MyBB Community Forums

Full Version: sql error 1064 on reputation - + please help
So I just got this error, why?


MyBB SQL Error

MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's progress thread')' at line 3
Query:
INSERT INTO mybb_reputation (uid,adduid,pid,reputation,dateline,comments) VALUES ('20','1','187','2','1364313532','For a useful message in thread Ahmed's progress thread')

Please contact the MyBB Group for support.

I went into MySQL phpMyAdmin and selected all tables and said repair, but it did not resolve the issue (I read somewhere else to try this).

Oh, and I am using the fast reputation plugin. It always worked, so no idea why it stopped out of nowhere.

Fast way to change reputation (1.3.1)

How do I check this line 3? Help please.

I was looking at the table and there is this. How do I debug this and figure out what syntax is doing this?

This is what is in mybb_reputation.
The baaallin seems out of place, as it's supposed to be a -+ sign only on posts with that plugin, so not sure where that came from unless it was something I was testing before, can't tell date-wise lol...

rid uid adduid pid reputation dateline comments
2 4 1 4 2 1361319212 For [url=http://muslimbodybuilding.com/Forum/showt...
3 1 5 2 1 1361319968 For [url=http://muslimbodybuilding.com/Forum/showt...
4 1 5 1 1 1361319971 For [url=http://muslimbodybuilding.com/Forum/showt...
5 5 1 5 2 1361320623 For [url=http://muslimbodybuilding.com/Forum/showt...
6 5 4 5 1 1361324500 For [url=http://muslimbodybuilding.com/Forum/showt...
7 1 4 2 1 1361324507 For [url=http://muslimbodybuilding.com/Forum/showt...
8 1 4 1 1 1361325924 For [url=http://muslimbodybuilding.com/Forum/showt...
9 11 1 116 2 1363323871 For [url=http://muslimbodybuilding.com/Forum/showt...
10 1 11 0 1 1363479945 Baaaaaaalin
11 11 1 141 2 1363482418 For [url=http://muslimbodybuilding.com/Forum/showt...
12 1 11 146 1 1363488484 For [url=http://muslimbodybuilding.com/Forum/showt...
13 1 11 159 1 1363568828 For [url=http://muslimbodybuilding.com/Forum/showt...
14 11 1 160 2 1363572930 For [url=http://muslimbodybuilding.com/Forum/showt...
I think the message/comment is unescaped for some reason. It looks like the single quote in "Ahmed's" is ending the query prematurely.
How do I resolve that, other than renaming the thread?
Well I don't know the plugin too well, but see if you can find where that type of query is located inside the plugin file. Could you paste that line and the ones around it here in a [php] block, and I'll help you with it.
The weird thing is it worked up until now and now it doesn't work at all. I changed nothing... strange... any of the plugins I added recently I disabled to test and it remained the same.

This is the whole plugin, no such line, I'm confused:

<?php
/**
 * FastRep 1.0
 *
 * Copyright © 2009 iarspider
 * Website: none
 * License: GPL v3
 *
 */

// Disallow direct access to this file for security reasons
if(!defined("IN_MYBB"))
{
	die("Direct initialization of this file is not allowed.<br /><br />Please make sure IN_MYBB is defined.");
}

require_once ("inc/functions.php");

$plugins->add_hook("xmlhttp", "fastrep_xmlhttp");
$plugins->add_hook("postbit", "fastrep_postbit");

function fastrep_info()
{
	global $lang;
	$lang->load("fastrep", false, true);

	/**
	 * Array of information about the plugin.
	 * name: The name of the plugin
	 * description: Description of what the plugin does
	 * website: The website the plugin is maintained at (Optional)
	 * author: The name of the author of the plugin
	 * authorsite: The URL to the website of the author (Optional)
	 * version: The version number of the plugin
	 * guid: Unique ID issued by the MyBB Mods site for version checking
	 * compatibility: A CSV list of MyBB versions supported. Ex, "121,123", "12*". Wildcards supported.
	 */
	return array(
		"name"			=> "Fast way to change reputation",
		"description"	=> $lang->fastrep_plugin_desc,
		"website"		=> "",
		"author"		=> "iarspider",
		"authorsite"	=> "",
		"version"		=> "1.3.1",
		"guid" 			=> "",
		"compatibility" => "*"
	);
}

function fastrep_find_replace_templatesets_re($title, $find, $replace, $autocreate=1, $limit=-1)
{
	global $db;
	if($autocreate != 0)
	{
		$query = $db->simple_select("templates", "*", "title='$title' AND sid='-2'");
		$master = $db->fetch_array($query);
		$oldmaster = $master['template'];
		$master['template'] = preg_replace($find, $replace, $master['template'], $limit);
		if($oldmaster == $master['template'])
		{
			return false;
		}
		$master['template'] = $db->escape_string($master['template']);
	}
	$query = $db->query("
		SELECT s.sid, t.template, t.tid
		FROM ".TABLE_PREFIX."templatesets s
		LEFT JOIN ".TABLE_PREFIX."templates t ON (t.title='$title' AND t.sid=s.sid)
	");
	while($template = $db->fetch_array($query))
	{
		if($template['template']) // Custom template exists for this group
		{
			if(!preg_match($find, $template['template']))
			{
				return false;
			}
			$newtemplate = preg_replace($find, $replace, $template['template'], $limit);
			$template['template'] = $newtemplate;
			$update[] = $template;
		}
		elseif($autocreate != 0) // No template exists, create it based off master
		{
			$newtemp = array(
				"title" => $title,
				"template" => $master['template'],
				"sid" => $template['sid']
			);
			$db->insert_query("templates", $newtemp);
		}
	}

	if(is_array($update))
	{
		foreach($update as $template)
		{
			$updatetemp = array("template" => $db->escape_string($template['template']), "dateline" => TIME_NOW);
			$db->update_query("templates", $updatetemp, "tid='".$template['tid']."'");
		}
	}
	return true;
}

function fastrep_find_replace_templatesets($title, $find, $replace, $autocreate=1)
{
	global $db;
	if($autocreate != 0)
	{
		$query = $db->simple_select("templates", "*", "title='$title' AND sid='-2'");
		$master = $db->fetch_array($query);
		$oldmaster = $master['template'];
		$master['template'] = str_replace($find, $replace, $master['template']);
		if($oldmaster == $master['template'])
		{
			return false;
		}
		$master['template'] = $db->escape_string($master['template']);
	}
	$query = $db->query("
		SELECT s.sid, t.template, t.tid
		FROM ".TABLE_PREFIX."templatesets s
		LEFT JOIN ".TABLE_PREFIX."templates t ON (t.title='$title' AND t.sid=s.sid)
	");
	while($template = $db->fetch_array($query))
	{
		if($template['template']) // Custom template exists for this group
		{
			if(!strpos($template['template'], $find))
			{
				return false;
			}
			$newtemplate = str_replace($find, $replace, $template['template']);
			$template['template'] = $newtemplate;
			$update[] = $template;
		}
		elseif($autocreate != 0) // No template exists, create it based off master
		{
			$newtemp = array(
				"title" => $title,
				"template" => $master['template'],
				"sid" => $template['sid']
			);
			$db->insert_query("templates", $newtemp);
		}
	}

	if(is_array($update))
	{
		foreach($update as $template)
		{
			$updatetemp = array("template" => $db->escape_string($template['template']), "dateline" => TIME_NOW);
			$db->update_query("templates", $updatetemp, "tid='".$template['tid']."'");
		}
	}
	return true;
}

function fastrep_install()
{
	global $db, $lang;

	//$db->query("ALTER TABLE `".TABLE_PREFIX."reputation` ADD `pid` INT( 10 ) DEFAULT '-1' NOT NULL AFTER `adduid` ");

	$lang->load("fastrep", false, true);

	$settings_gid = $db->insert_query('settinggroups', array(
		'name' => 'fastrep',
		'title' => $lang->fastrep_settings,
		'disporder' => 51,
	));

	$db->insert_query('settings', array(
		'name' => 'fastrep_negimg',
		'optionscode' => 'text',
		'value' => './images/icons/thumbsdown.gif',
		'title' => $lang->fastrep_settings_negimg,
		//'description' => $lang->fastrep_settings_negimg_desc,
		'disporder' => 1,
		'gid' => $settings_gid
	));

	$db->insert_query('settings', array(
		'name' => 'fastrep_posimg',
		'optionscode' => 'text',
		'value' => './images/icons/thumbsup.gif',
		'title' => $lang->fastrep_settings_posimg,
		//'description' => $lang->fastrep_settings_posimg_desc,
		'disporder' => 2,
		'gid' => $settings_gid
	));

	$db->insert_query('settings', array(
		'name' => 'fastrep_max',
		'optionscode' => 'text',
		'value' => 5,
		'title' => $lang->fastrep_settings_maxdispvote,
		'description' => $lang->fastrep_settings_maxdispvote_desc,
		'disporder' => 3,
		'gid' => $settings_gid
	));

	rebuildsettings();
}

function fastrep_activate()
{
	fastrep_find_replace_templatesets('postbit_reputation', '{$lang->postbit_reputation}', '{$lang->postbit_reputation} <img alt="-" title="-" onclick="javascript:negrep({$post[\'pid\']})" src="{$mybb->settings[\'fastrep_negimg\']}"/> <span id="postrep_{$post[\'pid\']}">', 1);
	fastrep_find_replace_templatesets('postbit_reputation', '{$post[\'userreputation\']}', '{$post[\'userreputation\']}</span> <img alt="+" title="+" onclick="posrep({$post[\'pid\']})" src="{$mybb->settings[\'fastrep_posimg\']}"/>', 1);
	fastrep_find_replace_templatesets('headerinclude', '{$stylesheets}', '<script type="text/javascript" src="{$mybb->settings[\'bburl\']}/jscripts/fastrep.js"></script>'."\n".'{$stylesheets}', 1);
//	fastrep_find_replace_templatesets("postbit", '{$post[\'button_find\']}', '{$post[\'button_find\']}{$post[\'fr_votes\']}', 1);
//	fastrep_find_replace_templatesets("postbit_classic", '{$post[\'iplogged\']}', '{$post[\'iplogged\']}{$post[\'fr_votes\']}', 1);
//	fastrep_find_replace_templatesets("postbit", '{$post[\'iplogged\']}', '{$post[\'iplogged\']}{$post[\'fr_votes\']}', 1);
	fastrep_find_replace_templatesets_re("postbit", '#[\t]*\<tr\>[\n\r\t]*\<td class\="trow1 post_buttons#', '{$post[\'fr_votes\']}'."\n".'$0', 1, 1);
	fastrep_find_replace_templatesets_re("postbit_classic", '#[\t]*\<tr\>[\t\n\r]*\<td class\="\{\$altbg\}" style\="white-space\: nowrap; text-align\: center; vertical-align\: middle;"\>\<span class\="smalltext"\>\{\$post\[\'postdate\'\]\} \{\$post\[\'posttime\'\]\}\</span\>\</td\>#', '{$post[\'fr_votes_c\']}'."\n".'$0', 1, 1);
}

function fastrep_deactivate()
{
	fastrep_find_replace_templatesets('postbit_reputation', '{$lang->postbit_reputation} <img alt="-" title="-" onclick="javascript:negrep({$post[\'pid\']})" src="{$mybb->settings[\'fastrep_negimg\']}"/> <span id="postrep_{$post[\'pid\']}">', '{$lang->postbit_reputation} ', 0);
	fastrep_find_replace_templatesets('postbit_reputation', '{$post[\'userreputation\']}</span> <img alt="+" title="+" onclick="posrep({$post[\'pid\']})" src="{$mybb->settings[\'fastrep_posimg\']}"/>', '{$post[\'userreputation\']}', 0);
	fastrep_find_replace_templatesets('headerinclude', '<script type="text/javascript" src="{$mybb->settings[\'bburl\']}/jscripts/fastrep.js"></script>'."\n", '', 0);
	fastrep_find_replace_templatesets("postbit_classic", '{$post[\'fr_votes_c\']}'."\n", '', 0);
	fastrep_find_replace_templatesets("postbit", '{$post[\'fr_votes\']}'."\n", '', 0);
}

function fastrep_uninstall()
{
	global $db;

	$db->delete_query("settings", "name IN('fastrep_negimg', 'fastrep_posimg', 'fastrep_max')");
	$db->delete_query("settinggroups", "name = 'fastrep'");

	$db->query("ALTER TABLE `mybb_reputation` DROP `pid`");
	rebuildsettings();
}

function fastrep_is_installed()
{
	global $db;

	$query = $db->simple_select("settings", "name", "name='fastrep_max'", array('limit' => 1));
	if($db->fetch_field($query, "name"))
	{
		return true;
	}

	return false;
}

function fastrep_xmlhttp() //Heavily based on reputation.php
{
	global $mybb, $pid, $db, $lang;
	$lang->load("fastrep", false, true);

	if($mybb->input['action'] == "negrep")
	{
		$pid = intval($_GET['pid']);

		$check_query = $db->simple_select("posts", "uid, tid", "pid='".$pid."'");
		$check = $db->num_rows($check_query);
		if($check == 0) //no such post
		{
			return;
		}

		$uid = $mybb->user['uid'];
		$user_permissions = user_permissions($uid);
		$row = $db->fetch_array($check_query);

		//Check if:
		//a) This is self-voting
		//b) Vote is cast by a guest
		//c) Poster can't give reputation
		//d) Poster can't use reputation system
		if (($uid == $row['uid']) ||  ($uid == 0) || ($mybb->usergroup['cangivereputations'] != 1) || ($user_permissions['usereputationsystem'] != 1))
		{
			$currep = $db->simple_select("users", "reputation", "uid='".$row['uid']."'");
			print get_reputation($db->fetch_field($currep, 'reputation'), $mybb->user['uid']);
			return;
		}

		//OK, seems like everything's fine => cast the vote!
		$threadinfo = $db->query("SELECT subject FROM ".TABLE_PREFIX."threads WHERE tid='".$row['tid']."';");
		$threadrow = $db->fetch_array($threadinfo);

		$query = $db->simple_select("reputation", "*", "adduid='".$mybb->user['uid']."' AND uid='".$row['uid']."' AND pid='".$pid."'");
		$existing_reputation = $db->fetch_array($query);

		$uid = $row['uid'];

		$url = $mybb->settings['bburl']."/showthread.php?pid=".$pid."#".$pid;
		$subject = $threadrow['subject'];

		$comments = str_replace("@url", $url, $lang->fastrep_useless);
		$comments = str_replace("@subj", $subject, $comments);

		$reputation = array(
			"uid" => $row['uid'],
			"adduid" => $mybb->user['uid'],
			"pid" => $pid,
			"reputation" => -1*intval($mybb->usergroup['reputationpower']),
			"dateline" => TIME_NOW,
			"comments" => $comments
		);

		// Updating an existing reputation
		if($existing_reputation['uid'])
		{
			$db->update_query("reputation", $reputation, "rid='".$existing_reputation['rid']."'");

			// Recount the reputation of this user - keep it in sync.
			$query = $db->simple_select("reputation", "SUM(reputation) AS reputation_count", "uid='{$uid}'");
			$reputation_value = $db->fetch_field($query, "reputation_count");

			$db->update_query("users", array('reputation' => intval($reputation_value)), "uid='{$uid}'");
		}
		// Insert a new reputation
		else
		{
			$db->insert_query("reputation", $reputation);

			// Recount the reputation of this user - keep it in sync.
			$query = $db->simple_select("reputation", "SUM(reputation) AS reputation_count", "uid='{$uid}'");
			$reputation_value = $db->fetch_field($query, "reputation_count");

			$db->update_query("users", array('reputation' => intval($reputation_value)), "uid='{$uid}'");
		}

		$reptext = get_reputation($reputation_value, $row['uid']);
		print $reptext;
	}

	if($mybb->input['action'] == "posrep")  //much like negrep, just different lang string
	{
		$pid = intval($_GET['pid']);

		$check_query = $db->simple_select("posts", "uid, tid", "pid='".$pid."'");
		$check = $db->num_rows($check_query);
		if($check == 0) //no such post
		{
			return;
		}

		$uid = $mybb->user['uid'];
		$user_permissions = user_permissions($uid);
		$row = $db->fetch_array($check_query);

		//Check if:
		//a) This is self-voting
		//b) Vote is cast by a guest
		//c) Poster can't give reputation
		//d) Poster can't use reputation system
		if (($uid == $row['uid']) || ($uid == 0) || ($mybb->usergroup['cangivereputations'] != 1) || ($user_permissions['usereputationsystem'] != 1))
		{
			$currep = $db->simple_select("users", "reputation", "uid='".$row['uid']."'");
			print get_reputation($db->fetch_field($currep, 'reputation'), $mybb->user['uid']);
			return;
		}

		//OK, seems like everything's fine => cast the vote!
		$threadinfo = $db->query("SELECT subject FROM ".TABLE_PREFIX."threads WHERE tid='".$row['tid']."';");
		$threadrow = $db->fetch_array($threadinfo);

		$query = $db->simple_select("reputation", "*", "adduid='".$mybb->user['uid']."' AND uid='".$row['uid']."' AND pid='".$pid."'");
		$existing_reputation = $db->fetch_array($query);

		$uid = $row['uid'];

		$url = $mybb->settings['bburl']."/showthread.php?pid=".$pid."#".$pid;
		$subject = $threadrow['subject'];

		$comments = str_replace("@url", $url, $lang->fastrep_useful);
		$comments = str_replace("@subj", $subject, $comments);

		$reputation = array(
			"uid" => $row['uid'],
			"adduid" => $mybb->user['uid'],
			"pid" => $pid,
			"reputation" => intval($mybb->usergroup['reputationpower']),
			"dateline" => TIME_NOW,
			"comments" => $comments
		);

		// Updating an existing reputation
		if($existing_reputation['uid'])
		{
			$db->update_query("reputation", $reputation, "rid='".$existing_reputation['rid']."'");

			// Recount the reputation of this user - keep it in sync.
			$query = $db->simple_select("reputation", "SUM(reputation) AS reputation_count", "uid='{$uid}'");
			$reputation_value = $db->fetch_field($query, "reputation_count");

			$db->update_query("users", array('reputation' => intval($reputation_value)), "uid='{$uid}'");
		}
		// Insert a new reputation
		else
		{
			$db->insert_query("reputation", $reputation);

			// Recount the reputation of this user - keep it in sync.
			$query = $db->simple_select("reputation", "SUM(reputation) AS reputation_count", "uid='{$uid}'");
			$reputation_value = $db->fetch_field($query, "reputation_count");

			$db->update_query("users", array('reputation' => intval($reputation_value)), "uid='{$uid}'");
		}

		$reptext = get_reputation($reputation_value, $row['uid']);
		print $reptext;
	}

	if ($mybb->input['action'] == "showrep")
	{
		print read_entries($mybb->input['pid']);
	}
}

function fastrep_postbit($post)
{
	$post['fr_votes'] = build_votelist($post['pid'], 'h');
	$post['fr_votes_c'] = build_votelist($post['pid'], 'c');
}

function build_votelist($pid=0, $postbit_type)
{
	global $post, $altbg, $lang;
	$entries = read_entries($pid, $postbit_type);
	$lang->load("fastrep", false, true);

	if(!$entries)
	{
		$css_display = "display:none;";
	}
	else
	{
		$css_display = "";
	}

	//$display = "<div valign=\"bottom;\" style=\"{$css_display}float:left\" id=\"fr_votes_{$post['pid']}\">{$entries}</div>";
	$display = "{$entries}";
	if ($postbit_type == 'h') //'new' or 'horizontal' postbit
	{
		$display = '<tr style="'.$css_display.'" id="fr_votes_'.$pid.'_r"><td class="trow1"><span class="smalltext">'.$lang->fastrep_votes.': </span><span id="fr_votes_'.$pid.'">'.$display.'</span></td></tr>';
	}
	else //'classic' or 'vertical' postbit
	{
		$display = '<tr style="'.$css_display.'" id="fr_votes_'.$pid.'_r"><td class="'.$altbg.'" style="text-align: center;"><span class="smalltext">'.$lang->fastrep_votes.': </span></td><td class="'.$altbg.'" id="fr_votes_'.$pid.'">'.$display.'</td></tr>';
	}

	return $display;
}

function read_entries($pid=0)
{
	global $db, $entries, $mybb, $showall, $additional, $lang;

	$lang->load("fastrep", false, true);

	$entries = "";
	$entries2 = "";
	$query = $db->simple_select('reputation', 'adduid, reputation', "pid='$pid'", array('order_by' => 'dateline', 'order_dir' => 'DESC'));

	$counter = 0;
	while($vote = $db->fetch_array($query))
	{
		$dbuser = get_user($vote['adduid']);
		if ($vote['reputation'] > 0)
		{
			$color = "green";
			$score = "+".$vote['reputation'];
		}
		else
		{
			$color="red";
			$score = $vote['reputation'];
		}

		$link = '<a href="'.get_profile_link($vote['adduid']).'" style="color: '.$color.'">'.$dbuser['username'].'</a>';

		if($counter < $mybb->settings['fastrep_max'])
		{
			$entries .= $r1comma."<span style='color: $color'>".$link." ($score)</span>";
		}

		else
		{
			$entries2 .= $r2comma."<span style='color: $color'>".$link." ($score)</span>";
			$r2comma =", ";
		}
		$r1comma =", ";
		$counter++;
	}
	if($entries2 == "" && $entries != "")
	{
		$entries = "<span class=\"smalltext\">{$entries}</span>";
		return $entries;
	}
	elseif($entries2 != "" && $entries != "")
	{
		$additional = "<br /><div style=\"display:none;\" id=\"fr_votes_{$pid}_a\"><div style=\"float:left\">{$entries2}&nbsp;&nbsp;<span style=\"font-size:8px\"><a style=\"text-decoration:none;\" href=\"javascript:hideAllVotes('fr_votes_{$pid}_a');\">[<i>x</i>] </a></span></div>";
		$entrieslist = "<div style=\"float:left\"><span class=\"smalltext\">{$entries}&nbsp;<a href=\"javascript:getAllVotes('fr_votes_{$pid}_a');\">....</a></div>{$additional}";
		return $entrieslist;
	}
	else
	{
		$entries = ""; // just to make sure
		return $entries;
	}

}

?>
Deactivate the plugin, it is SQL injection vulnerable.
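
The failure diagnosed above, reproduced as an added example (not part of the thread, and not the plugin's or MyBB's own code): the values from the failing query are first concatenated into the statement, then sent as bound parameters. Assumptions: `build_insert()` is a hypothetical, simplified stand-in for the query builder, and an in-memory SQLite database replaces MySQL so the script runs offline.

```php
<?php
// Added illustration, not code from the FastRep plugin or from MyBB.
// build_insert() is a hypothetical stand-in for how the statement in the
// error message was assembled: every value is wrapped in quotes as-is.
function build_insert(string $table, array $row): string
{
    $cols = implode(',', array_keys($row));
    $vals = implode("','", $row);
    return "INSERT INTO {$table} ({$cols}) VALUES ('{$vals}')";
}

// In-memory SQLite stands in for MySQL (assumption, for offline use).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mybb_reputation (
    rid INTEGER PRIMARY KEY, uid INT, adduid INT, pid INT,
    reputation INT, dateline INT, comments TEXT)');

// Values copied from the failing query quoted in the thread.
$subject = "Ahmed's progress thread";
$row = [
    'uid'        => 20,
    'adduid'     => 1,
    'pid'        => 187,
    'reputation' => 2,
    'dateline'   => 1364313532,
    'comments'   => 'For a useful message in thread ' . $subject,
];

// 1) Concatenated: the apostrophe in the subject closes the string literal
//    early, so the rest of the subject is parsed as SQL and rejected.
$sql = build_insert('mybb_reputation', $row);
echo $sql, "\n";
try {
    $pdo->exec($sql);
    echo "concatenated: inserted\n";
} catch (PDOException $e) {
    echo "concatenated: rejected (", $e->getMessage(), ")\n";
}

// 2) Bound parameters: the subject travels as data and is never parsed
//    as part of the statement, whatever characters it contains.
$stmt = $pdo->prepare('INSERT INTO mybb_reputation
    (uid, adduid, pid, reputation, dateline, comments)
    VALUES (?, ?, ?, ?, ?, ?)');
$stmt->execute(array_values($row));

$stored = $pdo->query('SELECT comments FROM mybb_reputation')->fetchColumn();
echo "bound: stored \"{$stored}\"\n";
```

In the plugin itself, the matching change is to pass `$comments` through `$db->escape_string()` before it reaches `insert_query()` or `update_query()`, as the plugin already does for template text.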
Well. There's one solution.
Is there an alternative plugin like it? I like the simple - and + for reps (used to be thumb up and down). I've disabled the plugin since it has a vulnerability. Thanks crazy guy lol.

Just was trying to find a mod and came across vBulletin guys how to make it like MyBB lol, yet I can't find a plugin to make it like this??

Besides the one which you mentioned that has a vulnerability (thank you for letting me know as I've removed it)

Just a simple +-? per post for users.