vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions

Efficient Way to Log

#1  KGodel  (11-07-2014, 03:11 AM; Join Date: May 2011; Location: Indiana; Posts: 332)

Hey all.

So, I recently added a simple system to my gaming clan forums where staff could grant points to users who attend events. There are several different input methods, which shouldn't be an issue since they write to the database the same way. I am looking to add logging to the system, but I know that this can lead to a very large database. What is the best way to store a log? Database, file editing, etc. I am sure I could run a task to prune them after a certain length of time to keep size down, but yea, best way to log actions?

#2  Dave  (11-07-2014, 07:38 AM; Join Date: May 2010; Posts: 2,583)

You could use the adminlog table to log the actions and prune those logged entries every now and then. Take a look at the adminlog table and you'll see that it's very easy to use it.
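Dave's suggestion written out, as an added example that is not code from this thread or from vBulletin itself: one function writes a row per grant into adminlog through vBulletin's own $vbulletin->db layer, and a second deletes rows older than a cutoff so a scheduled task can keep the table bounded, which is what the first post asked about. The adminlog column list (userid, dateline, script, action, extrainfo, ipaddress) is assumed from the vBulletin 3.8/4 schema, and the script name 'eventpoints' and the 90-day retention are placeholders to replace.

```php
<?php
// Added example, not code from the thread or from vBulletin itself. Assumes a
// vBulletin 3.8/4 environment (global.php loaded: $vbulletin, TABLE_PREFIX,
// TIMENOW, IPADDRESS) and the adminlog columns userid, dateline, script,
// action, extrainfo, ipaddress; check those against your installed schema.

/**
 * Record one grant: who did it, how many points, to which userids.
 * Actor id and IP come from the session and request constants, not from the
 * submitted form, so the log row cannot be shaped by the request it records.
 * $granted is array(username => userid) and $points an int.
 */
function log_points_grant($vbulletin, array $granted, $points)
{
    $db = $vbulletin->db;
    // Userids are ints and need no escaping; the whole summary is still passed
    // through escape_string because it lands in the SQL as a string literal.
    $summary = 'points=' . intval($points)
             . ';userids=' . implode(',', array_map('intval', $granted));
    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "adminlog
            (userid, dateline, script, action, extrainfo, ipaddress)
        VALUES (
            " . intval($vbulletin->userinfo['userid']) . ",
            " . intval(TIMENOW) . ",
            'eventpoints',
            'grant',
            '" . $db->escape_string($summary) . "',
            '" . $db->escape_string(IPADDRESS) . "'
        )
    ");
    return $db->insert_id();
}

/**
 * Delete this script's log rows older than $days. Intended for a scheduled
 * task so the table stays bounded. Returns the number of rows removed.
 */
function prune_points_log($db, $days = 90)
{
    $cutoff = TIMENOW - ($days * 86400);
    $db->query_write("
        DELETE FROM " . TABLE_PREFIX . "adminlog
        WHERE script = 'eventpoints' AND dateline < " . intval($cutoff)
    );
    return $db->affected_rows();
}
```

Two things to check before relying on this: the extrainfo column is a fixed-width VARCHAR, so a grant to many users can be truncated silently, in which case log one row per recipient instead of a summary; and pruning is destructive, so if the log is meant as an audit trail, export or archive rows before the scheduled task deletes them. Rows written to adminlog also appear in the AdminCP's control panel log viewer alongside real admin actions, which is convenient for review but worth knowing if you would rather keep the two apart in a table of your own.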

#3  KGodel  (11-09-2014, 06:02 PM; Join Date: May 2011; Location: Indiana; Posts: 332)

Okay, a security question. So I need to log a list of userIDs when what is passed through the script is a list of usernames the staff member types in, and those users are given points. Since the array is passed through cleaning via GPC, is it safe to use that list to check values against to get a list of userIDs, or is there a better way that will leave me less vulnerable to injection?

#4  Dave  (11-09-2014, 06:20 PM; Join Date: May 2010; Posts: 2,583)

Depends on what type of array you define in the GPC function. Regardless, I would always use the escape_string function over user input values and check if numbers are really numbers with a function such as ctype_digit.

#5  kh99  (11-09-2014, 06:43 PM; Join Date: Aug 2009; Location: Maine; Posts: 13,185)

Yeah, I agree with what Dave said. If you clean it with TYPE_INT or something so that you know it's a number, then you can safely use it in an SQL string. But if it's a string you should always use db->escape_string() to include it in SQL (no matter what TYPE_ you used to clean it), not only to avoid a security problem but also because if the string contains any special characters (like a quote) then it would cause an error if you haven't escaped it.

#6  KGodel  (11-09-2014, 09:11 PM; Join Date: May 2011; Location: Indiana; Posts: 332)

All good tips, thanks guys. Is there any function within VB I can use that can get a UserID based on a username without needing to query the database at all? That would be ideal, but if not I'll just have to double clean the array. Here is what I have:

PHP Code:
    $vbulletin->input->clean_array_gpc('p', array(
        'points' => TYPE_UINT,   // the post had TYPE_UNIT, which is not a vBulletin cleaner constant; TYPE_UINT is the non-negative integer type
        'users'  => TYPE_STR
    ));
PHP Code:
    $ausers   = $db->escape_string($vbulletin->GPC['users']);
    $addusers = explode(";", $ausers);
So addusers is an array. Obviously I'll have to turn it into a list before I can use it in the manner I want (basically query the database to get the ID of anyone whose username is in this list of names). If it's safe after these cleaning methods then I'll be a bit more confident.

#7  kh99  (11-09-2014, 09:32 PM; Join Date: Aug 2009; Location: Maine; Posts: 13,185)

I don't know offhand if there's a function to get the id from the username. I don't remember seeing one. But if there is I'm sure it would just do a query like "select userid from user where username = 'something' ". If you do something like
Code:
"SELECT userid FROM ".TABLE_PREFIX."user WHERE username='".$vbulletin->db->escape_string(trim($username))."'"
Then I think you'll be fine without any additional cleaning.

#8  KGodel  (11-09-2014, 10:55 PM; Join Date: May 2011; Location: Indiana; Posts: 332)

Would it take more time to get each userID individually like that or check for all userIDs for any username in the list at once?

#9  kh99  (11-09-2014, 11:25 PM; Join Date: Aug 2009; Location: Maine; Posts: 13,185)

Yes, you could get them all in one query. That is obviously better for efficiency, although if it's something that's only going to happen occasionally with a few names in the list it probably doesn't matter a whole lot.

Edit: so I guess I'm saying you're right, if I were doing it I probably would go with one query, but I think doing it with separate queries isn't bad.
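Posts #4, #5, #7 and #9 put together, as an added example that is neither KGodel's code nor vBulletin's: the list is split and trimmed first, each name is then escaped on its own with $vbulletin->db->escape_string() (kh99's per-name pattern), and the userids are fetched in the single IN (...) query kh99 says is better for efficiency, with the points value checked with TYPE_UINT plus ctype_digit as Dave suggested. It assumes vBulletin 3.8/4 APIs ($vbulletin->input, $vbulletin->db, TABLE_PREFIX, standard_error()) and that global.php has already run; the cap of 50 names is an assumed limit, and the error message text is a placeholder where you would normally use fetch_error() with a phrase.

```php
<?php
// Added example, not code from the thread or from vBulletin itself. Assumes a
// vBulletin 3.8/4 script where global.php has already been included, so
// $vbulletin, TABLE_PREFIX and the input cleaner are available.

$vbulletin->input->clean_array_gpc('p', array(
    'points' => TYPE_UINT,   // coerced to a non-negative integer; junk becomes 0
    'users'  => TYPE_NOHTML  // HTML-special characters entity-encoded, the form usernames are stored in
));

/**
 * Split a ';'-separated list into trimmed, de-duplicated usernames.
 * Empty entries are dropped. $max_names is an assumed cap so a pasted wall
 * of text cannot turn into an enormous IN (...) list.
 */
function parse_username_list($raw, $max_names = 50)
{
    $names = array();
    foreach (explode(';', $raw) as $name) {
        $name = trim($name);
        if ($name === '') {
            continue;
        }
        $names[$name] = true;      // array keys de-duplicate for free
        if (count($names) >= $max_names) {
            break;
        }
    }
    return array_keys($names);
}

/**
 * Resolve usernames to userids with one query. Each name is escaped
 * individually after trimming, so the IN (...) list contains nothing but
 * quoted, escaped literals. Returns array(lower-cased username => userid);
 * names with no matching account are simply absent.
 */
function fetch_userids_for_usernames($db, array $names)
{
    if (empty($names)) {
        return array();
    }
    $quoted = array();
    foreach ($names as $name) {
        $quoted[] = "'" . $db->escape_string((string) $name) . "'";
    }
    $result = $db->query_read("
        SELECT userid, username
        FROM " . TABLE_PREFIX . "user
        WHERE username IN (" . implode(',', $quoted) . ")
    ");
    $found = array();
    while ($row = $db->fetch_array($result)) {
        // keyed lower-case so the comparison below behaves like MySQL's
        // case-insensitive collation on the username column
        $found[strtolower($row['username'])] = (int) $row['userid'];
    }
    $db->free_result($result);
    return $found;
}

// TYPE_UINT already yields an integer; ctype_digit is the extra "is a number
// really a number" check from post #4, and 0 is rejected because a failed
// coercion also produces 0.
$points = $vbulletin->GPC['points'];
if (!ctype_digit((string) $points) || $points < 1) {
    standard_error('Points must be a positive whole number.'); // placeholder text
}

$names   = parse_username_list($vbulletin->GPC['users']);
$userids = fetch_userids_for_usernames($vbulletin->db, $names);
$missing = array();
foreach ($names as $name) {
    if (!isset($userids[strtolower($name)])) {
        $missing[] = $name;   // typed names that matched no account
    }
}
// $userids holds only existing accounts, and its values are ints that can go
// straight into later SQL; $missing is what to show back to the staff member
// rather than silently granting to fewer people than they typed.
```

vBulletin's database class offers no bound parameters, so escaping every string value with escape_string() is the protection that is actually available, and the values that reach the SQL as numbers (userids, points) are safe because the cleaner and the (int) casts guarantee they are integers. TYPE_NOHTML is used for the list rather than TYPE_STR so that a name containing & or < is entity-encoded the same way the user table stores it, which is why nerbert's login snippet below wraps the name in htmlspecialchars_uni() before comparing.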

#10  nerbert  (11-10-2014, 01:35 AM; Join Date: May 2008; Posts: 784)

I don't remember where I got this stuff but here's some vBulletin code to SELECT based on username

PHP Code:
    $vbulletin->input->clean_array_gpc('r', array(
        'username' => TYPE_STR,
        'password' => TYPE_STR
    ));

    $username = strip_blank_ascii($vbulletin->GPC['username'], ' ');

    // See VBM-635: &#xxx; should be converted to windows-1252 extended char. This may not happen if a browser submits the form. But from API or user manually input, it does.
    // See also vB_DataManager_User::verify_username()
    // The original used preg_replace() with the /e modifier, which evaluates the
    // replacement as PHP code; /e is deprecated since PHP 5.5 and removed in
    // PHP 7, so the same conversion is done here with a callback instead.
    $username = preg_replace_callback(
        '/&#([0-9]+);/',
        function ($m) {
            return convert_unicode_char_to_charset($m[1], vB_Template_Runtime::fetchStyleVar('charset'));
        },
        $username
    );

    $user = $vbulletin->db->query_first("
        SELECT *
        FROM " . TABLE_PREFIX . "user
        WHERE username = '" . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'
    ");