May 30, 2011

security issue with regular expressions

Ok, Yii fixed its security issue with regular expressions in validators that I was worried about.

It turns out that serious PHP applications use regular expressions as a tool for checking user input without paying attention to the documented limitations.

Everyone around talks about SQL injection, but when it comes to regular expressions, you have to explain the problem even to the authors of the framework.

In fact, I like how Qiang closes bugs in Yii within minutes; the hard part is getting him to notice them :)

May 10, 2011

XenForo integration

Hi, here I will share some ideas on how to integrate XenForo with a custom PHP web site.

A few words about the XenForo internal structure.
It has its own MVC framework, using selected modules from Zend Framework.
It does not follow any coding standards. You can find SQL in controllers and lots of undocumented functions. It is a big heap of garbage with lots of hidden rocks.

It uses the vBulletin approach for templates and CSS. The templates use an XML-based markup and reside in the database. When XenForo shows a page, it fetches the templates from the database, compiles them into native PHP/XML code and executes that with eval().
This makes it hard to debug and to find which template contains the required part of the page, but it allows editing the templates from the forum admin area.
Same with CSS. When the page loads, it fetches all styles for the page from the database, merges them and sends them to the browser in a single request.

In addition to templates, XenForo has helpers, an idea borrowed from ZF. Helpers are PHP scripts with HTML that render some parts of the pages, but they reside in files, not in the DB.

The first thing that helps you learn more about the database calls and the files included is to add the line "$config['debug'] = 1;" to library/config.php and then call the page of your interest with the GET parameter ?_debug=1. Keep in mind that this output is shown to whoever requests the page with that parameter, so enable it only on a copy of the forum that is not publicly reachable.

Let's assume the forum is installed in the folder "forum" of our application.
The XenForo framework is initialized by 3 lines (the first two register its autoloader, the third initializes the application; use absolute paths so the bootstrap does not depend on the current working directory):

require __DIR__ . '/forum/library/XenForo/Autoloader.php';
XenForo_Autoloader::getInstance()->setupAutoloader(__DIR__ . '/forum/library');
XenForo_Application::initialize(__DIR__ . '/forum/library', __DIR__ . '/forum');

You can see these lines in the entry script of the forum (forum/index.php).

Our first task is to integrate sessions, that is, to make the forum recognize the visitor.
In XenForo the sessions are stored in the database, in the table xf_session. It does not use internal PHP sessions at all.
The forum operates with sessions through the XenForo_Session class (library/XenForo/Session.php).
The easiest way to activate and update a session is to call

$session = new XenForo_Session();
$session->save();

The call to "save()" is required to update the timestamp of the last user activity, because the session is checked for the delay before being opened (in the "where" clause of the query).

To set the user ID of the session you can call $session->changeUserId(1); (here 1 is just an example user ID; in a real integration the value must come from your own application's authentication state, never from the request).
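Putting the steps above together, here is an added example (my own code, not code from the post or from XenForo) of a small bootstrap script that initializes XenForo from a custom application and binds the forum session to the user the application has already authenticated. The forum location ("forum/" next to the script), the helper name syncForumSession and the $app object in the usage comment are assumptions; the XenForo calls are the ones discussed above.

```php
<?php
// Added example (not code from the post or from XenForo): bootstrap XenForo
// from a custom PHP application and bind the forum session to the user the
// application has already authenticated. Paths and the helper name are assumed;
// the forum is assumed to live in "forum/" next to this script.

// Bootstrap XenForo: register its autoloader, then initialize the application.
// These are the same calls forum/index.php makes; only the paths differ.
$forumDir = __DIR__ . '/forum';
require $forumDir . '/library/XenForo/Autoloader.php';
XenForo_Autoloader::getInstance()->setupAutoloader($forumDir . '/library');
XenForo_Application::initialize($forumDir . '/library', $forumDir);

/**
 * Open the XenForo session for the current visitor and, when the application
 * has an authenticated user, bind the session to that user's forum user ID.
 *
 * $forumUserId must come from the application's own authentication state
 * (its session, a verified token, ...), never from request parameters:
 * whoever can choose this value becomes that forum user.
 *
 * @param int|null $forumUserId forum user ID of the authenticated user, or null for a guest
 * @return XenForo_Session
 */
function syncForumSession($forumUserId = null)
{
    $session = new XenForo_Session();

    if ($forumUserId !== null) {
        // Accept only a positive integer; anything else is a bug upstream.
        if (!is_int($forumUserId) || $forumUserId < 1) {
            throw new InvalidArgumentException('forum user id must be a positive integer');
        }
        $session->changeUserId($forumUserId);
    }

    // save() writes the row in xf_session and refreshes the last-activity
    // timestamp; without it the session is treated as stale and not reopened.
    $session->save();

    return $session;
}

// Usage (assumed: $app holds your application's auth state and the mapping
// from application users to forum user IDs):
// $session = syncForumSession($app->isLoggedIn() ? $app->forumUserId() : null);
```

The mapping between application users and forum user IDs lives on the application side; the forum only learns the ID through changeUserId(), so that mapping is the one place where the integration decides who the visitor is.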

(to be continued)