if() vBCode - Private Post Text Hack
Version: 1.00, by Slynderdale

Version: 2.2.x
Released: 02-02-2003 Last Update: Never Installs: 23

No support by the author.

Important News: This hack is now out of beta testing and is now in alpha.

What this hack does is add an if() vB Code where you can enter formulas; if a formula is true, the user will be able to see the private text in the post, and if it comes out false, the text is hidden from the user's sight. This hack doesn't use any queries at all. The if() vB Code also supports other vB Codes inside of it.

The formulas can contain both functions and variables such as $bbuserinfo[userid] or strtolower(). You can add a list of allowed functions to it, and all other functions that aren't allowed are removed from the code to prevent security issues.

All security issues and exploits have now been fixed. This hack has settings where you can allow all users to use it or just allow admins to use it. There's also a setting that you can change to allow admins to see all the private text in posts even if they normally can't see it.

The code part of the vB Code ( if(code) ) uses the same syntax as PHP script, so if you want to check if a variable equals something, you must use == instead of =. Also, all variables from $bbuserinfo have their own variable; what I mean by this is that $bbuserinfo[username] is also $bbusername and $bbuserinfo[posts] is also $bbposts. With these special variables, it is optional to add a $ in front, so $bbusername and bbusername will both work.

Also there's a feature where admins can see the formula that was used next to the text "Private Text:"; it is shown as (code used here). Other members will just see "Private Text:".

Examples of the If() vB Code:
[if($bbuserid>0)]Thank you for joining![/if]
[if(bbuserid>0)]Thank you for joining![/if]

[if($bbusername=="Admin")]Whats up?[/if]
[if(bbusername=="Admin")]Whats up?[/if]

[if($ourtimenow>=$post[dateline]+((7*24)*60*60))]Text To Display 1 week from this post[/if]

[if(bbuserid>0 and bbposts>100)]Keep up the posting [/if]

[if(bbusergroupid==6 or bbusergroupid==7)]Important Text[/if]



Important: New Update as of March 16th
I recoded the doif function and fixed it up, fixed a bug that NuclioN encountered, and added editable options for:
  • Admin Only
  • Admin can read all private text
  • Allowable functions that you can use
  • Certain accounts that can see all the private texts
  • Admins allowed to use all php functions

https://vborg.vbsupport.ru/showthrea...167#post367167
The text below already contains the fix.

Important: New Update as of February 8th
I fixed a bug where, when you search your forums, the if() tag shows even if you can't view it.

https://vborg.vbsupport.ru/showthrea...808#post351808
The text below already contains the fix.

Also I hope you enjoy the hack. If you have any problems, ideas, or just feedback, feel free to post.

Screenshots:
Here's a screenshot of a test post I did with the if() vB Code. The user who made the post can see all the private text in the post by default.
https://vborg.vbsupport.ru/attachmen...&postid=350154
(Note: The private text table can easily be edited in the "privatetext_style" style in headinclude after the hack is installed.)

Here's a screenshot of the same post but after I logged out, so this is what the guest would see.
https://vborg.vbsupport.ru/attachmen...&postid=350155

I only have one request: if you install this hack, please click Install. Thank you.

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #22
02-04-2003, 08:30 AM
NuclioN
Join Date: Aug 2002
Posts: 955
Thanks: 0
Thanked 0 Times in 0 Posts

I've tested this but I cannot find the right code to make a message for a member that cannot be read by unregistered/not logged-in users.

How does the code look if we want only the sender, the receiver and the admin to be able to view those messages?

What difference does the $ in this code make?

[if($bbusername=="MEMBER")]test1[/if]
[if(bbusername=="MEMBER")]test2[/if]
Reply With Quote
  #23
02-04-2003, 08:43 AM
Davey
Join Date: Nov 2002
Location: England
Posts: 383
Thanks: 0
Thanked 0 Times in 0 Posts

This is a nice hack, except all the possible exploitable methods of using it.
If you add this, don't give members access.
They can cause parse errors at the drop of a hat, no? (Point this out if I'm wrong, by all means)
[if($bbusername=")]Hi I'm exploiting you.[/if]

Dave.
Reply With Quote
  #24
02-04-2003, 08:51 AM
NuclioN
Join Date: Aug 2002
Posts: 955
Thanks: 0
Thanked 0 Times in 0 Posts

Hm.. I've found out that this: [if($bbusername=="MEMBER")]test1[/if] is visible for everyone. The other codes are working fine.
Reply With Quote
  #25
02-04-2003, 09:55 AM
Slynderdale
Join Date: Mar 2002
Location: New York State
Posts: 576
Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally posted by Davey
This is a nice hack, except all the possible exploitable methods of using it.
If you add this, don't give members access.
They can cause parse errors at the drop of a hat, no? (Point this out if I'm wrong, by all means)
[if($bbusername=")]Hi I'm exploiting you.[/if]

Dave.

Actually the bb and $bb stuff aren't used in the posts; they use $bbuserinfo[] and $post[]. I have it so it creates $bb vars out of the $bbuserinfo array, like $bbuserinfo[posts] is $bbposts. Also, I thought about what you said though: I'll add a checker for the code so it checks for a single = and not == or != and so on, and then makes it == for you automatically to prevent some bugs from happening.
Reply With Quote
  #26
02-04-2003, 09:58 AM
Slynderdale
Join Date: Mar 2002
Location: New York State
Posts: 576
Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally posted by NuclioN
I've tested this but I cannot find the right code to make a message for a member that cannot be read by unregistered/not logged-in users.

How does the code look if we want only the sender, the receiver and the admin to be able to view those messages?

What difference does the $ in this code make?

[if($bbusername=="MEMBER")]test1[/if]
[if(bbusername=="MEMBER")]test2[/if]

There's no difference between them; I added a way so it works even if you don't add a $. And I tried:

[if($bbusername=="Admin")]test1[/if] and it worked, but I'll look into it for you and see what I can do. Also, if you want text to show for just guests you can use:

[if($bbuserid==0)]test1[/if]

and just for members:

[if($bbuserid>0)]test1[/if]
Reply With Quote
  #27
02-04-2003, 10:10 AM
Slynderdale
Join Date: Mar 2002
Location: New York State
Posts: 576
Thanks: 0
Thanked 0 Times in 0 Posts

Also note, how I have it, the person who posted the post can see all the private text in the post even if they normally can't, so if they did:
[if(bbuserid==0)]

they still can see it in their post.
Reply With Quote
  #28
02-04-2003, 10:20 AM
Slynderdale
Join Date: Mar 2002
Location: New York State
Posts: 576
Thanks: 0
Thanked 0 Times in 0 Posts

Hmm, I read up more on extract(). From what I read, all it does is export an array as references and doesn't actually make them global, so if you have $bbuserinfo[username]="exploit" for instance, it will just change the var in the function, not in the actual post itself, so users can't exploit it and mess with the post variables.
Reply With Quote
  #29
02-04-2003, 11:34 AM
Slynderdale
Join Date: Mar 2002
Location: New York State
Posts: 576
Thanks: 0
Thanked 0 Times in 0 Posts

Ok, big update, I recoded a lot of the function so replace your old one with this:

I also updated the text file with it.

See latest Fix here:
https://vborg.vbsupport.ru/showthrea...167#post367167
Reply With Quote
  #30
02-04-2003, 12:03 PM
Slynderdale
Join Date: Mar 2002
Location: New York State
Posts: 576
Thanks: 0
Thanked 0 Times in 0 Posts

Also in the update now, only admins see the (code) bit next to Private Text; normal users only see Private Text. Also, you can edit the private text table colors and so on with the privatetext_ style in the headinclude if you like.

With this update it should now get rid of 99% of the bugs, security problems and exploits. Only functions you allow will be passed through now; if you don't want to allow any, just make it array(). Also, the way it's made now, you can use () to group variables, like:
[if($bbuserid>0 and ($bbposts>300 or $bbusergroupid==6))]Text[/if]
Reply With Quote
  #31
02-04-2003, 01:15 PM
Slynderdale
Join Date: Mar 2002
Location: New York State
Posts: 576
Thanks: 0
Thanked 0 Times in 0 Posts

Hmm, I fixed a small bug in it. Before, it would remove functions like max(), but I didn't take into consideration that someone might put a space between it, like max (), so I fixed it. I fixed the download file and the post update above; just make sure that your code looks like this if you installed the update above before I fixed it:

PHP Code:
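    // $allfuncs holds the 'internal' and 'user' function-name lists;
    // $allowed_functions is the configured list of permitted names.
    foreach ($allfuncs['internal'] as $name) {
      if (!in_array($name, $allowed_functions)) {
        // Match "name(args)", also with text such as a space before "(".
        $search_array[] = "/($name)(.*)(\()(.*)(\))/siU";
        // Keep only what was between the parentheses (group 4).
        $replace_array[] = "\\4";
      }
    }
    // Same filter for user-defined functions.
    foreach ($allfuncs['user'] as $name) {
      if (!in_array($name, $allowed_functions)) {
        $search_array[] = "/($name)(.*)(\()(.*)(\))/siU";
        $replace_array[] = "\\4";
      }
    }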

I hope you enjoy this hack. If anyone has any comments or ideas, feel free to ask; feedback is nice too. All I ask of you, if you use this hack on your forum, is to click the install button, that's all.
Reply With Quote
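
A different design from the function-name filter discussed in this thread, as an added example (not Slynderdale's code and not part of the hack): the condition is tokenized against a small grammar and evaluated by a parser, so nothing typed into a post is ever run as PHP. It covers only comparisons, and/or and parentheses over an allowlisted variable array, not arithmetic or $post[...] lookups; the class name IfCondition and the sample viewer values are assumptions, and it needs PHP 8.1 or later.

```php
<?php
// Added example (PHP 8.1+), not the hack's code: the condition is parsed, never run as PHP.
final class IfCondition {
    private array $tok = [];
    public function __construct(private array $vars) {}   // the only variables a post may read
    private function fail(string $why): never { throw new InvalidArgumentException($why); }
    private function peek(): ?string { return $this->tok[0] ?? null; }
    private function next(): string { return array_shift($this->tok) ?? $this->fail('unexpected end'); }
    public function evaluate(string $expr): bool {
        // Tokens: integer, "string", [$]name, comparison, parenthesis. Any other input (a lone
        // "=", [ ], ;, backticks) stops the lexer early, and the whole condition is rejected.
        preg_match_all('/\G\s*(\d+|"[^"\\\\]*"|\$?[a-z_]\w*|[=!<>]=|[<>()])/', $expr, $m);
        if (strlen(implode('', $m[0])) !== strlen(rtrim($expr))) $this->fail('illegal input');
        $this->tok = $m[1];
        $result = $this->orExpr();
        return $this->tok === [] ? $result : $this->fail('trailing tokens');
    }
    private function orExpr(): bool {                       // "or" binds looser than "and"
        $l = $this->andExpr();
        while ($this->peek() === 'or') { $this->next(); $r = $this->andExpr(); $l = $l || $r; }
        return $l;
    }
    private function andExpr(): bool {
        $l = $this->cmp();
        while ($this->peek() === 'and') { $this->next(); $r = $this->cmp(); $l = $l && $r; }
        return $l;
    }
    private function cmp(): bool {
        if ($this->peek() === '(') {                        // grouped sub-condition
            $this->next(); $v = $this->orExpr();
            return $this->next() === ')' ? $v : $this->fail('expected )');
        }
        [$a, $op, $b] = [$this->value(), $this->next(), $this->value()];
        return match ($op) {
            '==' => $a == $b, '!=' => $a != $b, '>' => $a > $b,
            '>=' => $a >= $b, '<' => $a < $b, '<=' => $a <= $b,
            default => $this->fail("expected a comparison, got $op"),
        };
    }
    private function value(): int|string {
        $t = $this->next();
        if (ctype_digit($t)) return (int) $t;
        if ($t[0] === '"') return substr($t, 1, -1);
        // Function names are just unknown names here; there is no call syntax at all.
        return $this->vars[ltrim($t, '$')] ?? $this->fail("unknown name $t");
    }
}
// Constructed viewer data; key names follow the $bb* variables used in this thread.
$viewer = new IfCondition(['bbuserid' => 42, 'bbposts' => 350, 'bbusergroupid' => 2]);
var_dump($viewer->evaluate('$bbuserid>0 and ($bbposts>300 or $bbusergroupid==6)'));
```

With this grammar, the malformed condition from post #23 (`$bbusername="`) stops the lexer at the lone `=` and evaluate() throws InvalidArgumentException, so the caller can hide the private text instead of hitting a parse error.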