vb.org Archive > Community Central > Community Lounge
#41
12-28-2004, 11:47 AM
aussiev8
Join Date: Aug 2004
Posts: 122

An installer isn't needed.
That's a totally different thread (put it in modification requests).

This thread is about security; I think we should stick to the topic.
Would the advanced coders be willing to help do security tests on the mods as they're released? Or maybe create a new group that'll beta test/security check new mods?

Within a few years, if this isn't contained now, the board will be one security issue after another. If Jelsoft are reading this, I believe it is in your best interests to tackle this problem head on and without hesitation!

My 2 cents
#42
12-28-2004, 11:54 AM
red_baron2000
Join Date: Jul 2002
Location: EU
Posts: 88

All this won't happen if Jelsoft take into consideration users' needs and requests!! Limiting the new release to the minimum is not a solution either... for this we users need those hacks to fit our needs, even if they are full of bugs and security holes!! Somehow we do not have a choice either... way to go Jelsoft!!!
#43
12-28-2004, 12:03 PM
Dean C
Join Date: Jan 2002
Location: England
Posts: 9,071

Well according to Scott in a recent post at vB.com it'll be impossible to input malicious user input in future vB versions, so fear not
#44
12-29-2004, 12:26 AM
aussiev8
Join Date: Aug 2004
Posts: 122

That's never the case. What about basic GET functions that can be made to act differently? I can always post different variables.
#45
12-29-2004, 01:20 AM
Erwin
Join Date: Jan 2002
Posts: 7,604

Quote:
Originally Posted by AN-net
The globalize feature will not protect from SQL injections, I believe, but will correctly evaluate a field such as text, numbers, or strs. I do not think it checks for SQL injection. There are 2 functions that can prevent SQL injection. These 2 are addslashes() for text or strs, which adds slashes to single quotes or regular quotes, thus blocking most forms of SQL injection. Second is intval(), which makes sure a field that is supposed to be a number is a number. If it is not, it will return false and return 0, thus nullifying any possible text put in a number field.
You can use globalize with this:

STR_NOHTML

Those 2 functions you posted are built in as part of the intrinsic vB globalize function.
#46
12-29-2004, 01:33 AM
Erwin
Join Date: Jan 2002
Posts: 7,604

Quote:
Originally Posted by Brad.loo
You are right, globalize is a nice little function. Here's a little overview of everything it does.

Use INT and globalize will run this on the $var

PHP Code:
intval($var);
If you use STR

PHP Code:
trim($var);
If you use STR_NOHTML

PHP Code:
htmlspecialchars_uni(trim($var));
You can also use FILE, which takes $_FILES['$var'] and makes it $array['$var']
Nice summary of the things globalize can do.

Add-on authors should utilize the built-in security vBulletin offers a lot more, rather than writing their own security checks.
#47
12-29-2004, 09:24 AM
Revan
Join Date: Jan 2004
Location: Norway
Posts: 1,671

Yeah, I just went over every file in my new RPG version that didn't have globalize() already, and used it.

A side note about globalize():
If you want to run globalize() on an array, you have to skip using the "=>" stuff.
It would then be smart to run the functions quoted above on the variables as they are submitted into $DB_site->query().

Quote:
Originally Posted by Erwin
You can use globalize with this:

STR_NOHTML

Those 2 functions you posted are built in as part of the intrinsic vB globalize function.
You're saying that by using htmlspecialchars_uni(trim()) there's no need for addslashes()?
#48
12-29-2004, 11:26 AM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
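The three handlers in Brad.loo's overview, AN-net's addslashes()/intval() remark, and Revan's question about whether htmlspecialchars_uni(trim()) makes addslashes() unnecessary all come down to one point: HTML encoding and SQL escaping protect different layers. The following is an added example, not code from vBulletin or from anyone in this thread. sanitize_input(), the TYPE_* constants, the ENT_QUOTES flag and the in-memory SQLite table are assumptions made for the example; vBulletin's own globalize() and htmlspecialchars_uni() are not reproduced.

```php
<?php
// Added example, not vBulletin code. sanitize_input() is a simplified
// stand-in for the INT, STR and STR_NOHTML handlers listed in the thread;
// the function name, constants and flags are assumptions made here.

const TYPE_INT        = 'INT';
const TYPE_STR        = 'STR';
const TYPE_STR_NOHTML = 'STR_NOHTML';

function sanitize_input(string $raw, string $type)
{
    switch ($type) {
        case TYPE_INT:
            // intval(): leading digits are kept, anything else becomes 0.
            return intval($raw);
        case TYPE_STR:
            // Whitespace trimmed only; quotes and tags pass through unchanged.
            return trim($raw);
        case TYPE_STR_NOHTML:
            // Entity-encodes < > & " and ' so the value is inert in HTML output.
            // ENT_QUOTES is this example's choice, not a claim about vBulletin.
            return htmlspecialchars(trim($raw), ENT_QUOTES, 'UTF-8');
        default:
            throw new InvalidArgumentException("unknown globalize type: $type");
    }
}

// Stores a title through a parameterised query, so the SQL layer never
// interprets the value as SQL text, whatever characters it contains.
function store_and_reload(PDO $db, string $title): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS thread (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO thread (title) VALUES (:title)');
    $insert->execute([':title' => $title]);
    $select = $db->prepare('SELECT title FROM thread WHERE id = :id');
    $select->execute([':id' => $db->lastInsertId()]);
    return (string) $select->fetchColumn();
}

// Constructed sample inputs, as a form might submit them.
$samples = [
    [TYPE_INT,        '42abc'],
    [TYPE_INT,        'abc'],
    [TYPE_STR,        "  O'Reilly <b>bold</b>  "],
    [TYPE_STR_NOHTML, "  O'Reilly <b>bold</b>  "],
];

foreach ($samples as [$type, $raw]) {
    printf("%-10s %-30s => %s\n", $type, var_export($raw, true),
           var_export(sanitize_input($raw, $type), true));
}

// The STR handler leaves the apostrophe in place, so the value is only safe
// in a query if the database layer escapes or parameterises it itself.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$title  = sanitize_input("  O'Reilly <b>bold</b>  ", TYPE_STR);
$stored = store_and_reload($db, $title);
echo "stored verbatim via prepared statement: ", var_export($stored === $title, true), "\n";
```

Run it with the php command-line binary (pdo_sqlite is needed for the last part). Whether the STR_NOHTML path also encodes the single quote depends entirely on the flags handed to the HTML encoder, which is why an HTML-encoding step is not a substitute for SQL escaping: encode for the HTML layer where the value is displayed, and let the database layer (addslashes()-style escaping in the thread's era, or a prepared statement as above) handle the query.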

Quote:
Originally Posted by Erwin
Add-on authors should utilize the built-in security vBulletin offers a lot more, rather than writing their own security checks.
Where are they all documented then?
#49
12-29-2004, 11:59 PM
aussiev8
Join Date: Aug 2004
Posts: 122

I'd like to know as well; I've done some searches but wound up empty.
#50
12-30-2004, 12:22 AM
Wayne Luke
Senior Member
Join Date: Jan 2002
Location: Southern California
Posts: 1,694

At this time the API isn't documented. It will be documented for the next release, however the usage of the inherent security features of vBulletin will change significantly so most hacks will need to be reworked anyway. We plan on providing full API documentation when the system is in a state to document.

As it is now, you need to go through the include folder and review the functions there to see what they do. Not optimal but that is what there is. Before the 3.0 release we concentrated on the Admin Control Panel Documentation because it would serve the most customers. When it came time to document the API enough significant changes were proposed and/or implemented that it was decided to postpone it.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.