wolfshaven, Posted September 23, 2009

I'm currently updating a form mod for Simple Machines Forum. It allows forum admins to create simple custom forms that serve as a template for their users' posts. In other words, a user fills out a form and a pre-formatted forum post is created based on the user's answers.

The problem I'm running into is: if a user is filling out a field for input type="text" or a textarea and they enter a dollar sign somewhere in their answer, the form treats it as a string variable. This is most common if the user enters something like...

    Bill made $12.43 and Joe made $15.98

It will output to the forum post as...

    Bill made .43 and Joe made .98

Is there something I can do to prevent this from happening?

Thanks in advance,
Jim
Ingolme, Posted September 23, 2009

What code are you using? I don't think it's possible for form data to be parsed like that.
jeffman, Posted September 23, 2009

By any chance is this an AJAX app? If so, you might need to run your data through encodeURIComponent(). It's generally a good idea anyway.
wolfshaven, Posted September 23, 2009

> What code are you using? I don't think it's possible for form data to be parsed like that.

It's a large, complicated mod split up over multiple files. The package can be found at...

http://custom.simplemachines.org/mods/index.php?mod=1279

Version 1.5 is the latest, and the bug happens in both the versions for SMF 1.1.x and 2.x.

I'm not sure if this helps, but the code looks something like this...

    // Large Text box?
    elseif ($field_data['type'] == 'largetextbox')
    {
        echo '
            <textarea rows="5" cols="45" name="', $field_name, '" id="', $field_name, '">', $field_data['value'], '</textarea>';
    }
    // Int, Float or text box?
    else
        echo '
            <input type="text" name="', $field_name, '" id="', $field_name, '" value="', $field_data['value'], '" />';

    // Do the formatting for both large and normal textboxes.
    default:
        $value = isset($_REQUEST[$field['title']]) ? $_REQUEST[$field['title']] : '';

        // If value is empty then set it to the default.
        if(($value == '') && !$required)
            $value = $default;

        // Only bother with further formatting if there is now some text. - This avoids huge errors with the parse_bbc() function returning all bbc.
        if(!($value == ''))
        {
            // Remove all bbc code if we don't need to parse it.
            if(!in_array('parse_bbc', $type_vars))
                $value = strip_tags(parse_bbc($value, false), '<br>');

            // Restrict the length of value if necessary, can stuff up html, but hey...
            if(($size != ''))
                $value = substr($value, 0, $size);
        }
    }

    // Do we have an invalid value? Is this field required?
    if(($required && (($value == '') || ($value == '0')) && ($field['type'] != 'checkbox'))
        // Failing for selectboxes is far more simple, If there is no valid value, it fails.
        || (($field['type'] == 'selectbox') && ($value == '')))
    {
        // Do the 'fail form/field' stuff.
        $data[$i]['failed'] = true;
        $fail_submit = true;
        continue;
    }

    // Add this field's value to the list of variables for the output post.
    $vars[] = '/\{'.$field['title'].'\}/';
    $replace[] = $value;

    // Also add this data back into the data array, just in case we can't actually submit the form.
    $data[$i]['value'] = $value;

    // Do a small fix for the last line, if this is a checkbox.
    if($field['type'] == 'checkbox')
        $data[$i]['value'] = isset($_REQUEST[$field['title']]) ? $_REQUEST[$field['title']] : false;

    if (($required) && (!$data[$i]['value']))
    {
        // Do the 'fail form/field' stuff.
        $data[$i]['failed'] = true;
        $fail_submit = true;
        continue;
    }

    // Do a small fix for the last line, if this is a largetextbox.
    if(($field['type'] == 'largetextbox'))
        $data[$i]['value'] = isset($_REQUEST[$field['title']]) ? $_REQUEST[$field['title']] : '';
    }

    // Do we have completely valid field data?
    if(!$fail_submit)
    {
        require_once($sourcedir.'/Subs-Post.php');

        // Replace all vars with their correct value, for both the message and the subject.
        $output = preg_replace($vars, $replace, $output);
        $subject = preg_replace($vars, $replace, $subject);

        // Collect all necessary parameters for the creation of the post.
        $msgOptions = array(
            'id' => 0,
            'subject' => $subject,
            'body' => $output,
            'smileys_enabled' => true,
        );
        $topicOptions = array(
            'id' => 0,
            'board' => $board,
            'mark_as_read' => true,
        );
        $posterOptions = array(
            'id' => $user_info['id'],
        );

        // Finally create the post!!! :D
        createPost($msgOptions, $topicOptions, $posterOptions);

        // Redirect this user as well.
        redirectexit('board=' . $board . '.0');
    }
    }

Note: this is only part of the entire mod, but I think this might be where it's getting hung up. *undecided*
wolfshaven, Posted September 23, 2009

> By any chance is this an AJAX app? If so, you might need to run your data through encodeURIComponent(). It's generally a good idea anyway.

I know SMF uses AJAX in places, but the modification is all PHP and HTML.
Ingolme, Posted September 23, 2009

Are you using preg_replace() or some other kind of regular expression function?

The only thing that would parse a $ with numbers next to it is a regular expression when using it as a backreference.
justsomeguy, Posted September 23, 2009

    // Replace all vars with their correct value, for both the message and the subject.
    $output = preg_replace($vars, $replace, $output);
    $subject = preg_replace($vars, $replace, $subject);
wolfshaven, Posted September 24, 2009

>     // Replace all vars with their correct value, for both the message and the subject.
>     $output = preg_replace($vars, $replace, $output);
>     $subject = preg_replace($vars, $replace, $subject);

Yep, just those two lines. I just assumed that that would take the data from the form and then convert it to the template for the post. I don't see anyplace in the mod where it changes any of it with regular expressions. Actually, as I look through the entire code for the mod, I don't see any regular expressions at all.

I did find...

    // Format the form output, so that the WYSIWYG editor works correctly
    if (!empty($_REQUEST['message_mode']) && isset($_REQUEST['output']))
    {
        require_once($sourcedir . '/Subs-Editor.php');

        $_REQUEST['output'] = html_to_bbc($_REQUEST['output']);
        $_REQUEST['output'] = un_htmlspecialchars($_REQUEST['output']);
        $_REQUEST['output'] = $smcFunc['htmlspecialchars']($_REQUEST['output'], ENT_QUOTES);
        preparsecode($_REQUEST['output']);
    }

Perhaps use htmlentities instead? Either way, I didn't think they affected dollar signs. :-/
Ingolme, Posted September 24, 2009

preg_replace() stands for "Perl-compatible regular expressions replace".

Here's an example of what it can do:

    $input = "XZN59";
    echo preg_replace("/^([A-Z]*)/", "Letters: $1", $input);
    // Outputs "Letters: XZN"
    // $1 is a backreference to the first group of parentheses in the regular expression
wolfshaven, Posted September 26, 2009

OK, I found a regular expression in the mod:

    // Add this field's value to the list of variables for the output post.
    $vars[] = '/\{'.$field['title'].'\}/';
    $replace[] = $value;

    // Also add this data back into the data array, just in case we can't actually submit the form.
    $data[$i]['value'] = $value;

To me it looks like it says: find the field's "title" between { } and replace it with the user's input. I don't see where it lists any characters to be included or excluded. Should I add one in there someplace, or is the syntax somewhat off?

If that doesn't get it, I'm not sure what to do other than re-release the mod with that particular bug still remaining.
Ingolme, Posted September 26, 2009

> OK, I found a regular expression in the mod:
>
>     // Add this field's value to the list of variables for the output post.
>     $vars[] = '/\{'.$field['title'].'\}/';
>     $replace[] = $value;
>
>     // Also add this data back into the data array, just in case we can't actually submit the form.
>     $data[$i]['value'] = $value;
>
> To me it looks like it says: find the field's "title" between { } and replace it with the user's input. I don't see where it lists any characters to be included or excluded. Should I add one in there someplace, or is the syntax somewhat off?
>
> If that doesn't get it, I'm not sure what to do other than re-release the mod with that particular bug still remaining.

The quick fix is to escape the $ symbols. Try this:

    $replace[] = str_replace('$','\$',$value);

Hmm, but I think that there should be a better way to do it, though it might require changing a lot of code.
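The mechanism behind the bug, as an added example that is not part of the thread or of the mod's code: a user's answer is passed to preg_replace() as a replacement string, so "$12" and "\1" inside it are read as backreferences (to groups that don't exist, hence they vanish). The field names, answers and template below are constructed; the two fixed functions escape the replacement or avoid the regex entirely.

```php
<?php
// Constructed template and answers; {Pay} and {Note} stand in for the mod's {field title} placeholders.
$template = 'Earnings: {Pay} / Comment: {Note}';
$answers  = [
    'Pay'  => 'Bill made $12.43 and Joe made $15.98',
    'Note' => 'log is in C:\1\temp',   // backslash + digit is a backreference too
];

// How the mod does it today: the answer is the preg_replace() replacement,
// so "$12", "\1", "${1}" and "\\" inside it are interpreted rather than copied.
function fillTemplateUnsafe(string $tpl, array $answers): string
{
    $patterns = $replacements = [];
    foreach ($answers as $title => $value) {
        $patterns[]     = '/\{' . $title . '\}/';
        $replacements[] = $value;
    }
    return preg_replace($patterns, $replacements, $tpl);
}

// Fix 1: keep preg_replace() but neutralise both replacement metacharacters
// ("\" first, then "$") and preg_quote() the field title so a title containing
// ".", "*" or "/" cannot alter the pattern either.
function fillTemplateEscaped(string $tpl, array $answers): string
{
    $patterns = $replacements = [];
    foreach ($answers as $title => $value) {
        $patterns[]     = '/\{' . preg_quote($title, '/') . '\}/';
        $replacements[] = str_replace(['\\', '$'], ['\\\\', '\$'], $value);
    }
    return preg_replace($patterns, $replacements, $tpl);
}

// Fix 2: no regex at all. strtr() with an array does one literal pass over the
// template, so nothing in an answer is interpreted and one answer cannot expand
// another answer's {placeholder}.
function fillTemplateLiteral(string $tpl, array $answers): string
{
    $map = [];
    foreach ($answers as $title => $value) {
        $map['{' . $title . '}'] = $value;
    }
    return strtr($tpl, $map);
}

echo fillTemplateUnsafe($template, $answers), "\n";   // Earnings: Bill made .43 and Joe made .98 / Comment: log is in C:\temp
echo fillTemplateEscaped($template, $answers), "\n";  // Earnings: Bill made $12.43 and Joe made $15.98 / Comment: log is in C:\1\temp
echo fillTemplateLiteral($template, $answers), "\n";  // same as the escaped version
```

Ingolme's one-liner covers the "$" case; the backslash case is the reason the escaped version handles "\" as well, and the strtr() version is the "better way" that needs no escaping at all.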
wolfshaven, Posted September 27, 2009

Well, whether or not it's the "proper" fix, it works perfectly.

Thanks Ingolme, you rock!!!