MyBB Community Forums

Full Version: MyPlaza v0.5 (Beta)
a great plugin, just add a game sector module and it is perfect for me ^^
Dammit...you are right about delete_post. They changed it and yet didn't inform anyone. That's just great.

It's class_moderation_delete_posts hook now. It did work before..trust me it did. Looks like I have to rewrite that today. Same goes for class_moderation_delete_thread too...grrr...

Quote:There's quite a few places where inputs are directly sent into the DB without escaping.

Can you give me an example? I am pretty sure I protected any place that a query was made a couple of updates ago. Security is very important to me. While I might be a bit lax on queries, I take no chances with security. If you find a hole ...please tell me asap.

Ahh...$thread[uid]....I may have to use that. Certainly my code could benefit from more experienced coders but at the time no one seemed willing to take on the task. Where were you 6 months ago?
labrocca Wrote:Dammit...you are right about delete_post. They changed it and yet didn't inform anyone. That's just great.

http://community.mybboard.net/showthread...#pid139659

Someone needs to update the wiki =P If I don't forget, I will do it this weekend Wink
Broken for 5 months....I think I am gonna hide in shame. Sad

Working to fix it now though. bah...
Well, I have a few requests for this
1. As I said, change usergroup. I could probably actually code this myself after looking at the demo.

2. A download inventory, you can download items you pay for.

BP
labrocca Wrote:Dammit...you are right about delete_post. They changed it and yet didn't inform anyone. That's just great.

It's class_moderation_delete_posts hook now. It did work before..trust me it did. Looks like I have to rewrite that today. Same goes for class_moderation_delete_thread too...grrr...
Ahh, I see. Not your fault then Smile
Glad I could help!

labrocca Wrote:
Quote:There's quite a few places where inputs are directly sent into the DB without escaping.

Can you give me an example? I am pretty sure I protected any place that a query was made a couple of updates ago. Security is very important to me. While I might be a bit lax on queries, I take no chances with security. If you find a hole ...please tell me asap.
Well, I can't give an exhaustive list - you'll have to find it yourself, but I'll try to help. The aforementioned ones in the AdminCP are there. Also, check /myps.php
	$db->query("UPDATE ".TABLE_PREFIX."users SET myps='".$db->escape_string($newmyps)."' WHERE username='".$mybb->input['username']."'");
The input is sent directly into the query. There's a few other places in the same file where the same input is sent into a query.


labrocca Wrote:Ahh...$thread[uid]....I may have to use that. Certainly my code could benefit from more experienced coders but at the time no one seemed willing to take on the task. Where were you 6 months ago?
I only started looking at PHP a few months back Toungue
Been programming a fair bit in other languages, so picked up PHP really quick.

blueparukia Wrote:Well, I have a few requests for this
1. As I said, change usergroup. I could probably actually code this myself after looking at the demo.
Added to list Toungue

blueparukia Wrote:2. A download inventory, you can download items you pay for.
Coming out real soon Smile
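The quoted line from /myps.php, placed next to a hardened version, as an added example that is not MyPlaza's own code. It assumes the MyBB globals $db and $mybb and the TABLE_PREFIX constant as used in the thread; the two function names are made up for illustration.

```php
<?php
// Added example, not from the MyPlaza plugin. Assumes MyBB's $db (escape_string, query)
// and $mybb->input as referenced in the thread; function names are illustrative.

// As quoted in the thread: $newmyps goes through escape_string, but
// $mybb->input['username'] is concatenated into the WHERE clause raw,
// so whatever the user submits becomes part of the SQL.
function update_myps_unsafe($db, $mybb, $newmyps)
{
    $db->query("UPDATE ".TABLE_PREFIX."users SET myps='".$db->escape_string($newmyps)."'
        WHERE username='".$mybb->input['username']."'");
}

// Hardened: every value that reaches the query is escaped (or cast to a number)
// before it is concatenated, no matter which input it came from.
function update_myps_safe($db, $mybb, $newmyps)
{
    $username = $db->escape_string($mybb->input['username']);
    $newmyps  = $db->escape_string($newmyps);

    $db->query("UPDATE ".TABLE_PREFIX."users SET myps='".$newmyps."'
        WHERE username='".$username."'");
}

// Same idea for numeric keys such as $thread['uid'] mentioned above:
// an integer cast leaves nothing for an attacker to inject.
function update_myps_by_uid($db, $mybb, $newmyps)
{
    $uid     = intval($mybb->input['uid']);
    $newmyps = $db->escape_string($newmyps);

    $db->query("UPDATE ".TABLE_PREFIX."users SET myps='".$newmyps."' WHERE uid=".$uid);
}
```

A quick way to audit a plugin for the same pattern is to grep its PHP files for `$mybb->input[` and `$_POST[` / `$_GET[` and confirm each hit is wrapped in `$db->escape_string()` or `intval()` before it appears inside a query string.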
Awesome,

BP
Anyways, updated to v0.2 - fixes a few bugs found in v0.11.
Other main changes are quite a few modifications to how the AdminCP back-end operates (only really for modules).
Also, item handling is much better.

Upgrade instructions: just simply overwrite the files - no need to deactivate anything.

Please report any bugs or issues!
ZiNga BuRgA Wrote:
blueparukia Wrote:2. A download inventory, you can download items you pay for.
Coming out real soon Smile
That is basically what I asked that you didn't seem to understand, though I'm happy to see it's coming soon. I'll give the mod a try once that module is released with it. Big Grin
Can I ask, is there a feature for downloads for cash?