createPost - Call-time pass-by-reference has been deprecated error

Started by mpglivecarlo, July 27, 2012, 05:22:28 PM


mpglivecarlo

Quote from: Arantor on July 27, 2012, 08:44:22 PM
The screening part is right, except that you don't check that $post_errors is empty before trying to create the post.

Either way, once you've made the post, it still won't do anything because while you're giving it JavaScript to output once you're done, you're not actually calling that code so it quite rightly will just give you an empty page.

(The correct thing to do once the page is finished is to call redirectexit() with the URL of where users should be going. But DO NOT put $id_msg back in the redirection of the URL, there is absolutely no reason to do that and plenty of reasons not to.)

How can I check if the $post_errors is empty? You mean before calling the createPost function to check if it is set, or am I misunderstanding?

Thx for the redirectexit tip. The only thing is that I need users to go back to the same page they were on when they posted the message, meaning the front-end template where information from the topic was shown, and I need to give the id to the link or else it won't load the message info in the template; just like when you browse in the forum you can see on the link the topic and msg. Or if you know a workaround, please let me know; the thing is that it must return to the custom frontend template and not to any forum.

thanks again for help and patience.

live627

if (empty($post_error))
{
    // POST NOW, DAMMIT!
}

EDIT: Fixed logic :P

Arantor

Quote: give the id to the link or else it won't load the message info in the template; just like when you browse in the forum you can see on the link the topic and msg.

Except that's not what you're passing to the link, you're passing the actual message. To return to the actual message, use $msgOptions['id'] after calling createPost (because that will be the actual msg id as in the database) and you can use that with <a id="msg_id_goes_here"></a> in the target page. Either way, you do it that way, and not by creating a vulnerability vector.

@live, surely you mean:

if (!empty($post_error))
{
    // Tell the user something went wrong but do NOT go to createPost
}
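
The flow Arantor describes, as an added example that is not part of any post in this thread and is not SMF's own code: stop when $post_errors is not empty, otherwise create the post and send the user back with integer ids only, so the message body never travels through the redirect. fake_create_post() is a hypothetical stand-in for createPost(), and build_return_url(), handle_comment() and news.php are assumed names.

```php
<?php
// Added example, not SMF code: fake_create_post(), build_return_url(),
// handle_comment() and news.php are hypothetical names.

// Stand-in for SMF's createPost(). The "&" belongs in the declaration; the
// caller passes plain variables, with no "&" at the call site.
function fake_create_post(array &$msgOptions, array &$topicOptions): bool
{
    $msgOptions['id'] = 1042; // constructed; SMF fills in the real database id
    return true;
}

// The return URL is built from integers only. "#msg1042" matches an
// <a id="msg1042"></a> that the target page prints next to that reply.
function build_return_url(string $page, int $topicId, int $msgId): string
{
    return $page . '?' . http_build_query(['topic' => $topicId]) . '#msg' . $msgId;
}

function handle_comment(array $form, $rawTopicId): array
{
    $post_errors = [];
    $topicId = filter_var($rawTopicId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($topicId === false) {
        $post_errors[] = 'bad_topic';
    }
    $body = trim((string) ($form['message'] ?? ''));
    if ($body === '') {
        $post_errors[] = 'no_message';
    }
    if (!empty($post_errors)) {
        // Report the problem and stop: the posting routine is never reached.
        return ['errors' => $post_errors, 'redirect' => null];
    }

    $msgOptions = ['id' => 0, 'body' => $body];
    $topicOptions = ['id' => $topicId];
    fake_create_post($msgOptions, $topicOptions);

    // The body went to the posting routine only; it never enters the URL.
    return ['errors' => [], 'redirect' => build_return_url('news.php', $topicId, $msgOptions['id'])];
}

// Constructed inputs: a markup-laden body, then an empty one.
print_r(handle_comment(['message' => '<script>alert(1)</script>'], '57'));
print_r(handle_comment(['message' => '   '], '57'));
```

Inside SMF the returned URL would be handed to redirectexit(), and the target page would look up the topic's first message and its replies by the topic id rather than trusting anything carried in the link.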

mpglivecarlo

Quote from: Arantor on July 28, 2012, 08:31:19 AM
Quote: give the id to the link or else it won't load the message info in the template; just like when you browse in the forum you can see on the link the topic and msg.

Except that's not what you're passing to the link, you're passing the actual message. To return to the actual message, use $msgOptions['id'] after calling createPost (because that will be the actual msg id as in the database) and you can use that with <a id="msg_id_goes_here"></a> in the target page. Either way, you do it that way, and not by creating a vulnerability vector.

@live, surely you mean:

if (!empty($post_error))
{
    // Tell the user something went wrong but do NOT go to createPost
}


As always thank you.

The $msgOptions['id'] will give me the id for the recently posted message, but the id I need is the one from the topic's first message, so in the template it will load the first message (main body) and in the lower part the recently posted messages attached to the other.

The method you explained to make it more secure using <a id="msg_id_goes_here"></a> I really didn't understand.

thx again

Arantor

Quote: The $msgOptions['id'] will give me the id for the recently posted message, but the id I need is the one from the topic's first message, so in the template it will load the first message (main body) and in the lower part the recently posted messages attached to the other.

So go load that. Your current code doesn't do that anyway, it returns the body of the supplied message back to your other page.

Quote: The method you explained to make it more secure using <a id="msg_id_goes_here"></a> I really didn't understand.

I don't see what's hard to understand about it. It's just doing exactly (literally) what SMF does. What your current code does is push the message body back through the redirection, which is insecure and unnecessary.

Like so much of the rest of this thread, you're asking for help but not providing nearly enough detail about how it currently works or how you expect it to work.

mpglivecarlo

Quote from: Arantor on July 28, 2012, 05:32:28 PM
Quote: The $msgOptions['id'] will give me the id for the recently posted message, but the id I need is the one from the topic's first message, so in the template it will load the first message (main body) and in the lower part the recently posted messages attached to the other.

So go load that. Your current code doesn't do that anyway, it returns the body of the supplied message back to your other page.

Quote: The method you explained to make it more secure using <a id="msg_id_goes_here"></a> I really didn't understand.

I don't see what's hard to understand about it. It's just doing exactly (literally) what SMF does. What your current code does is push the message body back through the redirection, which is insecure and unnecessary.

Like so much of the rest of this thread, you're asking for help but not providing nearly enough detail about how it currently works or how you expect it to work.

Just as you didn't understand what I would like to do (or am trying to do), I didn't understand "exactly (literally) what smf does". So with my poor PHP skills I'm trying to take the basic features of the forum to an external template, because I'm going to be using the forum as a backend for news redaction, that's all; users will never go inside the forum itself.

I can't load the $msgoptions['id'] because the template query would fill the template with the information based on the id supplied, meaning only the last message that was posted.

Currently the template loads the first message from a topic (taken as the main news) and users will have the option to comment on that news piece via the simple form I posted. That form passes the information to the PHP file you have been helping me with, creates the message (child message to the news topic), then has to redirect me back to the template and reload the topic's first message in the main body, and the comment must appear beneath it.

Same thing smf does when someone replies using quick reply in a forum and gets back to the topic they posted on.

I know that there must be a simpler way of doing it and an even more secure one; once again this is my second project using smf as the core of the website and by the looks of it, the first one is very insecure and poorly optimized from what you say. That's why I would like to understand what you meant, but it seems to be getting on your nerves.

thank you for your time and help.

Arantor

It's been getting on my nerves because all the way along you've been giving me as little information as possible, which makes it very hard to help you - it's only actually been with this last post that you actually explained what you were trying to do, though avoiding the fact that you're essentially duplicating a ton of SMF functionality for no readily apparent reason.

Quote: Just as you didn't understand what I would like to do (or am trying to do), I didn't understand "exactly (literally) what smf does",

Well, you're copying SMF's functionality.

Once it inserts the message, it's looking to go back to the message, which requires the topic and the message id. Since I was going off your code, and not having any real idea of what you were trying to do, it's hardly surprising you got useless advice. (Since what you'd written code-wise was not what you wanted.)

And you're still not actually answering ANY of my questions. You're somewhere, posting something somewhere and expecting it to redirect somewhere else. What are these URLs exactly?

mpglivecarlo

Quote from: Arantor on July 29, 2012, 05:05:05 PM
It's been getting on my nerves because all the way along you've been giving me as little information as possible, which makes it very hard to help you - it's only actually been with this last post that you actually explained what you were trying to do, though avoiding the fact that you're essentially duplicating a ton of SMF functionality for no readily apparent reason.

Quote: Just as you didn't understand what I would like to do (or am trying to do), I didn't understand "exactly (literally) what smf does",

Well, you're copying SMF's functionality.

Once it inserts the message, it's looking to go back to the message, which requires the topic and the message id. Since I was going off your code, and not having any real idea of what you were trying to do, it's hardly surprising you got useless advice. (Since what you'd written code-wise was not what you wanted.)

And you're still not actually answering ANY of my questions. You're somewhere, posting something somewhere and expecting it to redirect somewhere else. What are these URLs exactly?

I know it may be difficult to understand but I'm just trying to use some of the functions from smf as a core "service"; I'm not interested in the visual part and some functionality that smf has.

For this topic I just need the functionality to post topics and reply. Later on I will probably need to do the same for registration and personal messaging; I don't know if I will need more in the future.

I am sure that you will say that if those features are the only ones I need then I should use a blog or other software. My reply would be that I'd rather have more core functionality programmed in the core and use it later, regardless of what I am using right now.

thank you for your help and patience.

Arantor

Given that you're completely reimplementing core functionality from scratch, you're not making any use of 'core functionality', it's all your own code, so you're not benefitting from any amount of core functionality.

The reason I said about looking at what SMF does is because you basically need to copy most of Post2() and a decent amount of Display.php and Post.php, which is some of the most complex logic in SMF to reimplement securely.

Given that's what you're doing, it would be a waste of my time to spend any more in this thread. I'm an SMF specialist, not a copy/paste merchant.
