  #1  
Old 07 Oct 2014, 15:25
SkyStryder
 
Join Date: Dec 2007
clean_array_gpc question

I have a URL that looks like this:
beta.test.com/vb/runlib.php?do=cars&model=cobalt&fsec=6,13,19,30&for=federal%20express
I am concerned with checking the fsec variable. If I use TYPE_INT, it truncates
all but the first number. If I use TYPE_STR, that doesn't really help. Could someone
point me in the right direction?

Thank you!
  #2  
Old 07 Oct 2014, 15:27
kh99
 
Join Date: Aug 2009
Real name: Kevin
How do you want to check it? You can use TYPE_STR then do your own checking. I assume you want to check to avoid vulnerabilities? Then it depends on how you intend to use the value.
  #3  
Old 07 Oct 2014, 15:27
mokujin
 
Join Date: Nov 2005
Real name: Đạt
What about TYPE_UNIT ?
  #4  
Old 07 Oct 2014, 15:44
Dave
 
Join Date: Jun 2010
Real name: Dave
Set as string and you could do something like this:


  #5  
Old 07 Oct 2014, 15:55
SkyStryder
 
Join Date: Dec 2007
Thank you, this looks doable.
In answer to the others, this is pretty much what I would need to do if I used
TYPE_NOHTML (TYPE_STR). TYPE_UINT also returns just the first number.

Thank you all!
  #6  
Old 07 Oct 2014, 16:02
Dave
 
Join Date: Jun 2010
Real name: Dave
You indeed want to use TYPE_NOHTML unless you actually make use of HTML in certain strings.
  #7  
Old 07 Oct 2014, 16:40
TheAdminMarket
 
Join Date: Jun 2013
Real name: Christos Teriakis
Try TYPE_ARRAY_INT (for numbers) or TYPE_ARRAY_STR (for strings)

EDIT: Try the article below. It is superior and it helped me a lot to start coding for vB:
http://www.vbulletin.org/forum/showt...ight=Variables

Last edited by TheAdminMarket; 07 Oct 2014 at 16:57. Reason: Typo
  #8  
Old 07 Oct 2014, 17:11
SkyStryder
 
Join Date: Dec 2007
I tried TYPE_ARRAY_INT and it would appear that I got an empty array as a result...
I used fsec=51,71,68,88,93,90 from the URL. I tried print_r and var_dump and they
seem to confirm the results. It definitely wasn't a string anymore. explode croaked... 8-)

--------------- Added 07 Oct 2014 at 17:49 ---------------

One thing that I have noticed is that isset() is not working as expected with $vbulletin->GPC['xx'].
It seems to always resolve to true, which is not what it says in class_core.php.
  #9  
Old 07 Oct 2014, 18:23
TheAdminMarket
 
Join Date: Jun 2013
Real name: Christos Teriakis
Originally Posted by SkyStryder:
I tried TYPE_ARRAY_INT and it would appear that I got an empty array as a result...
I've used this code so many times and it works fine, but I'm currently away from my base so I can't post a real example. Even though TYPE_ARRAY_... is more secure, as it adds one more level of security on what type of data to receive, you can also use TYPE_ARRAY without setting whether it's a number or a text string.

--------------- Added 07 Oct 2014 at 21:44 ---------------

Also, because as I see you're collecting the values from the URL, you must use the syntax:

r = Request
p = Post
g = Get

Last edited by TheAdminMarket; 07 Oct 2014 at 18:44.
  #10  
Old 07 Oct 2014, 19:24
SkyStryder
 
Join Date: Dec 2007
Originally Posted by NickTheGreek:
Also, because as I see you're collecting the values from the URL, you must use the syntax:

That is exactly what I have and I get an empty array. Not to be too obvious,
but fsec looks like a string: "1,2,4". I was getting the impression that
TYPE_ARRAY_INT would do the conversion? It definitely sets the type.
  #11  
Old 07 Oct 2014, 19:47
TheAdminMarket
 
Join Date: Jun 2013
Real name: Christos Teriakis
Originally Posted by SkyStryder:
If I use TYPE_STR, that doesn't really help.
Why are you saying that? The code below works fine:

You can check it:
http://www.christeris.net/vb422/test...sec=6,13,19,30

--------------- Added 07 Oct 2014 at 19:51 ---------------

Originally Posted by SkyStryder:
Not to be too obvious,
but fsec looks like a string: "1,2,4". I was getting the impression that
TYPE_ARRAY_INT would do the conversion? It definitely sets the type.
TYPE_ARRAY_INT should never work, as you're sending the data as a string and not as an array. Furthermore, I don't even know if you can send an array in a URL. But as a form element you can, and I guarantee that TYPE_ARRAY_INT and TYPE_ARRAY_STR work. But as a form element.
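The TYPE_STR-plus-own-checking approach from posts #2 and #11, together with the isset() behaviour SkyStryder noticed in post #8, as an added example that is not code from this thread or from vBulletin itself: parse_int_list() is a hypothetical helper, and the GPC_exists check assumes the vB 3.8/4 behaviour where clean_array_gpc records whether the client actually supplied a key.

```php
<?php
// Added example, not code from the thread or from vBulletin: clean fsec as a
// plain string (TYPE_NOHTML, as posts #6 and #11 suggest) and validate the
// comma-separated integers ourselves. parse_int_list() is a hypothetical helper.

/**
 * Turn "6,13,19,30" into array(6, 13, 19, 30). Returns null if the list is too
 * long or any element is not a plain run of digits, so the caller can reject
 * the whole request rather than silently use a partial list.
 */
function parse_int_list($raw, $max_items = 20)
{
    $parts = explode(',', (string) $raw);
    if (count($parts) > $max_items) {
        return null;
    }
    $out = array();
    foreach ($parts as $part) {
        $part = trim($part);
        // ctype_digit rejects '', '-1', '1e3', 'abc'; the length cap keeps
        // (int) from saturating at PHP_INT_MAX on absurdly long digit runs.
        if (!ctype_digit($part) || strlen($part) > 9) {
            return null;
        }
        $out[] = (int) $part;
    }
    return array_values(array_unique($out));
}

// How it slots into a vB 3/4 script, where $vbulletin is already set up:
//
//   $vbulletin->input->clean_array_gpc('g', array(
//       'fsec' => TYPE_NOHTML,   // TYPE_INT / TYPE_UINT would keep only the leading "6"
//   ));
//   // isset($vbulletin->GPC['fsec']) is always true afterwards, because the
//   // cleaner stores the type's default ('' for strings) when the key is
//   // missing; GPC_exists (assumed vB 3.8/4 behaviour) records whether the
//   // client actually sent it.
//   $fsec = $vbulletin->GPC_exists['fsec'] ? parse_int_list($vbulletin->GPC['fsec']) : null;
//   if ($fsec === null) {
//       standard_error('Invalid fsec');   // or whatever error path the script uses
//   }
//   $sql_in = implode(',', $fsec);   // every element is an int, so safe to embed in IN (...)

// Constructed inputs for running this file stand-alone:
var_dump(parse_int_list('6,13,19,30'));
var_dump(parse_int_list('51,71,68,88,93,90'));
var_dump(parse_int_list('6,13,abc,30'));
var_dump(parse_int_list(''));
```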
  #12  
Old 07 Oct 2014, 19:58
SkyStryder
 
Join Date: Dec 2007
Yes, I do realize that and that method works. I was further interested
in if TYPE_ARRAY_INT would work... However, looking at the class,
TYPE_ARRAY_INT is defined as '102' but never used as far as I can tell.
  #13  
Old 07 Oct 2014, 20:01
TheAdminMarket
 
Join Date: Jun 2013
Real name: Christos Teriakis
Originally Posted by SkyStryder:
Yes, I do realize that and that method works. I was further interested
in if TYPE_ARRAY_INT would work... However, looking at the class,
TYPE_ARRAY_INT is defined as '102' but never used as far as I can tell.
We can continue with more tests tomorrow. It's 23:00pm for me, and my bed is calling me.
  #14  
Old 07 Oct 2014, 20:11
SkyStryder
 
Join Date: Dec 2007
Thank you for the help!