tips for phpbb3 modders

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
asinshesq
Registered User
Posts: 156
Joined: Fri May 14, 2004 10:32 pm
Location: NYC

Re: tips for phpbb3 modders

Post by asinshesq »

Handyman wrote:
asinshesq wrote:By the way, was I right in thinking that
utf8_normalize_nfc(request_var('message', '', true));
cleans a string so that it is ready for insertion into the db? Looking at request_var in functions.php I see it uses htmlspecialchars with ent compat which leaves single quotes alone and no corresponding str_replace to replace single quotes with something else...so what deals with that injection risk? Is there something in utf8_normalize_nfc that deals with that?

as far as I know, that doesn't deal with the injection risks… if you just use that, you would want to use something like

Code: Select all

<?php $db->sql_escape(utf8_normalize_nfc(request_var('message', '', true)));
Though it's better to put it in a sql_build_array insert like this

Code: Select all

<?php 
$sql_ary = array(
    'message'    => utf8_normalize_nfc(request_var('message', '', true)),
);
$sql = 'INSERT INTO ' . YOUR_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
$db->sql_query($sql);
using the sql_build_array cleans it up so you don't have to use the sql_escape… and you don't have the unsightly \' stuff going on.

Thanks. I just corrected the first post in this topic to reflect that information.
Alan
User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: tips for phpbb3 modders

Post by EXreaction »

Looking good. :)

I was wondering what the local permission was for, I see now. :P
jimmygoon
Registered User
Posts: 75
Joined: Thu Jun 23, 2005 3:59 am

Re: tips for phpbb3 modders

Post by jimmygoon »

Random thought: Why is PHPBB3 not modular like Drupal?

99% of Drupal modules (I made the stat up but it is close probably) are non intrusive to core files because of the hooks that are in place with drupal core. I wish phpbb3 had that functionality... or really ANY forum software :x

The tips listed are great though, and encourage a very nonintrusive, modular design and I have to say, I love it :D
User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: tips for phpbb3 modders

Post by EXreaction »

Probably because phpBB3 was started something like 5 years ago... ;)

Wait for phpBB4. :P
User avatar
Handyman
Registered User
Posts: 522
Joined: Thu Feb 03, 2005 5:09 am
Location: Where no man has gone before!
Contact:

Re: tips for phpbb3 modders

Post by Handyman »

I've heard the hooks system mentioned before… but what does it do? does it make it possible to install a mod without modding files?
My phpBB3 Mods || My Mod Queue
Search Engine Friendly (SEO) URLs || Profile link on Avatar and/or Username || AJAX Chat
Display Posts Anywhere || CashMod || AJAX Quick Edit || AJAX Quick Reply

Image
asinshesq
Registered User
Posts: 156
Joined: Fri May 14, 2004 10:32 pm
Location: NYC

Re: tips for phpbb3 modders

Post by asinshesq »

I just added some additional commentary at the end of (9) about $db->sql_in_set(). If you're following this thread and you don't want to go back and try to figure out what I changed, here's the addition:
asinshesq wrote: A word about $db->sql_in_set(): the coding guidelnes say: "The $db->sql_in_set() function should be used for building IN () and NOT IN () constructs" and gives as an example:

Code: Select all

$sql = 'SELECT *
	FROM ' . FORUMS_TABLE . '
	WHERE ' . $db->sql_in_set('forum_id', $forum_ids);
$db->sql_query($sql);
Two thngs to keep in mind:

- Even though mysql actually needs a comma separated list for its IN feature, the second parameter of sql_in_set ($forum_ids in the above example) needs to be an array (the function then changes the array to a comma separated list usable by mysql program). That is actually pretty useful, but if you are converting old code that uses IN you will need to keep in mind that you should now use an array that you feed into that function.

- The way to build NOT IN is to add a third parameter 'true'. If you look at the comments for the function in dbal.php you will see that they have it backwards (the way the function is written you should use 'true' if you want NOT IN but the function comment says the opposite).
Alan
User avatar
jojobarjo32
Registered User
Posts: 164
Joined: Wed Jun 22, 2005 7:38 pm
Location: France

Re: tips for phpbb3 modders

Post by jojobarjo32 »

Remember that MySQL is not the only supported DBMS.
A little note too : a fourth parameter (boolean) exists and permit to pass (if true) or not (default) an empty array.
User avatar
Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: tips for phpbb3 modders

Post by Kellanved »

- The way to build NOT IN is to add a third parameter 'true'. If you look at the comments for the function in dbal.php you will see that they have it backwards (the way the function is written you should use 'true' if you want NOT IN but the function comment says the opposite).


Report that as a bug, please. :D
No support via PM.
Trust me, I'm a doctor.
asinshesq
Registered User
Posts: 156
Joined: Fri May 14, 2004 10:32 pm
Location: NYC

Re: tips for phpbb3 modders

Post by asinshesq »

jojobarjo32 wrote: Remember that MySQL is not the only supported DBMS.

Right, I was just referring to mysql as an example. The point is that in DBAL you need to feed a comma separated list into an IN test but sql_in_list() does that work for you so that you can just stick with an array (and in fact if you try to use a comma separated list with sql_in_list() it doesn't work).
kellanved wrote: Report that as a bug, please.

I wasn't sure whether you were kidding. Is a screwed up comment technically a 'bug' that I should report?
Alan
User avatar
Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: tips for phpbb3 modders

Post by Kellanved »

The sourcecode documentation is generated from those comments.
It is a very real documentation bug and should be reported.
No support via PM.
Trust me, I'm a doctor.
Post Reply