MyBB

Robbert · (This post was last modified: 01-03-2012 01:21 PM by Robbert.)

This is a part of the send template:

PHP Code:

<table border="0" cellspacing="0" cellpadding="5" class="tborder">
<thead>
<tr>
<td class="thead" colspan="5">

<div><strong><a href="caresheet.php">Invul lijst</a></strong><br />
  <div class="smalltext"></div></div>
</td>
</tr>
<tr>
<td class="trow2" valign="top">
<strong><div class="smalltext">

<?php

$ip = $_POST['ip'];
$httpref = $_POST['httpref'];
$httpagent = $_POST['httpagent'];
$visitor = $_POST['visitor'];
$visitornick = $_POST['visitornick'];
$visitormail = $_POST['visitormail'];
$vraag1 = $_POST['vraag1'];
$vraag2 = $_POST['vraag2'];
$vraag3 = $_POST['vraag3'];
$vraag4 = $_POST['vraag4'];
$vraag5 = $_POST['vraag5'];
$vraag6 = $_POST['vraag6'];
$vraag7 = $_POST['vraag7'];
$vraag8 = $_POST['vraag8'];
$vraag9 = $_POST['vraag9'];
$vraag10 = $_POST['vraag10'];
$vraag11 = $_POST['vraag11'];
$vraag12 = $_POST['vraag12'];
$vraag13 = $_POST['vraag13'];
$vraag14 = $_POST['vraag14'];
$vraag15 = $_POST['vraag15'];
$vraag16 = $_POST['vraag16'];
$vraag17 = $_POST['vraag17'];
$attn = $_POST['attn'];


if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))
{
echo "<h2>Voer een juist email adres in, gebruik de 'vorige pagina' knop hiervoor</h2>\n";
$badinput = "<h2>De vragenlijst is niet correct ingevult, gebruik de 'vorige pagina' knop hiervoor</h2>\n";
echo $badinput;
die ("Ga terug, gebruik de 'vorige pagina' knop hiervoor");
}

if(empty($visitor) || empty($visitormail) || empty($visitornick) || empty($vraag1) || 
empty($vraag2) || empty($vraag3) || empty($vraag4) || empty($vraag5) || 
empty($vraag6) || empty($vraag7) || empty($vraag8) || empty($vraag9) || 
empty($vraag10) || empty($vraag11) || empty($vraag12) || empty($vraag13) || 
empty($vraag14) || empty($vraag15) || empty($vraag16) || empty($vraag17)) {
echo "<h2>Vul overal iets in, gebruik de 'vorige pagina' knop hiervoor</h2>\n";
die ("Ga terug, gebruik de 'vorige pagina' knop hiervoor");
}


$todayis = date("l, F j, Y, g:i a") ;

$attn = $attn ;
$subject = $attn;

$notes = stripcslashes($notes);

$message = " $todayis [EST] \n

Van: $visitor ($visitormail)\n
Gebruikersnaam: $visitornick\n
Wetenschappelijke naam: $vraag1 \n
Nederlandse Naam: $vraag2 \n
Oorsprong: $vraag3 \n
Habitat: $vraag4 \n
Temperatuur: $vraag5 \n
Luchtvochtigheid: $vraag6 \n
Volwassen grootte: $vraag7 \n
Voeding: $vraag8 \n
Lichturen: $vraag9 \n
Aanbevolen grootte van het verblijf: $vraag10 \n
Gedrag: $vraag11 \n
Karakter: $vraag12 \n
Voortplanting: $vraag13 \n
Opkweek: $vraag14 \n
Extra informatie: $vraag15 \n
Naamsvermelding: $vraag16 \n
Fotos: $vraag17 \n
";

$from = "From: $visitormail\r\n";


mail("robbertkok@gmail.com", $subject, $message, $from);

?>

<p align="center">
<br /><br />
<a href="http://www.hetslangenforum.nl"> Bedankt voor het invullen van de invul lijst, 
klik hier om terug te gaan naar Het Slangenforum </a>
</p>

  <p>
 </td>

</tr>

</table> 

If the languare (Dutch) is a problem to read around let me know.

Edit: I've placed some enters in it so it doensn't break out of of the forum here.

**Fábio Maia** · 01-03-2012, 01:27 PM

Replace this (lines 47 and 56):

PHP Code:

die ("Ga terug, gebruik de 'vorige pagina' knop hiervoor"); 

With this:

PHP Code:

echo "Ga terug, gebruik de 'vorige pagina' knop hiervoor"; 

Robbert · 01-03-2012, 02:03 PM

So I can't do this with 'die'?

The problem with 'echo' in this example is the fact that the check doesn't have any function anymore. Because if the script isn't stopped at that point it still sends out the email.

If this is the case I think I have no other choice than just take out the 'empty field & email check'.

Thanks for your help!

**Fábio Maia** · 01-03-2012, 02:30 PM

I understand what you mean. I didn't notice that when looking through the code. You're basically checking if the fields are empty - in which case an error message is sent - but the email is sent anyway.

A more logical approach would be to only send the email if the fields are not empty. Otherwise an error message would be displayed. Here's some pseudo-code to give you a basic idea:

Code:

if(!empty(fields))

    mail(example@example.com, subject, message)

else

    echo "Error"

And yes, die() stops everything and outputs only what you specified. So that's not what you want to use here. Just echo out the message you want and move on. Also, your form is vulnerable to XSS attacks. You may want to escape the user's input (i.e. the $_POST variables).

Robbert · 01-03-2012, 02:38 PM

Thanks again Smile

But this time it's a bit above my level haha, so I have to look up exactly what you mean. The XSS attacks sounds bad Wink

dexon95 · 01-09-2012, 01:44 AM

Hi, i need help with this code :

PHP Code:

$balance = mysql_query("SELECT `balance` FROM iconomy WHERE `username` = '{$mybb->user[\'fid4\']}'");
echo mysql_real_escape_string($balance); 

Cause MyBB is telling me it have a security issue :/
And i don't really see how i can fix it Sad

Can you help me please ?

**Paul H.** · 01-09-2012, 02:34 AM

What you need to do is this:

PHP Code:

$fid4 = mysql_real_escape_string($mybb->user['fid4']);
$result = $db->query("SELECT `balance` FROM iconomy WHERE `username` = '{$fid4}'");
$balance = $db->fetch_array($result);
echo $balance; 

dexon95 · (This post was last modified: 01-09-2012 03:04 AM by dexon95.)

Thank

Now it saved Smile

But now i got a fatal error on the page :/

Fatal error: Call to a member function query() on a non-object in C:\...\global.php(353) : eval()'d code(13) : eval()'d code on line 7

The line 7 : $result = $db->query("SELECT `balance` FROM iconomy WHERE `username` = '{$fid4}'");

I'll try some things if i fix, ill tell you Smile

But if you know what is wrong, thank to tell me ^.^

Oh i just saw this :
$fid4 = mysql_real_escape_string($mybb->user['fid4']);

Need to change to : $fid4 = mysql_real_escape_string({$mybb->user['fid4']});

and it fix the fatal error, but i got one new, :
Parse error: syntax error, unexpected '{', expecting ')' in C:\...\global.php(353) : eval()'d code(13) : eval()'d code on line 6

Line 6 : $fid4 = mysql_real_escape_string({$mybb->user['fid4']});

I can still type : $fid4 = mysql_real_escape_string{$mybb->user['fid4']};

But i get this error now : Parse error: syntax error, unexpected '{' in C:\...\global.php(353) : eval()'d code(13) : eval()'d code on line 6

**Paul H.** · 01-09-2012, 02:33 PM

It was correct the way I had it,

PHP Code:

$fid4 = mysql_real_escape_string($mybb->user['fid4']); 

The problem is that the MyBB DB object, $db, isn't globalized.

TheNova · (This post was last modified: 01-14-2012 05:05 AM by TheNova.)

I have added this to my sidebar:

Code:

<a href="##"><img src="{$mybb->user['avatar']}" /></a>

But I want to make it so that if you are not logged in, it shows a default avatar. I'm not good with PHP but I figured it would be something along the lines of:

If logged in show avatar else no avatar.

Although, I'd also like an extra bit of code so that if a user is logged in and they haven't chosen an avatar to show a no avatar image too.

===

Also, is this safe to use? I mean, only admins can insert PHP? I don't want my forum getting hacked or anything. I'm the only admin, so it should be safe, right?