2014-07-19, 12:06 AM
Hey guys, so I saw this thread http://community.mybb.com/thread-123744.html and realised how bad this was and how insecure it was...
So I worked on my own... I haven't done mysqli stuff in a while (I can't use the built-in MyBB query functions because they update the lastactive time).
Anyway, does this code look OK? Can you suggest improvements? Like I said, I haven't done mysqli stuff in a while. Any major security issues in it?
<?php
/*--------------------------------------------------------------------------------------------------------------------------
MyBB Notifier - V1.0 (Server Side).
Created By CyanLabs. (http://cyanlabs.net)
Credit to ShrinkOnce @ http://community.mybb.com/thread-123744.html for the idea.
I based it on the post above but have included security such as an API key as in the old version.
ANYONE COULD GET THE SALT AND MD5 OF THE OWNER'S (UID 1) ACCOUNT. DO NOT USE THE OLD VERSION BY ShrinkOnce.
The old version was also based on a Chrome extension, whereas mine will be a Windows application and possibly other OSes.
My version also uses JSON to parse not only the count but also the subject, poster and message.
Feel free to improve or break this code and re-distribute it. Leave the credit for both Fma965/Cyanlabs and ShrinkOnce.
Please edit the line below to set your API Key to something secure.
--------------------------------------------------------------------------------------------------------------------------*/
define("APIKEY", "CYANLABS"); //CHANGE 'CYANLABS' TO WHATEVER YOU WANT, YOU WILL NEED TO ENTER IT ON THE CLIENT AS WELL.
//--------------------------------------------------------------------------------------------------------------------------
//VALIDATES API KEY
if (isset($_GET["apikey"])) {
    $key = $_GET["apikey"];
} else {
    die("No API Key");
}
if ($key != APIKEY) die("Invalid API Key");
//WE USE OUR OWN DB CONNECTION TO AVOID MYBB UPDATING OUR LASTVISIT WHICH IT DOES WHEN WE USE GLOBAL.PHP
require_once 'inc/config.php';
$db = new mysqli($config['database']['hostname'], $config['database']['username'], $config['database']['password'], $config['database']['database']);
if ($db->connect_error) die("Database connection failed");
$prefix = $config['database']['table_prefix'];
//GETS TIMESTAMP FOR LAST ACTIVE (UID 1 ONLY)
$query = 'SELECT lastactive FROM ' . $prefix . 'users WHERE uid = 1';
$result = $db->query($query);
if ($result === false) die("Query failed");
$last_active = 0; //DEFAULT SO THE VARIABLE IS ALWAYS DEFINED EVEN IF UID 1 DOES NOT EXIST
while ($row = $result->fetch_assoc()) {
    $last_active = (int) $row['lastactive']; //INTEGER COLUMN: CAST IT, stripslashes() DOES NOTHING USEFUL HERE
}
//GETS ALL POSTS WITH DATELINE HIGHER THAN OUR LASTACTIVE TIME
$query = 'SELECT subject, username, message FROM ' . $prefix . 'posts WHERE dateline > ' . $last_active . ' ORDER BY dateline DESC';
$result = $db->query($query);
if ($result === false) die("Query failed");
//CREATES JSON FROM DATABASE RESULTS
$json = array();
while ($row = $result->fetch_assoc()) {
    $json[] = $row;
}
//ADDS POST COUNT TO JSON AND ECHOES IT OUT
$json['count'] = $result->num_rows;
header('Content-Type: application/json');
echo json_encode($json);
?>
Also, here is the same code on http://puu.sh/ahqk6/6500f4b02d.txt
Basically the original thread got unread counts and then showed them using a Chrome extension; mine will be a Windows desktop application and it also gets the message and subject.
Here is the JSON it outputs: http://puu.sh/ahqvN/c1a65b0aff.txt
{
    "0": {
        "subject": "RE: SACNR Keybinder Evolution",
        "username": "test",
        "message": "another test"
    },
    "1": {
        "subject": "RE: Install XPEnology (DSM 5.0) on the N54L",
        "username": "test",
        "message": "Testing @fma965"
    },
    "count": 2
}
So if anyone who isn't busy could check my code for issues, that would be great.
Thanks, Fma965, Cyanlabs.
Slightly changed the code:
//CREATES JSON FROM DATABASE RESULTS
$json = array();
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        $json[] = array(
            'subject'  => $row['subject'],
            'message'  => strip_tags($row['message']),
            'username' => $row['username'],
        );
    }
}
Parsing the JSON, great.
And now we have the application showing the stuff... now to add an interval, some settings and a notification.
UM YEAH... so it's all ready for release, just need to confirm the PHP code is safe... so can someone get back to me ASAP? Thanks.
LeeFish, where are you lol (if you even remember me)
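As an added example for readers of this thread (this is not Fma965's script nor ShrinkOnce's, and not part of the CyanLabs release), here is a hardened form of the same endpoint. It keeps the idea of the original (own mysqli connection so global.php does not touch lastactive, API key in the query string, subject/username/message as JSON) but compares the key in constant time with hash_equals, reads lastactive and the posts through prepared statements with bound integers instead of string interpolation, turns mysqli errors into exceptions, sends a Content-Type header, and returns the list and the count under separate keys. It assumes PHP 5.6 or later (hash_equals, http_response_code), MyBB's inc/config.php and a utf8 database; OWNER_UID, MAX_POSTS, the fail() helper, the LIMIT and the 403/500 responses are choices made here, not anything from the original code.

```php
<?php
// Added example (not Fma965's or ShrinkOnce's code): a hardened form of the
// MyBB notifier endpoint from this thread. Assumes PHP 5.6+ (hash_equals),
// MyBB's inc/config.php and a utf8 database. OWNER_UID, MAX_POSTS, fail(),
// the LIMIT and the JSON shape are assumptions made for this example.

define('APIKEY', 'CHANGE-ME-TO-A-LONG-RANDOM-STRING'); // placeholder: set a long random value
define('OWNER_UID', 1);   // account whose lastactive marks "already seen"
define('MAX_POSTS', 50);  // cap on posts returned per request

header('Content-Type: application/json');

// Send an error status plus a JSON body and stop.
function fail($status, $message)
{
    http_response_code($status);
    echo json_encode(array('error' => $message));
    exit;
}

// Constant-time comparison: the time taken does not depend on how many
// leading characters of the supplied key were right. A missing key is ''.
$supplied = isset($_GET['apikey']) ? (string) $_GET['apikey'] : '';
if (!hash_equals(APIKEY, $supplied)) {
    fail(403, 'Invalid API key');
}

// Own connection, as in the original, so MyBB's global.php never updates lastactive.
require_once 'inc/config.php';
$prefix = $config['database']['table_prefix'];

// Make mysqli throw on connection and query errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli(
        $config['database']['hostname'],
        $config['database']['username'],
        $config['database']['password'],
        $config['database']['database']
    );
    $db->set_charset('utf8'); // json_encode() needs valid UTF-8 input

    // Owner's lastactive via a prepared statement with a bound integer.
    $uid = OWNER_UID;
    $stmt = $db->prepare("SELECT lastactive FROM {$prefix}users WHERE uid = ?");
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $stmt->bind_result($last_active);
    if (!$stmt->fetch()) {
        fail(500, 'Owner account not found');
    }
    $stmt->close();
    $last_active = (int) $last_active;

    // Posts newer than lastactive; dateline and the limit are bound, never interpolated.
    $limit = MAX_POSTS;
    $stmt = $db->prepare(
        "SELECT subject, username, message FROM {$prefix}posts " .
        "WHERE dateline > ? ORDER BY dateline DESC LIMIT ?"
    );
    $stmt->bind_param('ii', $last_active, $limit);
    $stmt->execute();
    $stmt->store_result(); // buffer the result so TEXT columns bind cleanly
    $stmt->bind_result($subject, $username, $message);

    $posts = array();
    while ($stmt->fetch()) {
        $posts[] = array(
            'subject'  => $subject,
            'username' => $username,
            'message'  => strip_tags($message), // plain text for the desktop client
        );
    }
    $stmt->close();
    $db->close();
} catch (mysqli_sql_exception $e) {
    error_log('notifier: ' . $e->getMessage()); // details go to the server log only
    fail(500, 'Database error');                // client gets a generic message
}

// Separate keys for the list and the count instead of mixing "0","1",...,"count".
echo json_encode(array('count' => count($posts), 'posts' => $posts));
```

The client would need to read `posts` and `count` from this shape rather than the numeric keys of the original output, and the API key should be set to a long random value before the file is deployed.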