Banner Rotator (Definitive Mod)

Hi you there. I was looking for a really nice Banner Rotator Mod, but i couldn't find one that had what i need. So i decided to code one. Finished it right now and i'll share with you.

So, what does this hack do?
- This mod allows you to add lots of forum banners.
- The banners will be automatically randomized everytime you reload your forums.

How can i work with it?
- It's all controlable through AdminCP.
- NOT NEEDED ftp access to upload banners.
- You CAN upload banners (jpg, gif & png) through AdminCP.
- You can set a description for individual banners.
- You can edit the description easily and individually.
- You can delete the banners through AdminCP (this function delete the banner from the ftp)
- You can activate/deactivate you banners.
- Deactivated banners remains in the ftp, but will not be shown on forum home.

How can i install? (Time to install: 1 minute if you are fast enough )
- Upload all the files contained in the "upload" folder inside the zip to your forum root directory and CHMOD 77 the folder "/image/banners"
- Install product-brotator.
- Go to your AdminCP > Style Manager > YOUR SKIN > Edit HEADER template and find:

Code:

<img src="$stylevar[titleimage]" border="0" alt="$vboptions[bbtitle]" />

Replace with:

Code:

<center>$banner</center>

You can change banner width and height editing the plugin called "Banner Rotator Generator" and changing the values:

Code:

width=879 height=160

for your own values.

I really hope you enjoy this hack and, please, if you find any kind of bug, report it to me as soon as possible.
And if you have any suggestions, post here.

Thanks you all!

[Turbosport]

There is a security hole in this guys:

You can inject SQL as the $_POST variables here and further down in the script.

Code:

	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$_POST[balt]', '$_POST[bact]')");

I have called the VB function to make the variables SQL safe.

[andrefedalto]

Quote:

Originally Posted by redspider

can this work with flash banners?

yes, you must edit brotator.php in /admincp/ and look for GIF and follow the sequence and add SWF
then edit the plugin and make it show swf, i'm not used to swf, but i'm pretty sure it doesnt shows up with <img> code

[andrefedalto]

Quote:

Originally Posted by inspiration100

installed this and works a treat, but when a banner is clicked it puts my board url before the url of the banners site url....e.g http://www.site1.com/http://www.site2.com.

Any help appreciated.

i think you are filling the add-banner form site like this: "www.site.com" instead of "http://www.site.com"

try using http:// before to see if works fine

[andrefedalto]

Quote:

Originally Posted by DarKNull

PHP Code:

<!-- logo -->
<a name="top"></a>
<div id="vbwrapper">
<div id="logostrip"><center><div style="background: url($stylevar[imgdir_misc]/desihotty3eb.gif) no-repeat;width:100%;height: 158px"></div></div>
<div id="submenu"><a href="search.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_search.gif" alt="desi" /></a><a href="memberlist.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_members.gif" alt="desi" /></a><a href="calendar.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_calendar.gif" alt="desi" /></a><a href="faq.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_faq.gif" alt="desi" /></a></div></center>
<div id="vbwrapper2">
<div id="vbwrapper3">
<div id="bordertop"><div id="bordertopleft"><img src="$stylevar[imgdir_misc]/border_top_l.gif" alt="desi" /></div><div id="bordertopright"><img src="$stylevar[imgdir_misc]/border_top_r.gif" alt="desi" /></div></div>
<div id="vbwrapper4">
$spacer_open
<!-- content table -->

$_phpinclude_output 


I have installed this hack but now how do i replace the $banner code please help

what is the filename of your current banner?

[andrefedalto]

Quote:

Originally Posted by Turbosport

There is a security hole in this guys:

You can inject SQL as the $_POST variables here and further down in the script.

Code:

	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$_POST[balt]', '$_POST[bact]')");

I have called the VB function to make the variables SQL safe.

this part of the script is only accessible by the forum administrators, so why would an admin inject sql codes?

[inspiration100]

andrefedalto, du'h silly me thnx man

[Turbosport]

Quote:

Originally Posted by andrefedalto

this part of the script is only accessible by the forum administrators, so why would an admin inject sql codes?

As a fellow coder I am not knocking the hack, in fact I really like it and it was exactly what I was looking for!

But its important that we as a community look out for and fix any security flaw we find, no matter how insignificant.

My admins are fully trusted, I run hourly snapshots of my database, so I like you probably have nothing to worry about, however there are others out there who are less fortunate. Maybe they have opened it up to thier Moderators and on a busy site this could end up being a few people.

The other worry is that someone will come along and reuse the code somewhere less secure not fully understanding the security issues.


An Admin on my site caused an SQL error by placing an apostrophy in the description field i.e. Dave's picture.

On examination it was a classic SQL injection hole.

I did a quick fix to stop this happening, but I intend to rewrite it to use one of the core VB functions for coverting strings to SQL safe, that way when VB find any other injection type issues and fix them the fix will be reflected in this hack.

Anyway if your interested here is my quick fix:

Code:

	$factv = addslashes(htmlspecialchars($_POST["bact"], ENT_QUOTES));
	$fdesc = addslashes(htmlspecialchars($_POST["balt"], ENT_QUOTES));

then the query:

Code:

	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");

I changed the other query further down using the same method.



I also added a little check before the query, for the odd occasion that theres an error in uploading the file:

Code:

	move_uploaded_file($ftemp, $dir.$fname);


if (file_exists($_SERVER['DOCUMENT_ROOT']."C:/SITES/TSWEB/BBS/images/banners/"."$fname")){

	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");
	print_cp_message($vbphrase['brotator_add_success'], "banner_rotator.php?do=add", "1");
}
else {	print_stop_message('brotator_uploaderror');}
endif;

[andrefedalto]

thanks turbo, i'll update the hack asap and i'll also add the check if file uploaded, just have to put the absolute path string, otherwise everyone would change it...

[92GreenGT]

Warning: move_uploaded_file(): open_basedir restriction in effect. File(/home/ftfhostc/fullthrottleforums.com/images/banners/Banner3.jpg) is not within the allowed path(s): (/dh/web/phpmyadmin:/tmp:/usr/local/tmp:/dh/solidclient:/usr/local/lib/php:/home/ftfhostc:/home/.beaver/ftfhostc) in /admincp/banner_rotator.php on line 56

Ok, I get the error also. I went and changed the two files and took the /forum off all the places it was in the original files. Why wont this work? If you go to http://www.fullthrottleforums.com/im...rs/Banner2.jpg it works, so how would I need to modify the two files for it to show the correct path? Thanks

[JsnakeJ]

Try chmodding the banners directory to 0777