phpBB2Refugees.com
Not affiliated with or endorsed by the phpBB Group


Continue the legacy...

Welcome to all phpBB2 Refugees!

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

[RELEASED] Track PMs for phpBB2


 
vlad77 (Board Member, joined 31 May 2015, 26 posts)
Posted: Sun Jun 17, 2018 7:45 am
Post subject: Track PMs for phpBB2

Title: Track PMs for phpBB2
Author: Manipe, vlad77
Description: A mod like in phpBB3: personal messages display the correspondence history. A further development of the mod by Manipe. Functionality brought to the level of phpBB3.
Version: 2.0.5
Note: If you are upgrading from the mod by Manipe, it is recommended that you delete and recreate the database column 'privmsgs_track_id'.



Attachment: track_pms_2.0.5.zip (5.49 KB, downloaded 19 times)
Vendethiel (Board Member, joined 26 Oct 2014, 69 posts)
Posted: Tue Jun 19, 2018 9:17 am
Post subject: Re: Track PMs for phpBB2

That seems really good.

I want to install this mod, but I have a security concern: since you accept the $_POST var "id_for_pm_track", a user could fake that ID to track someone else's message, and thus see someone else's private message.
It's probably not an actual security issue in practice, since the function pm_track only selects PMs from a certain user, but still, I would be wary of inserting tampered data.

Great job!

_________________
Developer on EzArena, the ADR premod.
Developer on Icy Phoenix, the phpBB hybrid cms.
Developer on IntegraMOD.
vlad77 (Board Member, joined 31 May 2015, 26 posts)
Posted: Tue Jun 19, 2018 7:23 pm
Post subject: Re: Track PMs for phpBB2

Hello Vendethiel,
This SQL request prevents access to other people's private messages:
Code:
      $sql = "SELECT pm.privmsgs_id, pm.privmsgs_type, pm.privmsgs_subject, pm.privmsgs_date, pm.privmsgs_enable_html, pm.privmsgs_enable_smilies, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text, u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_avatar, u.user_avatar_type, u.user_allowavatar
         FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE . " pmt, " . USERS_TABLE . " u, " . USERS_TABLE . " u2
         WHERE pmt.privmsgs_text_id = pm.privmsgs_id
            AND pm.privmsgs_track_id = " . $pm_track_id . "
            AND u.user_id = pm.privmsgs_from_userid
            AND u2.user_id = pm.privmsgs_to_userid
            AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
               AND ( pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . "
                  OR pm.privmsgs_type = " . PRIVMSGS_READ_MAIL . "
                  OR pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "
                  OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . "  ) )
            OR ( pm.privmsgs_from_userid =  " . $userdata['user_id'] . "
               AND ( pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "
                  OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . "
                  OR pm.privmsgs_type = " . PRIVMSGS_SENT_MAIL . "
                  OR pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) )
            )
         ORDER BY privmsgs_date DESC
         LIMIT 0," . $pm_track_limiter;
AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
Vendethiel (Board Member, joined 26 Oct 2014, 69 posts)
Posted: Wed Jun 20, 2018 11:59 am
Post subject: Re: Track PMs for phpBB2

Yes, this is what I mentioned in the second part.
I still prefer not to insert wrong data in the first place. But I think yours is safe.

_________________
Developer on EzArena, the ADR premod.
Developer on Icy Phoenix, the phpBB hybrid cms.
Developer on IntegraMOD.
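
Added example, not part of the original thread or the mod's code: one way to follow the "do not insert wrong data in the first place" preference is to check on the write path that the posted id_for_pm_track belongs to a thread the sender already takes part in. The table, the sample rows and the helper resolve_track_id() are hypothetical; the column names follow the query quoted in the thread.

```php
<?php
// Constructed schema and data for illustration; not the mod's own tables.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE privmsgs (
    privmsgs_id          INTEGER PRIMARY KEY,
    privmsgs_track_id    INTEGER NOT NULL,
    privmsgs_from_userid INTEGER NOT NULL,
    privmsgs_to_userid   INTEGER NOT NULL)');
// Thread 10 is between users 2 and 3; thread 11 is between users 4 and 5.
$pdo->exec('INSERT INTO privmsgs VALUES (1, 10, 2, 3), (2, 10, 3, 2), (3, 11, 4, 5)');

/**
 * Hypothetical helper: return a track ID that is safe to store with a new PM.
 * The client-supplied value is kept only if it is a positive integer and the
 * sender already sent or received a message in that thread. Anything else
 * gets a freshly allocated thread ID.
 */
function resolve_track_id(PDO $pdo, $posted, int $sender_id): int
{
    $track_id = filter_var($posted, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);

    if ($track_id !== false) {
        // Bound parameters: the posted value never becomes part of the SQL text.
        $stmt = $pdo->prepare('SELECT 1 FROM privmsgs
            WHERE privmsgs_track_id = :t
              AND (privmsgs_from_userid = :u1 OR privmsgs_to_userid = :u2)
            LIMIT 1');
        $stmt->execute([':t' => $track_id, ':u1' => $sender_id, ':u2' => $sender_id]);
        if ($stmt->fetchColumn() !== false) {
            return $track_id;
        }
    }

    // Malformed, unknown or foreign ID: start a new thread instead.
    $next = $pdo->query('SELECT COALESCE(MAX(privmsgs_track_id), 0) + 1 FROM privmsgs');
    return (int) $next->fetchColumn();
}

var_dump(resolve_track_id($pdo, '10', 2));        // sender takes part in the posted thread
var_dump(resolve_track_id($pdo, '11', 2));        // posted ID belongs to other users' thread
var_dump(resolve_track_id($pdo, '10 OR 1=1', 2)); // posted value is not an integer
```

The read-side restriction on $userdata['user_id'] in the quoted query stays in place; this check only keeps tampered track IDs out of the table.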
vlad77 (Board Member, joined 31 May 2015, 26 posts)
Posted: Wed Jun 20, 2018 4:35 pm
Post subject: Re: Track PMs for phpBB2

If you want, try replacing "$pm_track_id = $id_for_pm_track;" with "return $id_for_pm_track;". But for safety it is unnecessary.
The line "$pm_track_id = $id_for_pm_track;" will be used when viewing automatically generated private messages, if "$pm_track_id = pm_track($id_for_pm_track, 1);" is replaced by "$pm_track_id = pm_track($id_for_pm_track);".
Page 1 of 1 All times are GMT
 