think tank forum

ttf development » ttf has revisions! r127

lucas's avatar
16 years ago
link
lucas
i ❤ demo
okay, trunk has an edit feature and an improved archive feature.

in addition, ttf stores all changes to posts, user profiles, and user titles as revisions!

these features must be rigorously tested. if you can join in on the testing, please do. otherwise i'll build some php scripts and brute force some possible vulnerabilities.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
already found a bug:

i tried to add this to the bottom of a post:

/ / \\ \\ \ \ " " ' ' \" \" \' \' hahaha


and it added it fine to ttf_post, and it added this to ttf_revision:
a:2:{i:0;s:6:"124-7.";i:1;s:68:"124+7.

/ / \\ \\ \ \ " " ' ' \" \" \' \' hahaha";}


but when trying to edit the post again, the build HEAD rev isn't correct. it doesn't reflect this last line.
maple's avatar
16 years ago
link
maple
i like large datasets
i noticed if i edit, the old text doesnt show up in the textbox. its just blank. although it looks like you may already have the code in place on line 46-63 of editpost.php but its just commented out.

is that right?
maple's avatar
16 years ago
link
maple
i like large datasets
fucking rad btw
lucas's avatar
16 years ago
link
lucas
i ❤ demo
the old text should show up.. can you give me info to replicate this?
maple's avatar
16 years ago
link
maple
i like large datasets
this is in my test environment, bet everything is setup right (as far as i can tell). i made all the sql changes and what not. im fairly drunk and watching the Stars game so i may be missing somehting. ill check it out.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
haha, okay

obviously the problem lies within clean()ing serialize()d diff()s.

the annoying thing is that when i research this on the web, noone cleans their serialize() strings before putting them into a mysql_query(). but i think the joke's on them--one single quote in the serialized array and their shit is busted.

example:
http://www.devshed.com/c/a/PHP/Working-with-M … -in-PHP/3/
lucas's avatar
16 years ago
link
lucas
i ❤ demo
this seems to be the problem:
http://bugs.php.net/bug.php?id=19945

they say to just run mysql_real_escape_string() on the serialized array, which i am!
maple's avatar
16 years ago
link
maple
i like large datasets
hey when i was trying to fix the cookies the other i found this on the php site. thought it might interest you.

http://us2.php.net/setcookie

"Cookies names can be set as array names and will be available to your PHP scripts as arrays but separate cookies are stored on the users system. Consider explode() to set one cookie with multiple names and values. It is not recommended to use serialize() for this purpose, because it can result in security holes."
lucas's avatar
16 years ago
link
lucas
i ❤ demo
shit.. thanks for the info.

i made a script to check out putting serialized shit into the database. seems to work fine with my example script:

<?php

$dbms_host = "localhost";
$dbms_user = "root";
$dbms_pass = "";
$dbms_db   = "wlw";

header("Content-type: text");

if (!($dbms_cnx = @mysql_connect($dbms_host, $dbms_user, $dbms_pass))) die("connect error");
if (!mysql_select_db($dbms_db)) die("select_db error");
if (!mysql_query("SET NAMES 'utf8'")) die("set names error");
$sql = "CREATE TABLE IF NOT EXISTS `fresh` ( ".
       "    `id` smallint(6) NOT NULL auto_increment, ".
       "    `array` text collate utf8_unicode_ci NOT NULL, ".
       "    PRIMARY KEY  (`id`) ".
       ") ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci";
if (!mysql_query($sql)) die("couldn't create table");

include "../ttf/include_diff.php";

echo "******";
/////////////////////////////////////////////////
$string_a = "my name is larz\r\n\"i am for reelz\"\r\nhere is more / / \\ \\ \\\\ \\\\ \" \" \' \' \\\" \\\" \\\' \\\'\r\ni like the girls with the boom\r\ni once got busy in a burger king bathroom!";
$string_b = "my name is larz\r\ni am for tru\r\n\r\ni like the girls with the boom\r\ni once got busy in a burger king drivethru!";
$diff = serialize(diff($string_a, $string_b));
$patched = patch($string_a, unserialize($diff));
$unpatched = unpatch($string_b, unserialize($diff));
echo "\n\n*string a:*\n\n";
echo $string_a;
echo "\n\n*string b:*\n\n";
echo $string_b;
echo "\n\n*diff:*\n\n";
echo $diff;
echo "\n\n*patched string a:*\n\n";
echo $patched;
echo "\n\n*unpatched string b:*\n\n";
echo $unpatched;
/////////////////////////////////////////////////

$cleandiff = mysql_real_escape_string($diff);
echo "\n\n*clean diff:*\n\n";
echo $cleandiff;

$sql = "INSERT INTO fresh SET array='$cleandiff'";
if (!$result = mysql_query($sql)) die("insert error");
$id = mysql_insert_id();

$sql = "SELECT array FROM fresh WHERE id='$id'";
if (!$result = mysql_query($sql)) die("select error");
list($mysqldiff) = mysql_fetch_row($result);
mysql_free_result($result);

echo "\n\n*mysql diff:*\n\n";
echo $mysqldiff;

$mysqlpatched = patch($string_a, unserialize($mysqldiff));

echo "\n\n*mysql patched string a:*\n\n";
echo $mysqlpatched;

echo "\n\n****** TESTING ******\n\n";

if ($mysqldiff == $diff) {
    echo "original diff and mysql diff ARE identical.\n\n";
} else {
    echo "original diff and mysql diff ARE NOT identical.\n\n";
};

if ($mysqlpatched == $patched) {
    echo "patched string a and mysql patched string a ARE identical.\n\n";
} else {
    echo "patched string a and mysql patched string a ARE NOT identical.\n\n";
};

if (is_array(unserialize($diff))) {
    echo "original diff WAS serialized into an array.\n\n";
} else {
    echo "original diff WAS NOT serialized into an array.\n\n";
};

if (is_array(unserialize($mysqldiff))) {
    echo "mysql diff WAS serialized into an array.\n\n";
} else {
    echo "mysql diff WAS NOT serialized into an array.\n\n";
};

mysql_close();

?>
lucas's avatar
16 years ago
link
lucas
i ❤ demo
it gives me these results, btw:

original diff and mysql diff ARE identical.

patched string a and mysql patched string a ARE identical.

original diff WAS serialized into an array.

mysql diff WAS serialized into an array.

lucas's avatar
16 years ago
link
lucas
i ❤ demo
MAGIC QUOTES! BLAST!
lucas's avatar
16 years ago
link
lucas
i ❤ demo
YES! it runs like a champ!

now i just gotta try to break it with UTF-8.

god, i hope multibyte characters don't break it.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
i've been trying to break it with multibyte characters, and i can't.

i think we're good. amazing.
phi_'s avatar
16 years ago
link
phi_
... and let the Earth be silent after ye.
Amazing! I'm lovin' it.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
okay, r130 cleans it all up and gets it working.

still need one more commit with the following:
=> outputbody() preformatting
=> revision.php to browse item history
=> versioning for forum taglines

one of the best things about versioning is that post formatting will be stored in ttf_post. so whe you view a thread, it doesn't have to format all those posts on the fly. nny will love this because he can then easily add code to his posts without it being run through a formatting function.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
got most of revision.php done (it just needs diff highlighting):
http://www.thinktankforums.com/images/rev_thread.png
http://www.thinktankforums.com/images/rev_post.png
http://www.thinktankforums.com/images/rev_title.png

i'm scared to put this feature up live. it means mangling the database considerably.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
r134 adds:
=> outputbody() preformatting
=> revision.php to browse item history

remaining work:
=> highlighting in revision.php

it's looking really good and stable. utf-8 still worries me, though.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
i just busted it with utf-8. man, this is NOT going to be fun to debug.
lucas's avatar
16 years ago
link
lucas
i ❤ demo
here's how to replicate:

1. create a post with text in it ("blah blah").

2. edit the post and add this utf box to the end:
╔══════════╗
║          ║
║ box time ║
║          ║
╚══════════╝


3. edit it again and take out some of the box characters.

4. edit it again--it shouldn't let you ("patching error").

it seems that each of those box drawing characters are the size of 5 ascii characters. larz gotta learn up on utf, now:
http://www.php.net/mbstring
lucas's avatar
16 years ago
link
lucas
i ❤ demo
one of the multi byte safe functions that php lacks is serialize/unserialize.
http://bugs.php.net/bug.php?id=40080

this might take a while, now.
dannyp's avatar
13 years ago
link
dannyp
dʎuuɐp
Wondering if anyone considered commenting for revisions? With wiki's and most other versioning systems allow a comment to be either invisible on display or a separate comments field in the version history.

I know it would be useful to note what revision was made!
lucas's avatar
13 years ago
link
lucas
i ❤ demo
yeah, i like the idea. i don't know how often it would be used, though.