MyBB Community Forums
[F] admin/settings.php: SQL options leak through into a <select> tag - Printable Version


[F] admin/settings.php: SQL options leak through into a <select> tag - rillig - 2007-01-21

When I remove the /settings.php file and make the directory read-only, the settings will be retrieved from the database.

Then I call /admin/settings.php?action=change

Later, the $options variable is used in the code without initializing it properly. Therefore, the first combo box contains items for the $options that had been used in the last SQL statement, in my case "title" and "ASC".

Some further questions:
* What is the settings.php good for at all? Is it just a cache?
* Why is the code using md5($debugmode) instead of checking the value directly?

Roland
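
The variable reuse described in the report above, as an added example that is not part of the original post and is not MyBB's own code. Every function name, the `order_by`/`order_dir` keys and the sample row are hypothetical; only `$options` and the values "title" and "ASC" come from the report.

```php
<?php
// Constructed illustration: names other than $options are hypothetical.

// Stand-in for a database helper that receives query options.
function fetch_setting_groups(array $options): array
{
    // A real helper would turn $options into an ORDER BY clause.
    return [['gid' => 1, 'title' => 'General']]; // constructed sample row
}

// Renders a <select>; $items maps option value => label, both HTML-escaped.
function render_select(string $name, array $items): string
{
    $html = '<select name="' . htmlspecialchars($name) . '">';
    foreach ($items as $value => $label) {
        $html .= '<option value="' . htmlspecialchars((string)$value) . '">'
               . htmlspecialchars((string)$label) . '</option>';
    }
    return $html . '</select>';
}

function build_page(bool $resetOptions): string
{
    // First use of $options: options for the SQL statement.
    $options = ['order_by' => 'title', 'order_dir' => 'ASC'];
    $groups = fetch_setting_groups($options);

    if ($resetOptions) {
        // Corrected form: start the select list from an empty array.
        $options = [];
    }
    // Second use of $options: items for the combo box. Without the reset,
    // the query options are still in the array and get rendered as well.
    foreach ($groups as $group) {
        $options[$group['gid']] = $group['title'];
    }
    return render_select('gid', $options);
}

echo build_page(false), "\n"; // stale query options carried into the select
echo build_page(true), "\n";  // array reinitialised before the second use
```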


RE: admin/settings.php: SQL options leak through into a <select> tag - Ryan Gordon - 2007-01-22

The md5 is there because the feature was not finished and did not make it into the MyBB 1.0 final. However, I will change the $settings[''] to $settings = array();

As for the settings.php in the inc folder, it is a prebuilt cache of settings from the settings table for better performance.


RE: [F] admin/settings.php: SQL options leak through into a <select> tag - Ryan Gordon - 2007-01-22

This bug has been fixed in the latest code.

Please note the latest code is not live on the site or for download. An update will be released which contains this fix.