2010-08-14, 01:41 PM
(This post was last modified: 2010-08-14, 04:02 PM by ImperfectShaun.)
I'm experiencing an issue when the title contains an apostrophe - the ' character
I know this is the kinda hole that allows unwanted code to run on mysql.
I'm trying to fix it myself, but you should really update this. Other than this, it appears to work on 1.6, and adds a very good feature most moderation teams should use.
Critical changes required:
- $db->escape_string( subject )
- $db->escape_string( forum name )
Also, other changes you could do:
- Cannot report a report post (it sounds silly but makes sense)
- I changed the subject to "Report: [post-subject] by [post-author]" to be more specific; the reporting-user is the author of the thread.
- Take into account "Posts in this forum increase post count." option in settings - I would think most admins would turn this option off for a hidden system such as this one. I've just commented out that section for now.
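The apostrophe failure described in this post is the visible symptom of an SQL injection hole: the subject is spliced into the INSERT statement, so a single quote in a title ends the string literal early. The following is an added stand-alone illustration (not the plugin's code, and using Python's sqlite3 in place of MyBB's $db wrapper) that builds the proposed "Report: [post-subject] by [post-author]" subject and inserts it three ways: unescaped as the plugin does, escaped in the spirit of $db->escape_string(), and with a bound parameter. The table layout and the sample title are constructed for the demo.

```python
import sqlite3


def build_report_subject(post_subject: str, post_author: str) -> str:
    """Subject format proposed in the post: 'Report: [post-subject] by [post-author]'."""
    return f"Report: {post_subject} by {post_author}"


def new_db() -> sqlite3.Connection:
    # Minimal constructed stand-in for the forum's posts table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (pid INTEGER PRIMARY KEY, fid INTEGER, subject TEXT)")
    return conn


def insert_report_unescaped(conn: sqlite3.Connection, fid: int, subject: str) -> None:
    # Mirrors the defect: the subject is concatenated straight into the statement,
    # so an apostrophe in the title terminates the string literal.
    conn.execute(f"INSERT INTO posts (fid, subject) VALUES ({int(fid)}, '{subject}')")
    conn.commit()


def escape_sqlite(value: str) -> str:
    # Analogue of $db->escape_string(): SQLite escapes a quote by doubling it.
    return value.replace("'", "''")


def insert_report_escaped(conn: sqlite3.Connection, fid: int, subject: str) -> None:
    conn.execute(f"INSERT INTO posts (fid, subject) VALUES ({int(fid)}, '{escape_sqlite(subject)}')")
    conn.commit()


def insert_report_parameterised(conn: sqlite3.Connection, fid: int, subject: str) -> None:
    # Bound parameters never reach the SQL parser as text, so no escaping is needed.
    conn.execute("INSERT INTO posts (fid, subject) VALUES (?, ?)", (int(fid), subject))
    conn.commit()


def stored_subjects(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT subject FROM posts ORDER BY pid")]


def demo() -> tuple:
    subject = build_report_subject("Don't panic", "arthur")  # constructed title with an apostrophe
    conn = new_db()
    unescaped_failed = False
    try:
        insert_report_unescaped(conn, 5, subject)
    except sqlite3.OperationalError:  # syntax error: the quote closed the literal early
        unescaped_failed = True
    insert_report_escaped(conn, 5, subject)
    insert_report_parameterised(conn, 5, subject)
    return unescaped_failed, stored_subjects(conn)
```

Running demo() shows the unescaped insert raising a syntax error while both safe variants store the title intact; the same title that merely errors here could, with other characters, alter the query, which is why the escaping is critical rather than cosmetic.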