MyBB Community Forums

Full Version: Update Avatar and Safe SQL
Hello all.

Just having my hand at making a plugin to share but a little stuck on the basics.

What I'm aiming for is that when a user heads to the avatar section, they click an 'Update' button and my plugin gets their avatar from an external source and saves it locally and to the database.

Things I'm not sure of:
  • when/how to call a function to get the user avatar (using their username) - can the function be called from a button within the usercp, e.g. $plugins->add_hook("usercp_do_avatar_start", "myplugin_downloadandsetavatarfunction");?
  • how to edit the usercp template from within the plugin (call 'find_replace_templatesets()' on plugin install?)
  • what do these mean within the templates section: {$something->somethingElse} (hooks?)
and finally
  • how to safely update the db (is this safe, what params to pass (just username), and how to call it?)

function myplugin_updatefunction() {
  global $db;

  // SOME/AVATAR/STRING/LOCATION and USERNAME are placeholders for the values I'd fill in
  $db->query("UPDATE ".TABLE_PREFIX."users SET avatar='SOME/AVATAR/STRING/LOCATION' WHERE username='USERNAME'");
}



I don't want too much detail, just a point in the right direction or some keywords.

Have a good one,
- Jason.



EDIT: If this belongs in Plugin Development could it please be moved, sorry about that.
Moved to Plugin Development.

Quote: what do these mean within the templates section {$something->somethingElse} (hooks?)

Anything that is {$something->something_else} is a variable of the class $something. The scope of it can be public, private, or protected. Similarly, if you see {$something['something_else']}, something_else is an array key of $something.

Quote: how to safely update the db (is this safe, what params to pass (just username), and how to call it?)

The best practice would be to use code similar to this:
global $db, $mybb;

// update_query() quotes the values but does not escape them, so escape every string first
$update_array = array(
    "avatar" => $db->escape_string($mybb->get_input("avatar"))
);
// uid is an integer from the session, not user input
$db->update_query("users", $update_array, "uid=" . (int)$mybb->user['uid']);
(2014-11-08, 01:56 PM)dragonexpert Wrote: Anything that is {$something->something_else} is a variable of the class $something. [...] The best practice would be to use code similar to this: [...]

Thank you for that info.
How would I run a function within my plugin from a theme template (such as pressing a button inputs data), or can I only receive data while using {Iwantmyplugintodisplaystuff}, or would I rely on a user update hook?

Would doing
$update_array = array("avatar" => "./uploads/avatars/" . $username . ".png");
$db->update_query("users", $update_array, "username=" . "\"" . $username . "\"");
be as safe as the quoted above?
I don't see you escaping anything, which I think you should be doing.
Would this be safer in any way?
$update_array = array("avatar" => $db->escape_string("./uploads/avatars/" . $mybb->user['username'] . ".png"));
$db->update_query("users", $update_array, "username=" . "\"" . $mybb->user['username'] . "\"");
I'm not entirely sure about the usage of escape_string, but doesn't it remove certain special characters and help protect against injection (and is it good practice to use it even with no user input)?
(2014-11-10, 05:02 AM)ImJasonH Wrote: Would this be safer in any way? [...]

Uhm, no, because now you just created an SQLi in the WHERE portion of the query.

// escape the value that goes into SET *and* the value that goes into WHERE
$update_array = array("avatar" => $db->escape_string("./uploads/avatars/" . $mybb->user['username'] . ".png"));
$db->update_query("users", $update_array, 'username="' . $db->escape_string($mybb->user['username']) . '"');

Also escape_string is fine to prevent injections and is not meant to remove special characters.
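Pulling the thread's answers together, the following is an added example (my code, not the original poster's draft and not part of MyBB itself). It is a minimal MyBB 1.8 plugin that registers the usercp_do_avatar_start hook asked about in the first post, inserts a button into the usercp_avatar template with find_replace_templatesets(), and writes the avatar row with update_query() using escape_string() on the SET values and an integer uid in the WHERE clause, so the concatenated-username injection discussed in the last replies cannot occur. The external avatar host, the button name, and the assumption that the stock usercp_avatar template contains {$removeavatar} are mine; verify_post_check(), fetch_remote_file(), error_no_permission() and redirect() are existing MyBB functions.

```php
<?php
/**
 * inc/plugins/extavatar.php  (added example; not code from the thread or from MyBB)
 *
 * Assumes MyBB 1.8: the usercp_do_avatar_start hook, find_replace_templatesets(),
 * fetch_remote_file(), $db->update_query() and $db->escape_string().
 * The avatar host below is a placeholder, not a real service.
 */
if (!defined("IN_MYBB")) {
    die("Direct initialization of this file is not allowed.");
}

$plugins->add_hook("usercp_do_avatar_start", "extavatar_do_avatar");

// Button injected into the avatar form. The form already carries my_post_key,
// and usercp.php calls verify_post_check() before running the hook.
define("EXTAVATAR_BUTTON",
    '<input type="submit" class="button" name="extavatar_fetch" value="Fetch external avatar" />');

function extavatar_info()
{
    return array(
        "name"          => "External Avatar",
        "description"   => "Fetches the user's avatar from an external source and stores it locally.",
        "author"        => "example",
        "version"       => "0.1",
        "compatibility" => "18",
    );
}

function extavatar_activate()
{
    // Template edits belong in activate/deactivate so they are reverted cleanly.
    // Assumption: the stock usercp_avatar template contains {$removeavatar}.
    require_once MYBB_ROOT . "inc/adminfunctions_templates.php";
    find_replace_templatesets("usercp_avatar", "#" . preg_quote('{$removeavatar}') . "#i",
        '{$removeavatar}' . EXTAVATAR_BUTTON);
}

function extavatar_deactivate()
{
    require_once MYBB_ROOT . "inc/adminfunctions_templates.php";
    find_replace_templatesets("usercp_avatar", "#" . preg_quote(EXTAVATAR_BUTTON) . "#i", '', 0);
}

function extavatar_do_avatar()
{
    global $mybb, $db;

    // usercp.php runs this hook for every do_avatar POST; only act on our button.
    if (empty($mybb->input['extavatar_fetch'])) {
        return;
    }
    $uid = (int) $mybb->user['uid'];
    if ($uid < 1) {
        error_no_permission();
    }

    // The username only ever goes into the URL, percent-encoded; the fixed host
    // keeps this from turning into a fetch-any-URL primitive.
    $url  = "https://avatars.example.invalid/" . rawurlencode($mybb->user['username']) . ".png";
    $data = fetch_remote_file($url);
    $info = ($data === false || $data === "") ? false : @getimagesizefromstring($data);
    if ($info === false || $info['mime'] !== "image/png") {
        error("The external source did not return a PNG avatar.");
    }

    // File name derives from the integer uid, not the username, so no path tricks.
    $dir  = rtrim($mybb->settings['avatardir'], "/");
    $path = $dir . "/avatar_" . $uid . ".png";
    if (file_put_contents($path, $data) === false) {
        error("Could not write the avatar file.");
    }

    // update_query() quotes values but does not escape them: escape_string() on
    // every string in SET. The WHERE clause uses the cast integer uid, so nothing
    // user-controlled is concatenated into it. If you must match on username,
    // it needs escaping too: "username='" . $db->escape_string($name) . "'".
    $update = array(
        "avatar"           => $db->escape_string($path . "?dateline=" . TIME_NOW),
        "avatardimensions" => $db->escape_string($info[0] . "|" . $info[1]),
        "avatartype"       => "upload",
    );
    $db->update_query("users", $update, "uid=" . $uid);

    redirect("usercp.php?action=avatar", "Your avatar has been updated.");
}
```

Two design points worth noting. First, matching on uid rather than username is not only shorter: an integer cast leaves no character set for an attacker to exploit, whereas a username-based WHERE clause is only safe for as long as every caller remembers to escape it. Second, escape_string() does not strip anything; it backslash-escapes quotes and a few control characters so the value is read by MySQL as a string literal, which is why the thread's last reply says it is meant to prevent injection, not to remove special characters.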