#1
11-09-2010, 11:43 PM
abualjori
Join Date: Feb 2010
Posts: 16
input TYPE_STR, is it safe enough in this case?

Hey!

I made a custom profile field, and the datamanager was part of the process.

So, here is what I did.

PHP Code:
$vbulletin->input->clean_gpc('p','my_field',TYPE_STR); 
Then I used the datamanager to set the info:

PHP Code:

// load the user datamanager for the current user
$test =& datamanager_init('User', $vbulletin, ERRTYPE_STANDARD);
$test->set_existing($vbulletin->userinfo);
// store the cleaned value of the custom field
$test->set('my_field', $vbulletin->GPC['my_field']);
$test->save();


This mod uses bbcode, so I need double quotes here (I messed up everything when I used TYPE_NOHTML).

Does this look safe enough to be used in my live forums? And do I have to escape strings etc., or would the datamanager take care of it?

Thank you.
#2
11-10-2010, 10:33 AM
sheppardzwc
Join Date: Dec 2008
Location: South Carolina
Posts: 104

The vBulletin input cleaner will escape anything that would normally be harmful to the boards. So yes, that would work fine.
#3
11-10-2010, 11:43 AM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

It looks to me like clean_gpc with TYPE_STR just trims blanks off the ends and removes null characters. So if you don't want to allow html in that field you may need to do something else.

I guess you could try entering some html and see what happens.
#4
11-10-2010, 12:47 PM
vbenhancer
Join Date: Dec 2009
Location: Québec City, Canada
Posts: 740

TYPE_NOHTML will do your job...
#5
11-10-2010, 02:12 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

Quote:
Originally Posted by vbenhancer
TYPE_NOHTML will do your job...
...except that the OP says that TYPE_NOHTML messed things up. Looking at includes/class_core.php it looks like cleaning a TYPE_NOHTML value does this:

PHP Code:
// $entities is the flag used in class_core.php: when true, only numeric
// entities and &shy; are left alone, otherwise any named entity is too
str_replace(
    // replace special html characters
    array('<', '>', '"'),
    array('&lt;', '&gt;', '&quot;'),
    preg_replace(
        // translates all non-unicode entities
        '/&(?!' . ($entities ? '#[0-9]+|shy' : '(#[0-9]+|[a-z]+)') . ';)/si',
        '&amp;',
        $text
    )
);
so maybe you could leave it as TYPE_STR but clean it yourself using the above code, and take out the part that replaces the quotes.
#6
11-11-2010, 02:29 PM
abualjori
Join Date: Feb 2010
Posts: 16
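The three cleaning behaviours discussed in this thread side by side, as an added PHP example that is not code from the thread or from vBulletin itself: TYPE_STR as kh99 describes it (trim plus NUL removal), the TYPE_NOHTML fragment quoted above, and the keep-the-quotes variant kh99 suggests. The function names are mine, $entities is assumed true, and the sample input is constructed.

```php
<?php
// Added example, not vBulletin's own code: models the cleaning steps
// discussed in this thread side by side on one constructed input.
// Assumptions: TYPE_STR is modelled on kh99's reading of clean_gpc
// (strip NUL bytes, trim blanks); TYPE_NOHTML is the class_core.php
// fragment quoted above with $entities taken as true; cleanKeepQuotes()
// is kh99's suggested variant with the double-quote replacement removed.

function cleanTypeStr(string $text): string
{
    return trim(str_replace("\0", '', $text));
}

// Ampersand handling from the quoted fragment: encode every '&' except
// one that starts a numeric entity (&#169;) or &shy; when $entities is true.
function encodeAmpersands(string $text, bool $entities = true): string
{
    return preg_replace(
        '/&(?!' . ($entities ? '#[0-9]+|shy' : '(#[0-9]+|[a-z]+)') . ';)/si',
        '&amp;',
        $text
    );
}

function cleanTypeNoHtml(string $text): string
{
    return str_replace(
        array('<', '>', '"'),
        array('&lt;', '&gt;', '&quot;'),
        encodeAmpersands($text)
    );
}

// kh99's suggestion: same as TYPE_NOHTML but leave '"' alone so bbcode
// such as [color="Red"] keeps its quoted argument.
function cleanKeepQuotes(string $text): string
{
    return str_replace(array('<', '>'), array('&lt;', '&gt;'), encodeAmpersands($text));
}

// Constructed sample: quoted bbcode argument, a raw tag, a bare '&',
// a numeric entity, plus surrounding blanks and a NUL byte.
$sample = "  [color=\"Red\"]<b>Tom & Jerry</b>[/color] &#169;\0 ";

$base = cleanTypeStr($sample);          // what clean_gpc(..., TYPE_STR) leaves
printf("%-12s %s\n", 'TYPE_STR:', $base);
printf("%-12s %s\n", 'TYPE_NOHTML:', cleanTypeNoHtml($base));
printf("%-12s %s\n", 'keep quotes:', cleanKeepQuotes($base));
```

The TYPE_STR line still contains the raw <b> tag and the bare ampersand, which is why a TYPE_STR field that is later rendered needs one of the other two steps; only the last variant encodes the tag while keeping the quoted bbcode argument intact.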

Hi!

With a little test, vBulletin seems to parse bbcode with quotes:

[color="Red"]test[/color]

or even without them:

[color=Red]test[/color]

So I made the same function that kh99 provided, but stripping every single HTML char so it replaced it with nothing.

Thank you so much everyone for your input.