vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions

Apostrophe and special characters in validfields?

#1
09-21-2014, 05:13 PM
007

What is wrong with this code I'm using?

Code:
$this->validfields['customfield'] = array(TYPE_STR, REQ_NO);
I am having issues with text that contains an apostrophe. This is being used in a few locations including threaddata_start and threadfpdata_start.

I've also put the following code under edit_post_update_start

Code:
$vbulletin->input->clean_gpc('p', 'customfield', TYPE_STR);
$edit['customfield'] =& $vbulletin->GPC['customfield'];
Still, I get database errors when submitting text with apostrophes in this custom field.

Thoughts?
#2
09-21-2014, 05:53 PM
Dave

The clean_gpc function of vBulletin only checks the type of the variable (string, integer, etc.).
Right now you are vulnerable to SQL injection; you need to escape your string with something like $db->escape_string($var);
#3
09-21-2014, 06:44 PM
tbworld

Quote:
Originally Posted by 007 View Post
What is wrong with this code I'm using?

Code:
$this->validfields['customfield'] = array(TYPE_STR, REQ_NO);
I am having issues with text that contains an apostrophe. This is being used in a few locations including threaddata_start and threadfpdata_start.

I've also put the following code under edit_post_update_start

Code:
$vbulletin->input->clean_gpc('p', 'customfield', TYPE_STR);
$edit['customfield'] =& $vbulletin->GPC['customfield'];
Still, I get database errors when submitting text with apostrophes in this custom field.

Thoughts?
There is not enough code here to see what you are doing. The array "$edit" is not saved to the database directly, it is processed through the datamanager. $edit['customfield'] will not be stored by the datamanager without additional code so the datamanager can process it. At least, I believe this to be so. I will check it out when I get a chance.
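The two points made above (Dave's: clean_gpc only casts the type, so the value must still be escaped before it reaches SQL; tbworld's: $edit is not written directly, the datamanager does the write) shown as one plugin body. This is an added example, not 007's code and not vBulletin's own; it assumes a vB3 plugin on the edit_post_update_start hook where $vbulletin and $threadinfo are in scope, a customfield column already added to the thread table, usergroup 6 as the administrators group, and the hypothetical $threadman variable for the datamanager route.

```php
<?php
// Added example for this thread; not 007's code and not vBulletin's own.
// Assumes: body of a vB3 plugin on edit_post_update_start, with $vbulletin
// (registry, $vbulletin->db is the database object) and $threadinfo in scope,
// and a `customfield` column already added to the thread table.

// 007 says only he will ever edit this field, so gate the write on the
// administrators usergroup (assumption: default usergroupid 6).
if (!is_member_of($vbulletin->userinfo, 6))
{
    return;
}

// clean_gpc() only casts the POST value to a string. "O'Reilly" stays
// "O'Reilly"; nothing here makes it safe to splice into SQL.
$vbulletin->input->clean_gpc('p', 'customfield', TYPE_STR);
$customfield = $vbulletin->GPC['customfield'];
$threadid    = intval($threadinfo['threadid']);

// UNSAFE (the pattern that produces the database error): the raw value is
// interpolated into the query, so one apostrophe ends the SQL string and
// whatever follows it is executed as SQL.
//
// $vbulletin->db->query_write("
//     UPDATE " . TABLE_PREFIX . "thread
//     SET customfield = '$customfield'
//     WHERE threadid = $threadid
// ");

// SAFE: the string value goes through $db->escape_string(), the id is an
// integer cast above, so an apostrophe is stored as data, not parsed as SQL.
$vbulletin->db->query_write("
    UPDATE " . TABLE_PREFIX . "thread
    SET customfield = '" . $vbulletin->db->escape_string($customfield) . "'
    WHERE threadid = " . $threadid . "
");

// Alternative, as tbworld describes: register the field with
// $this->validfields['customfield'] = array(TYPE_STR, REQ_NO) on
// threaddata_start and hand the value to the thread datamanager, e.g.
// $threadman->set('customfield', $customfield) ($threadman hypothetical).
// The datamanager builds and escapes the UPDATE itself, so no hand-written
// SQL is needed (assumption: class_dm.php escapes TYPE_STR fields in set()).
```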
#4
09-22-2014, 03:51 AM
007

Thanks for the tip, Dave. I'm not using this code in a live environment yet since I'm still testing it. I'll make sure to escape it properly before going live.

tbworld, part of the problem is the code seems to be unfinished. I'm not sure where else I need to use a hook and what code to put there in order to achieve this.
#5
09-22-2014, 04:28 AM
tbworld

Quote:
Originally Posted by 007 View Post
tbworld, part of the problem is the code seems to be unfinished. I'm not sure where else I need to use a hook and what code to put there in order to achieve this.
Unfortunately, I am unsure what you are trying to achieve. Is there another part of this post somewhere?
#6
09-22-2014, 04:58 AM
007

Oh, sorry. I'm adding an extra text field to threads for my own internal use and I want to be able to use apostrophes in it. I thought it would be simple (and it probably is), but I'm a little rusty and am not sure how to achieve this with hooks.
#7
09-22-2014, 05:05 AM
tbworld

Is this a display field or an input field, and what template / form is this to be positioned in? If an input field, what values would this field hold?

I forgot what I learned last week, so you're not alone.
#8
09-22-2014, 05:12 AM
007

It'll appear in the SHOWTHREAD template. It would hold custom text of varying characters. Just an extra field I'm creating for SEO purposes in some meta tags.

Thanks in advance for any ideas!
#9
09-22-2014, 05:17 AM
tbworld

Is it just a display field? No input required from the user?
#10
09-22-2014, 05:26 AM
007

I'll be the only one editing it and users won't even see it. I plan to add some conditions in the appropriate editor templates so others can't see it. It's just a display field that will show up when viewing the source of the page, but not even on the visible page itself.