MyBB Community Forums

Full Version: Tagging Plugin! v1.3.4
Nice. I think I'll try this.
If you want the @ before Username open the file.

Find:
return str_replace(array("{uid}", "{username}"), array($result['uid'], $result['username']), "<a href=\"" . PROFILE_URL . "\">{username}</a>");
Replace With:
return "@" . str_replace(array("{uid}", "{username}"), array($result['uid'], $result['username']), "<a href=\"" . PROFILE_URL . "\">{username}</a>");

For now I don't plan on adding it to the plugin.
You're not escaping username right. It's possible to inject SQL with @['' SQL HERE]. This could be a security issue. Use $db->escape_string() for every variable that goes in a query. Especially important where user input is involved.

Other suggestions I found while testing:

May I suggest you use get_profile_link($uid) instead of PROFILE_URL, and get_post_link($pid, $tid) instead of THREAD_URL_POST? This way you'd automatically support URLs made by SEO plugins and it's much easier than str_replace array()...

It's currently possible to tag oneself.

When someone quotes a post that has tags in it, it tags again.

Tags are evaluated in forums that do not allow MyCode.

It would be nice for users to have an 'ignore tags' option for people who don't want to get their PM box spammed with tags. Some forums only offer limited PM space so such a feature could be useful...

It would be nice to have a spam protection similar to the 'thread subscription', i.e. don't send another tag if the user was already tagged for this thread, and the user hasn't read the thread (or the tag) since.
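The escaping frostschutz describes above, as an added example that is not part of the original thread or the plugin's own code. The `@[username]` tag pattern, the `DemoDb` stand-in class and the function names are assumptions made for illustration; in a real plugin the call is MyBB's `$db->escape_string()`.

```php
<?php
// Stand-in for MyBB's global $db so the example runs outside a forum install.
// Assumption: addslashes() is a simplified substitute for the real driver escaping.
class DemoDb
{
    public function escape_string($string)
    {
        return addslashes($string);
    }
}

// Hypothetical tag syntax @[username]; the plugin's real pattern is not shown in the thread.
function extract_tagged_names($message)
{
    preg_match_all('/@\[([^\]]+)\]/', $message, $matches);
    return array_unique($matches[1]);
}

// Before: the captured name is concatenated into the WHERE clause as typed,
// so a quote inside the tag ends the string literal early.
function build_lookup_unescaped($name)
{
    return "SELECT uid, username FROM mybb_users WHERE username='" . $name . "'";
}

// After: the name passes through escape_string() before it reaches the query.
// Inside MyBB the same condition would be handed to the query helper:
//   $db->simple_select("users", "uid, username",
//       "username='" . $db->escape_string($name) . "'");
function build_lookup_escaped($db, $name)
{
    return "SELECT uid, username FROM mybb_users WHERE username='"
        . $db->escape_string($name) . "'";
}

$db = new DemoDb();
$post = "Thanks @[O'Brien] and @[flash.tato]!"; // constructed sample post

foreach (extract_tagged_names($post) as $name) {
    echo "unescaped: ", build_lookup_unescaped($name), "\n";
    echo "escaped:   ", build_lookup_escaped($db, $name), "\n";
}
```

Even a legitimate name containing an apostrophe produces a malformed query in the unescaped form, which makes missing escaping easy to spot when testing a plugin.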
(2010-03-23, 09:58 PM) flash.tato wrote: If you want the @ before Username open the file.

Find:
return str_replace(array("{uid}", "{username}"), array($result['uid'], $result['username']), "<a href=\"" . PROFILE_URL . "\">{username}</a>");
Replace With:
return "@" . str_replace(array("{uid}", "{username}"), array($result['uid'], $result['username']), "<a href=\"" . PROFILE_URL . "\">{username}</a>");

For now I don't plan on adding it to the plugin.
Thank you!
(2010-03-24, 07:26 PM) frostschutz wrote: You're not escaping username right. It's possible to inject SQL with @['' SQL HERE]. This could be a security issue. Use $db->escape_string() for every variable that goes in a query. Especially important where user input is involved.

Other suggestions I found while testing:

May I suggest you use get_profile_link($uid) instead of PROFILE_URL, and get_post_link($pid, $tid) instead of THREAD_URL_POST? This way you'd automatically support URLs made by SEO plugins and it's much easier than str_replace array()...

It's currently possible to tag oneself.

When someone quotes a post that has tags in it, it tags again.

Tags are evaluated in forums that do not allow MyCode.

It would be nice for users to have an 'ignore tags' option for people who don't want to get their PM box spammed with tags. Some forums only offer limited PM space so such a feature could be useful...

It would be nice to have a spam protection similar to the 'thread subscription', i.e. don't send another tag if the user was already tagged for this thread, and the user hasn't read the thread (or the tag) since.

I have to be serious, I didn't keep all these things in mind. This is what happens when I want to write a plugin without thinking properly; these are very stupid mistakes that I'm not used to making. Thank you very much for pointing them out to me!
I like it. Thx.
Any security update?
I will try this plugin.
Yes, I released it now! It is in the first post.

This is a bugfix release only. I suggest you re-download it as there is a security vulnerability (my apologies).

Thanks again frostschutz!
This plugin has been rewritten.
The concept of this will be completely different.

The tags are in a separate database table.
Now in the User CP (I'm currently writing the code for this) there is a section where you can choose to let everyone tag you, no one, or only your buddies. When you change the setting it will not affect the older tags (as they're stored in the database; with the current method I couldn't implement this as it relies completely on string manipulation).

Now I have to finish the User CP page.

Last thing: the tags you made with this version will not be available in the next one, due to the completely different approaches.

New version available at first post.