// escape the option text before it is inserted into the template
$replace = addslashes($optioncode);
$vbulletin->templatecache['SHOWTHREAD'] = str_replace($find, $replace . $find, $vbulletin->templatecache['SHOWTHREAD']);
I figure I don't actually need to put automediaembed_extras_body in its own variable, but I did so for neatness' sake, as I hadn't actually settled on where to put the output when I started the plugin.

What I'd like to know is if addslashes() is the best escape option here. Is it vulnerable to SQL injections, like I've been reading, in this context? I also had success with mysql_real_escape_string(), but will that fail to escape some special characters that need to be escaped?
  #2  
10-05-2013, 10:03 AM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

Edit: Sorry, my previous answer would be for vb4. You're right of course, a vb3 template is in a double quoted string so I think you'd want to escape double quotes, and also escape the dollar sign if you don't want them to be able to insert variables. Also, if you don't escape backslashes they will be able to insert characters using sequences like \n for newline, and if they want a literal backslash they'd need to use \\. I'm guessing that's not what you'd want for inserting html but you might want it for javascript, so I think you just have to make a choice of whether or not to escape backslashes.

You can use addcslashes() to list the characters you want to escape, so I think you'd want either $replace = addcslashes($optioncode, '"$\\'); or $replace = addcslashes($optioncode, '"$');

Escaping double quotes avoids a problem where they could insert arbitrary php code, but I don't see any risk with SQL injections because you're not using the text in a query.

ETA: Now that I think about it more I think you *would* want to include backslash in the escaped characters, because even if you want to use a \n (for example) in a javascript string, you'd want to include a literal backslash and not have php interpret the \n.
Thanks from: Digital Jedi
  #3  
10-05-2013, 02:35 PM
Digital Jedi
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171

Thanks! I had not heard of addcslashes(). That seems more apropos in this case. Yeah, if the double quotes aren't escaped it will turn up the dreaded unexpected T_STRING error.

Also yes, I think this would be primarily used for JavaScript blocks, and possibly CSS in rare cases. So '"$\'" makes sense. Is there any instance where I'd want to prevent the insertion of newline?
  #4  
10-05-2013, 02:48 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

Quote:
Originally Posted by Digital Jedi
Also yes, I think this would be primarily used for JavaScript blocks, and possibly CSS in rare cases. So '"$\'" makes sense. Is there any instance where I'd want to prevent the insertion of newline?
Not that I can think of; it's just a matter of what would be more convenient. But like I added above, I can't think of any reason that you'd want to allow a newline character to be inserted, so I think it might be better to escape backslashes so that it's easier to use the backslash character in javascript.

BTW, someone asked about this in the past so I've thought about it, but I don't have experience with it so this is all kind of theoretical.
  #5  
10-05-2013, 03:03 PM
Digital Jedi
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171

I'll test run some scenarios and see if I can think of any issues that will come up. Thanks again.
  #6  
10-18-2013, 04:15 PM
Digital Jedi
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171

For whatever reason, and I can't tell you why (though probably forgetfulness), I went with mysql_escape_string() and, naturally, ran into errors with users running, I'm assuming, vB 3 on PHP 5.5. mysql_escape_string() is deprecated at this point.

I'm switching to addcslashes($LikeIWasToldToo) and ran into discussions on PDO::quote(). While people are saying it's not a replacement for mysql_escape_string(), the manual is saying you should use it instead. I'm wondering if it's applicable or beneficial here.

In any event, this is what I'm going with:
PHP Code:
$find = '</head>';
$optioncode = $vbulletin->options['automediaembed_extras_head'];
// escape the two characters PHP would otherwise interpret inside the double-quoted template
$replace = addcslashes($optioncode, '$"');
$vbulletin->templatecache['SHOWTHREAD'] = str_replace($find, $replace . $find, $vbulletin->templatecache['SHOWTHREAD']);
I take it, I shouldn't run into PHP version issues with this?
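The following PHP script is an added example; it is not code from this thread or from the AME modification. It simulates the point kh99 makes in post #2, that a vB3 template is evaluated inside a double-quoted PHP string, and runs the option text through each escaping choice discussed in the thread: no escaping, addslashes(), addcslashes() with and without the backslash, the '$"' call from post #6, and PDO::quote(). The render_vb3_template() function, the inject_before_body() helper, the sample snippet, the $dbpassword stand-in variable and the use of the pdo_sqlite driver for PDO::quote() are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for how vB3 renders a template: the cached template text
// is wrapped in a double-quoted PHP string and eval()'d. That is why ", $ and \
// inside the template are interpreted by PHP instead of being passed through.
// (Constructed for this example; real vB3 does more, but this is the part that matters.)
function render_vb3_template(string $template): string
{
    // Stand-in for variables that are in scope when vB3 evaluates a template
    // (constructed value; shows what an unescaped $ can reach).
    $dbpassword = 'hunter2';
    $out = '';
    try {
        eval('$out = "' . $template . '";');
    } catch (ParseError $e) {
        return 'PARSE ERROR: ' . $e->getMessage();
    }
    return $out;
}

// Same insertion the thread's code performs: the snippet goes just before </body>.
function inject_before_body(string $template, string $escapedSnippet): string
{
    return str_replace('</body>', $escapedSnippet . '</body>', $template);
}

// Apply each escaping choice from the thread and render the result.
function compare_escaping(string $template, string $snippet): array
{
    $variants = [
        'raw (no escaping)'            => $snippet,
        'addslashes()'                 => addslashes($snippet),
        'addcslashes(..., \'"$\')'     => addcslashes($snippet, '"$'),
        'addcslashes(..., \'$"\')'     => addcslashes($snippet, '$"'),   // post #6, same set of characters
        'addcslashes(..., \'"$\\\\\')' => addcslashes($snippet, '"$\\'), // kh99's ETA: backslash included
    ];
    if (extension_loaded('pdo_sqlite')) {
        // PDO::quote() produces an SQL string literal: it wraps the value in
        // single quotes and doubles embedded single quotes. It never touches " or $,
        // so it is not an escaping function for this (PHP string) context.
        $variants['PDO::quote()'] = (new PDO('sqlite::memory:'))->quote($snippet);
    }
    $results = [];
    foreach ($variants as $label => $escaped) {
        $results[$label] = render_vb3_template(inject_before_body($template, $escaped));
    }
    return $results;
}

$template = '<html><body>thread content</body></html>';

// What an admin might paste into the option (constructed). It deliberately
// contains double quotes, single quotes, a JavaScript \n escape and a $.
$snippet = '<script>var t = "Title"; var u = \'User\'; var s = "a\\nb"; var p = $dbpassword;</script>';

foreach (compare_escaping($template, $snippet) as $label => $rendered) {
    echo "--- {$label} ---\n{$rendered}\n\n";
}
```

Running it shows the behaviour each post describes. The raw snippet ends PHP's string at the first double quote and eval() throws a ParseError (the "unexpected T_STRING" class of error from post #3). addslashes() keeps the string intact but leaves $dbpassword to be interpolated (the rendered page contains hunter2) and turns 'User' into \'User\', which PHP passes through unchanged and which is not valid JavaScript outside a string. The two addcslashes() calls that omit the backslash, '"$' and post #6's '$"' (the order of characters is irrelevant), protect the string and the $ but let PHP turn the JavaScript \n into a real newline inside the JS string literal. Only addcslashes($snippet, '"$\\') renders the snippet byte for byte as the admin typed it. PDO::quote() wraps the value in single quotes for SQL and leaves " and $ alone, so the eval() fails just as it does for the raw snippet; it is the right tool for SQL literals and the wrong one here. Escaping $ matters beyond simple variables: in a double-quoted string PHP also evaluates {$obj->method()} forms, so an unescaped option value could reach any object in the rendering scope. On the version question from post #6, addcslashes() has been available since PHP 4 and still is in PHP 8, whereas mysql_escape_string() was deprecated in PHP 5.3 and removed with the rest of the mysql extension in PHP 7.0.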