My Profile Tweets [v 1.0]
ZiNgA BuRgA
Posts: 3,357
Joined: Jan 2008
Post: #2
RE: My Profile Tweets [v 1.0]
Thanks for the effort and sharing!

Just a few issues, which I feel are important, that I found:

PHP Code:
		$values = htmlspecialchars($mybb->input['mpt']);

		$uid = $mybb->user[uid];
		if ($db->query("UPDATE ".TABLE_PREFIX."users SET mpt='$values' WHERE uid='$uid'"))
		{
			redirect("usercp.php","Congratulations, Your Profile Twitter ID has been successfully Updated !");
		}

You should run $values through $db->escape_string, not htmlspecialchars.  Otherwise, this plugin is vulnerable to SQL injection.  htmlspecialchars should only be used at display time; however, as you're inserting this directly into JavaScript, you really need more sanitisation over this variable.
$uid = $mybb->user[uid]; should be $uid = $mybb->user['uid'];  You have some other instances of dropping quotes around array indices in templates - all of these should have quotes around them.
In general, you should use $db->update_query instead of $db->query for updates, unless you have some special circumstance, in which case you should use $db->write_query.

You shouldn't be escaping $ characters in find_replace_templatesets replacements, since you're using single quote strings.
Also, this is actually incorrect:

PHP Code:
"gid"			=> "NULL",

Simply don't set these ID fields on DB insertion.

This is probably a bit convoluted:

PHP Code:
	$enable = $mybb->settings['my_profile_tweets_enable'];

	$uid = $memprofile['uid'];
	$query = $db->simple_select("users", "*", "uid='$uid'");
	$mpt = $db->fetch_field($query, "mpt");

	if (empty($mpt))
	{
		$mpt = $mybb->settings['my_profile_tweets_default'];
	}

	if ($enable != "0")
	{
		eval("\$my_profile_tweets = \"".$templates->get("my_profile_tweets")."\";");
	}

Try this instead:

PHP Code:
	if(!$mybb->settings['my_profile_tweets_enable']) return;

	$mpt = $memprofile['mpt'];
	if(empty($mpt)) $mpt = $mybb->settings['my_profile_tweets_default'];
	$uid = $memprofile['uid'];
	eval("\$my_profile_tweets = \"".$templates->get("my_profile_tweets")."\";");


Hope that helps :)


09-22-2010 09:18 AM
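As an added illustration of the points raised in the reply above (this is example code, not the plugin's code and not code from the reply), here is what the save and display paths look like once the SQL escaping, the quoted array keys, $db->update_query and the "no extra query in the profile hook" advice are applied. It assumes it runs inside MyBB with the global $mybb, $db, $memprofile and $templates objects; the function names, the hook names and the screen-name character check are assumptions for this example. The character check is the extra sanitisation the reply asks for, since the value ends up inside JavaScript where HTML escaping alone is not enough.

```php
<?php
// Added example, not the plugin's own code. Hook names below are assumptions.
$plugins->add_hook("usercp_do_profile_end", "mpt_example_save");
$plugins->add_hook("member_profile_end", "mpt_example_profile");

function mpt_example_save()
{
    global $mybb, $db;

    // Take the raw input. No htmlspecialchars here: HTML escaping belongs at
    // display time, not in the database.
    $twitter_id = trim($mybb->input['mpt']);

    // Assumed rule for this example: a Twitter screen name is letters, digits
    // and underscores, at most 15 characters. Rejecting anything else before
    // it reaches the DB or the JavaScript template removes the need to escape
    // for a JS string context later on.
    if ($twitter_id !== '' && !preg_match('/^[A-Za-z0-9_]{1,15}$/', $twitter_id))
    {
        error("Invalid Twitter ID.");   // MyBB's error() aborts the request
    }

    // Escape for SQL exactly once, at the query boundary.
    $update = array(
        'mpt' => $db->escape_string($twitter_id),
    );

    // uid is an integer: cast it, and quote the array key.
    $uid = (int)$mybb->user['uid'];

    // update_query builds the UPDATE ... SET mpt='...' WHERE uid='...' for us,
    // so there is no hand-written query string to get wrong.
    $db->update_query("users", $update, "uid='{$uid}'");

    redirect("usercp.php", "Your Profile Twitter ID has been updated.");
}

function mpt_example_profile()
{
    global $mybb, $memprofile, $templates, $my_profile_tweets;

    if (!$mybb->settings['my_profile_tweets_enable'])
    {
        return;
    }

    // $memprofile already holds the full users row, so no simple_select needed.
    $mpt = $memprofile['mpt'];
    if (empty($mpt))
    {
        $mpt = $mybb->settings['my_profile_tweets_default'];
    }

    // Escape for HTML only now, at output time. The save-time character check
    // above is what keeps the value safe inside the template's JavaScript.
    $mpt = htmlspecialchars_uni($mpt);
    $uid = (int)$memprofile['uid'];

    eval("\$my_profile_tweets = \"".$templates->get("my_profile_tweets")."\";");
}
```

Two things worth checking when adapting this: the default value from settings also passes through htmlspecialchars_uni, so it is treated the same as user data, and the `(int)` cast on uid means the WHERE clause can never carry anything but a number even if the session data were tampered with.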