Invision View Profile v1.1.2 Rejection

This forum is now closed as part of retiring phpBB2.

Disturbed One
Registered User
Posts: 129
Joined: Sun Apr 03, 2005 12:31 am

Invision View Profile v1.1.2 Rejection

Post by Disturbed One » Sun Apr 24, 2005 12:27 am

My MOD got denied for this reason:
On virgin phpBB's, profiles can be viewed by setting u equal to the user_id of the person whose profile you're trying to view (http://www.phpbb.com/phpBB/profile.php? ... e&u=157695) or by setting it equal to their username (http://www.phpbb.com/phpBB/profile.php? ... TerraFrost).
The latter results in an error when this MOD is installed. The problem lies in the get_forum_most_active function that this MOD adds to functions.php.

When fixing this problem, you should also make this (from the aforementioned function):

Code:

   if ( intval($user) == 0 )
   {
      $user = trim(htmlspecialchars($user));
      $user = substr(str_replace("\\'", "'", $user), 0, 25);
      $user = str_replace("'", "\\'", $user);
   }
instead read more like this:

Code:

   if ( intval($user) == 0 )
   {
      $user = phpbb_clean_username($user);
   }
The reason is that this was actually one of the changes in the phpBB 2.0.10 to 2.0.11 Changes (i.e. phpbb_clean_username was added to replace code segments like that; it had a few things added to it, as well).


I tried this, and the problem is not fixed. I do not know enough about php to find the source of this problem. Anybody have ideas?

I already talked to TerraFrost, and he pointed me to make a topic here.

Thank you.

Swizec
Former Team Member
Posts: 1701
Joined: Mon Mar 10, 2003 9:42 pm
Location: Slovenia

Post by Swizec » Sun Apr 24, 2005 12:58 am

don't do intval, you can't just create an integer from a username, instead do something more like:

Code:

if ( strval( $user ) == '0' )
{
	$user = phpbb_clean_username($user);
}
that's the best solution I've got

markus_petrux
Former Team Member
Posts: 1887
Joined: Wed Apr 23, 2003 7:11 am
Location: Girona, Catalunya (Spain)

Re: Invision View Profile v1.1.2 Rejection

Post by markus_petrux » Sun Apr 24, 2005 1:13 am

Code:

   if ( intval($user) == 0 )
   {
      $user = phpbb_clean_username($user);
   }
This is partially correct.

Correct: to use intval to check if $user contains a user_id (numeric) or a username (kind of alphanum).

Correct: Use of phpbb_clean_username() to clean the $username (security issue).

Incorrect: It is incomplete, heh. phpbb_clean_username still returns a string. However, you need the user_id (numeric) to build the viewprofile link. So, you have to read the user_table to get the user_id when intval($user) returns 0.

Code:

if ( intval($user) == 0 )
{
	$user = phpbb_clean_username($user);

	// ok, now we have $user we can safely use to build a query.
	// (USERS_TABLE is the constant phpBB defines in constants.php.)
	$sql = "SELECT user_id FROM " . USERS_TABLE . " WHERE username = '$user'";
	if( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Could not look up user_id for username', '', __LINE__, __FILE__, $sql);
	}
	if ( !($row = $db->sql_fetchrow($result)) )
	{
		// no such username: stop here rather than carry on with an empty user_id
		message_die(GENERAL_MESSAGE, 'Sorry, but that user does not exist');
	}
	$db->sql_freeresult($result);
	$user = intval($row['user_id']);
}
EasyMOD Standards | MOD Template Actions | MODs in Development Rules
Useful information for MOD Authors | MOD Queue Stats | Search MODs
Write SQL/DDL portable to all SQL servers supported by phpBB!
Get EasyMOD 0.3.0! | Suport al phpBB en Català!
8)
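As an added example (not the MOD's code and not phpBB's own file), the following stand-alone PHP script puts the rejection notice quoted in the first post and markus_petrux's reply together: it takes the `u` value of profile.php, which may be a user_id or a username, and resolves it to a user_id before anything is concatenated into SQL. phpbb_clean_username() is reproduced from phpBB 2.0.11's includes/functions.php with two substitutions noted in the comments; mod_clean_username() is the block the MOD shipped; lookup_username(), resolve_profile_user(), where_fragment() and the $users rows are hypothetical stand-ins for the USERS_TABLE query and its data, so no database is needed.

```php
<?php
// Added example: resolve profile.php's `u` (user_id or username) to a user_id.
// Assumptions: phpbb_clean_username() is reproduced from phpBB 2.0.11 with
// rtrim() in place of phpbb_rtrim() and ENT_COMPAT passed explicitly (PHP 8.1
// changed the htmlspecialchars() default to also encode single quotes, which
// would defeat the quote escaping below). lookup_username() stands in for
// "SELECT user_id FROM USERS_TABLE WHERE username = '...'" over the
// constructed $users rows.

$users = array(                 // constructed sample rows: user_id => username
    157695 => 'TerraFrost',
    2      => 'Disturbed One',
    3      => "O'Brien",
);

function phpbb_clean_username($username)
{
    $username = substr(htmlspecialchars(str_replace("\\'", "'", trim($username)), ENT_COMPAT), 0, 25);
    $username = rtrim($username, "\\");      // a trailing backslash would neutralise the escaped closing quote
    $username = str_replace("'", "\\'", $username);
    return $username;
}

// The cleaning block the rejected MOD shipped: same steps, but nothing
// removes a trailing backslash (ENT_COMPAT added only for PHP >= 8.1).
function mod_clean_username($user)
{
    $user = trim(htmlspecialchars($user, ENT_COMPAT));
    $user = substr(str_replace("\\'", "'", $user), 0, 25);
    $user = str_replace("'", "\\'", $user);
    return $user;
}

// Hypothetical stand-in for the USERS_TABLE query: undoes the SQL quote
// escaping and compares against the stored username; 0 means not found.
function lookup_username($clean, $users)
{
    $stored_form = str_replace("\\'", "'", $clean);
    foreach ($users as $user_id => $username) {
        if ($username === $stored_form) {
            return $user_id;
        }
    }
    return 0;   // caller should message_die() here instead of querying with 0
}

// is_numeric() rather than intval(): intval('157695abc') is 157695, so a
// garbled value would silently be treated as a valid user_id.
function resolve_profile_user($u, $users)
{
    if (is_numeric($u)) {
        return (int) $u;
    }
    return lookup_username(phpbb_clean_username($u), $users);
}

// The WHERE fragment get_forum_most_active() builds, for comparing the two cleaners.
function where_fragment($clean)
{
    return "post_username = '" . $clean . "' AND poster_id <> -1";
}

if (php_sapi_name() === 'cli') {
    foreach (array('157695', 'TerraFrost', "O'Brien", "TerraFrost\\", 'nobody') as $u) {
        printf("u=%-15s -> user_id %d\n", var_export($u, true), resolve_profile_user($u, $users));
    }
    // A username ending in a backslash: the MOD's cleaner leaves the backslash
    // in front of the closing quote, so the string literal never terminates.
    $bad = "TerraFrost\\";
    echo where_fragment(mod_clean_username($bad)), "\n";   // post_username = 'TerraFrost\' AND poster_id <> -1
    echo where_fragment(phpbb_clean_username($bad)), "\n"; // post_username = 'TerraFrost' AND poster_id <> -1
}
```

Run it with `php resolve.php`. The last two lines are the point of the rtrim() step: with the MOD's own cleaning, `TerraFrost\` reaches the query as `'TerraFrost\'`, where MySQL reads `\'` as an escaped quote, so the literal swallows the rest of the statement; at best the query fails, at worst a second attacker-controlled value later in the same statement is no longer inside quotes.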

Disturbed One
Registered User
Posts: 129
Joined: Sun Apr 03, 2005 12:31 am

Post by Disturbed One » Sun Apr 24, 2005 8:48 pm

hmmm. I'm still getting that error. Maybe it's located somewhere else?

Disturbed One
Registered User
Posts: 129
Joined: Sun Apr 03, 2005 12:31 am

Post by Disturbed One » Fri Apr 29, 2005 11:26 pm

bump

reddog
Registered User
Posts: 32
Joined: Wed Jul 21, 2004 3:51 pm
Location: France ^^

Post by reddog » Sat Apr 30, 2005 8:05 am

Hi,

I use your MOD in my preMOD SubDog Board, and I have modified your code so that everything functions correctly. Try the following modifications:

in functions.php:

Code:

#
#-----[ OPEN ]-------------------------------------------------
#
includes/functions.php
#
#-----[ FIND ]-------------------------------------------------
#
?>
#
#-----[ BEFORE, ADD ]------------------------------------------
#
//-- mod : invision profile ----------------------------------------------------
//-- add
function get_forum_most_active($user)
{
	global $db, $userdata;

	// Check username: a numeric value is a user_id, anything else is a username
	if (intval($user) == 0)
	{
		$user = phpbb_clean_username($user);
	}
	else
	{
		$user = intval($user);
	}
	
	$sql_forum = "SELECT forum_id, forum_name 
		FROM " . FORUMS_TABLE . "
		ORDER BY forum_id";
	if ( !($result = $db->sql_query($sql_forum)) )
	{
		message_die(GENERAL_ERROR, 'Could not obtain forums list', '', __LINE__, __FILE__, $sql_forum);
	}

	$most_active_id = array();
	$most_active_name = array();
	while ( $line = $db->sql_fetchrow($result) ) 
	{
		$most_active_id[] = $line['forum_id'];
		$most_active_name[$line['forum_id']] = $line['forum_name']; 
	}
	$db->sql_freeresult($result);

	// Initialised here so the return value is defined even when the user has
	// no posts in any forum the viewer is allowed to see
	$most_active_posts = 0;
	$most_active_foren_id = 0;
	$most_active_forum_name = '';

	// One query per forum the viewer is allowed to see
	foreach ( $most_active_id as $i )
	{
		$is_auth = auth(AUTH_VIEW, $i, $userdata);
		if ( $is_auth['auth_view'] == 1 )
		{
			$sql_most = "SELECT post_id
				FROM " . POSTS_TABLE . " 
				WHERE forum_id = $i AND ";
			$sql_most .= ( ( is_integer($user) ) ? "poster_id = $user" : "post_username = '" .  $user . "'" ) . " AND poster_id <> " . ANONYMOUS;
			if ( !($result = $db->sql_query($sql_most)) )
			{
				message_die(GENERAL_ERROR, 'Could not obtain post count', '', __LINE__, __FILE__, $sql_most);
			}

			$num_posts = $db->sql_numrows($result);
			$db->sql_freeresult($result);
			if ( $num_posts > $most_active_posts )
			{
				$most_active_posts = $num_posts;
				$most_active_foren_id = $i;
				$most_active_forum_name = $most_active_name[$i];
			}
		}
	}

	return array('forum_id' => $most_active_foren_id, 'forum_name' => $most_active_forum_name, 'posts' => $most_active_posts);
}
//-- end mod : invision profile ------------------------------------------------
in usercp_viewprofile.php:

Code:

# 
#-----[ FIND ]------------------------------------------ 
#
$template->pparse('body');
# 
#-----[ BEFORE, ADD ]------------------------------------------ 
#
//-- mod : invision profile ----------------------------------------------------
//-- add
if ( $profiledata['user_id'] )
{
	$user_id = $userdata['user_id'];
	$view_user_id = $profiledata['user_id'];
	$groups = array();

	$sql = "SELECT g.group_id, g.group_name, g.group_description, g.group_type 
		FROM " . USER_GROUP_TABLE . " l, " . GROUPS_TABLE . " g 
		WHERE l.user_pending = 0 
			AND g.group_single_user = 0 
			AND l.user_id = " . $view_user_id . " 
			AND g.group_id = l.group_id 
		ORDER BY g.group_name, g.group_id";
	if ( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Could not read groups', '', __LINE__, __FILE__, $sql);
	}
		
	while ($group = $db->sql_fetchrow($result))
	{
		$groups[] = $group;
	}
	$db->sql_freeresult($result);

	$template->assign_vars(array(
		'L_USERGROUPS' => $lang['Usergroups'],
	));

	if (count($groups) > 0)
	{  
		$template->assign_block_vars('switch_groups_on', array());  

		for ($i=0; $i < count($groups); $i++)
		{
			$is_ok = false;

			// hidden group?
			if ( ($groups[$i]['group_type'] != GROUP_HIDDEN) || ($userdata['user_level'] == ADMIN) )
			{
				$is_ok=true;
			}
			else
			{
				$group_id = $groups[$i]['group_id'];
			
				$sql = "SELECT * FROM " . USER_GROUP_TABLE . " 
					WHERE group_id = " . $group_id . " 
						AND user_id = " . $user_id . " 
						AND user_pending = 0";
				if ( !($result = $db->sql_query($sql)) )
				{
					message_die(GENERAL_ERROR, 'Couldn\'t obtain viewer group list', '', __LINE__, __FILE__, $sql);
				}
				$is_ok = ( $group = $db->sql_fetchrow($result) );
			} // end hidden-group check

			// visible group: display it
			if ($is_ok)
			{
				$u_group_name = append_sid("groupcp.php?g=".$groups[$i]['group_id']);
				$l_group_name = $groups[$i]['group_name'];
				$l_group_desc = $groups[$i]['group_description'];
				$template->assign_block_vars('groups',array(
					'U_GROUP_NAME' => $u_group_name,
					'L_GROUP_NAME' => $l_group_name,
					'L_GROUP_DESC' => $l_group_desc,
				));
			}  // end if ($is_ok)
		}  // end for ($i=0; $i < count($groups); $i++)
	}  // end if (count($groups) > 0)
}
//-- end mod : invision profile ------------------------------------------------
and still in usercp_viewprofile.php (part of your code):

Code:

#
#-----[ OPEN ]------------------------------------------------
#
includes/usercp_viewprofile.php
#
#-----[ FIND ]------------------------------------------------
#
$user_most_active = get_forum_most_active($HTTP_GET_VARS[POST_USERS_URL]);
$user_most_active_forum_url = append_sid('viewforum.' . $phpEx . '?f=' . urlencode($user_most_active['forum_id']));
$user_most_active_forum_name = $user_most_active['forum_name'];
$user_most_active_posts = $user_most_active['posts'];
#
#-----[ REPLACE WITH ]------------------------------------------
#
if ( $profiledata['user_id'] )
{
	$user_most_active = get_forum_most_active($profiledata['user_id']);
	$user_most_active_forum_url = append_sid('viewforum.' . $phpEx . '?f=' . urlencode($user_most_active['forum_id']));
	$user_most_active_forum_name = $user_most_active['forum_name'];
	$user_most_active_posts = $user_most_active['posts'];
}
You can test these modifications on my Board (preMOD SubDog):

profile by number ID
profile by name

On the other hand, I encountered a problem on certain configurations. The number of SQL queries goes up to 40-50 on the profile. I have not found the reason yet.

Bye ;)

reddog
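As an added example (not reddog's code and not the MOD's), the script below computes the same "most active forum" answer as the get_forum_most_active() posted above, but from a single GROUP BY query instead of one SELECT per forum, which is the shape of the loop in that function: the count of queries grows with the number of forums on the board. The AUTH_VIEW filter stays in PHP, as in the original. The database is replaced by constructed arrays so the script runs stand-alone: $posts stands in for POSTS_TABLE rows, $forum_names for FORUMS_TABLE, and $viewable_forums for the forums on which auth(AUTH_VIEW, $forum_id, $userdata) would return auth_view = 1; POSTS_TABLE is defined here with an assumed prefix.

```php
<?php
// Added example: one aggregate query in place of one query per forum.
// Assumptions: POSTS_TABLE prefix; run_most_active_sql() stands in for
// $db->sql_query() + sql_fetchrow() over the constructed $posts rows;
// $viewable_forums stands in for the per-forum auth(AUTH_VIEW, ...) result.

define('POSTS_TABLE', 'phpbb_posts');   // as in phpBB's constants.php, prefix assumed

// The single query that replaces the per-forum loop. $user_id must already be
// an integer (e.g. $profiledata['user_id'] from get_userdata(), as in reddog's
// usercp_viewprofile.php change), so it is cast rather than quoted.
function most_active_sql($user_id)
{
    return "SELECT forum_id, COUNT(post_id) AS post_count
        FROM " . POSTS_TABLE . "
        WHERE poster_id = " . (int) $user_id . "
        GROUP BY forum_id";
}

// Stand-in for running most_active_sql(): aggregates the constructed rows the
// way the GROUP BY would, returning forum_id => post_count.
function run_most_active_sql($user_id, $posts)
{
    $rows = array();
    foreach ($posts as $post) {
        if ($post['poster_id'] !== (int) $user_id) {
            continue;
        }
        $f = $post['forum_id'];
        $rows[$f] = isset($rows[$f]) ? $rows[$f] + 1 : 1;
    }
    return $rows;
}

// Picks the busiest forum among those the *viewer* may see. Filtering after the
// aggregate keeps the query count at one, and a forum hidden from the viewer
// never surfaces, not even as a post count, when it is the user's busiest.
function most_active_forum($rows, $forum_names, $viewable_forums)
{
    $best = array('forum_id' => 0, 'forum_name' => '', 'posts' => 0);
    foreach ($rows as $forum_id => $post_count) {
        if (!in_array($forum_id, $viewable_forums, true)) {
            continue;
        }
        if ($post_count > $best['posts']) {
            $best = array(
                'forum_id'   => $forum_id,
                'forum_name' => $forum_names[$forum_id],
                'posts'      => $post_count,
            );
        }
    }
    return $best;   // forum_id 0 / posts 0 when nothing is visible, never unset variables
}

if (php_sapi_name() === 'cli') {
    // constructed sample data
    $forum_names = array(1 => 'Announcements', 2 => 'General', 3 => 'Staff only');
    $posts = array(
        array('post_id' => 1, 'forum_id' => 2, 'poster_id' => 157695),
        array('post_id' => 2, 'forum_id' => 2, 'poster_id' => 157695),
        array('post_id' => 3, 'forum_id' => 3, 'poster_id' => 157695),
        array('post_id' => 4, 'forum_id' => 3, 'poster_id' => 157695),
        array('post_id' => 5, 'forum_id' => 3, 'poster_id' => 157695),
        array('post_id' => 6, 'forum_id' => 1, 'poster_id' => 2),
    );
    echo most_active_sql(157695), "\n";
    $rows = run_most_active_sql(157695, $posts);
    print_r(most_active_forum($rows, $forum_names, array(1, 2)));    // ordinary viewer: General, 2 posts
    print_r(most_active_forum($rows, $forum_names, array(1, 2, 3))); // viewer allowed into forum 3: Staff only, 3 posts
}
```

The two print_r() calls show why the permission filter has to be applied before the maximum is taken rather than after: the same user's busiest forum differs depending on who is looking, and an ordinary viewer gets "General, 2 posts" with no hint that three more posts sit in a forum they cannot see.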

Disturbed One
Registered User
Posts: 129
Joined: Sun Apr 03, 2005 12:31 am

Post by Disturbed One » Sat Apr 30, 2005 2:02 pm

I only did the last one, and it works fine :wink: Thanks. You will be included in my credits.

reddog
Registered User
Posts: 32
Joined: Wed Jul 21, 2004 3:51 pm
Location: France ^^

Post by reddog » Sat Apr 30, 2005 2:46 pm

The last one only? Not in functions.php? And it works, strange...
Disturbed One wrote: You will be included in my credits

Thanks ;)

Disturbed One
Registered User
Posts: 129
Joined: Sun Apr 03, 2005 12:31 am

Post by Disturbed One » Sat Apr 30, 2005 2:51 pm

I thought it was too much of code changes, so I only tried last one, and it works. No, I need to thank you :wink:

Return to “[2.0.x] MOD Writers Discussion”