SOLVED-Problem with quote in 2.0.20 (solution on last post)

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.

Postby karlsemple » Wed Apr 12, 2006 7:33 am

there is an official fix now


open functions_post.php and find
Code:
$message = addslashes($message);

After add
Code:
$message = str_replace('"', '\"', $message);



Please note the above fix is the one which should be used as this is the one taken from the cvs of the next release. It is only slightly different, but different all the same, so anyone else you may want to make sure you have this one :)
karlsemple
Support Team Member
 
Posts: 39388
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Postby snkhan » Wed Apr 12, 2006 11:24 am

Thank you karlsemple, that worked wonderfully!
snkhan
Registered User
 
Posts: 95
Joined: Sun Aug 03, 2003 6:34 pm
Location: Leicester, UK.

Postby The Mekon » Wed Apr 12, 2006 4:20 pm

Many thanks karlsemple for the official fix. Thanks also to arnaud.lb for the work-around that kept us going in the meanwhile.
The Mekon
Registered User
 
Posts: 61
Joined: Sat Jun 11, 2005 11:02 pm
Location: Peterborough, UK

Postby The Mekon » Wed Apr 12, 2006 4:21 pm

Many thanks karlsemple for the official fix. Thanks also to arnaud.lb for the work-around that kept us going in the meantime.
The Mekon
Registered User
 
Posts: 61
Joined: Sat Jun 11, 2005 11:02 pm
Location: Peterborough, UK

Postby asinshesq » Wed Apr 12, 2006 4:47 pm

Now that everyone knows what to do to get named quotes working with html turned on, allow me to suggest that you all turn your html off unless you have a really compelling reason for needing it on. Allowing html is inherently less secure so you shouldn't be enabling it unless you really really need it. (karlsemple, do you agree with what I am saying here?)
asinshesq
QA Team
 
Posts: 5186
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC

Postby The Mekon » Wed Apr 12, 2006 4:52 pm

asinshesq wrote:Allowing html is inherently less secure so you shouldn't be enabling it unless you really really need it


Can someone please explain why (in very simple English, please!)?
The Mekon
Registered User
 
Posts: 61
Joined: Sat Jun 11, 2005 11:02 pm
Location: Peterborough, UK

Postby hennie » Wed Apr 12, 2006 4:59 pm

I got this error when I go to the outbox and then edit!

Warning: preg_replace(): Empty regular expression in /home/marian/domains/3d-kaartjes.nl/public_html/forum/privmsg.php on line 1473

Warning: Cannot modify header information - headers already sent by (output started at /home/marian/domains/3d-kaartjes.nl/public_html/forum/privmsg.php:1473) in /home/marian/domains/3d-kaartjes.nl/public_html/forum/includes/page_header.php on line 486

Warning: Cannot modify header information - headers already sent by (output started at /home/marian/domains/3d-kaartjes.nl/public_html/forum/privmsg.php:1473) in /home/marian/domains/3d-kaartjes.nl/public_html/forum/includes/page_header.php on line 488

Warning: Cannot modify header information - headers already sent by (output started at /home/marian/domains/3d-kaartjes.nl/public_html/forum/privmsg.php:1473) in /home/marian/domains/3d-kaartjes.nl/public_html/forum/includes/page_header.php on line 489
hennie
Registered User
 
Posts: 54
Joined: Mon Mar 24, 2003 8:48 pm

Postby asinshesq » Wed Apr 12, 2006 5:08 pm

The Mekon wrote:
asinshesq wrote:Allowing html is inherently less secure so you shouldn't be enabling it unless you really really need it


Can someone please explain why (in very simple English, please!)?


Well, I can only explain in plain English because I don't know enough to go any deeper ;)

I gather that if you enable html, it is possible for a hacker to hide a script of some sort in the html he posts that has the potential to take over your server and do bad things. I hope others more knowledgeable than I will speak to this, but it is clear in post after post from the phpbb developers and support staff that the advice is not to enable html unless you really really need it.

I would imagine that enabling some html tags may be safer than enabling others; for example, I would guess that if you just enable <b>, <u> and <i> there's probably not much danger. But as I said, I really don't know much about this and even my guess that those tags are safer may be wrong.
asinshesq
QA Team
 
Posts: 5186
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC

Postby The Mekon » Wed Apr 12, 2006 6:35 pm

Ha! In my ignorance, I had been assuming that turning off HTML would prevent any form of formatting. I had totally forgotten (or, more likely, it hadn't clicked!) that BBCode takes its place and works fine without HTML :roll:

Thanks asinshesq for using the right words to light up my lamp!
The Mekon
Registered User
 
Posts: 61
Joined: Sat Jun 11, 2005 11:02 pm
Location: Peterborough, UK

Postby asinshesq » Wed Apr 12, 2006 6:41 pm

The Mekon wrote:Ha! In my ignorance, I had been assuming that turning off HTML would prevent any form of formatting. I had totally forgotten (or, more likely, it hadn't clicked!) that BBCode takes its place and works fine without HTML..


Right, phpbb forums look nicely formatted without any html (because of the magic of bbcode). In fact, the entire point of bbcode is to give users a way to format their posts that does NOT create a security risk.
asinshesq
QA Team
 
Posts: 5186
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
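
The point made in the posts above (BBCode gives users formatting without the risk of raw HTML), as an added example that is not part of the original thread and is not phpBB's code: a minimal PHP renderer that escapes everything the user typed and only then turns a small allow-list of BBCode tags into markup. `render_bbcode()`, the tag list and the sample post are assumptions made for illustration.

```php
<?php
// Added example, not phpBB code. render_bbcode() and its tag list are hypothetical.

/**
 * Render a post with raw HTML disabled: escape everything first, then turn a
 * small allow-list of BBCode tags into markup the application generates itself.
 */
function render_bbcode(string $post): string
{
    // 1. Neutralise all HTML the user typed: <, >, &, " and ' become entities,
    //    so tags and attributes in the post are displayed as text, not parsed.
    $out = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');

    // 2. Simple paired tags. The user picks only the tag name, never attributes.
    foreach (['b', 'i', 'u'] as $tag) {
        $out = preg_replace(
            '#\[' . $tag . '\](.*?)\[/' . $tag . '\]#is',
            '<' . $tag . '>$1</' . $tag . '>',
            $out
        );
    }

    // 3. Named quote. After step 1 the quotes around the name are &quot;, and
    //    the name is restricted to a conservative character set and length.
    $out = preg_replace(
        '#\[quote=&quot;([\w .\-]{1,25})&quot;\](.*?)\[/quote\]#is',
        '<blockquote><cite>$1 wrote:</cite> $2</blockquote>',
        $out
    );

    // 4. Keep the author's line breaks.
    return nl2br($out);
}

// Constructed sample post: BBCode formatting next to raw HTML a user might submit.
$post = '[quote="The Mekon"]Can someone explain why?[/quote]' . "\n"
      . '[b]Bold via BBCode[/b] <b onmouseover="alert(1)">bold via HTML</b>' . "\n"
      . '<script>alert(1)</script>';

echo render_bbcode($post), "\n";
```

Because escaping happens before any tag is generated, the only HTML in the output is what the renderer itself emits; the raw `<b ...>` and `<script>` from the sample post come out as visible text. Nested quotes and link tags are left out of this sketch.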

The "Official Fix" is crap

Postby AmbiWeb » Wed Apr 12, 2006 7:22 pm

Well,

I tried the "official fix" and things got even worse. As a result of that fix I got several errors during posting and now many topic_replies values are out of sync in the topics table.

http://img134.imageshack.us/my.php?image=error0wj.png

Now I put $message = addslashes($message); in place again and deactivated HTML. And now I look for a way to resync all the topic_replies.

Is there an Admin Mod to do this which works already with 2.0.20 or do I have to build something of my own?
AmbiWeb
Registered User
 
Posts: 4
Joined: Wed Apr 12, 2006 7:11 pm

Postby MrNevets » Wed Apr 12, 2006 7:37 pm

All worked for me thanks all for the help!
MrNevets
Registered User
 
Posts: 218
Joined: Fri Dec 12, 2003 2:26 am
Location: NJ

Re: The "Official Fix" is crap

Postby asinshesq » Wed Apr 12, 2006 7:42 pm

AmbiWeb wrote:...I tried the "official fix" and things got even worse....Now I put $message = addslashes($message); in place again and deactivated HTML....


Perhaps you misread the official fix. It does not have you delete that line...you are supposed to add the new line after the old one (nothing gets deleted). If you replaced the old one with the new one, that would explain why things didn't work for you.

AmbiWeb wrote:...And now I look for a way to resync all the topic_replies...

Search for a resync mod and you will find several mods that do this.
asinshesq
QA Team
 
Posts: 5186
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC

Postby AmbiWeb » Wed Apr 12, 2006 7:45 pm

Ok, I misread it ;( My fault... fast and wrong...
AmbiWeb
Registered User
 
Posts: 4
Joined: Wed Apr 12, 2006 7:11 pm

Postby asinshesq » Wed Apr 12, 2006 7:47 pm

AmbiWeb wrote:Ok, I misread it ;( My fault... fast and wrong...

It happens ;)

AmbiWeb wrote:...And now I look for a way to resync all the topic_replies...

If you go to phpbbhacks.com and search there for resync, you will find a couple of mods that will resync the counts you were worried about.
asinshesq
QA Team
 
Posts: 5186
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
