trying to make php code work for profile

[sabret00the]

nope

[Gio~Logist]

PHP Code:

      //Display edit
        $sql = mysql_query("SELECT * FROM user_webpage WHERE userid = ".GBUSERID."");
        while($row = mysql_fetch_assoc($sql)) { 


or

PHP Code:

   //Continue displaying what was found
        while($row = mysql_fetch_assoc($sql)) { 


or

PHP Code:

            $webpage['name'] = stripslashes($row['name']);
            if($row['lastupdate'] =="") {
                $webpage['lastupdate'] = $vbphrase['wg_never'];
            } else {
                $webpage['lastupdate'] = date("".$vboptions['dateformat']." ".$vboptions['timeformat']."", $row['lastupdate']);
            }
            $webpage['description'] = stripslashes($row['description']);

            $webpage['text'] = stripslashes($row['text']); 


or

PHP Code:

            //Check text-formatting settings
            $settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');
            $settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');
            if($settinghtml == 0 AND $settingvbcode == 0) {
                $settingvbcode = 1;
            }
            
            if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {
                $settingsmilies = 1; } else { $settingsmilies = 0; }
            
            if($settingvbcode == 1) {
                $webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
            }
            if($settinghtml == 1) {
                //Remove scripts!!!
                $webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
                //Don't hide anything!
                $webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
                //Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
                if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
                    $webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
                }
            }
            
            //Javascript will not be allowed
            $webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']); 
            
            $webpage['hits'] = $row['hits'];
            $webpage['bgcolor'] = $row['bgcolor'];
            $webpage['bordersize'] = $row['bordersize'];
            $webpage['bordercolor'] = $row['bordercolor'];
            $webpage['fontface'] = $row['fontface'];
            $webpage['fontsize'] = $row['fontsize'];
            $webpage['fontcolor'] = $row['fontcolor']; 


[sabret00the]

it's the top one, am i to assume you're not using vB?

[Gio~Logist]

actually i am, that was in member.php...... im not sure if the code needs to be changed here or in profile.php (perhaps profile fields are filtered while they are submitted), but thats where u come in i guess...

[sabret00the]

i have no idea what a profile field has to do with any of the $webpage/$row query?

regarding that stuff, that's in no member.php i've ever seen i suggest you vBulletinize it.

regarding the profile fields if you add the query to the page then whatever sanitizing is happening is evaded.

[Gio~Logist]

$webpage/$row query has nothign to do with profile fields

$webpage/$row query = a hack that i have installed (webpage and guestbook)

the webpage and guestbook hack follows its own html rules in which you can edit via admincp

i am trying to make it so that THE PROFILE FIELDS FOLLOW THE SAME RULES

or so that PROFILE FIELDS ARE ALLOWED TO USE HTML ACCEPT FOR MALICIOUS CODES SUCH AS <SCRIPT>

[sabret00the]

then why not just due the $webpage[text] rows and replace $webpage[text] with $whatever[fieldx]?

[Gio~Logist]

$whatever[fieldx] that means id have to do this code in member.php for as many fields as i want to allow html for or will [fieldx] be abole to be used for any field?

AND HOW WOULD I DO THIS?


[HIGH]TRIED SOMETHING DIFF[/HIGH]

Ok so far i have tried the following in order to allow and limit html

I have tried editing functions_user.php and doing the following edit


In ./functions_user.php

FIND

PHP Code:

$userfields .= ", $varname = '" . addslashes(htmlspecialchars_uni($$varname)) . "'"; 


REPLACE WITH

PHP Code:

// MOD :: ALLOW HTML IN PROFILEFIELDS
// OLD CODE
// $userfields .= ", $varname = '" . addslashes(htmlspecialchars_uni($$varname)) . "'";
// NEW CODE
$userfields .= ", $varname = '" . addslashes($$varname) . "'";
// END OF MOD 


And then after that.... before this code in member.php

PHP Code:

eval('$customfields .= "' . fetch_template('memberinfo_customfields') . '";'); 


I tried adding this:

PHP Code:

            $userinfo['$profilefieldname'] = strip_tags($userinfo['$profilefieldname'], "<b><i><u>");  

                 $profilefieldname = strip_tags($profilefieldname, "<b><i><u>");  
            
            $userinfo['value'] = strip_tags($userinfo['value'], "<b><i><u>"); 
 
            $post['$profilefieldname'] = strip_tags($post['$profilefieldname'], "<b><i><u>");  

            $profilefield['value'] = strip_tags($profilefield['value'], "<b><i><u>");