createPost - Call-time pass-by-reference has been deprecate error

Started by mpglivecarlo, July 27, 2012, 05:22:28 PM


mpglivecarlo

hi,

im using the create post function to create a message inside a topic from an outside form, and when i send the information i get the error

Deprecated: Call-time pass-by-reference has been deprecated in D:\xampp\htdocs\blah\scripts\inter.php on line 47

line 47 is:
createPost(&$msgOptions, &$topicOptions, &$posterOptions);

i know that some people have fixed this eliminating the & from the function but i have tried that and when i post it just gets stuck at a blank page.

Any help is welcome since im stuck at this point.

live627


mpglivecarlo

this is basically the code that takes the information from the form dont know if my newb php is enough.

if($ac=="post"){
    require_once('../../forum/Sources/Subs-Post.php');
if (isset($save) ) {

$id_board=$_POST["id_board"];
$id_topic=$_POST["id_topic"];
$id_msg=$_POST["id_msg"];
$msg=$_POST["msg"];
$id_user=$context['user']['id'];
$title="Test";
         
            $msgOptions = array(
            'icon' => 'xx',
              'smileys_enabled' => true,
              'body' => $msg,
                'subject' => $title,
                    );
           
            $topicOptions = array(
                'board' => $id_board,
                'id' => $id_topic,
                'mark_as_read' => true,
                );

            $posterOptions = array(
                'id' =>  $id_user,
                'update_post_count' => true,
                 );
createPost(&$msgOptions, &$topicOptions, &$posterOptions);

                 if($save){
                  echo '<SCRIPT language="JavaScript"> function getgoing(){ top.location="../seccion.php?sec=news&id='.$id_msg.'"; } </SCRIPT>';
                    }
                 }
    }


thx for any help

live627



live627


mpglivecarlo

nope, just in a plain php file that is called using the form using the link

<form action="scripts/inter.php?ac=post" method="post" enctype="multipart/form-data">
<input type="hidden" name="brd" value="<?php echo $id_board ?>" />
<input type="hidden" name="tpc" value="<?php echo $id_topic ?>" />
<input type="hidden" name="id" value="<?php echo $id_msg ?>" />
<table>
<tr>
<td><b>comment:</b></td>
<td><textarea type="text" name="msg" cols="65" rows="3" /></textarea></td>
<td><input type="submit" name="submit" value="Send" class="publicar-empresa" /></td>
</tr>
                                                        </table>
</form>

Arantor

And what's that PHP? We don't really care too much about the form, but we do care about the code that you've written which calls createPost... ;)

mpglivecarlo

OK, as I said code is inside a simple php file that calls the ssi.php, and the subs-post.php to make the post.

the lines on top of the code i posted are just

require_once('../../forum/SSI.php');
mysql_select_db('my_database');


and thats it, it is weird that its not working now because on another website i used the same procedure and works fine. maybe php version (its PHP Version 5.3.8 )?

Arantor

Seriously, please just post the entire damn file. The problem is related to how you're setting up and calling createPost. But since you're unable or unwilling to post the actual code itself that's broken, I'm unable or unwilling to help you!

mpglivecarlo

no need to be rude, the whole code in the file you already got, is in post #2 but if you need it to be in a single code tag here it is

<?php
require_once('../../forum/SSI.php');
mysql_select_db('my_database');

$ac=$_GET["ac"];

if($ac=="post"){
    require_once('../../forum/Sources/Subs-Post.php');
    if (isset($save) ) {

        $id_board=$_POST["id_board"];
        $id_topic=$_POST["id_topic"];
        $id_msg=$_POST["id_msg"];
        $msg=$_POST["msg"];
        $id_user=$context['user']['id'];
        $title="Test";

        $msgOptions = array(
            'icon' => 'xx',
            'smileys_enabled' => true,
            'body' => $msg,
            'subject' => $title,
        );

        $topicOptions = array(
            'board' => $id_board,
            'id' => $id_topic,
            'mark_as_read' => true,
        );

        $posterOptions = array(
            'id' =>  $id_user,
            'update_post_count' => true,
        );

        createPost(&$msgOptions, &$topicOptions, &$posterOptions);

        if($save){
            echo '<SCRIPT language="JavaScript"> function getgoing(){ top.location="../seccion.php?sec=news&id='.$id_msg.'"; } </SCRIPT>';
        }
    }
}

?>


That all the code inside the file for now, just started the file, it will eventually have more small part of code that i have not written. My php is not expert as you can see, so please bear with me.

thanks for any help.

Arantor

Quote: no need to be rude

There's also no need to keep posting bits and bits of code; it makes it much harder to figure out what's going on, second guessing what information might or might not be relevant.

I'm still not convinced it's all the code since as it stands, it shouldn't even work (just throw an error about $ac being undefined)

Version of SMF?

mpglivecarlo

smf 2.0.2

You are right i didnt put the $ac, it didnt copy (ill edit the post), but aside from that thats all the code inside that php, if im missing things its due to my lack of php, not for me lying about it.

dont know if it helps but ill write it still

1. im using a simple html template in front end, pulling information from the SMF DB from a specific message id
2. the hidden fields are filled with the information i pull from the message so that i can complete the information for the new post arrays needed by the function createPost.
3. when someone fills the textarea and submits, the form calls the php file that i have posted the code for.
4. what i was expecting is that the php file calls the createPost function and feeds the arrays of settings the function needs to create a post.
5. thats it. basically making a quick reply box for a topic in an outside html form.

once again i dont know what im doing wrong.

Arantor

Well, you were half right to start with, take out the & in the createPost calls. Given the code you've posted, it ending up at a blank screen is completely what should happen.

That said, there are a number of steps you need to carry out ahead of calling createPost. You need to call $smcFunc['htmlspecialchars'] on the subject and body text (with ENT_QUOTES, just as Post.php does) and you need to call preparsecode() on the body text as well. Not doing these things is very bad.

mpglivecarlo

Quote from: Arantor on July 27, 2012, 07:00:35 PM
Well, you were half right to start with, take out the & in the createPost calls. Given the code you've posted, it ending up at a blank screen is completely what should happen.

That said, there are a number of steps you need to carry out ahead of calling createPost. You need to call $smcFunc['htmlspecialchars'] on the subject and body text (with ENT_QUOTES, just as Post.php does) and you need to call preparsecode() on the body text as well. Not doing these things is very bad.

So after I get the values from the form i should do those steps in that order?

1. $smFunc['htmlspecialchars'] on the body and subject
2. preparsecode() on the body text

and should not display the error "Deprecated: Call-time pass-by-reference has been deprecated" ?

thank you and ill try to setup your suggestions and see if i get it right.

Arantor

Yes, like SMF does. You should probably review the code in Post2() in Post.php.

But you're missing my point. The error is being displayed because you're using & in the function calls, not for any other reason - and you do not require those at all. It's entirely possible that there's something else going on, but when you get the blank page at the end, that's what's supposed to happen because you haven't given it anything else to do.

The instructions I've given are to make sure people don't inject nasty code into your site through this form.

mpglivecarlo

Quote from: Arantor on July 27, 2012, 07:46:41 PM
Yes, like SMF does. You should probably review the code in Post2() in Post.php.

But you're missing my point. The error is being displayed because you're using & in the function calls, not for any other reason - and you do not require those at all. It's entirely possible that there's something else going on, but when you get the blank page at the end, that's what's supposed to happen because you haven't given it anything else to do.

The instructions I've given are to make sure people don't inject nasty code into your site through this form.

Leaving the security changes i have to make, i have tried to use the function without the & like this:

createPost($msgOptions, $topicOptions, $posterOptions);

And at the end it just returns a blank page, so i dont know what else could it be.

Arantor

Quote: And at the end it just returns a blank page, so i dont know what else could it be.

It's doing EXACTLY WHAT YOU TOLD IT TO DO.

It reads the data, calls createPost. What did you expect it to do? createPost creates the post. It's up to you to then display something or redirect or something.

mpglivecarlo

i was testing then to echo out some variables but didnt work.

i did this, i checked the post2() part in post.php, and found the part where it gets filtered (hope i found the right part) this is how the file looks now is it ok? or did i mess all up? thank you for your help and patience.

if($ac=="post"){
    require_once('../../foro/Sources/Subs-Post.php');
if (isset($save)){

// Check the subject and message.
if (!isset($_POST['sub']) || $smcFunc['htmltrim']($smcFunc['htmlspecialchars']($_POST['sub'])) === '')
$post_errors[] = 'no_subject';
if (!isset($_POST['msg']) || $smcFunc['htmltrim']($smcFunc['htmlspecialchars']($_POST['msg']), ENT_QUOTES) === '')
$post_errors[] = 'no_message';
elseif (!empty($modSettings['max_messageLength']) && $smcFunc['strlen']($_POST['msg']) > $modSettings['max_messageLength'])
$post_errors[] = 'long_message';
else
{
// Prepare the message a bit for some additional testing.
$_POST['msg'] = $smcFunc['htmlspecialchars']($_POST['msg'], ENT_QUOTES);

// Preparse code. (Zef)
if ($user_info['is_guest'])
$user_info['name'] = $_POST['guestname'];
preparsecode($_POST['msg']);

// Let's see if there's still some content left without the tags.
if ($smcFunc['htmltrim'](strip_tags(parse_bbc($_POST['msg'], false), '<img>')) === '' && (!allowedTo('admin_forum') || strpos($_POST['msg'], '[html]') === false))
$post_errors[] = 'no_message';
}

$id_board=$_POST["brd"];
$id_topic=$_POST["tpc"];
$id_msg=$_POST["id"];
$msg=$_POST["msg"];
$id_user=$context['user']['id'];
$title=$_POST["sub"];

            $msgOptions = array(
            'icon' => 'xx',
              'smileys_enabled' => true,
              'body' => $msg,
                'subject' => $title,
                    );
           
            $topicOptions = array(
                'board' => $id_board,
                'id' => $id_topic,
                'mark_as_read' => true,
                );

            $posterOptions = array(
                'id' =>  $id_user,
                'update_post_count' => true,
                 );

createPost($msgOptions, $topicOptions, $posterOptions);

                 if($save){
                  echo '<SCRIPT language="JavaScript"> function getgoing(){ top.location="../seccion.php?sec=news&id='.$id_msg.'"; } </SCRIPT>';
                    }
        }
    }


it posted the message correctly but, wanted to check with you if i did the message and subject check right.

Arantor

The screening part is right, except that you don't check that $post_errors is empty before trying to create the post.

Either way, once you've made the post, it still won't do anything because while you're giving it JavaScript to output once you're done, you're not actually calling that code so it quite rightly will just give you an empty page.

(The correct thing to do once the page is finished is to call redirectexit() with the URL of where users should be going. But DO NOT put $id_msg back in the redirection of the URL, there is absolutely no reason to do that and plenty of reasons not to.)

mpglivecarlo

Quote from: Arantor on July 27, 2012, 08:44:22 PM
The screening part is right, except that you don't check that $post_errors is empty before trying to create the post.

Either way, once you've made the post, it still won't do anything because while you're giving it JavaScript to output once you're done, you're not actually calling that code so it quite rightly will just give you an empty page.

(The correct thing to do once the page is finished is to call redirectexit() with the URL of where users should be going. But DO NOT put $id_msg back in the redirection of the URL, there is absolutely no reason to do that and plenty of reasons not to.)

How can i check if the $post_errors is empty? you mean before calling the createPost function to check if is set or am i misunderstanding?

Thx for the redirectexit tip, the only thing is that i need users to go back to the same page they were when they posted the message, meaning the front end template where information from the topic was shown and i need to give the id to the link or else it wont load the message info in the template; just like when you browse in the forum you can see on the link the topic and msg. Or if you know a work around, please let me know; the thing is that it must return to the custom frontend template and not to any forum.

thanks again for help and patience.

live627

if (empty($post_errors))
{
    // POST NOW, DAMMIT!
}

EDIT: Fixed logic :P

Arantor

Quote: give the id to the link or else it wont load the message info in the template; just like when you browse in the forum you can see on the link the topic and msg.

Except that's not what you're passing to the link, you're passing the actual message. To return to the actual message, use $msgOptions['id'] after calling createPost (because that will be the actual msg id as in the database and you can use that with <a id="msg_id_goes_here"></a> in the target page. Either way, you do it that way, and not by creating a vulnerability vector.

@live, surely you mean:

if (!empty($post_errors))
{
    // Tell the user something went wrong but do NOT go to createPost
}

mpglivecarlo

Quote from: Arantor on July 28, 2012, 08:31:19 AM
Quote: give the id to the link or else it wont load the message info in the template; just like when you browse in the forum you can see on the link the topic and msg.

Except that's not what you're passing to the link, you're passing the actual message. To return to the actual message, use $msgOptions['id'] after calling createPost (because that will be the actual msg id as in the database and you can use that with <a id="msg_id_goes_here"></a> in the target page. Either way, you do it that way, and not by creating a vulnerability vector.

@live, surely you mean:

if (!empty($post_errors))
{
    // Tell the user something went wrong but do NOT go to createPost
}


As always thank you.

The $msgOptions['id'] will give me the id for the recently posted message, but the id i need is the one from the topics first message so in the template it will load the first message (main body) and in the lower part the recently posted messages attached to the other.

The method you explained to make it more secure using <a id="msg_id_goes_here"></a> i really didnt understand.

thx again

Arantor

Quote: The $msgOptions['id'] will give me the id for the recently posted message, but the id i need is the one from the topics first message so in the template it will load the first message (main body) and in the lower part the recently posted messages attached to the other.

So go load that. Your current code doesn't do that anyway, it returns the body of the supplied message back to your other page.

Quote: The method you explained to make it more secure using <a id="msg_id_goes_here"></a> i really didnt understand.

I don't see what's hard to understand about it. It's just doing exactly (literally) what SMF does. What your current code does is push the message body back through the redirection, which is insecure and unnecessary.

Like so much of the rest of this thread, you're asking for help but not providing nearly enough detail about how it currently works or how you expect it to work.
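
The checks Arantor lists in this thread, assembled into one script as an added example (not code from any poster or from SMF itself): escape and preparse the input, stop if $post_errors is not empty, call createPost() without &, then redirectexit() using only IDs the server produced. Assumptions: SMF 2.0.x, the field names brd, tpc, sub and msg from the posted code, guests rejected, a placeholder return URL, and a target page that emits matching <a id="msgNNN"></a> anchors; the permission and session checks in Post2() are not reproduced here.

```php
<?php
// Added example: hardened inter.php for SMF 2.0.x (not code from the thread).
require_once('../../forum/SSI.php');
require_once('../../forum/Sources/Subs-Post.php');

// Placeholder front-end URL. redirectexit() prefixes relative targets with the
// forum's own URL, so an external page needs the full address.
$returnUrl = 'https://www.example.com/seccion.php?sec=news&id=';

if (!isset($_GET['ac']) || $_GET['ac'] !== 'post' || $_SERVER['REQUEST_METHOD'] !== 'POST')
	exit('Nothing to do.');

$post_errors = array();
if ($user_info['is_guest'])
	$post_errors[] = 'guests_not_allowed'; // constructed key; guests rejected here

// IDs are integers; the raw strings go no further than this cast.
$id_board = isset($_POST['brd']) ? (int) $_POST['brd'] : 0;
$id_topic = isset($_POST['tpc']) ? (int) $_POST['tpc'] : 0;

// Escape first, then test for emptiness, as the thread advises.
$subject = isset($_POST['sub']) ? $smcFunc['htmlspecialchars']($_POST['sub'], ENT_QUOTES) : '';
$body = isset($_POST['msg']) ? $smcFunc['htmlspecialchars']($_POST['msg'], ENT_QUOTES) : '';

if ($smcFunc['htmltrim']($subject) === '')
	$post_errors[] = 'no_subject';
if ($smcFunc['htmltrim']($body) === '')
	$post_errors[] = 'no_message';
elseif (!empty($modSettings['max_messageLength']) && $smcFunc['strlen']($body) > $modSettings['max_messageLength'])
	$post_errors[] = 'long_message';
else
	preparsecode($body); // takes the text by reference and cleans the BBC

// Look the topic up instead of trusting a hidden field for the first message.
$first_msg = 0;
if (empty($post_errors))
{
	$request = $smcFunc['db_query']('', '
		SELECT id_first_msg
		FROM {db_prefix}topics
		WHERE id_topic = {int:topic} AND id_board = {int:board}
		LIMIT 1',
		array('topic' => $id_topic, 'board' => $id_board)
	);
	$row = $smcFunc['db_fetch_assoc']($request);
	$smcFunc['db_free_result']($request);
	if (empty($row))
		$post_errors[] = 'topic_not_found'; // constructed key
	else
		$first_msg = (int) $row['id_first_msg'];
}

// The gate the thread asks for: any error means createPost() is never reached.
if (!empty($post_errors))
	exit('Comment not posted: ' . htmlspecialchars(implode(', ', $post_errors), ENT_QUOTES));

$msgOptions = array('icon' => 'xx', 'smileys_enabled' => true, 'body' => $body, 'subject' => $subject);
$topicOptions = array('board' => $id_board, 'id' => $id_topic, 'mark_as_read' => true);
$posterOptions = array('id' => $user_info['id'], 'update_post_count' => true);

// No & at the call site: createPost() declares its parameters by reference.
createPost($msgOptions, $topicOptions, $posterOptions);

// Both IDs in the URL come from the database, never from the request.
redirectexit($returnUrl . $first_msg . '#msg' . (int) $msgOptions['id']);
```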

mpglivecarlo

Quote from: Arantor on July 28, 2012, 05:32:28 PM
Quote: The $msgOptions['id'] will give me the id for the recently posted message, but the id i need is the one from the topics first message so in the template it will load the first message (main body) and in the lower part the recently posted messages attached to the other.

So go load that. Your current code doesn't do that anyway, it returns the body of the supplied message back to your other page.

Quote: The method you explained to make it more secure using <a id="msg_id_goes_here"></a> i really didn't understand.

I don't see what's hard to understand about it. It's just doing exactly (literally) what SMF does. What your current code does is push the message body back through the redirection, which is insecure and unnecessary.

Like so much of the rest of this thread, you're asking for help but not providing nearly enough detail about how it currently works or how you expect it to work.

Just as you didnt understand what i would like to do (or trying to do) i didnt understand "exactly (literally) what smf does", so with my poor php skills I'm trying to take the basic features of the forum to an external template because I'm going to be using the forum as a backend for news redaction, that's all, users will never go inside the forum itself.

I cant load the $msgoptions['id'] because the template query would fill the template with the information based on the id supplied, meaning only the last message that was posted.

Currently the template loads the first message from a topic (taken as the main news) and users will have the option to comment that news piece via the simple form i posted, that form passes the information to the php file you have been helping me with, creates the message (child message to the news topic) then has to redirect me back to the template and reload the topics first message in the main body, and the comment must appear beneath it.

Same thing smf does when someone replies using quick reply in a forum and get back to the topic they posted on.

I know that there must be a simpler way of doing it and a even more secure; once again this is my second project using smf as the core of the website and by the looks of it, the first one is very insecure and poorly optimized as for what you say, that's why i would like to understand what did you mean, but it seems to be getting on your nerves.

thank you for your time and help.

Arantor

It's been getting on my nerves because all the way along you've been giving me as little information as possible, which makes it very hard to help you - it's only actually been with this last post that you actually explained what you were trying to do, though avoiding the fact that you're essentially duplicating a ton of SMF functionality for no readily apparent reason.

Quote: Just as you didnt understand what i would like to do (or trying to do) i didnt understand "exactly (literally) what smf does",

Well, you're copying SMF's functionality.

Once it inserts the message, it's looking to go back to the message, which requires the topic and the message id. Since I was going off your code, and not having any real idea of what you were trying to do, it's hardly surprising you got useless advice. (Since what you'd written code-wise was not what you wanted.)

And you're still not actually answering ANY of my questions. You're somewhere, posting something somewhere and expecting it to redirect somewhere else. What are these URLs exactly?

mpglivecarlo

Quote from: Arantor on July 29, 2012, 05:05:05 PM
It's been getting on my nerves because all the way along you've been giving me as little information as possible, which makes it very hard to help you - it's only actually been with this last post that you actually explained what you were trying to do, though avoiding the fact that you're essentially duplicating a ton of SMF functionality for no readily apparent reason.

Quote: Just as you didnt understand what i would like to do (or trying to do) i didnt understand "exactly (literally) what smf does",

Well, you're copying SMF's functionality.

Once it inserts the message, it's looking to go back to the message, which requires the topic and the message id. Since I was going off your code, and not having any real idea of what you were trying to do, it's hardly surprising you got useless advice. (Since what you'd written code-wise was not what you wanted.)

And you're still not actually answering ANY of my questions. You're somewhere, posting something somewhere and expecting it to redirect somewhere else. What are these URLs exactly?

I know it may be difficult to understand but im just trying to use some of the functions from smf as a core "service", not interested in the visual part and some functionality that smf has.

For this topic i just need the functionality to post topics and reply, later on i will probably need to do the same for registration and personal messaging, don't know if i will need more in the future.

I am sure that you will say that why if those features are the only ones i need then i should use a blog or other software, my reply would be that id rather prefer to have more core functionality programmed in the core and to use it later regardless of what i am using right now.

thank you for your help and patience.

Arantor

Given that you're completely reimplementing core functionality from scratch, you're not making any use of 'core functionality', it's all your own code, so you're not benefitting from any amount of core functionality.

The reason I said about looking at what SMF does is because you basically need to copy most of Post2() and a decent amount of Display.php and Post.php, which is some of the most complex logic in SMF to reimplement securely.

Given that's what you're doing, it would be a waste of my time to spend any more in this thread. I'm an SMF specialist, not a copy/paste merchant.

mpglivecarlo

