tips for phpbb3 modders

[EXreaction]

It probably is just easier to do this in the php files to call the image:

Code: Select all

<img src="' . $phpbb_root_path . 'styles/' . $user->theme['template_path'] . '/imageset/' . $user->data['user_lang'] . '/button_blog_new.gif">

replace button_blog_new.gif with the name of your image.

[quick5pnt0]

I would like to know as well. I would guess it is something like the permissions where you can simply upload a file and it will automatically be included and display what it needs.

I believe there is no need for code modification with a plugin/hooks system.

Yea with a plugin that uses hooks you don't need to modify any of the phpbb files. Instead all you would do is upload the mod in a plugins folder, and enable it in the ACP. Or at least that's the way it works with Coppermine.

[Handyman]

I would like to know as well. I would guess it is something like the permissions where you can simply upload a file and it will automatically be included and display what it needs.

I believe there is no need for code modification with a plugin/hooks system.

Yea with a plugin that uses hooks you don't need to modify any of the phpbb files. Instead all you would do is upload the mod in a plugins folder, and enable it in the ACP. Or at least that's the way it works with Coppermine.

does it override the current core system if there is a conflict or how does that work?
I may need to download Drupal and find out

[jimmygoon]

No such thing as conflict. For example if you had a silly mod that added a new BBCODE button *yes I know this is already a feature* --- PHPBB3 Core would ask the modules if there were render-bbcode-hooks, your mod would... It would say MYMOD_hook_bbcode_render() { }. Inside the brackets it has access to the same things as phpbb3 core- meaning that it could unset buttons if necessary - so it could remove the URL button and then it could add a new button to the array containing the BBCODE's.... No need for "overridal" persay... Its all part of the API.

It would make phpbb3 more like a framework for really building the exact style of forum you need rather than piecing one together with mods... (I mean, they are still modules, but it feels right, ya know?)

Like I said, if time were no object...

[Acyd Burn]

Please refrain from bringing up drupal (again) or this will get locked.

[asinshesq]

It probably is just easier to do this in the php files to call the image:

Code: Select all

<img src="' . $phpbb_root_path . 'styles/' . $user->theme['template_path'] . '/imageset/' . $user->data['user_lang'] . '/button_blog_new.gif">

replace button_blog_new.gif with the name of your image.

That's way easier. I'l give that a try but it looks to me like it should work fine.

[poyntesm]

I just perfer to seperate php & html...but I will have a think about this one, as maybe in the long run the users will make more errors and it will be hassle for the MOD author.

[asinshesq]

Here's a potentially confusing thing: escaping single quotes to avoid sql injection risks.

The coding guidelines say:

Always use $db->sql_escape() if you need to check for a string within an SQL statement (even if you are sure the variable can not contain single quotes - never trust your input), for example:

That function replaces the old str_replace("\'", "''") we used for phpbb2 mods. Fine. But the guidelines go on to say

If you need to UPDATE or INSERT data, make use of the $db->sql_build_array() function. This function already escapes strings and checks other types, so there is no need to do this here.

If you use both $db->sql_escape() and $db->sql_build_array() (as you would do if you take in input from several different parts of a form, clean each of them as they come in to be safe and then use sql_build_array to build a sql array, the two methods of escape double up on each other and you end up with data that has too many back slashes in the database (so when you try to pull it out and display it you get words like here\'s rather than here's). The solution is to avoid doubling up, but I suspect this will lead to confusion since some but not all sqls will go through sql_build_array and as a result people will be more likely to miss escaping in some cases than they would if you only had one way to escape. Any thoughts?

[Handyman]

[quote="Handyman]Though it's better to put it in a sql_build_array insert like this

Code: Select all

<?php 
$sql_ary = array(
    'message'    => utf8_normalize_nfc(request_var('message', '', true)),
);
$sql = 'INSERT INTO ' . YOUR_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
$db->sql_query($sql);

using the sql_build_array cleans it up so you don't have to use the sql_escape… and you don't have the unsightly \' stuff going on.[/quote]

Just use the sql_build_array like that and you won't have a problem.
It also makes the code cleaner and easier to deal with.

You can also use it for update

Code: Select all

<?php 
$sql_ary = array(
    'message'    => utf8_normalize_nfc(request_var('message', '', true)),
    'field2'         => $number,
);
$sql = 'UPDATE ' . YOUR_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . " WHERE user_id = $user_id";
$db->sql_query($sql);

@Meik sorry, I should have known better.

[jojobarjo32]

IMO, the sql_escape method should be call only IN sql queries. There is no special reason to do :

Code: Select all

$foo = $db->sql_escape($bar);

$sql = "SELECT some_stuff
		FROM table_name
		WHERE foo = '" . $foo . "'";
$db->sql_query($sql);

Rather do :

Code: Select all

$sql = "SELECT some_stuff
		FROM table_name
		WHERE foo = '" . $db->sql_escape($foo) . "'";
$db->sql_query($sql);

$db->sql_query('INSERT INTO table_name ' . $db->sql_build_array('INSERT', array('foo' => $foo)));

And you will never have problems with double escaped chars