vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=327480

Extension/product for creating custom BBcode executing my PHP code?
by vbSuperfan
22 Aug 2019 20:52

I'm quite surprised that I cannot find anything on this topic on Google, since it seems like an extremely likely thing for people to want to do, that is: Creating a special BBcode that can execute some certain PHP code of mine and then produce some string based on it?

In my case, I simply want the BBcode to return the user ID of the vBulletin user currently viewing the post where this BB code is located, like this:

Your User ID is: 1234

Does anyone have any tips for good skeleton code, tutorials or other useful starting points for creating your own PHP-based BBcodes like this, by means of an extension/product? The official vBulletin support indicates to me that this should at least be possible, here?

I've even heard that this (PHP-based custom BB codes) was standard functionality in vB4, available directly from the AdminCP, but removed in vB5, which makes it even more likely that a lot of people would have liked to create such extensions/products for vB5, so what am I missing?

In Omnibus 22 Aug 2019 21:10

The UserID appears when you hover over the user avatar. It's in the User Profile URL. Why would you need to create a PHP function to call the UserID when it's already easily available? I mean, it can be done but if it's not necessary it's a lot of work for nothing.

delicjous 23 Aug 2019 14:31

You could not execute PHP in a bbcode as far as I know. But you could execute JavaScript and you should use JavaScript for any task like this. By the way... Not anything that sounds not logical for anybody isn't logical for someone!

Dave 23 Aug 2019 15:20

Quote:

Originally Posted by delicjous (Post 2600343)
You could not execute PHP in a bbcode as far as I know. But you could execute JavaScript and you should use JavaScript for any task like this. By the way... Not anything that sounds not logical for anybody isn't logical for someone!

Problem is that he seems to need mobile support too on which you cannot execute custom JavaScript.

Anyway pretty sure they removed any kind of "eval" call in vBulletin because it opens the site up for many security risks.

In Omnibus 23 Aug 2019 16:44

Quote:

Originally Posted by delicjous (Post 2600343)
You could not execute PHP in a bbcode as far as I know. But you could execute JavaScript and you should use JavaScript for any task like this. By the way... Not anything that sounds not logical for anybody isn't logical for someone!

I didn't mean to imply the customer doesn't need it, only that it's not going to be easy to code if it genuinely is necessary to whatever ends are trying to be served. When you start getting into trying to reverse engineer code to make it work you're asking for problems. Security would be the primary one. If you can backdoor into the core code then so can someone else.

vbSuperfan 27 Aug 2019 00:26

Quote:

Originally Posted by In Omnibus (Post 2600332)
The UserID appears when you hover over the user avatar. It's in the User Profile URL. Why would you need to create a PHP function to call the UserID when it's already easily available? I mean, it can be done but if it's not necessary it's a lot of work for nothing.

Please see my justification for this functionality here.

Believe me, it's necessary.


Quote:

Originally Posted by In Omnibus (Post 2600345)
When you start getting into trying to reverse engineer code to make it work you're asking for problems.

The entire extension architecture of vBulletin 5 is more or less based on having to "reverse engineer code" in order to do anything (i.e. knowing which class methods to override/extend), so this statement doesn't make sense at all I'd say?

Quote:

Originally Posted by In Omnibus (Post 2600345)
Security would be the primary one. If you can backdoor into the core code then so can someone else.

This doesn't make any sense either. If I create a custom BB code that executes some static PHP code to generate its output (e.g. in order to display the user ID of the viewing user), this:

a) Doesn't open up any security vulnerabilities whatsoever.

b) Doesn't constitute any "backdooring" any more than any other PHP code added to vBulletin by any other extension, or for that matter, the core developers of vBulletin itself.

PS.
My main occupation is being a senior IT security expert, performing code security audits and providing advice for large organizations like banks and government entities...
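
The design the thread is arguing about, a BBcode tag bound to fixed PHP code rather than to an "eval" of anything stored in a post, as an added example that is not from the thread and is not vBulletin code. The class name, the `viewerid` tag and the `viewer_id` context key are hypothetical, and the sample post is constructed.

```php
<?php
declare(strict_types=1);

/** Generic BBcode renderer: each tag maps to a fixed PHP callable. */
final class StaticBbcodeRenderer
{
    /** @var array<string, callable> lower-case tag name => fixed handler */
    private array $handlers = [];

    public function register(string $tag, callable $handler): void
    {
        // Restrict tag names so they can be embedded in the regex safely.
        if (!preg_match('/^[a-z][a-z0-9]{0,31}$/', $tag)) {
            throw new InvalidArgumentException("invalid tag name: $tag");
        }
        $this->handlers[$tag] = $handler;
    }

    /** $context carries request state (the viewer), never post content. */
    public function render(string $postText, array $context): string
    {
        // Escape the whole post first; author text is inert data from here on.
        $html = htmlspecialchars($postText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        if ($this->handlers === []) {
            return $html;
        }
        $tags = implode('|', array_keys($this->handlers));
        // Only registered, argument-less tags of the form [name] are matched,
        // so nothing the post author typed is passed to a handler or to eval.
        $out = preg_replace_callback(
            '/\[(' . $tags . ')\]/i',
            function (array $m) use ($context): string {
                $value = ($this->handlers[strtolower($m[1])])($context);
                return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            },
            $html
        );
        return $out ?? $html; // preg error: fall back to the escaped text
    }
}

$renderer = new StaticBbcodeRenderer();
// The handler is fixed when the extension is installed; a post cannot change it.
$renderer->register('viewerid', fn(array $ctx): string => (string) (int) ($ctx['viewer_id'] ?? 0));

// Constructed sample post and viewer.
$post = 'Your User ID is: [viewerid] <b>[unknown]</b>';
echo $renderer->render($post, ['viewer_id' => 1234]), "\n";
```

Unregistered tags and raw HTML in the post come out escaped and unprocessed; only the handler's return value, itself escaped, replaces a registered tag.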

