mpv validation questions

Discussion forum for MOD Writers regarding MOD Development.
pixel001
Registered User
Joined: Thu Aug 23, 2007 11:38 am

mpv validation questions

Post by pixel001 »

Hi guys, I've got a few MPV validation questions for a MOD that isn't released yet.

1) include_once()

Seems not to pass MPV. Why?

Code:

include_once('dataaccessor.php');

2) stripslashes()

I used stripslashes() on an XML. This generated a FAIL condition in MPV.

bbDKP_dev2/plugins/ctrt/root/includes/acp/ctrt/aliases/import.php: Using stripslashes() at line 92:

Code:

$xml = $this->parser->validateXML(stripslashes($_POST['xml']));

I read that request_var() is always mandatory, but in this case I would be posting an XML.

3) IN_PHPBB
Why should 'IN_PHPBB' always be set?

[ WARNING ] bbDKP_dev2/root/updatebbdkp/update_ctrt.php: A define for IN_PHPBB is missing or there is no check for IN_PHPBB is set.

4) backticks

I used those in an SQL statement. Aren't these allowed?

[ FAIL ] bbDKP_dev2/root/updatebbdkp/update_bbdkp.php: Using backticks at line 424:

Code:

(snip)    `class_wow_new` smallint(5) unsigned NOT NULL ) " ;  (snip)

TIA :D
Paul
Infrastructure Team Leader
Joined: Sat Dec 04, 2004 3:44 pm
Location: The Netherlands
Name: Paul Sohier

Re: mpv validation questions

Post by Paul »

pixel001 wrote:
> Hi guys, I've got a few MPV validation questions for a MOD that isn't released yet.
>
> 1) include_once()
>
> Seems not to pass MPV. Why?
>
> Code:
>
> include_once('dataaccessor.php');

include is preferred. It's not something we deny a MOD for ;)

> 2) stripslashes()
>
> I used stripslashes() on an XML. This generated a FAIL condition in MPV.
>
> bbDKP_dev2/plugins/ctrt/root/includes/acp/ctrt/aliases/import.php: Using stripslashes() at line 92:
>
> Code:
>
> $xml = $this->parser->validateXML(stripslashes($_POST['xml']));
>
> I read that request_var() is always mandatory, but in this case I would be posting an XML.

You should use request_var(); that handles the stripslashes. After that, call htmlspecialchars_decode().

> 3) IN_PHPBB
> Why should 'IN_PHPBB' always be set?
>
> [ WARNING ] bbDKP_dev2/root/updatebbdkp/update_ctrt.php: A define for IN_PHPBB is missing or there is no check for IN_PHPBB is set.

For security reasons. If you include phpBB files and it's not set, you get a white page. If you include that file and you don't have a check for it, you can in some cases exploit that (like when register_globals is on).

> 4) backticks
>
> I used those in an SQL statement. Aren't these allowed?
>
> [ FAIL ] bbDKP_dev2/root/updatebbdkp/update_bbdkp.php: Using backticks at line 424:
>
> Code:
>
> (snip)    `class_wow_new` smallint(5) unsigned NOT NULL ) " ;  (snip)
>
> TIA :D

No. Backticks are MySQL only.
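The following is an added example and not code from this thread or from the bbDKP MOD. It is the import include file rewritten the way Paul's reply describes: an IN_PHPBB guard at the top, request_var() in place of stripslashes($_POST['xml']), and htmlspecialchars_decode() to recover the raw markup before it reaches the MOD's own $this->parser->validateXML() (kept from the flagged line). It assumes phpBB 3.0.x, that the file is included from inside an ACP module method (so $this is the module), that includes/functions.php is already loaded, and that the form field is called 'xml' and is capped at 1 MiB; those last two are assumptions for the example.

```php
<?php
/**
 * Added example, not part of the original thread or of bbDKP.
 * Assumes phpBB 3.0.x, inclusion from inside an ACP module method
 * (so $this->parser exists, as on the flagged line), and that
 * includes/functions.php (request_var) has been loaded by phpBB.
 */

// 1) IN_PHPBB guard. A request straight to this file skips phpBB's bootstrap.
//    With register_globals on, the query string would also populate
//    $phpbb_root_path and $phpEx, so any include($phpbb_root_path . '...' . $phpEx)
//    in such a file becomes a file inclusion under attacker control.
//    With the guard the direct request just exits (the "white page").
if (!defined('IN_PHPBB'))
{
	exit;
}

// Flagged by MPV (kept only for comparison, do not use):
//   $xml = $this->parser->validateXML(stripslashes($_POST['xml']));
// It reads the raw superglobal, applies stripslashes() unconditionally
// (wrong when magic_quotes_gpc is off: legitimate backslashes are eaten),
// and never checks that the form was actually submitted.

// isset() on a superglobal is allowed by MPV: no user data flows from it,
// it only tells us that the import form was posted. request_var() itself
// reads $_REQUEST, so this check is what makes the import POST-only.
$submit = isset($_POST['submit']);

// Assumption for the example: field name 'xml', size cap of 1 MiB.
$max_xml_size = 1048576;

if ($submit)
{
	// 2) request_var() removes magic-quotes slashes only when PHP added them,
	//    validates the UTF-8 (third argument true = multibyte string) and runs
	//    htmlspecialchars(), which turns <, >, & and " into entities.
	$xml = request_var('xml', '', true);

	// Undo that last step before parsing; otherwise the validator sees
	// "&lt;root&gt;" instead of "<root>". Both calls use ENT_COMPAT, so they
	// are symmetric.
	$xml = htmlspecialchars_decode($xml);

	if ($xml === '' || strlen($xml) > $max_xml_size)
	{
		// phpBB's message handler renders this and ends the request.
		trigger_error('Import rejected: empty or oversized XML document', E_USER_WARNING);
	}

	$result = $this->parser->validateXML($xml);
}
```

On the backticks point from the same reply, the identifier in the flagged line (class_wow_new) needs no quoting at all in portable SQL, so the fix is simply to drop them; if the MOD has to create tables on every DBMS phpBB supports, the 3.0.x db_tools class (includes/db/db_tools.php, sql_create_table()) generates the per-backend DDL from a column array instead of hand-written CREATE TABLE strings.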
michaelo
Registered User
Joined: Thu Jun 13, 2002 3:49 am
Location: Dublin, Ireland
Name: Michael O'Toole

Re: mpv validation questions

Post by michaelo »

Although include_once is not denied, it can be overcome: by adding the following for function calls you can use include instead...

Example: Your normal function call might look like this...

Code:

function phpbb_preg_quote($str, $delimiter)
{
	$text = preg_quote($str);
	$text = str_replace($delimiter, '\\' . $delimiter, $text);

	return $text;
}

To eliminate the warning (and also gain additional benefits):

Code:

if (!function_exists('phpbb_preg_quote'))
{
	function phpbb_preg_quote($str, $delimiter)
	{
		$text = preg_quote($str);
		$text = str_replace($delimiter, '\\' . $delimiter, $text);

		return $text;
	}
}

For classes use something like...

Code:

if (!class_exists('class_name')) {...}
Last edited by michaelo on Sat Aug 15, 2009 1:45 pm, edited 1 time in total.
michaelo
Registered User
Joined: Thu Jun 13, 2002 3:49 am
Location: Dublin, Ireland
Name: Michael O'Toole

Re: mpv validation questions

Post by michaelo »

Question re: Using $_GET
One report gives:

Code:

[ FAIL ] stargate_portal/root/blocks/block_style_select.php: Using $_GET at line 153:

Code:

    $check = sizeof($_GET);

request_var() should be used.

Any way around this?
igorw
Former Team Member
Joined: Fri Dec 16, 2005 12:23 pm
Location: {postrow.POSTER_FROM}
Name: Igor Wiedler

Re: mpv validation questions

Post by igorw »

Regarding include_once, I would take a different approach. Something like this (the same applies to functions too):

Code:

if (!class_exists('my_class'))
{
    include($phpbb_root_path . 'includes/my_class.' . $phpEx);
}

Regarding $_GET, I don't see why you would need to use sizeof() on $_GET, but if there is a good reason, it's certainly allowed. For example, running an isset() on a $_POST variable is perfectly fine.