Not Solved PHP in Templates and Template Conditionals
Not Solved
Replace this (lines 47 and 56):

die ("Ga terug, gebruik de 'vorige pagina' knop hiervoor");

With this:

echo "Ga terug, gebruik de 'vorige pagina' knop hiervoor";
Reply
Not Solved
So I can't do this with 'die'?

The problem with 'echo' in this example is the fact that the check doesn't have any function anymore. Because if the script isn't stopped at that point it still sends out the email.

If this is the case, I think I have no other choice than to just take out the 'empty field & email check'.

Thanks for your help!
Reply
Not Solved
I understand what you mean. I didn't notice that when looking through the code. You're basically checking if the fields are empty - in which case an error message is sent - but the email is sent anyway.

A more logical approach would be to only send the email if the fields are not empty. Otherwise an error message would be displayed. Here's some pseudo-code to give you a basic idea:

if(!empty(fields))
	mail([email protected], subject, message)
else
	echo "Error"

And yes, die() stops everything and outputs only what you specified. So that's not what you want to use here. Just echo out the message you want and move on. Also, your form is vulnerable to XSS attacks. You may want to escape the user's input (i.e. the $_POST variables).
Reply
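The validate-then-send flow and the output escaping suggested in the post above, as an added example that is not part of the original thread. The field names, the recipient address and the injected $send callback (standing in for mail()) are assumptions.

```php
<?php
// Added example; field names, recipient and $send are assumptions.
function h(string $value): string
{
    // Escape user input before echoing it into HTML (the XSS fix).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Returns [bool $sent, string $html]. $send has mail()'s argument order
// and is injected so the flow can be run without a mail server.
function handle_contact(array $post, callable $send): array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    $errors = [];
    if ($name === '' || $message === '') {
        $errors[] = 'Please fill in all fields.';
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so the address cannot add headers.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address: ' . h($email);
    }
    if ($errors) {
        // echo-style result instead of die(): the page keeps rendering,
        // and because we return here nothing is sent.
        return [false, '<p class="error">' . implode('<br>', $errors) . '</p>'];
    }

    $subject = 'Contact form: ' . preg_replace('/[\r\n]+/', ' ', $name);
    $send('owner@example.com', $subject, $message, "Reply-To: $email");
    return [true, '<p>Thanks, ' . h($name) . '. Your message was sent.</p>'];
}

// Constructed sample input standing in for $_POST.
$outbox = [];
$send = function (...$args) use (&$outbox) { $outbox[] = $args; };

$bad = ['name' => 'Ann', 'email' => '<script>alert(1)</script>', 'message' => ''];
[$sent, $html] = handle_contact($bad, $send);
echo $html, "\n", 'sent=', var_export($sent, true), ' queued=', count($outbox), "\n";

$ok = ['name' => 'Ann <b>', 'email' => 'ann@example.com', 'message' => 'Hello'];
[$sent, $html] = handle_contact($ok, $send);
echo $html, "\n", 'sent=', var_export($sent, true), ' queued=', count($outbox), "\n";
```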
Not Solved
Thanks again.

But this time it's a bit above my level haha, so I have to look up exactly what you mean. The XSS attacks sound bad.
Reply
Not Solved
Hi, I need help with this code:
$balance = mysql_query("SELECT `balance` FROM iconomy WHERE `username` = '{$mybb->user[\'fid4\']}'");
echo mysql_real_escape_string($balance); 
Because MyBB is telling me it has a security issue :/
And I don't really see how I can fix it.

Can you help me, please?
Reply
Not Solved
What you need to do is this:

$fid4 = mysql_real_escape_string($mybb->user['fid4']);
$result = $db->query("SELECT `balance` FROM iconomy WHERE `username` = '{$fid4}'");
$balance = $db->fetch_array($result);
echo $balance['balance']; // fetch_array() returns the row as an array, so print the column
-Paul H.

Cogisne lingua latina?
Reply
Not Solved
Thanks.
Now it saved.

But now I got a fatal error on the page :/

Fatal error: Call to a member function query() on a non-object in C:\...\global.php(353) : eval()'d code(13) : eval()'d code on line 7

The line 7 : $result = $db->query("SELECT balance FROM iconomy WHERE username = '{$fid4}'");

I'll try some things; if I fix it, I'll tell you. But if you know what is wrong, thanks for telling me ^.^
Oh, I just saw this:
$fid4 = mysql_real_escape_string($mybb->user['fid4']);

Need to change to: $fid4 = mysql_real_escape_string({$mybb->user['fid4']});

and it fixes the fatal error, but I got a new one:
Parse error: syntax error, unexpected '{', expecting ')' in C:\...\global.php(353) : eval()'d code(13) : eval()'d code on line 6

Line 6 : $fid4 = mysql_real_escape_string({$mybb->user['fid4']});
I can still type: $fid4 = mysql_real_escape_string{$mybb->user['fid4']};

But I get this error now: Parse error: syntax error, unexpected '{' in C:\...\global.php(353) : eval()'d code(13) : eval()'d code on line 6
Reply
Not Solved
It was correct the way I had it,
$fid4 = mysql_real_escape_string($mybb->user['fid4']);

The problem is that the MyBB DB object, $db, isn't globalized.
-Paul H.

Cogisne lingua latina?
Reply
Not Solved
I have added this to my sidebar:

<a href="##"><img src="{$mybb->user['avatar']}" /></a>

But I want to make it so that if you are not logged in, it shows a default avatar. I'm not good with PHP but I figured it would be something along the lines of:

If logged in show avatar else no avatar.

Although, I'd also like an extra bit of code so that if a user is logged in and hasn't chosen an avatar, it shows a no-avatar image too.

===

Also, is this safe to use? I mean, only admins can insert PHP? I don't want my forum getting hacked or anything. I'm the only admin, so it should be safe, right?
Reply
Not Solved
Is this valid with 1.6.5/1.6.6+ ?
Reply