character conversion -- what function is this??

**blm126** · 09-24-2006, 03:59 AM

grep is a *nix command. It uses regular expressions I believe. You can probably get a version for Mac. Also some code editors provide a similiar tool(mine does).

**djr33** · 09-24-2006, 04:22 AM

What does it do, and how would I go about using it?
I use both mac and pc (windows, not linux, sorry), by the way.

EDIT: Ok, got that answer with google... it searches for stuff that matches a string. Cool.
However, not sure how to run it on the server. The code you gave, Twey, isn't php and gives an error. Is there another way to run that on my server?

**djr33** · 09-24-2006, 06:20 AM

Well, alright. I did some more searching, and I've found the part where it's converted. That's the good news. The bad news is that it's not just a function, but rather a search and replace and a complex one at that.

If you can help me figure out what this does, and immitate it on a smaller scale for a password, that would be great.

On the index.php page, before anything else, there is this line:

PHP Code:


$ibforums->input      = $std->parse_incoming();

Which calls the function parse_incoming() found on functions.php:

PHP Code:


/*-------------------------------------------------------------------------*/
    // Makes incoming info "safe"              
    /*-------------------------------------------------------------------------*/
    
    function parse_incoming()
    {
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_CLIENT_IP, $REQUEST_METHOD, $REMOTE_ADDR, $HTTP_PROXY_USER, $HTTP_X_FORWARDED_FOR;
        $return = array();
        
        if( is_array($HTTP_GET_VARS) )
        {
            while( list($k, $v) = each($HTTP_GET_VARS) )
            {
                if( is_array($HTTP_GET_VARS[$k]) )
                {
                    while( list($k2, $v2) = each($HTTP_GET_VARS[$k]) )
                    {
                        $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                    }
                }
                else
                {
                    $return[$k] = $this->clean_value($v);
                }
            }
        }
        
        // Overwrite GET data with post data
        
        if( is_array($HTTP_POST_VARS) )
        {
            while( list($k, $v) = each($HTTP_POST_VARS) )
            {
                if ( is_array($HTTP_POST_VARS[$k]) )
                {
                    while( list($k2, $v2) = each($HTTP_POST_VARS[$k]) )
                    {
                        $return[$k][ $this->clean_key($k2) ] = $this->clean_value($v2);
                    }
                }
                else
                {
                    $return[$k] = $this->clean_value($v);
                }
            }
        }
        
        //----------------------------------------
        // Sort out the accessing IP
        // (Thanks to Cosmos and schickb)
        //----------------------------------------
        
        $addrs = array();
        
        foreach( array_reverse( explode( ',', $HTTP_X_FORWARDED_FOR ) ) as $x_f )
        {
            $x_f = trim($x_f);
            
            if ( preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $x_f ) )
            {
                $addrs[] = $x_f;
            }
        }
        
        $addrs[] = $_SERVER['REMOTE_ADDR'];
        $addrs[] = $HTTP_PROXY_USER;
        $addrs[] = $REMOTE_ADDR;
        
        //header("Content-type: text/plain"); print_r($addrs); print $_SERVER['HTTP_X_FORWARDED_FOR']; exit();
        
        $return['IP_ADDRESS'] = $this->select_var( $addrs );
                                                 
        // Make sure we take a valid IP address
        
        $return['IP_ADDRESS'] = preg_replace( "/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/", "\\1.\\2.\\3.\\4", $return['IP_ADDRESS'] );
        
        $return['request_method'] = ( $_SERVER['REQUEST_METHOD'] != "" ) ? strtolower($_SERVER['REQUEST_METHOD']) : strtolower($REQUEST_METHOD);
        
        return $return;
    }

That, as is shown in the first line of code, is then the value in $index.

Now, in Usercp.php, where the actual password change is executed,

PHP Code:


$pass = trim($ibforums->input['pass']);
//lines ommitted
$md5_pass = md5($pass);
//insert into database, etc.

So, what I need is to be able to immitate this.

I know that the parse_incoming() function takes all incoming data-- get, post, cookies, sessions, etc.-- and converts it to a "safe" format. I also understand that it returns this as an array, which is later stored into the $ibforums->input array.

I need to do the same conversion, but with a value, $password, instead of all incoming data, and return the "safe" version of that $password.

Thanks for any help.

Among other things, one thing I really don't understand is preg_replace()... what is this? It replaces based on patterns, as it says on php.net, but how the heck does the first parameter work?

Also, if any of the functions in the parse_incoming() function aren't standard, I can find them for you in the source of one of the pages. I haven't checked all of them yet.

EDIT: Ok, as I thought, some of those are custom functions. Here's one--

PHP Code:


function clean_value($val)
    {
        global $ibforums;
        
        if ($val == "")
        {
            return "";
        }
        
        $val = str_replace( " ", " ", $val );
        
        if ( $ibforums->vars['strip_space_chr'] )
        {
            $val = str_replace( chr(0xCA), "", $val );  //Remove sneaky spaces
        }
        
        $val = str_replace( "&"            , "&amp;"         , $val );
        $val = str_replace( "<!--"         , "<!--"  , $val );
        $val = str_replace( "-->"          , "-->"       , $val );
        $val = preg_replace( "/<script/i"  , "<script"   , $val );
        $val = str_replace( ">"            , "&gt;"          , $val );
        $val = str_replace( "<"            , "&lt;"          , $val );
        $val = str_replace( "\""           , "&quot;"        , $val );
        $val = preg_replace( "/\n/"        , "<br>"          , $val ); // Convert literal newlines
        $val = preg_replace( "/\\\$/"      , "$"        , $val );
        $val = preg_replace( "/\r/"        , ""              , $val ); // Remove literal carriage returns
        $val = str_replace( "!"            , "!"         , $val );
        $val = str_replace( "'"            , "'"         , $val ); // IMPORTANT: It helps to increase sql query safety.
        
        // Ensure unicode chars are OK
        
        if ( $this->allow_unicode )
        {
            $val = preg_replace("/&amp;#([0-9]+);/s", "&#\\1;", $val );
        }
        
        // Strip slashes if not already done so.
        
        if ( $this->get_magic_quotes )
        {
            $val = stripslashes($val);
        }
        
        // Swop user inputted backslashes
        
        $val = preg_replace( "/\\\(?!&amp;#|\?#)/", "\", $val ); 
        
        return $val;
    }

**blm126** · 09-24-2006, 06:26 AM

$std->clean_value That is the function doing the real work.You can ignore the regular expressions(preg_*) for what you want.

**djr33** · 09-24-2006, 06:33 AM

Ok, right. Sorry, for some reason, I thought there was more to the parse_incoming function.

As for clean_value, how can I ignore the preg_replace functions? They're doing a lot, right? I just don't quite understand what they're doing....

**blm126** · 09-24-2006, 12:19 PM

in clean value, yes the preg_replace functions are important, but in parse_incoming they just validate the IP address. If you are connecting the to the forum software just use that function(by passing in the values to check) if not copy and paste to the rescue. Remeber though you should handle slashes yourself and remove that part from the function, and probably the unicode part also.

**djr33** · 09-24-2006, 01:08 PM

I can just copy the function. That's easy. But I'd also like to know what it's doing (mainly the preg_replace, but, I've looked at the other thread about regular expressions, and I'm beginning to understand).

Right, I meant the preg_replace functions in clean_value.

As for slashes/unicode.... wouldn't I need those for it to match? The password needs to match the password on the forum, so it would need those parts, I'd think.

I guess at this point, I get what's going on, but just wanted to check because I don't know what is going on in some of that function, to be sure it wasn't doing anything I wouldn't expect (though not sure what that would be).

Thanks.

**blm126** · 09-24-2006, 02:55 PM

Yes you do need to handle slashes/unicode the same way,but you won't have access to the config variables to check so you may need to hardcode what it should do.

**djr33** · 09-24-2006, 09:44 PM

Ah, ok, right.

Thanks.

**djr33** · 10-04-2006, 03:27 AM

$val = preg_replace( "/\\\(?!&#|\?#)/", "\", $val );

How is this line valid? "\" means escape the quote... so the string would never end... right???

EDIT: Nevermind. The board is stripping things from the code. Now I get it.

Thread: character conversion -- what function is this??

Thread Tools

Search Thread

Bookmarks

Bookmarks

Posting Permissions