Author Topic: [ADDON] - sNews Calendar - with Integrated Admin - 1.6  (Read 46023 times)

poppoll

  • Full Member
  • ***
  • Karma: 47
  • Posts: 199
    • Poppoll's sNews playground
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #30 on: September 20, 2008, 11:06:10 pm »

Keys,
I posted the solution for the event manager. See higher..
There is another bug when using a db prefix.
No events in the event manager and nothing in the calendar.
The events under the calendar and the see all events links are working fine.
PP
« Last Edit: September 20, 2008, 11:17:37 pm by poppoll »

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #31 on: September 21, 2008, 12:30:24 am »

1 - The event manager panel is not displayed correctly in Firefox. In the CSS, add height: 25px; to .tableheader.
2 - In Add New Event the Add and Cancel buttons are not displayed. In events_admin.php remove the classes at lines 454 and 455.
PP

1 - Yes... I noticed this a short while ago. I've made several changes to the Add New and Edit Event panels, including adding height and moving some style declarations out of the admin functions and into the style.css where they belong. The calendar script... in its original form... had quite a lot of its styles declared within the function scripts themselves, and some still remain within the functions. I will work on moving them out to style.css as time permits and will post update notices at the top of the first install instructions post in this topic.

2 - I noticed that too... they are fixed.

These changes have been added to the online demo and the download ZIP.
« Last Edit: September 21, 2008, 12:43:43 am by Keyrocks »
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #32 on: September 21, 2008, 12:52:38 am »

Keys,
There is another bug when using a db prefix. No events in the event manager and nothing in the calendar.
PP

Yepp... I accidentally missed adding ".db('prefix')." to the query string in function event_list() in events_admin.php.
All good now.

Rui Mendes

  • Development,Testing, Support
  • Hero Member
  • *****
  • Karma: 195
  • Posts: 1009
  • sNews1.7
    • Comunidade Portuguesa
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #33 on: September 21, 2008, 12:58:13 am »

IE7 now works well.

What I did:
1- I modified pop.php and moved it to the root; download pop.php here
2- In snewscal_js.php, replace your first function
Quote
function cal_js() {
global $ev_images_root;
?>
    <script type="text/JavaScript">
    function popupEvent(day, month, year, w, h) {
        var winl = (screen.width - w) / 2;
        var wint = (screen.height - h) / 2;
        var ppath = <?php echo '\''.$ev_images_root.'\''; ?>;

        win = window.open("/"+ppath+"/popup.php?day=" + day + "&month=" + month + "&year=" + year + "", "Calendar", "scrollbars=yes, status=yes, location=no, toolbar=no, menubar=no, directories=no, resizable=yes, width=" + w + ", height=" + h + ", top=" + wint + ", left=" + winl + "");

        if (parseInt(navigator.appVersion) >= 4) { win.window.focus(); }
    }
    </script>
<?php
}

Need a Job on Europe. Linkdin - Facebook / Group

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #34 on: September 21, 2008, 02:22:24 am »

IE7 now works well.
What I did:
1- I modified pop.php and moved it to the root; download pop.php here
2- In snewscal_js.php, replace your first function

OK... I replaced the function in snews_js.php (2) and put your popup.php in the sNews (site) root. The popup shows... "Object not found - 404".

To get the popup.php working from the sNews root... I removed the $ev_images_root from the jscript function. It is no longer needed if the popup.php file is in the root, since its only purpose was to add the calendar folder-name to the path.
<?php

#RUI's New function - with no $ev_images_root variable
function cal_js() {
?>
    <script type="text/JavaScript">
    function popupEvent(day, month, year, w, h) {
        var winl = (screen.width - w) / 2;
        var wint = (screen.height - h) / 2;

        win = window.open("popup.php?day=" + day + "&month=" + month + "&year=" + year + "", "Calendar", "scrollbars=yes, status=yes, location=no, toolbar=no, menubar=no, directories=no, resizable=yes, width=" + w + ", height=" + h + ", top=" + wint + ", left=" + winl + "");

        if (parseInt(navigator.appVersion) >= 4) { win.window.focus(); }
    }
    </script>
<?php
}

?>


And the result is that it works on the Home page... but not on any other page.
Is there some other change that I need to make to have it work as you say it does?

poppoll

  • Full Member
  • ***
  • Karma: 47
  • Posts: 199
    • Poppoll's sNews playground
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #35 on: September 21, 2008, 02:34:29 am »

Keys,
Downloaded the latest calendar.zip and the prefix bug is still there.!
PP

Joost

  • Guest
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #36 on: September 21, 2008, 03:04:02 am »

And..... to make this script safe:

Let's turn this into a small lecture about security:
The script that sends a request to the server to return the event popup can be found in the browser, client side. This implies that anyone with just basic knowledge of JavaScript or HTML forms can change the values (month, day, year) and send these to the server. It is not rocket science: the JavaScript can be changed, or you can create a form that sends a GET request.

Server side, these variables are inserted in a querystring:

$Q = mysql_query(sprintf("SELECT * FROM `events` WHERE `day` = '%s' AND `month` = '%s' AND `year` = '%s';", $_GET['day'], $_GET['month'], $_GET['year']));

As you can see, not one of $_GET['day'], $_GET['month'], $_GET['year'] is sanitized. Just some tweaking is needed to insert a query that retrieves password and username.

Not tested, but something like:

 year="2006'; SELECT * FROM settings WHERE  name != 'bogus' or language='EN"

...might do the trick. This is called SQL injection.

So the values need to be sanitized before sending a query to the database. Of course mysql_real_escape_string can be used here, making the string harmless.
Because the values should be integers (see table columns) you can check whether the values consist of digits. If not, abort the PHP script.
Another way to sanitize, is simply force the values to be integer. Simply prepend the values with (int) like:

   $Q = mysql_query(sprintf("SELECT * FROM `events` WHERE `day` = '%s' AND `month` = '%s' AND `year` = '%s';", (int)$_GET['day'], (int)$_GET['month'], (int)$_GET['year']));

« Last Edit: September 21, 2008, 03:23:28 am by Joost »

Rui Mendes

  • Development,Testing, Support
  • Hero Member
  • *****
  • Karma: 195
  • Posts: 1009
  • sNews1.7
    • Comunidade Portuguesa
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #37 on: September 21, 2008, 03:10:21 am »

OK... I replaced the function in snews_js.php (2) and put your popup.php in the sNews (site) root. The popup shows... "Object not found - 404".
...

With my solution all browsers work fine on localhost, but if you remove the red text it doesn't work (I tried that before)
Quote
var ppath = <?php echo '\''.$ev_images_root.'\''; ?>;
      win = window.open("/"+ppath+"/popup.php?day

What I found is that in IE7 the JavaScript cannot capture the global variables; this happens only in IE7
Quote
win = window.open("<?php echo ''.$ev_images_root.''; ?>/popup.php?day="....

I thought of another solution, .htaccess, but I'm no expert: redirect to the correct URL.
With all browsers except IE7,
http://www.yourdomain.com/category/popup.php ?....
jumps to
http://www.yourdomain.com/popup.php?....
If we could add a line to do this, it would be perfect.


funlw65

  • Hero Member
  • *****
  • Karma: 96
  • Posts: 771
    • Country Lab
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #38 on: September 21, 2008, 02:41:22 pm »

And..... to make this script safe:

Let's turn this into a small lecture about security:
The script that sends a request to the server to return the event popup can be found in the browser, client side. This implies that anyone with just basic knowledge of JavaScript or HTML forms can change the values (month, day, year) and send these to the server. It is not rocket science: the JavaScript can be changed, or you can create a form that sends a GET request.

Server side, these variables are inserted in a querystring:

$Q = mysql_query(sprintf("SELECT * FROM `events` WHERE `day` = '%s' AND `month` = '%s' AND `year` = '%s';", $_GET['day'], $_GET['month'], $_GET['year']));

As you can see, not one of $_GET['day'], $_GET['month'], $_GET['year'] is sanitized. Just some tweaking is needed to insert a query that retrieves password and username.

Not tested, but something like:

 year="2006'; SELECT * FROM settings WHERE  name != 'bogus' or language='EN"

...might do the trick. This is called SQL injection.

So the values need to be sanitized before sending a query to the database. Of course mysql_real_escape_string can be used here, making the string harmless.
Because the values should be integers (see table columns) you can check whether the values consist of digits. If not, abort the PHP script.
Another way to sanitize, is simply force the values to be integer. Simply prepend the values with (int) like:

   $Q = mysql_query(sprintf("SELECT * FROM `events` WHERE `day` = '%s' AND `month` = '%s' AND `year` = '%s';", (int)$_GET['day'], (int)$_GET['month'], (int)$_GET['year']));



Ahhh! I like it soooo much! K+ Joost

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #39 on: September 21, 2008, 05:45:36 pm »

Keys,
Downloaded the latest calendar.zip and the prefix bug is still there.!
PP

You will need to be more specific about the "bug" you are experiencing.
I just downloaded and checked the ZIP and the files are the same as the ones used by the online demo at the moment.
Just to be sure, I did a backup of the online demo dbase and used it to create a prefixed table-set in the same dbase... and the online demo appears to be working fine using the prefix.
- the Event Manager panel shows the list of events in IE7, FF and Opera 9.0
- the Calendar popup shows the event data on any page in FF & Opera 9.0... but ONLY ON HOME in IE7... which has always been the case and Rui and I are working on a solution for that.

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #40 on: September 21, 2008, 06:07:06 pm »

With my solution all browsers work fine on localhost, but if you remove the red text it doesn't work (I tried that before)

OK Rui. Let's walk through this again.
1 - I replaced function cal_js() with your revised function.
2 - I put your new popup.php file in the sNews root.
3 - When I open the Event Popup in IE7, FF and Opera 9.0... I get "Object not found! The requested URL was not found on this server." "Error 404"

The question I have... is the popup.php file supposed to be in the sNews root (same location as snews.php) or still in the calendar folder?
If we move it to the sNews root, then we have to remove /"+ppath+"/ from the win = window.open string so that the path to the popup.php is correct.

The result is that it works this way... on all pages in FF & Opera but ONLY ON HOME in IE7
Is there any other change to be made? to get it to display on ALL PAGES in IE7?
« Last Edit: September 21, 2008, 06:22:06 pm by Keyrocks »
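As an added example (not code from the calendar addon, from Rui or from Keyrocks), the following replacement for cal_js() avoids the problem Rui describes in Reply #37 and Keyrocks reproduces in Reply #40: a relative "popup.php" in window.open() is resolved against the directory of the page being viewed, so on a non-home page the browser asks for /category/popup.php. The example instead builds a root-relative URL from $_SERVER['SCRIPT_NAME'], which under sNews's rewriting is still the front controller (assumed here to be /index.php, or /subdir/index.php for a sub-directory install), and assumes popup.php sits beside it in the sNews root, as in Keyrocks's setup. It also passes the path through json_encode() and the day/month/year values through encodeURIComponent(), so a folder name or a tampered argument cannot break out of the script or the query string. Whether this also changes the IE7-only behaviour reported in the thread is not established here.

```php
<?php
// Added example; not the addon's own cal_js(). Assumes sNews serves pages via
// index.php in the site root (or a sub-directory) and popup.php lives next to it.

// Return a root-relative URL for $file in the same directory as the running script.
// popup_url('/index.php') gives '/popup.php'; popup_url('/blog/index.php') gives '/blog/popup.php'.
function popup_url(string $scriptName, string $file = 'popup.php'): string
{
    // dirname() may return '\' on Windows and '/' for a root install; normalise both.
    $base = rtrim(str_replace('\\', '/', dirname($scriptName)), '/');
    return $base . '/' . $file;
}

function cal_js(): void
{
    // json_encode() emits a valid JavaScript string literal; the HEX flags make
    // sure characters such as <, >, & and quotes cannot terminate the script block.
    $url = json_encode(
        popup_url($_SERVER['SCRIPT_NAME'] ?? '/index.php'),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
?>
<script type="text/javascript">
function popupEvent(day, month, year, w, h) {
    var winl = (screen.width - w) / 2;
    var wint = (screen.height - h) / 2;
    // Root-relative URL, so the current page's directory no longer matters.
    var url = <?php echo $url; ?>
        + '?day=' + encodeURIComponent(day)
        + '&month=' + encodeURIComponent(month)
        + '&year=' + encodeURIComponent(year);
    var win = window.open(url, 'Calendar',
        'scrollbars=yes,status=yes,location=no,toolbar=no,menubar=no,resizable=yes'
        + ',width=' + w + ',height=' + h + ',top=' + wint + ',left=' + winl);
    if (win) { win.focus(); }
}
</script>
<?php
}
```

The server-side popup.php must still validate day, month and year itself; encodeURIComponent() only keeps the URL well formed, it does not make the values trustworthy.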

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #41 on: September 21, 2008, 07:01:15 pm »

And..... to make this script safe:

Another way to sanitize, is simply force the values to be integer. Simply prepend the values with (int) like:

   $Q = mysql_query(sprintf("SELECT * FROM `events` WHERE `day` = '%s' AND `month` = '%s' AND `year` = '%s';", (int)$_GET['day'], (int)$_GET['month'], (int)$_GET['year']));



@ Joost... good point.
I had replaced that query string with a new one a few days back... defining the $_GET values as variables above, then using the variables in place of the values in the string. I'd noticed this approach being used in a few sNews functions already.

Question... does the security issue still exist in the new query (below)?
If so, does adding (int) to the values in the variables above the query string (as shown below) do the trick?
<?php

$day = (int)$_GET['day'];  $month = (int)$_GET['month'];  (int)$year = $_GET['year'];
$Q = mysql_query(sprintf("SELECT * FROM ".db('prefix')."events WHERE day ='$day' AND month ='$month' AND year = '$year'"));

?>


Joost

  • Guest
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #42 on: September 21, 2008, 07:24:09 pm »

Almost correct. There's one typo:

$day = (int)$_GET['day'];  $month = (int)$_GET['month'];  (int)$year = $_GET['year'];

Must be

$day = (int)$_GET['day'];  $month = (int)$_GET['month'];  $year = (int)$_GET['year'];


funlw65

  • Hero Member
  • *****
  • Karma: 96
  • Posts: 771
    • Country Lab
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #43 on: September 21, 2008, 07:25:25 pm »

You can also check them for ranges... year between x and y, ... etc ...

Joost

  • Guest
Re: [ADDON] - sNews Calendar - with Integrated Admin - 1.6
« Reply #44 on: September 21, 2008, 07:34:13 pm »

You can also check them for ranges... year between x and y, ... etc ...

Sure, but why build a service for persons who mess with variables?
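The injection Joost describes in Reply #36, the (int) cast Keyrocks asks about in Reply #41 and the range check funlw65 suggests in Reply #43 are shown together below, as an added example that is not code from the addon or from any of the posters. It runs against an in-memory SQLite database through PDO so it can be executed stand-alone; the addon itself uses mysql_query() against MySQL, but the injection and the fix are the same. The events and settings table names follow the thread; the columns beyond day/month/year, the rows and the attack string are constructed for the example. Joost's (int) cast is sufficient on its own (the payload below would simply become the integer 0 and match nothing); the example goes one step further and rejects any value that is not an integer in a plausible range, and then binds the values as parameters so no request data is ever spliced into SQL text.

```php
<?php
// Added example; not code from the calendar addon or from the thread.
// In-memory SQLite via PDO so it runs anywhere; the pattern is identical for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE events (id INTEGER PRIMARY KEY, day INTEGER, month INTEGER, year INTEGER, title TEXT)");
$db->exec("CREATE TABLE settings (name TEXT, value TEXT)");
// Constructed sample rows.
$db->exec("INSERT INTO events (day, month, year, title) VALUES (21, 9, 2008, 'Calendar bugfix day')");
$db->exec("INSERT INTO settings (name, value) VALUES ('username', 'admin'), ('password', 'hunter2-hash')");

// BEFORE: the query as the thread shows it, request values pasted straight into SQL.
function events_vulnerable(PDO $db, array $get): array
{
    $sql = sprintf(
        "SELECT title FROM events WHERE day = '%s' AND month = '%s' AND year = '%s'",
        $get['day'], $get['month'], $get['year']
    );
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// AFTER: require real integers in a plausible range (funlw65's range check),
// refuse anything else, and pass the values as bound parameters, not as SQL text.
function events_safe(PDO $db, array $get): ?array
{
    $day   = filter_var($get['day']   ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1,    'max_range' => 31]]);
    $month = filter_var($get['month'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1,    'max_range' => 12]]);
    $year  = filter_var($get['year']  ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
    // checkdate() takes (month, day, year) and rejects e.g. 31 February.
    if ($day === false || $month === false || $year === false || !checkdate($month, $day, $year)) {
        return null; // caller should answer 400 Bad Request and stop, as Joost suggests
    }
    $stmt = $db->prepare("SELECT title FROM events WHERE day = ? AND month = ? AND year = ?");
    $stmt->execute([$day, $month, $year]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal = ['day' => '21', 'month' => '9', 'year' => '2008'];
// Constructed payload for the year parameter: closes the quoted value, UNIONs in the
// settings table (one column, to match the outer SELECT) and comments out the rest.
$attack = ['day' => '21', 'month' => '9', 'year' => "x' UNION SELECT name || '=' || value FROM settings -- "];

print_r(events_vulnerable($db, $normal));   // the real event
print_r(events_vulnerable($db, $attack));   // the settings rows, via the UNION
var_dump(events_safe($db, $normal));        // the real event
var_dump(events_safe($db, $attack));        // null: rejected before any SQL is built
```

With mysql_query() the same hardening is the (int) cast plus a range/checkdate() check; if the site can move to mysqli or PDO, the prepared statement removes the need to reason about quoting at all. Keyrocks's variable-interpolated query from Reply #41 is safe once all three variables are cast with (int), as Joost's correction shows, because an integer cannot carry quote characters into the string.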