Author |
Topic |
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 13 September 2006 : 18:38:45
|
The strtopicsortord variable in forum.asp is not properly sanitized.
To fix this, find the following code in the forum.asp file, around line 66, and add the code in red:
Select Case strtopicsortord
    Case "asc"
        strSortOrd = " ASC"
    Case Else
        strSortOrd = " DESC"
        strtopicsortord = "desc"
End Select
|
Support Snitz Forums
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
|
mkervin
Junior Member
100 Posts |
Posted - 15 September 2006 : 19:52:40
|
FYI, Davio, I downloaded the update files for 3.4.0.6 from 3.4.0.5 and forum.asp was not one of the files included in the update. The code you listed above I just added to my forum.asp from 3.4.0.5. Just a heads-up, nothing more. |
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 15 September 2006 : 20:07:05
|
mkervin, I just downloaded the file from SourceForge. I see the forum.asp file in there. You sure you downloaded the right file? |
Support Snitz Forums
|
|
|
mkervin
Junior Member
100 Posts |
Posted - 15 September 2006 : 22:33:48
|
Davio, let me go and redownload it and check. This is the update we are talking about. I just checked the file I have on my machine; it is sf2k_34_05up06.zip and there is no forum.asp in it. I can send it to you or upload it to my site so you can download it. If you can point me to the file I need with all the files I would appreciate it. Please, I am not trying to be a pain; I just want this upgrade to go smoothly for me and I truly appreciate all the work.
Just redownloaded the file and this one does have it in; my original didn't. Boy, I am glad I caught it, thanks. File size is different too: 230 -- 239. I wish I could tell you what mirror I used on the first one. I believe it was Virginia in North America. |
Edited by - mkervin on 16 September 2006 01:50:39 |
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 16 September 2006 : 01:53:42
|
I had updated the SourceForge files with the forum.asp file. It seems the updated file has not populated to all the mirrors as yet.
Glad you got it sorted out though. |
Support Snitz Forums
|
|
|
richfed
Average Member
United States
999 Posts |
Posted - 17 September 2006 : 09:15:22
|
OK - I have a modified topic sorting on my forum.asp ... Below is the section in question. Am I properly "sanitized"? If not, any suggestions?
'-------------------------------------------
' FORUM SORTING MOD VARIABLES
'-------------------------------------------

' Code Mod for mypage variable
dim mypage : mypage = request("whichpage")
if ((Trim(mypage) = "") or IsNumeric(mypage) = False) then mypage = 1
mypage = cLng(mypage)

' Topic Sorting Variables
dim strtopicsortord :strtopicsortord = request("sortorder")
'dim strtopicsortfld :strtopicsortfld = request("sortfield")
dim strtopicsortday :strtopicsortday = request("days")
dim inttotaltopics : inttotaltopics = 0
dim strSortCol, strSortOrd

'Select Case strtopicsortord
'    Case "asc"
'        strSortOrd = " ASC"
'    Case Else
'        strSortOrd = " DESC"
'End Select

'Select Case strtopicsortfld
'    Case "topic"
'        strSortCol = "T_SUBJECT" & strSortOrd
'    Case "author"
'        strSortCol = "M_NAME" & strSortOrd
'    Case "replies"
'        strSortCol = "T_REPLIES" & strSortOrd
'    Case "views"
'        strSortCol = "T_VIEW_COUNT" & strSortOrd
'    Case "lastpost"
'        strSortCol = "T_LAST_POST" & strSortOrd
'    Case Else
'        strtopicsortfld = "lastpost"
'        strSortCol = "T_LAST_POST" & strSortOrd
'End Select
'strQStopicsort = "FORUM_ID=" & Forum_ID
'-------------------------------------------

'##### Modified Topic Sorting 1-1 : replace above 23 lines with below 8 lines
' you also can comment out above "dim strtopicsortfld :strtopicsortfld = request("sortfield")" this line.(optional)
' change original code to function getSortCol(xxx)
if trim(request("sortorder")) <> "" then
    strSortCol = getSortCol(strtopicsortord)
else
    strSortCol = ""
end if

strQStopicsort = "FORUM_ID=" & Forum_ID
'########## Modified Topic Sorting ##########

if request("ARCHIVE") = "true" then
    strActivePrefix = strTablePrefix & "A_"
    ArchiveView = "true"
    ArchiveLink = "ARCHIVE=true&"
elseif request("ARCHIVE") <> "" then
    Response.Redirect "default.asp"
    Response.End
else
    strActivePrefix = strTablePrefix
    ArchiveView = ""
    ArchiveLink = ""
end if
|
Rich
A Complete Idiot's Guide to MOD Implementation || On the Trail of the Last of the Mohicans |
|
|
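An added example, not part of the thread and not Snitz or MOD code: the allow-list pattern from the Select Case fix at the top of the topic, applied to both sort parameters in one place. NormalizeTopicSort is a hypothetical helper; the column names are the ones in the commented-out block in the post above.

```vbscript
' Added example. NormalizeTopicSort is a hypothetical name, not a Snitz function.
' Both arguments are ByRef: on return they hold only canonical keywords, so any
' later use of the variables (links, form fields, SQL) never sees the raw request text.
Function NormalizeTopicSort(ByRef strField, ByRef strOrder)
    Dim strKey, strCol

    ' Sort direction: anything other than "asc" becomes "desc".
    ' (& "" turns Empty or Null into a zero-length string before Trim/LCase.)
    Select Case LCase(Trim(strOrder & ""))
        Case "asc"
            strOrder = "asc"
        Case Else
            strOrder = "desc"
    End Select

    ' Sort field: a known keyword selects a fixed column name.
    ' The request value itself is never copied into the SQL text.
    strKey = LCase(Trim(strField & ""))
    Select Case strKey
        Case "topic"
            strCol = "T_SUBJECT"
        Case "author"
            strCol = "M_NAME"
        Case "replies"
            strCol = "T_REPLIES"
        Case "views"
            strCol = "T_VIEW_COUNT"
        Case "lastpost"
            strCol = "T_LAST_POST"
        Case Else
            strKey = "lastpost"
            strCol = "T_LAST_POST"
    End Select
    strField = strKey

    ' Built only from the literals above, e.g. "T_LAST_POST DESC".
    NormalizeTopicSort = strCol & " " & UCase(strOrder)
End Function

' Stand-alone usage; in forum.asp these variables are already declared.
Dim strtopicsortord, strtopicsortfld, strSortCol
strtopicsortord = Request("sortorder")
strtopicsortfld = Request("sortfield")
strSortCol = NormalizeTopicSort(strtopicsortfld, strtopicsortord)
```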
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 17 September 2006 : 14:53:12
|
Post a link to a txt version of your file, so I can take a look at it. |
Support Snitz Forums
|
|
|
richfed
Average Member
United States
999 Posts |
|
Davio
Development Team Member
Jamaica
12217 Posts |
|
richfed
Average Member
United States
999 Posts |
Posted - 18 September 2006 : 06:13:02
|
Thanks, Davio! |
|
|
|
|