Author Topic: [Session Tutorial] - $user_profile_link string & more.


Offline TheOracle

  • Hero Member
  • Posts: 875
[Session Tutorial] - $user_profile_link string & more.
« on: December 25, 2005, 11:31:03 PM »
Ok. I have decided to create a new topic. This way, users will find this more easily rather than searching for all the topics I have corrected earlier today.

Update: This is NOT a security fix but a Session Tutorial.
Update: [29-12-2005] - Redirection from HTML template files.

This topic was much longer than right now but it turns out it will be much shorter than expected. ;)

It is my understanding that a good number of coders use really great code but aren't quite familiar with the 4images classes.

To all coders, when you create a MOD (which involves the $user_profile_link string), make sure, when you write out your <a href= tag, to always call the $site_sess->url class.

For instance,

you have this code:

(Yes V@no - with quotes now):

Quote

$user_profile_link = (!empty($url_show_profile)) ? str_replace("{user_id}", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];
$user_name_link = "<a href=\"".$site_sess->url($user_profile_link)."\">".$user_name."</a>";


and not like this:

Quote

$user_profile_link = !empty($url_show_profile) ? preg_replace("/{user_id}/", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];
$user_name_link = "<a href=\"".$user_profile_link."\">".$user_name."</a>";


Otherwise, the user's session will expire as he will need to log in again. As for the preg_replace, according to V@no, it is useless in this case. As for the (), simply a safer equality. ;)

Another example. Assuming you do not want to add the $user_name_link as an individual string but you'd like to use it as part of a registering array, do it like this:

Quote

$site_template->register_vars(array(
"user_name_link" => "<a href=\"".$site_sess->url($user_profile_link)."\">".$user_name."</a>",
"link_name" => $lang['your_link_name']
));


and NOT like this:

Quote

$site_template->register_vars(array(
"user_name_link" => "<a href=\"".$user_profile_link."\">".$user_name."</a>"
));


[Update - 29-12-2005]

When you're using a redirect link from your HTML templates, make sure you use the array name you used above. For instance, in this case, the name is: user_name_link. In your HTML template files, it would become: {user_name_link}.

So:

Code:

<a href="{user_name_link}">{link_name}</a>


Meaning, do NOT use it like this:

Quote

<a href="yourfile.php?yourquery">link name</a>


Then, add it into your lang/<your_lang>/main.php file

like this:

Code:

$lang['your_link_name'] = "Your link name";


from your HTML template files.

Otherwise, it will result in a session timeout and the user will also have to log in again (indefinitely - for both cases - if not corrected). ;)

Merry Christmas to you all.

Regards.

TheOracle.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
Re: [Security Fix] - $user_profile_link string & more.
« Reply #1 on: December 26, 2005, 07:13:37 AM »
1) what "security risk" is there?
2) what "weakness" is there?
3) this is only a very minor performance related issue and on a big scale it will gain no more than 0.001 second of the php execution (compilation) time, nothing else...you just scare people with a false security accusation and mislead them with this topic...


P.S. using [quote][/quote] tags in combination with [code][/code] tags makes it very difficult to see what changes have to be made; it's hard to compare the two strings.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline TheOracle

  • Hero Member
  • Posts: 875
Re: [Security Fix] - $user_profile_link string & more.
« Reply #2 on: December 26, 2005, 05:22:55 PM »
Quote

this is only a very minor performance related issue and on a big scale it will gain no more than 0.001 second of the php execution (compilation) time, nothing else...you just scare people with a false security accusation and mislead them with this topic...


There's more than that actually. A redirect path was being used without $site_sess->url, which is considered a risk. ;)

Quote

P.S. using [quote][/quote] tags in combination with [code][/code] tags makes it very difficult to see what changes have to be made; it's hard to compare the two strings.


Something told me I was going to read that someday. I use Quote for actual text. I use Code for new text. As for the "very difficult", I don't see how difficult it could be if it's only about replacing lines.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
Re: [Security Fix] - $user_profile_link string & more.
« Reply #3 on: December 26, 2005, 07:12:32 PM »
There's more than that actually. A redirect path was being used without $site_sess->url, which is considered a risk. ;)

Again, why is it a risk? When the url() function is not used, it would only not add the sessionid to the url IF needed, and that means if a visitor has cookies blocked, they would lose their session settings (aka logout). It has nothing to do with security!
But anyway, adding the url() function to the lines you mentioned is not necessary and wrong, because the url() function would be used later on that variable:
Quote
    $user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];
    $user_name_link = "<a href=\"".$site_sess->url($user_profile_link)."\">".$user_name."</a>";
(example from functions.php)



Something told me I was going to read that someday. I use Quote for actual text. I use Code for new text. As for the "very difficult", I don't see how difficult it could be if it's only about replacing lines.

Ok, let's test it.

Where is it easier to find the difference:
1) between this:
Quote
    $user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];
and this:
Code:
    $user_profile_link = ((!empty($url_show_profile)) ? preg_replace("/{user_id}/", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];)
2) or between this:
Code:
    $user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];
and this:
Code:
    $user_profile_link = ((!empty($url_show_profile)) ? preg_replace("/{user_id}/", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];)
And to answer your question "why would you need to see the difference when it's simply the replace line?", my answer is: sometimes people have an already modified line, and replacing it with the default "fixed" line could make it problematic for them; instead they could apply only the changes mentioned.
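To make concrete what the first post prescribes and what V@no describes in reply #3 (url() adds the session id to a link only when the visitor cannot carry it in a cookie, so a link built without url() silently drops the session for those visitors), here is a constructed PHP illustration. It is added example code, not 4images' own sessions.php or template code and not code from either poster. The class names DemoSession and DemoTemplate, the 'cookie'/'get' mode names, the 'sessionid' parameter name and the values given to ROOT_PATH and URL_USER_ID are all assumptions made for this example.

```php
<?php
// Added example, not 4images' own code: a minimal stand-in for the session
// object ($site_sess) and template object ($site_template) the thread talks
// about.  Class names, the 'cookie'/'get' mode names and the 'sessionid'
// parameter name are assumptions made for this illustration.

define('ROOT_PATH', './');        // stand-in values for the 4images constants
define('URL_USER_ID', 'user_id'); // used in the thread's code lines

class DemoSession
{
    private $mode;        // 'cookie': id travels in a cookie; 'get': must be in every URL
    private $session_id;
    private $id_name = 'sessionid';

    public function __construct($mode, $session_id)
    {
        $this->mode = $mode;
        $this->session_id = $session_id;
    }

    // Append the session id to $url only when a cookie cannot carry it.
    // Keeps a trailing #fragment in place and never adds the id twice.
    public function url($url)
    {
        if ($this->mode !== 'get') {
            return $url;
        }
        $fragment = '';
        if (($hash = strpos($url, '#')) !== false) {
            $fragment = substr($url, $hash);
            $url = substr($url, 0, $hash);
        }
        if (preg_match('/(\?|&(amp;)?)' . preg_quote($this->id_name, '/') . '=/', $url)) {
            return $url . $fragment;
        }
        // The thread's hrefs are HTML-escaped, so use &amp; as the separator.
        $sep = (strpos($url, '?') === false) ? '?' : '&amp;';
        return $url . $sep . $this->id_name . '=' . $this->session_id . $fragment;
    }
}

class DemoTemplate
{
    private $vars = array();

    public function register_vars($vars)
    {
        $this->vars = array_merge($this->vars, $vars);
    }

    // Replace every {name} placeholder with its registered value.
    public function parse($html)
    {
        $map = array();
        foreach ($this->vars as $name => $value) {
            $map['{' . $name . '}'] = $value;
        }
        return strtr($html, $map);
    }
}

// Build the user link both ways the thread shows.
function build_links($site_sess, $user_id, $user_name, $url_show_profile = '')
{
    $user_profile_link = (!empty($url_show_profile))
        ? str_replace('{user_id}', $user_id, $url_show_profile)
        : ROOT_PATH . 'member.php?action=showprofile&amp;' . URL_USER_ID . '=' . $user_id;

    return array(
        // "like this": the session id is added when the visitor has cookies blocked
        'with_url'    => '<a href="' . $site_sess->url($user_profile_link) . '">' . $user_name . '</a>',
        // "not like this": the cookieless visitor lands on the page without a session
        'without_url' => '<a href="' . $user_profile_link . '">' . $user_name . '</a>',
    );
}

// Constructed sample visitors: same session id, different transport.
$visitors = array(
    'cookies accepted' => new DemoSession('cookie', 'abc123'),
    'cookies blocked'  => new DemoSession('get', 'abc123'),
);

foreach ($visitors as $label => $site_sess) {
    $links = build_links($site_sess, 42, 'alice');
    echo $label, "\n";
    echo '  with url():    ', $links['with_url'], "\n";
    echo '  without url(): ', $links['without_url'], "\n";

    // Template side: register the finished link and use {user_name_link} in the HTML.
    $site_template = new DemoTemplate();
    $site_template->register_vars(array(
        'user_name_link' => $links['with_url'],
        'link_name'      => 'Profile',
    ));
    echo '  template:      ', $site_template->parse('{user_name_link} ({link_name})'), "\n\n";
}
```

For the visitor with cookies accepted both links come out identical, which is why the omission goes unnoticed during most testing. For the visitor with cookies blocked only the url() variant carries `&amp;sessionid=abc123`; the other link points at a page that will start a fresh, anonymous session, which is the "logged out again" symptom the thread describes. The template half shows that the href written into the HTML file must come from the registered variable, not from a hand-typed `yourfile.php?yourquery`, since a literal URL in the template bypasses url() in exactly the same way.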

Offline TheOracle

  • Hero Member
  • Posts: 875
Re: [Security Fix] - $user_profile_link string & more.
« Reply #4 on: December 26, 2005, 08:31:43 PM »
Quote

$user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/", $image_row['user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$image_row['user_id'];
$user_name_link = "<a href=\"".$site_sess->url($user_profile_link)."\">".$user_name."</a>";


I see your point. Although, coders who publish MODs don't always realize that the $site_sess->url needs to be added - even though it is included after the $user_profile_link (which, in this case, is the $user_name_link). A good example would be to look at the Dreamboard MOD. Meaning, if users follow this topic, as an example, it would allow them to understand the purpose of adding that class name.

For instance, assuming you're actually creating the $user_profile_link string and you do not add the $user_name_link below, what would actually happen? I guess you can understand that both of us get the point of coding. Although, some distributors might also have excellent skills but simply aren't familiar with that class name.

From there, wouldn't that be considered a risk?

Quote

And to answer your question "why would you need to see the difference when it's simply the replace line?", my answer is: sometimes people have an already modified line, and replacing it with the default "fixed" line could make it problematic for them; instead they could apply only the changes mentioned.


Well, the way you mentioned it - it would be like I was the author of the actual forum and it ain't the case. Meaning, if you're saying there are different results comparing the Quote and Code commands, then it is up to the ADMIN level of this forum to integrate the proper colors into the Code command as well (since it is already a part of the Quote one).

Meaning, this function will, typically, affect all users and they'll be pointed to use other functions (which isn't their responsibility). To conclude, if you're having problems with some functions - from the forum's core (and if it cannot be customized from your Forum Control Panel) - then I guess we shouldn't be advertised something we can't use, should we? ;)

Now, what I'm saying is that you aren't the author either but you should consider the fact there are numerous sorts of Forum scripts on the net and you should try some until one could satisfy the DEV's needs. Of course, that would also involve importing the current database and all current topics that have already been posted in the past - until now (which is not an easy task).

So, as a result, this matter is 50/50 since users can't customize the codes from their end and you can't easily consider switching scripts simply by clapping.

Meaning, users shall use all available codes they'd like - since they're showing up from their account in their post window. That's all there is really . . . Otherwise, how many users will you need to tell to switch from Code to Quote on this forum (even by making an announcement)?

Long story short: simply deactivate the Code function if it's causing you trouble and we'll only use Quotes. ;)

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
Re: [Security Fix] - $user_profile_link string & more.
« Reply #5 on: December 26, 2005, 09:12:40 PM »
Although, coders who publish MODs don't always realize that the $site_sess->url needs to be added - even though it is included after the $user_profile_link (which, in this case, is the $user_name_link). A good example would be to look at the Dreamboard MOD. Meaning, if users follow this topic, as an example, it would allow them to understand the purpose of adding that class name.
Well, if so, this has nothing to do with the 4images core, but only applies to "some" mods. And you already replied to every topic out there that uses such lines.

For instance, assuming you're actually creating the $user_profile_link string and you do not add the $user_name_link below, what would actually happen? I guess you can understand that both of us get the point of coding. Although, some distributors might also have excellent skills but simply aren't familiar with that class name.

From there, wouldn't that be considered a risk?
Risk to lose session settings and get logged out - yes, but it has nothing to do with security in 4images itself!


Well, the way you mentioned it - it would be like I was the author of the actual forum and it ain't the case. Meaning, if you're saying there are different results comparing the Quote and Code commands, then it is up to the ADMIN level of this forum to integrate the proper colors into the Code command as well (since it is already a part of the Quote one).

Meaning, this function will, typically, affect all users and they'll be pointed to use other functions (which isn't their responsibility). To conclude, if you're having problems with some functions - from the forum's core (and if it cannot be customized from your Forum Control Panel) - then I guess we shouldn't be advertised something we can't use, should we? ;)

Now, what I'm saying is that you aren't the author either but you should consider the fact there are numerous sorts of Forum scripts on the net and you should try some until one could satisfy the DEV's needs. Of course, that would also involve importing the current database and all current topics that have already been posted in the past - until now (which is not an easy task).

So, as a result, this matter is 50/50 since users can't customize the codes from their end and you can't easily consider switching scripts simply by clapping.

Meaning, users shall use all available codes they'd like - since they're showing up from their account in their post window. That's all there is really . . . Otherwise, how many users will you need to tell to switch from Code to Quote on this forum (even by making an announcement)?

Long story short: simply deactivate the Code function if it's causing you trouble and we'll only use Quotes. ;)
I think only you can understand what you just said...if one uses a feature for something it was not meant to be used for (aka misusing it), does that mean that the forum software has to be adjusted for that??? HUH? 8O

The [quote] tags are not made to be used for code, because they are meant to be used for quoting someone. They do not have to reproduce all the white space from the text, therefore if code is published between quote tags it would lose its original format; besides that, a normal font is used and each letter has its own width on the screen. [code] tags, on the other hand, are meant to reproduce the original format of the text and have a fixed width for each letter, which makes it easier to read and ensures that no bbcode or smilies would be parsed inside the text:
http://www.4homepages.de/forum/Themes/default/help/posting.english.html#bbcref

Offline TheOracle

  • Hero Member
  • Posts: 875
Re: [Security Fix] - $user_profile_link string & more.
« Reply #6 on: December 26, 2005, 09:24:01 PM »
Quote

And you already replied to every topic out there that uses such lines.


Yes, correct. I should have been more clear on that since I didn't see the $user_name_link from sessions.php which used the $site_sess->url below.

Quote

Risk to lose session settings and get logged out - yes, but it has nothing to do with security in 4images itself!


Ah ! very well, I will correct my topic's subject then. ;)

Quote

does that mean that the forum software has to be adjusted for that??? HUH?


Yes, that's right. It should be adjusted since people, who will use Quotes and Codes, will get confused on why it doesn't show any colors with Codes but quotes only.

For instance, if I remember correctly, with IPB, there are ways to customize these two features from the FCP (Forum Control Panel). ;)

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
Re: [Security Fix] - $user_profile_link string & more.
« Reply #7 on: December 26, 2005, 09:30:58 PM »
Yes, that's right. It should be adjusted since people, who will use Quotes and Codes, will get confused on why it doesn't show any colors with Codes but quotes only.
hmmm...why would it confuse someone? These features are not related to each other; they're meant to be used for different purposes. They should be different from each other, otherwise why would you need to have two different tags that would produce exactly the same result?
As for the color, I don't like the quote color myself, but Jan decided it works fine, so be it ;)

Offline TheOracle

  • Hero Member
  • Posts: 875
Re: [Session Tutorial] - $user_profile_link string & more.
« Reply #8 on: December 26, 2005, 09:36:19 PM »
Quote

As for the color, I don't like the quote color myself, but Jan decided it works fine, so be it


Ah ! that's the one. In that case, that explains everything. ;)

P.S : I have just corrected my first post.

Offline TheOracle

  • Hero Member
  • Posts: 875
Re: [Session Tutorial] - $user_profile_link string & more.
« Reply #9 on: December 29, 2005, 01:38:59 PM »
Update: My tutorial has just been updated.