Alternate fix to injection code in comments

So, in another thread it was mentioned that the current fix may get the job done, its also filtering out good data. There must be some proper solution to handle incoming comment data securely. I thought I would start a discussion in regards to finding an alternate fix to the problem then the one currently available.

The problem: Users input data into comments that is executed and causes trouble.

Solution ideas: Escape incoming data so that it cannot execute? Allow only alphanumeric comment data and write the SQL statements so that they cannot be broken out?

I will be the first to admit I am not a professional coder, although I do write a lot of code myself. I haven't taken a long look at how the comments are currently handled, but plan to. Lets pool some ideas and help MrZeroPage come up with a more solid fix!

[Mark.B]

But the code Stangger has posted is NOT what changed in 2.7.2.

[Hippy]

stangger5 knows this mod better than anyone here.. so trust what he says ...
he has tested this out for the last few days...

[stangger5]

Quote:

Originally Posted by Mark.B

But the code Stangger has posted is NOT what changed in 2.7.2.

MrZ changed this:
2.7.1

PHP Code:

$ibforums->input['s_id'] = ibp_cleansql($ibforums->input['s_id']); 


to this:
2.7.2

PHP Code:

$ibforums->input['s_id'] = intval(ibp_cleansql($ibforums->input['s_id'])); 


I have this:

PHP Code:

$ibforums->input['s_id'] = intval($ibforums->input['s_id']); 


MrZ`s code is tring to clean the int data .
I`m no guru like MrZ...

--------------- Added [DATE]1330558171[/DATE] at [TIME]1330558171[/TIME] ---------------

To get this thread back on track,,here is a very good read for the ones wanting to learn some of the vBulletin Input Cleaner..

Using the vBulletin Input Cleaner

[rpgamersnet]

I guess my question was just if the other part that was added is needed, the looping replace function that removes SQL words from comments (but also removes good data). It is near the bottom of the 2.7.2 arcade.php ... needed or just playing it safe?

[stangger5]

I think,,its playing it safe...Which is not a bad thing these days...

I`m looking into using the vBulletin Input Cleaner instead of the ibp_cleansql..

[Hippy]

Quote:

Originally Posted by rpgamersnet

I guess my question was just if the other part that was added is needed, the looping replace function that removes SQL words from comments (but also removes good data). It is near the bottom of the 2.7.2 arcade.php ... needed or just playing it safe?

what good data is it removing ?

[rpgamersnet]

Quote:

Originally Posted by Hippy

what good data is it removing ?

If you refer to this post: https://vborg.vbsupport.ru/showpost....91&postcount=5

The code I am asking about is the loop that removes all the SQL keywords from the comments. Most I'm sure won't come across in normal comments, but filtering out parts like "or" and "and" are going to catch and mess up standard comments, as given in the example on that post.

"I got the high score!" becomes "I got the high sce!"

"Got a great hand on the last round!" -> "Got a great h on the last round"

Some basic words will get filtered as well, not just the bad SQL data, which is why I suggested that maybe this fix is not the best solution. Code I am questioning is quoted here:

PHP Code:

function recursive_str_ireplace($replacethis,$withthis,$inthis)
{
    while (1==1)
    {
        $inthis = str_ireplace($replacethis,$withthis,$inthis);
        if(stristr($inthis, $replacethis) === FALSE)
        {
            RETURN $inthis;
        }
    }
    RETURN $inthis;
} 


PHP Code:

 // remove any SQL-commands
    $sqlcomm[] = 'create';
    $sqlcomm[] = 'database';
    $sqlcomm[] = 'table';
    $sqlcomm[] = 'insert';
    $sqlcomm[] = 'update';
    $sqlcomm[] = 'rename';
    $sqlcomm[] = 'replace';
    $sqlcomm[] = 'select';
    $sqlcomm[] = 'handler';
    $sqlcomm[] = 'delete';
    $sqlcomm[] = 'truncate';
    $sqlcomm[] = 'drop';
    $sqlcomm[] = 'where';
    $sqlcomm[] = 'or';
    $sqlcomm[] = 'and';
    $sqlcomm[] = 'values';
    $sqlcomm[] = 'set';
    $sqlcomm[] = 'password';
    $sqlcomm[] = 'salt';
    $sqlcomm[] = 'concat';
    $sqlcomm[] = 'schema';
    $value = recursive_str_ireplace($sqlcomm, '', $value); 


Some recent threads have started to appear complaining of errors appearing, this new code is also the source of those new problems; the new recursive_str_ireplace loop to replace these parts of the comment field.... and any other field being filtered by the ibp_cleansql function.

[Hippy]

thanks .. do this https://vborg.vbsupport.ru/showpost....3&postcount=13
and pull the new code added out..
this will do the job.. but does not work on all servers..

stangger5 is going to work this out ..
I think code it to the way vb does it ..
but this is not set in stone ATM.. just a twinkle in the sky

[rpgamersnet]

Quote:

Originally Posted by Hippy

thanks .. do this https://vborg.vbsupport.ru/showpost....3&postcount=13
and pull the new code added out..
this will do the job.. but does not work on all servers..

stangger5 is going to work this out ..
I think code it to the way vb does it ..
but this is not set in stone ATM.. just a twinkle in the sky

Yep I already made the change he noted If I knew more about the inner workings of VB I'd offer to try to be of more help, but I have never messed with mods much myself. Look forward to any fixes that might arise

Thanks to everyone for helping out! Great community this mod has.

[Hippy]

stannger5 can explain more about it but this is what I use since the other will kill wanted stuff...