How do I add a new variable in a .TPL file

toastysquirrel
10-09-2006, 04:40 AM
I need a solution to what's bound to be a really simplistic problem. I'm running a php/mysql script on my site and one of the functions it performs is to display a news/text post and dynamically link it to a corresponding image file. If you're thinking "webcomic" you're right on the money. The news posts are formatted according to a .tpl file.

The script itself is Comikaze (http://www.comikaze.org) and I've tried contacting the creator, but I've not heard anything back for quite some time and after several attempts.

The thing I need help with is that I need to insert a link into that .tpl (news_print.tpl) file that will dynamically link from the news post to the corresponding image page. I've discovered that simply inserting PHP into the news_print.tpl file does not work. What I thought I'd do would be to define a new variable that I'd be able to use inside the news_print.tpl file.

Variables that already exist are {NES_AVATAR}, {NEWS_POST}, {NEWS_DATE}, {NEWS_POSTER}, and a few others.

The variable I need is already used by the script elsewhere as $comic_id; the comic rotation/navigation uses it to, well "navigate." However how to turn it into something that news_print.tpl can use... that's what I'm not sure about. I did some serious digging and I found this specific file that looks like it has to do with the news_print.tpl, and is called newsDO.class.php. Inside the code on line #48 begins the following code:
function formatNewsPost($poster,$email,$avatar,$title,$post,$time,$nl2br) {
    $post = $this->nl2brNewsPost($post,$nl2br);
    if (!empty($avatar))
        $avatar = "<img src=\"$avatar\" alt=\"$poster\" border=\"0\" />";
    $replace['{NEWS_POSTER}'] = $poster;
    $replace['{NEWS_EMAIL}'] = $email;
    $replace['{NEWS_AVATAR}'] = $avatar;
    $replace['{NEWS_TITLE}'] = $title;
    $replace['{NEWS_POST}'] = $post;
    $replace['{NEWS_DATE}'] = $time;

    return $this->_common->getTemplate('news_print.tpl', $replace);
}
I thought that if I added $comic_id into the function call on the first line and the $replace['{COMIC_ID}'] = $comic_id; down with the rest that this would allow me to use {COMIC_ID} as a variable within the news_print.tpl file. Unfortunately, all it does when I attempt to use it is spit out this error:
Warning: Missing argument 8 for formatnewspost() in /var/www/html/smcomikaze/includes/classes/newsDO.class.php on line 48
My website is essentially done, this is the last bit of code I need to wedge into it and *poof* off it goes. Once I can get this to work it's keg time!

Thanks to anyone who's taken the time to read this over!
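
A minimal stand-in for the pieces the post describes, added here as an example (this is not Comikaze's own code): a {PLACEHOLDER} template substituted the way getTemplate() appears to work, and a formatNewsPost() that also exposes {COMIC_ID}. The template text, the getTemplate() implementation and the $comicId parameter name are assumptions for illustration. Giving the new parameter a default means callers that have not been updated keep working instead of raising the "Missing argument" warning from the post.

```php
<?php
// Added example, not Comikaze's code. The template below is constructed in
// the {PLACEHOLDER} style of news_print.tpl; getTemplate() and the $comicId
// parameter are assumptions for illustration.

const NEWS_PRINT_TPL = <<<'TPL'
<div class="news">
  <h3><a href="comic.php?id={COMIC_ID}">{NEWS_TITLE}</a></h3>
  <p class="meta">{NEWS_POSTER} on {NEWS_DATE}</p>
  {NEWS_POST}
</div>
TPL;

/** Substitute every {KEY} in $template with its value from $replace. */
function getTemplate(string $template, array $replace): string {
    // strtr() with an array replaces all keys in a single pass, so a value
    // that itself contains "{NEWS_POST}" is not expanded a second time.
    return strtr($template, $replace);
}

/**
 * The extra parameter has a default, so a caller that was not updated
 * still runs instead of triggering "Missing argument 8" (and then a null
 * id), which is the failure described in the thread.
 */
function formatNewsPost(string $poster, string $title, string $post,
                        string $time, ?int $comicId = null): string {
    $replace = [
        '{NEWS_POSTER}' => $poster,
        '{NEWS_TITLE}'  => $title,
        '{NEWS_POST}'   => $post,
        '{NEWS_DATE}'   => $time,
        // The id ends up inside a URL: keep it an integer (0 when unknown).
        '{COMIC_ID}'    => (string) ($comicId ?? 0),
    ];
    return getTemplate(NEWS_PRINT_TPL, $replace);
}

// An updated caller passes the id; an old caller still works.
echo formatNewsPost('toastysquirrel', 'New page!', '<p>Up now.</p>', '2006-10-09', 42), "\n";
echo formatNewsPost('toastysquirrel', 'Old caller', '<p>No id yet.</p>', '2006-10-09'), "\n";
```

The values are inserted into the template as-is, as the original code does; whatever the placeholders receive from user-controlled data still needs HTML escaping before it reaches the page.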

blm126
10-09-2006, 05:03 AM
try adding


global $comic_id;

right after the function call

toastysquirrel
10-09-2006, 05:10 AM
try adding


global $comic_id;

right after the function call

Eek, I'm not exactly sure where you mean; something like:

function formatNewsPost($poster,$email,$avatar,$title,$post,$time,$nl2br) {
    global $comic_id;
    $post = $this->nl2brNewsPost($post,$nl2br);
    if (!empty($avatar))
        $avatar = "<img src=\"$avatar\" alt=\"$poster\" border=\"0\" />";

    $replace['{NEWS_POSTER}'] = $poster;
    $replace['{NEWS_EMAIL}'] = $email;
    $replace['{NEWS_AVATAR}'] = $avatar;
    $replace['{NEWS_TITLE}'] = $title;
    $replace['{NEWS_POST}'] = $post;
    $replace['{NEWS_DATE}'] = $time;

    return $this->_common->getTemplate('news_print.tpl', $replace);
}

Then adding the $replace['{COMIC_ID}'] = $comic_id; in with the rest? :confused:

blm126
10-09-2006, 03:12 PM
Yes, that is what I meant. I didn't see $comic_id defined anywhere so I was thinking it is a global variable.

toastysquirrel
10-09-2006, 06:11 PM
Something about your earlier post stuck in my head last night and then it suddenly hit me: while I was changing the function's definition I had completely neglected to update any of the function calls. Once I updated all the function calls it was nearly working; instead of returning any errors it was simply returning an ID value of null. I looked around at some of the other code in one of the files where the function was being called and rolled the roulette on $comicID instead of $comic_id and it all fell into place perfectly. Every post on every page points to the correct comic.

Thanks for helping to get my gears turning Blm, I totally appreciate it!

AbelaJohnB
10-09-2006, 09:03 PM
toasty,

I'm not sure if this is your code or someone else's... but this line of code is SERIOUSLY at risk of XSS:


$avatar = "<img src=\"$avatar\" alt=\"$poster\" border=\"0\" />";

I am pretty sure that $avatar is a path (of some sort), which would just mean so much joy to hackers.

Going with something like this is going to make your code substantially more secure:


$avatar = '<img src="' . $avatar . '" alt="' . $poster . '" border="0" />';

Also, make sure the $avatar cannot contain sub-paths such as: /../



$avatar = str_replace('../', '', $avatar);
$avatar = '<img src="' . $avatar . '" alt="' . $poster . '" border="0" />';


That would be a good first start to securing this code.

But even if you do not secure the code by checking the path, at least make it so XSS cannot be an issue.

This page ( http://ha.ckers.org/xss.html ) is a great reference when checking/developing your code.

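An added example of what actually neutralizes the attribute-injection risk in the $avatar line discussed above (this is not Comikaze's code and not the code from the post): the quoting style of the PHP string has no effect on the HTML that comes out, so the fix is to HTML-encode every value placed in an attribute and to validate the avatar reference before it is used as a src. The function names, the allowed directory and the sample inputs are assumptions constructed for illustration; the last sample also shows why a single str_replace('../', '') does not remove traversal.

```php
<?php
// Added example, not Comikaze's code. Function names, the avatars directory
// and the sample values below are assumptions constructed for illustration.

// Constructed inputs, not taken from a real site.
$samples = [
    ['avatar' => 'images/avatars/toasty.png',   'poster' => 'toastysquirrel'],
    ['avatar' => 'http://example.com/a.png',    'poster' => 'O"Neil <b>'],
    ['avatar' => '" onerror="alert(1)',         'poster' => 'x'],  // attribute breakout
    ['avatar' => 'javascript:alert(1)',          'poster' => 'x'],  // dangerous scheme
    // "....//" becomes "../" after one str_replace('../', '', ...) pass.
    ['avatar' => 'images/avatars/....//....//etc/passwd', 'poster' => 'x'],
];

/** Encode a value for use inside a double-quoted HTML attribute. */
function attr(string $s): string {
    // ENT_QUOTES encodes both ' and ", which is what stops attribute breakout.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Accept an avatar reference only if it is an http(s) URL or a relative
 * path inside the avatars directory. Returns null for anything else.
 */
function safeAvatarSrc(string $avatar, string $allowedDir = 'images/avatars/'): ?string {
    // Looks like an absolute URL: allow only http/https (rejects javascript:, data:, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $avatar)) {
        $scheme = strtolower((string) parse_url($avatar, PHP_URL_SCHEME));
        return in_array($scheme, ['http', 'https'], true) ? $avatar : null;
    }
    // Relative path: reject NUL bytes, backslashes and any ".." segment
    // outright rather than trying to strip them, then require the prefix.
    if (str_contains($avatar, "\0") || str_contains($avatar, '\\')) {
        return null;
    }
    foreach (explode('/', $avatar) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    return str_starts_with($avatar, $allowedDir) ? $avatar : null;
}

/** Build the <img> tag, or return '' when the avatar is not acceptable. */
function avatarTag(string $avatar, string $poster): string {
    $src = safeAvatarSrc($avatar);
    if ($src === null) {
        return '';
    }
    return '<img src="' . attr($src) . '" alt="' . attr($poster) . '" border="0" />';
}

foreach ($samples as $s) {
    // The original form: raw interpolation, nothing encoded.
    $unsafe = "<img src=\"{$s['avatar']}\" alt=\"{$s['poster']}\" border=\"0\" />";
    echo "unsafe: $unsafe\n";
    echo "safe:   " . (avatarTag($s['avatar'], $s['poster']) ?: '(rejected)') . "\n\n";
}
```

Run it with php from the command line and compare the two lines per sample: the third sample closes the src attribute and adds an onerror handler in the unsafe form but is rejected by the validator (and would be encoded to a harmless literal even if it were allowed through), and the last sample shows that rejecting ".." segments is the check to make, not stripping "../" once.
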
toastysquirrel
10-09-2006, 09:19 PM
Wow, thanks John!

No, in fact the code isn't mine, I'm simply using the script in my website. I plugged in the (first part of the) code you mentioned and everything still works. Working and more secure - a wonderful thing. When I tried the $avatar = str_replace('../', '', $avatar); the page stopped displaying the image. I imagine I'm probably just placing it in the wrong location.

Thanks again for your advice!

AbelaJohnB
10-10-2006, 12:39 AM
Sure thing toasty,

The str_replace() might have caused an error depending on whether your application uses server paths (ie: /var/www/...) or http paths (ie: http://www...) for its avatars. Different applications/developers deal with avatar paths in different ways. The str_replace() is specifically for locally stored avatars (and thus using server paths). Sorry if this screwed up things.

btw, those XSS values (I know there are a lot of them to test) are mostly designed to break SQL queries, however, the theory behind them also applies to getting into a root folder of your server.

Hopefully whoever developed this application knows what they are doing and has thought about xss injections. Lord knows while I was a part of phpBB, we had our fair share of xss issues. Seems people spend more time trying to break code and hacking than they do outside enjoying the nature around them. Oh well.

Again, sorry if my code caused your script to fault.

John

toastysquirrel
10-10-2006, 03:59 PM
It's all good John, truthfully I'm happy that I was able to slip some of it in to be more secure than it was initially. As far as screwing up the code, no big deal at all, nothing a simple CTRL-Z, resave, refresh page didn't fix. :D