So I'm adding commands to a very popular vBulletin plugin, and there's this one I can't seem to get to work properly no matter what I try. The code I have so far is:
$cybcb_checkban = strpos($vbulletin->GPC['ccb_newmessage'], '/ban');
if($cybcb_checkban !== false AND $cybcb_candelall)
{
$banuserurl = $vbulletin->options['bburl'].'/misc.php?'.$vbulletin->session->vars['sessionurl'].'do=ccb_banuser&u=2';exec_header_redirect($banuserurl);
}
what i need it to do is the part that says
do=ccb_banuser&u=2
is replace the 2 with the text entered in my chat.
vbulletin kinda has its own language but the base concept of it is PHP
but for reference, this is a default command already in the plugin
$cybcb_checkme = strpos($vbulletin->GPC['ccb_newmessage'], '/me ');
if ($cybcb_checkme !== false)
{
$vbulletin->GPC['ccb_newmessage'] = str_replace('/me ', $vbulletin->userinfo['username'].' ', $vbulletin->GPC['ccb_newmessage']);
$vbulletin->GPC['ccb_newmessage'] = '[color='.$vbulletin->options['cybchatbox_mecolor'].']* '.$vbulletin->GPC['ccb_newmessage'].'[/color]';
}
I've been playing around with this for a few days now, and the only result I've got semi-working is the first code at the top. The problem with that, as you may have guessed, is that by entering
/ban (USER ID HERE)
the only user that will get banned is user 2 (obviously)
So I just need something that will give the code the ability to be /ban (userID).
I know it's got to be something like
$banuserurl = $vbulletin->options['bburl'].'/misc.php?'.$vbulletin->session->vars['sessionurl'].'do=ccb_banuser&u=.$vbulletin->GPC['ccb_newmessage']';exec_header_redirect($banuserurl);
but that doesn't seem to work =/ Anyone have the answer, or can point me in the right direction? I'd be very grateful =) Thanks.
$vbulletin->GPC['ccb_newmessage'] will contain the whole message, so if you send
/ban 123455
$vbulletin->GPC['ccb_newmessage'] will have /ban 123455
what you can then do is remove '/ban ' and you'll be left with the User ID
so something like
$cybcb_checkban = strpos($vbulletin->GPC['ccb_newmessage'], '/ban');
if($cybcb_checkban !== false AND $cybcb_candelall)
{
$vbulletin->GPC['ccb_newmessage'] = str_replace('/ban ', '', $vbulletin->GPC['ccb_newmessage']);
$banuserurl = $vbulletin->options['bburl'].'/misc.php?'.$vbulletin->session->vars['sessionurl'].'do=ccb_banuser&u=' . $vbulletin->GPC['ccb_newmessage'];
exec_header_redirect($banuserurl);
}
or
$cybcb_checkban = strpos($vbulletin->GPC['ccb_newmessage'], '/ban');
if($cybcb_checkban !== false AND $cybcb_candelall)
{
$banuserurl = $vbulletin->options['bburl'].'/misc.php?'.$vbulletin->session->vars['sessionurl'].'do=ccb_banuser&u=' . substr($vbulletin->GPC['ccb_newmessage'], 4);
exec_header_redirect($banuserurl);
}
should work
note: that 4 should probably be replaced with something like substr($vbulletin->GPC['ccb_newmessage'], strpos($vbulletin->GPC['ccb_newmessage'], '/ban') + strlen('/ban'));
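Both variants above place whatever follows /ban into the u= parameter unchanged, so a message such as "/ban 2&do=other" or "please /ban 5" would also produce a redirect. The following is an added example, not code from the plugin or from the answer: it accepts the command only when the whole message is /ban followed by a numeric ID. The helper name ccb_parse_ban_target() is hypothetical; in the plugin the message would come from $vbulletin->GPC['ccb_newmessage'] and the existing $cybcb_candelall check would still wrap the call.

```php
<?php
// Added example: ccb_parse_ban_target() is a hypothetical helper, not plugin code.

/**
 * Return the target user ID from a "/ban <id>" chat message,
 * or null if the message is not exactly that command.
 */
function ccb_parse_ban_target(string $message): ?int
{
    // Anchored match: "/ban", whitespace, 1-9 digits, nothing else.
    // Nine digits keeps the value inside a 32-bit int as well.
    if (!preg_match('~^/ban\s+(\d{1,9})\s*$~', $message, $m)) {
        return null;
    }
    $id = (int) $m[1];
    return $id > 0 ? $id : null;   // user ID 0 is never a valid target
}

// Constructed sample chat messages
$samples = ['/ban 123455', '/ban 2&do=other', 'please /ban 5', '/ban', '/ban 0'];

foreach ($samples as $msg) {
    $id = ccb_parse_ban_target($msg);
    if ($id === null) {
        echo "rejected: $msg\n";
        continue;
    }
    // http_build_query() URL-encodes every value, so the ID cannot
    // smuggle extra parameters into the redirect target.
    $query = http_build_query(['do' => 'ccb_banuser', 'u' => $id], '', '&');
    echo "redirect: misc.php?$query\n";
}
```

The do=ccb_banuser handler still has to check the caller's permission itself, because the URL it serves can be requested directly without going through the chat command.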
Hello, I did use the search before posting this.
I'm new to PHP/MySQL and have been doing soooo much reading. I have been able to make a game that a few friends are playing. It's like a PvP game.
Anyway, one of the people playing found a way to glitch buying and selling units by putting a . in front of the value. I do have a protect feature for stripping illegal characters:
function protect($string) {
return mysql_real_escape_string(strip_tags(addslashes($string)));
}
This works for other characters but not with . I'm not asking for someone to do it for me, I just wanted to be pointed in the right direction.
But just in case someone asks, here is the code I'm using:
if(isset($_POST['buy'])){
$sword = protect($_POST['sword']);
$shield = protect($_POST['shield']);
$gold_needed = (10 * $sword) + (10 * $shield);
if($sword < 0 || $shield < 0){
output("You must buy a positive number of weapons!");
}elseif($stats['gold'] < $gold_needed){
output("You do not have enough gold!");
}else{
$weapon['sword'] += $sword;
$weapon['shield'] += $shield;
$update_weapons = mysql_query("UPDATE `weapon` SET
`sword`='".$weapon['sword']."',
`shield`='".$weapon['shield']."'
WHERE `id`='".$_SESSION['uid']."'") or die(mysql_error());
$stats['gold'] -= $gold_needed;
$update_gold = mysql_query("UPDATE `stats` SET `gold`='".$stats['gold']."'
WHERE `id`='".$_SESSION['uid']."'") or die(mysql_error());
include("update_stats.php");
output("You have bought weapons!");
}
}
If anyone could give me a hand I would greatly appreciate it.
I did find something: "string functions, substr replace and str replace",
but can I use two functions in 1 query? Sorry, I'm new.
EDIT***
Here is the query posted in update_stats
$update_stats = mysql_query("UPDATE `stats` SET
`income`='".$income."',`farming`='".$farming."',
`attack`='".$attack."',`defense`='".$defense."'
WHERE `id`='".$_SESSION['uid']."'") or die(mysql_error());
one of the people playing found a way to glitch buying and selling units by putting a . in front of the value
Well, you've not disclosed EXACTLY what the vulnerability is, but I'll hazard a guess that by input of a decimal value they run around your pricing/math? So, a number of possibilities, I should think?
if (substr($string, 0, 1) == ".") {
//return false, warn, etc.
}
That could go in your "protect" function.
Likewise, you could use intval() or even is_numeric() ... here I just add it to the assignment:
$sword = protect(intval($_POST['sword']));
You could also play with a regular expression. I'm assuming $value to be numeric? How many digits max? I've used 5:
if (preg_match("%\.\d{1,5}%", $sword)) { //this guy's playing w/us
die("Go away, bad hax0rz! :-P");
}
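The question's check only rejects values below zero, so a numeric string such as ".5" reaches the price arithmetic as a fraction. The following is an added example, not code from the question or the answer: it accepts a quantity only if it is a whole number in range and then prices the order with integer arithmetic. The helper names parse_quantity() and quote_purchase() and the upper limit are assumptions; the price of 10 gold per item is taken from the question's code.

```php
<?php
// Added example: parse_quantity() and quote_purchase() are hypothetical helpers.

/** Return a whole number between 0 and $max, or null for anything else. */
function parse_quantity($raw, int $max = 100000): ?int
{
    // FILTER_VALIDATE_INT accepts plain integers only, so ".5", "1.5",
    // "1e3", "-1", "", a missing field and arrays all fail here.
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

/** Price an order at 10 gold per item, as in the question's code. */
function quote_purchase(array $post, int $gold): array
{
    $sword  = parse_quantity($post['sword'] ?? null);
    $shield = parse_quantity($post['shield'] ?? null);
    if ($sword === null || $shield === null) {
        return ['ok' => false, 'msg' => 'Quantities must be whole numbers, 0 or more.'];
    }
    $goldNeeded = 10 * $sword + 10 * $shield;   // integer arithmetic only
    if ($gold < $goldNeeded) {
        return ['ok' => false, 'msg' => 'You do not have enough gold!'];
    }
    return ['ok' => true, 'sword' => $sword, 'shield' => $shield,
            'gold_left' => $gold - $goldNeeded];
}

// Constructed inputs standing in for $_POST
$orders = [
    ['sword' => '3',   'shield' => '2'],
    ['sword' => '.5',  'shield' => '0'],
    ['sword' => '1e3', 'shield' => '1'],
    ['sword' => '-4',  'shield' => '1'],
    ['sword' => '3'],                      // shield field missing
];
foreach ($orders as $post) {
    echo json_encode($post), ' => ', json_encode(quote_purchase($post, 100)), "\n";
}
```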
I am looking for a way to fix a certain piece of coding I have. It's probably simple to solve but I'm really stuck. I haven't created this code myself.
The code is triggered by a user entering his details, and the next piece of code filters out 2 parts of a URL based on the login of the user.
$regex = "/ranking.asp\?Group=(([A-Za-z]+) - ([0-9]+))/";
if (preg_match_all($regex, $str, $matches_out)) {
$data->groupLevel = $matches_out[2][0];
$data->groupNumber = $matches_out[3][0];
}
$matches_out[2][0] provides a letter
$matches_out[3][0] provides a number
When a user hits the top tier, the url is not ranking.php?group=A - 1 anymore (for example) but just ranking.php. This will obviously return an error, because it's looking for something else.
Now what I want to do is something like
if(code doesnt provide error){
execute the code;
}else{
$data->groupLevel = 'toptier';
$data->groupNumber = 1;
}
Or something similar which practically does the same. I hope someone can help me with this, it's very much appreciated! :)
If I understand correctly, when the code you posted causes an error, i.e. preg_match_all, you want to default to hard coded values?
I would think you should add an else statement like this.
$regex = "/ranking.asp\?Group=(([A-Za-z]+) - ([0-9]+))/";
if (preg_match_all($regex, $str, $matches_out)) {
$data->groupLevel = $matches_out[2][0];
$data->groupNumber = $matches_out[3][0];
}else{ //if the regex throws error, do this
$data->groupLevel = 'toptier';
$data->groupNumber = 1;
}
I’ve tried for some time now to solve what probably is a small issue but I just can’t seem get my head around it. I’ve tried some different approaches, some found at SO but none has worked yet.
The problem consists of this:
I’ve a show-room page where I show some cloth. On each single item of cloth there are four “views”:
Male
Female
Front
Back
Now, the users can filter this by viewing either the male or female model, but they can also filter by viewing the front or back of both genders.
I’ve created my script so it detects the URL query and displays the correct data, but my problem is to “build” the URL correctly.
When first entering the page, the four links are like this:
example.com?gender=male
example.com?gender=female
example.com?site=front
example.com?site=back
This works because it’s the “default” view (the default view is set to gender=male && site=front) in the model.
But if I choose to view ?gender=female the users should be able to filter it once more by adding &site=back so the complete URL would be: example.com?gender=female&site=back
And if I then press the link to see gender=male it should still keep the URL parameter &site=back.
What I’ve achieved so far is to append the parameters to the existing URL, but this results in URL strings like: example.com?gender=male&site=front&gender=female and so on…
I’ve tried to use the parse_url function, the http_build_query($parms) method and to make my “own” function that checks for existing parameters, but it does not work.
My latest try was this:
_setURL('http://example.com?gender=male', 'site', 'back');
function _setURL($url, $key, $value) {
$separator = (parse_url($url, PHP_URL_QUERY) == NULL) ? '?' : '&';
$query = $key."=".$value;
$url .= $separator . $query;
var_dump($url); exit;
}
This function works unless the $_GET parameter already exists and thus should be replaced and not added.
I’m not sure if there is some “best practice” to solve this and as I said I’ve looked at a lot of answers on SO but none which was spot on my issue.
I hope I’ve explained myself; otherwise please let me know and I’ll elaborate.
Any help or advice would be appreciated
You can generate the links dynamically using the following method:
$frontLink = (isset($_GET['gender'])) ? 'mydomain.com?gender='.$_GET['gender'].'&site=front':'mydomain.com?site=front';
$backLink = (isset($_GET['gender'])) ? 'mydomain.com?gender='.$_GET['gender'].'&site=back':'mydomain.com?site=back';
This is a 1 line if statement which will set the value of the variables $frontLink and $backlink respectively. The syntax for a 1 line if statement is $var = (if_statement) ? true_result:false_result; this will set the value of $var to the true_result or false_result depending on the return value of the if statement.
You can then do the same for the genders:
$maleLink = (isset($_GET['site'])) ? 'mydomain.com?gender=male&site='.$_GET['site']:'mydomain.com?gender=male';
$femaleLink = (isset($_GET['site'])) ? 'mydomain.com?gender=female&site='.$_GET['site']:'mydomain.com?gender=female';
Found this by searching for a better solution than mine and found this ugly one (that we see a lot on the web), so here is my solution:
function add_get_parameter($arg, $value)
{
$_GET[$arg] = $value;
return "?" . http_build_query($_GET);
}
<?php
function requestUriAddGetParams(array $params)
{
// REQUEST_URI is a key of $_SERVER, not of $_REQUEST
$parseRes=parse_url($_SERVER['REQUEST_URI']);
$params=array_merge($_GET, $params);
return $parseRes['path'].'?'.http_build_query($params);
}
?>
if(isset($_GET['diagid']) && $_GET['diagid']!='') {
$repParam = "&diagid=".$_GET['diagid'];
$params = str_replace($repParam, "", $_SERVER['REQUEST_URI']);
$url = "http://".$_SERVER['HTTP_HOST'].$params."&diagid=".$ID;
}
else $url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']."&diagid=".$ID;
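The answers above copy $_GET values or the whole of $_GET back into the generated links, so any parameter a visitor adds to the URL ends up in the page markup. The following is an added example, not code from any of the answers: it replaces or adds one filter, keeps the other known filter, drops everything else, and HTML-escapes the result for use in an href attribute. The function name showroom_link(), the SHOWROOM_FILTERS allowlist and the base path are assumptions built from the parameter names in the question.

```php
<?php
// Added example: showroom_link() and SHOWROOM_FILTERS are hypothetical names.

// The only parameters and values the show-room page understands.
const SHOWROOM_FILTERS = [
    'gender' => ['male', 'female'],
    'site'   => ['front', 'back'],
];

/**
 * Build a link that sets $key to $value and keeps the other filter
 * from $current (normally $_GET). Unknown keys and values are dropped.
 */
function showroom_link(array $current, string $key, string $value, string $base = '/'): string
{
    $params = [];
    foreach (SHOWROOM_FILTERS as $name => $allowed) {
        // The new value wins over whatever the current URL carries.
        $candidate = ($name === $key) ? $value : ($current[$name] ?? null);
        // Keep a parameter only if it is a string from the allowlist;
        // this also rejects array input such as ?gender[]=x.
        if (is_string($candidate) && in_array($candidate, $allowed, true)) {
            $params[$name] = $candidate;
        }
    }
    $url = $base . ($params ? '?' . http_build_query($params, '', '&') : '');
    // Escape for an HTML attribute: & becomes &amp;, quotes are encoded.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed request state standing in for $_GET, with one hostile extra key
$get = ['gender' => 'female', 'site' => 'front', 'x' => '"><script>'];

echo '<a href="', showroom_link($get, 'site', 'back'), '">Back</a>', "\n";
echo '<a href="', showroom_link($get, 'gender', 'male'), '">Male</a>', "\n";
echo '<a href="', showroom_link([], 'gender', 'female'), '">Female</a>', "\n";
```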
I am having one hell of a time coming up with a decent way to make this if statement search a file for these codes. I set up the text file to read from as such:
myfile.txt
r)
0Y7
1a6
q.
#g
#(
#a
!P
T[
V}
0,
Here is a brief of what I got going.
$subject = file_get_contents(fvManager_Path . 'myfile.txt');
if ( preg_match('/^[a-zA-Z0-9,]+$/',$result['fmbushels_itemCode'], $subject) ) {
Basically I am trying to search the text file line by line to see if the whole string exists. They are case sensitive as well.
$result['fmbushels_itemCode'] is from a sql query and always returns a code like the above in the text.
I'd appreciate any help on this. If someone knows a better way of doing this or a different command, I'd be willing to give that a shot as well :)
edit:
private function _fvShareBushels() {
$subject = file_get_contents(fvManager_Path . 'myfile.txt');
if (count($vShareArray) > 0) {
$vCntMoves = count($vShareArray);
for ($vI = 0;$vI < $vRunMainLoop;$vI++) {
sell $result['fmbushels_itemCode']);
}
}
}
This is a snippet of a big code. I had to rip most out because of post limitation. The area I could be working with is:
if (count($vShareArray) > 0) {
If I could make this something like:
if (count($vShareArray) > 0 && $result['fmbushels_itemCode'] **is not in** $subject) {
If you want to do line by line, use the file() function.
$f = file(fvManager_Path . 'myfile.txt');
foreach($f AS $line){
// $line is current line at file
}
I'm not too sure if you understand completely how preg_match works. The first parameter is the regular expression pattern, the second is what you want to match the pattern to, and the third is an array of matches. So for every valid pattern matched in the second parameter a new index on the array is created.
I'm not 100% on what you're trying to accomplish. Are you trying to see if the $result['fmbushels_itemCode'] exists in the file?
If the above is the correct case you simply just need to do something like:
$f = file('myfile.txt');
// file() keeps the line endings; array_map() returns a new array, so assign it back
$f = array_map('trim', $f);
if(in_array($result['fmbushels_itemCode'], $f)){
// success
}
I am trying to format another site's data to insert into my database. He wants to close his site, so he is giving me his site's listings. But I'm having to format his data from his flat-file database to go into my MySQL database.
I'm looping through his text file and getting his values, then formatting as needed before inserting them into my DB.
Because our sites use completely different storage formats and fields, I'm having a few problems with something.
My site has a designer field. His doesn't. So I'm trying to search through his description field to find a match within my designer table. If there is a match I want to get the designer ID to insert into the designer id field. But I can't get this code to work.
Could someone please suggest a fix? Or is there a better way to do this?
$fp = fopen('listings.txt','r');
if (!$fp) {echo 'ERROR: Unable to open file.'; exit;}
$loop = 0;
while (!feof($fp)) {
$loop++;
$line = fgets($fp,1024); //use 2048 if very long lines
$field[$loop] = explode (' ', $line);
$get_designers = mysql_query("SELECT * FROM dress_designers");
$row_designers = mysql_fetch_array($get_designers);
$totalRows_designers = mysql_num_rows($get_designers);
do{
// Note our use of ===. Simply == would not work as expected
// because the position of 'a' was the 0th (first) character.
$mystring = strtolower($field[$loop][8]);
$findme = strtolower($row_designers['designer_name']);
$pos = strpos($mystring, $findme);
// Note our use of ===. Simply == would not work as expected
// because the position of 'a' was the 0th (first) character.
if ($pos === false) {
$designer = "Other";
} else {
$designer = "Siopa Rince";
}
} while ($row_designers = mysql_fetch_assoc($get_designers));
$fp++;
}
fclose($fp);
I only put "Siopa Rince" as a test. But this isn't working. If I take the text from the file, and paste it in the $mystring and put siopa rince in $findme... it works.
Any suggestions would be greatly appreciated!
Thanks,
Danny
OK... what about just entering the info as is? I tried a few different ways, but the result is returning null...
After I insert the data, I'll use searches to join the required row to get an ID:
SELECT dress_test.dress_title, (
SELECT dress_designers.designer_id
FROM dress_designers
WHERE MATCH (
dress_test.dress_desc
)
AGAINST (
'dress_designers.designer_name'
IN boolean MODE
)
) AS real_designer_id
FROM dress_test
Another version:
SELECT dress_test.dress_title, dress_designers.designer_name
FROM dress_test
JOIN dress_designers ON MATCH(dress_test.dress_title, dress_test.dress_desc) AGAINST
('dress_designers.designer_name' in boolean mode)
Any other suggestions??
Your first assignment to $row_designers uses mysql_fetch_array, while your second uses mysql_fetch_assoc
Instead of do { ... } while, why not just while () { ... }
Remove this line $row_designers = mysql_fetch_array($get_designers);
And turn your loop into...
while ($row_designers = mysql_fetch_assoc($get_designers)) {
// string search here
}
Everything else looks fine - if you're having troubles, check the values with either echo to print string or print_r to print arrays.