Snitz Forums 2000
Help: MOD Implementation
PM mod bug fix

modifichicci (Average Member, Italy, 787 Posts)
Posted - 02 January 2008 : 10:31:35
About the fix posted here:
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=66176


Only some doubts and questions:
In pm_options, don't the variables statusstorage and emailstorage have to be sanitized as well?

And in the files, isn't the include of inc_func_common a double include, since it is included in inc_header or inc_header_short?

Sorry if these questions are obvious.


Ernia e Laparocele
Forum di Ernia e Laparocele
Acces - MySql Migration Tutorial
Adamantine forum

Edited by - modifichicci on 02 January 2008 14:37:00

ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 16:04:20
Aren't they sanitized whenever they are used to access the DB? If they are not, please show me where.


Snitz 3.4 Readme | Like the support? Support Snitz too

modifichicci (Average Member, Italy, 787 Posts)
Posted - 02 January 2008 : 16:17:07
They are not:

if Request.QueryString("mode") = "setoptions" then
'## Forum_SQL
' The two Request.Form values below go into the statement as-is; only the
' cookie value on the M_PASSWORD line is passed through ChkString.
strSql = "UPDATE " & strMemberTablePrefix & "MEMBERS "
strSql = strSql & " SET M_PMRECEIVE = '" & Request.Form("statusstorage") & "', "
strSql = strSql & " M_PMEMAIL = '" & Request.Form("emailstorage") & "'"
strSql = strSql & " WHERE " & strMemberTablePrefix & "MEMBERS.M_NAME = '" & strDBNTUserName & "'"
strSql = strSql & " AND " & strMemberTablePrefix & "MEMBERS.M_PASSWORD = '" & ChkString(Request.Cookies(strUniqueID & "User")("PWord"),"SQLString") & "'"


They are input here:

' Radio buttons on the options form; the only values the form offers are "1" and "0".
" <input type=""radio"" name=""emailstorage"" value=""1"""
if rs("M_PMEMAIL") = "1" then
Response.Write(" checked")
end if
Response.Write "> Receive e-mail notification of private messages.<br>" & vbNewLine & _
" <input type=""radio"" name=""emailstorage"" value=""0"""
if rs("M_PMEMAIL") = "0" then
Response.Write(" checked")
end if


There is no other place where they are handled.

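The concatenation quoted in the post above, next to a hardened version, as an added example for this thread; it is not Snitz code and was not posted by either participant. It is written in Python with an in-memory SQLite database so it runs offline. The table and column names (MEMBERS, M_NAME, M_PASSWORD, M_PMRECEIVE, M_PMEMAIL) and the form field names (statusstorage, emailstorage) are taken from the quoted ASP; the sample member row, the hashed-password placeholder and the tampered form value are constructed for the demonstration. The hardened path does two things the quoted code does not: it rejects any flag that is not exactly "0" or "1" (the only values the radio buttons can send) and it binds every value as a parameter instead of splicing it into the statement text.

```python
"""PM options update: unsafe string concatenation beside an allow-listed,
parameterized version.

Added example for this thread, not Snitz code. Table, column and form field
names come from the quoted ASP; the SQLite database, the sample member row
(with a placeholder for the hashed password) and the tampered value are
constructed for the demonstration.
"""
import sqlite3

# Constructed sample member: name, hashed password (placeholder), both flags on.
SAMPLE_MEMBER = ("alice", "HASHED_PW_PLACEHOLDER", "1", "1")

# The options form only offers radio buttons with these two values, so the
# server can reject anything else before it reaches the database.
ALLOWED_FLAGS = ("0", "1")


def build_update_unsafe(statusstorage, emailstorage, user, pword):
    """Mirror of the quoted ASP: form values spliced straight into the SQL.

    Returned only as text so the effect of a stray quote can be inspected;
    this statement is never executed here.
    """
    return (
        "UPDATE MEMBERS SET M_PMRECEIVE = '" + statusstorage + "', "
        "M_PMEMAIL = '" + emailstorage + "' "
        "WHERE MEMBERS.M_NAME = '" + user + "' "
        "AND MEMBERS.M_PASSWORD = '" + pword + "'"
    )


def validate_flag(value):
    """Return the flag if it is exactly "0" or "1"; otherwise raise ValueError."""
    if value not in ALLOWED_FLAGS:
        raise ValueError("flag must be '0' or '1', got %r" % (value,))
    return value


def make_db():
    """Create the constructed MEMBERS table and seed the sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MEMBERS (M_NAME TEXT, M_PASSWORD TEXT,"
        " M_PMRECEIVE TEXT, M_PMEMAIL TEXT)"
    )
    conn.execute("INSERT INTO MEMBERS VALUES (?, ?, ?, ?)", SAMPLE_MEMBER)
    conn.commit()
    return conn


def update_pm_options(conn, user, pword, statusstorage, emailstorage):
    """Hardened equivalent: allow-list both flags, bind every value.

    Returns the number of rows updated (0 when name/password do not match).
    """
    status = validate_flag(statusstorage)
    email = validate_flag(emailstorage)
    cur = conn.execute(
        "UPDATE MEMBERS SET M_PMRECEIVE = ?, M_PMEMAIL = ? "
        "WHERE M_NAME = ? AND M_PASSWORD = ?",
        (status, email, user, pword),
    )
    conn.commit()
    return cur.rowcount


def pm_flags(conn, user):
    """Read back (M_PMRECEIVE, M_PMEMAIL) for a member, or None if absent."""
    row = conn.execute(
        "SELECT M_PMRECEIVE, M_PMEMAIL FROM MEMBERS WHERE M_NAME = ?", (user,)
    ).fetchone()
    return tuple(row) if row else None


def demo():
    """Run a normal request and a tampered one through both paths."""
    conn = make_db()
    name, pword = SAMPLE_MEMBER[0], SAMPLE_MEMBER[1]
    # A well-formed request, as the radio buttons would send it.
    updated = update_pm_options(conn, name, pword, "0", "1")
    # Constructed tampered value: a radio button cannot produce it, so only a
    # hand-edited request would. In the unsafe text it leaves an odd number of
    # quotes, i.e. a statement whose structure the form value has altered.
    tampered = "0' x"
    unsafe_sql = build_update_unsafe(tampered, "1", name, pword)
    try:
        update_pm_options(conn, name, pword, tampered, "1")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "updated_rows": updated,
        "flags_after": pm_flags(conn, name),
        "unsafe_sql_quote_count": unsafe_sql.count("'"),
        "tampered_rejected": rejected,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

In the quoted ASP the corresponding change is to treat the two Request.Form values the way the M_PASSWORD comparison already treats the cookie value, through ChkString(..., "SQLString"), and, since the form can only ever send "0" or "1", to reject any other value outright before building the statement.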

ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 16:18:56
Can you tell me line numbers?

modifichicci (Average Member, Italy, 787 Posts)
Posted - 02 January 2008 : 16:21:37
Lines 52 and 53 in the files in your post are the lines updating the DB.

And lines 158 and 164 for the statusstorage input,
and lines 176 and 181 for the emailstorage input.


ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 17:18:15
I was working with two files, when fixing the bugs. Likely I corrected the wrong one. Only the DB access needs protection.

I've updated the files. Any other issues you have with them?

modifichicci (Average Member, Italy, 787 Posts)
Posted - 02 January 2008 : 17:22:13
No, only the include of the file inc_func_common, which I think is not necessary because that file is included in inc_header...
Thanks a lot


ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 17:38:06
I didn't look at any other mod code; I was worried just about security.

modifichicci (Average Member, Italy, 787 Posts)
Posted - 02 January 2008 : 17:43:16
I understand, thanks. Can we download the new files now?


ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 17:46:26
Sure, the zip file has been updated. I will post an announcement about it too.

modifichicci (Average Member, Italy, 787 Posts)
Posted - 02 January 2008 : 17:52:46
Sorry, I have downloaded the files and they seem the same as the previous version... verified with WinMerge, and the lines writing to the DB are the same, with Request.Form...


ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 17:57:26
I confirmed that it was fixed before uploading. Maybe you have it cached somewhere. I'm changing the filename and editing the post, just in case.

ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 17:59:21
Changed the filename to avoid caching and confirmed the changes are indeed in the new set of files.

modifichicci (Average Member, Italy, 787 Posts)
Posted - 02 January 2008 : 18:01:58
OK, now I have downloaded the new file, thanks again!!


ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 02 January 2008 : 18:07:08
Thank you, too.

Snitz Forums 2000 © 2000-2021 Snitz™ Communications