vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
#1
08-24-2013, 07:43 AM
SwalyAaron
Join Date: Jan 2013
Posts: 86
Thanked: 0 times
Thanked 0 times in 0 posts
Is it safe to add new columns to vbulletin users table?

I have a script that isn't related to vBulletin at all; it adds information to a separate database.

Today I was thinking: what if I add some of the information I submit to this database to the vBulletin users table to keep track of things?

Basically this is what I'm doing:

Someone uses the PayPal IPN I've set up, and information is submitted to a DB named "payments". One of the columns is "price", so I was thinking I could do this

$totalpayed += $price;

and add $totalpayed to the vBulletin DB so I can display it in, say, the UserCP later on, or add it to the vBulletin user array for other manipulations.

Can this be done, or is it too risky?
#2
08-24-2013, 09:53 AM
Simon Lloyd
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Thanked: 0 times
Thanked 0 times in 0 posts

You'd have no issues adding a column and writing the values; however, when you get the values via a query you have to make sure that any queries are cleaned or escaped as needed.
#3
08-24-2013, 11:24 AM
SwalyAaron
Join Date: Jan 2013
Posts: 86
Thanked: 0 times
Thanked 0 times in 0 posts

Quote: Originally Posted by Simon Lloyd
You'd have no issues adding a column and writing the values; however, when you get the values via a query you have to make sure that any queries are cleaned or escaped as needed.

Is there a specific way vBulletin runs its queries to make them safer? If so, do you by chance know the syntax?
#4
08-24-2013, 12:12 PM
Simon Lloyd
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Thanked: 0 times
Thanked 0 times in 0 posts

I'm no whizz at database queries at all; however, I do know that when you get a string in a query you have to escape that at the end of the query.

If you are to write from another program to vBulletin I believe you have to clean the input variable. Here's an example of where a variable is cleaned:
PHP Code:
// Coerce the request parameter "postid" to an integer before use
$vbulletin->input->clean_gpc('r', 'postid', TYPE_INT);

$postid = $vbulletin->GPC['postid'];
and then can be used like this
PHP Code:
// $postid is a cleaned integer, so it is safe to interpolate here
$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "post SET mycolumnid = 0 WHERE postid = $postid");
That may be more confusing to you than help; hopefully KH99 (aka Kevin) will visit the thread and help you out. I can only manage the simple stuff with db queries.
#5
08-24-2013, 12:53 PM
SwalyAaron
Join Date: Jan 2013
Posts: 86
Thanked: 0 times
Thanked 0 times in 0 posts

Quote: Originally Posted by Simon Lloyd
I'm no whizz at database queries at all; however, I do know that when you get a string in a query you have to escape that at the end of the query.

If you are to write from another program to vBulletin I believe you have to clean the input variable. Here's an example of where a variable is cleaned:
PHP Code:
// Coerce the request parameter "postid" to an integer before use
$vbulletin->input->clean_gpc('r', 'postid', TYPE_INT);

$postid = $vbulletin->GPC['postid'];
and then can be used like this
PHP Code:
// $postid is a cleaned integer, so it is safe to interpolate here
$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "post SET mycolumnid = 0 WHERE postid = $postid");
That may be more confusing to you than help; hopefully KH99 (aka Kevin) will visit the thread and help you out. I can only manage the simple stuff with db queries.

I'm decent with queries, but mostly mysql_query's, which are deprecated, so no use there, and PDO, which I'll probably use.

I was asking and wondering if vBulletin set up custom functions for their queries; looks like they did, but yeah, I'd still like more input from KH99. Thank you, by the way.
#6
08-24-2013, 01:09 PM
Simon Lloyd
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Thanked: 0 times
Thanked 0 times in 0 posts

If you're decent with MySQL queries you should have no problem; you'll know how to prevent things being left open to SQL injection (which is what the CLEAN and $db_escape_string do, I believe).
#7
08-25-2013, 12:35 AM
BirdOPrey5
Senior Member
Join Date: Jun 2008
Location: New York
Posts: 10,610
Thanked: 0 times
Thanked 0 times in 0 posts

$vbulletin->input->clean_gpc will force an integer for TYPE_INT but it doesn't truly clean a string for TYPE_STR, it just makes sure it is a string.

All strings must be escaped before being saved to the database.

Code:
$vbulletin->db->query_write("QUERY HERE");
To write to the database. Make sure you do global $vbulletin; first.
Thanks from:
tbworld
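Putting the advice from posts #4 and #7 together, here is an added example (not code from the thread or from vBulletin itself) of a hypothetical IPN handler that keeps a running total on the vBulletin 3 user table. It assumes the listener has already included vBulletin's global.php, that the user table was extended once with the two columns named in the comments, and that the PayPal IPN fields are custom, mc_gross and txn_id; the column names totalpaid and lasttxnid are made up for this illustration.

```php
<?php
// Added example (not from the thread): a hypothetical IPN handler that keeps a
// running "totalpaid" figure on the vBulletin 3 user table, following the
// clean_gpc / escape_string / query_write pattern described above.
// Assumptions: the listener has already included vBulletin's global.php, and
// the user table has been extended once with something like
//   ALTER TABLE user ADD totalpaid DECIMAL(10,2) NOT NULL DEFAULT 0.00,
//                    ADD lasttxnid VARCHAR(32) NOT NULL DEFAULT ''
// (DECIMAL rather than FLOAT so money does not accumulate rounding error).
// The IPN field names (custom, mc_gross, txn_id) are PayPal's; the column
// names are made up for this example.

function record_ipn_payment()
{
    global $vbulletin;   // as advised in the thread: declare the global first

    // clean_array_gpc() coerces types. TYPE_UINT / TYPE_NUM yield plain numbers
    // that are safe to interpolate; TYPE_STR only guarantees a string, so it
    // must still go through escape_string() before it is placed inside quotes.
    $vbulletin->input->clean_array_gpc('r', array(
        'custom'   => TYPE_UINT,   // userid we put in the IPN "custom" field
        'mc_gross' => TYPE_NUM,    // gross amount paid
        'txn_id'   => TYPE_STR,    // PayPal transaction id, free-form text
    ));

    $userid = $vbulletin->GPC['custom'];
    $price  = $vbulletin->GPC['mc_gross'];
    $txnid  = $vbulletin->db->escape_string($vbulletin->GPC['txn_id']);

    if ($userid == 0 || $price <= 0)
    {
        return false;   // nothing sensible to record
    }

    // Let MySQL do the addition so two IPN callbacks for the same user cannot
    // race on a PHP-side $totalpayed += $price.
    $vbulletin->db->query_write("
        UPDATE " . TABLE_PREFIX . "user
        SET totalpaid = totalpaid + $price,
            lasttxnid = '$txnid'
        WHERE userid = $userid
    ");

    // Read the new total back, e.g. to show it in the UserCP later.
    $user = $vbulletin->db->query_first("
        SELECT totalpaid FROM " . TABLE_PREFIX . "user WHERE userid = $userid
    ");
    return $user ? $user['totalpaid'] : false;
}
```

The numeric values are interpolated unquoted because clean_array_gpc() has already coerced them, while the string goes through escape_string() and sits inside quotes; that split is the whole point BirdOPrey5 makes about TYPE_INT versus TYPE_STR.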