111
hyperpod
Re: HTTP GET request (i think thats what it is...)
  • 2005/8/11 9:21

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


almost... the only thing that might halt you is I mentioned there needs to be some sanitizing on the GET and POST of $com_itemid, for security.

I only mentioned this in words, the code is up to you... It was already being secured in XOOPS using intval, but you would have to take off the intval()s to get the - to work.


For your specific purpose, it's suggested that you only allow numbers and -



Honestly, if I were you, I wouldn't try this hack without backing up the site files.

It's not exactly straightforward... you really need to be a programmer. I don't recommend it unless you are brave.


The main point is that it IS possible.


take it easy,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



112
hyperpod
Re: HTTP GET request (i think thats what it is...)
  • 2005/8/11 8:29

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


Quote:

...i want comments for the downloads and articles etc, so i guess i would have to add some condition so that it allows comments on any module and request, but if param requests come, to only allow comments if it has numbers after the -

am i making sense?

would u have any idea how i could start? (php is dutch to me!)


completely... the whole value of the XOOPS comments system is that it's already used for news, articles, downloads and many other modules.. and it's best to keep comments in one unified system rather than having each module have its own comments in several different places.

What you mentioned would be the thing to do... it needs to support regular numeric IDs like it already does, so that it works with all other modules, but then, as you mentioned, detect if the com_itemid is called 'param' and if so, require it to contain a - or set it to 0.

would be something like: (after previous mentioned hack)

if ($com_itemName == "param" && !preg_match("/\-/",$com_itemid)) $com_itemid = 0;

something like that...
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



113
hyperpod
Re: HTTP GET request (i think thats what it is...)
  • 2005/8/11 8:04

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


Well, that's certainly possible. You would simply need to hack the XOOPS comments system to allow numbers and - only and then only allow comments when param contains a -

Hacking the core XOOPS is not highly recommended, since it makes upgrades a lot stickier.


If you can use a module like WarDick suggested, then that's a preferred solution over hacking the core.


The hack I mentioned, you would still need to add - support.



Best Regards,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



114
hyperpod
Re: HTTP GET request (i think thats what it is...)
  • 2005/8/11 0:09

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


Are the IDs only numeric with a - in it... do they always look like the example you posted?

If so you might be able to use a variation of the XOOPS comments hack I made last night.

xoops comments hack


For security you should only allow numbers and dashes on any GET or POST of the com_itemid.

Best Regards,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



115
hyperpod
Re: Paid website conversion to Xoops
  • 2005/8/10 22:31

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


I sent you a Private Message... check your inbox :)

Cheers,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



116
hyperpod
Re: Site hacked!
  • 2005/8/10 19:46

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


BTW- it looks like a nice site! :)

I just cannot get into it since I only speak english

But the design is very cool :)


Cheers,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



117
hyperpod
Re: Site hacked!
  • 2005/8/10 19:09

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


Well, number one, until you can identify the exact exploit such as using your access_logs, then you cannot assume that XOOPS is the problem.

You need to look at the access logs around the time your site was hacked.

Also, if you do assume, then assume your server was hacked, not XOOPS.

Once they hack your server, then they can edit stuff like your XOOPS site, but this doesn't mean they got in through XOOPS.


Also, if you are worried about security, then you really need to keep up with the latest version of XOOPS.

At this point, if they did get in through XOOPS, then it would be your fault, for not running the latest stable version (XOOPS 2.0.13a)


Who runs your server? What OS is it? Is it shared hosting?



Good Luck,

_Dan
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



118
hyperpod
Re: Site hacked!
  • 2005/8/10 18:47

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


Well, without any details, it looks like they hacked your server.. not xoops, but this is just a guess...

Also, why don't you ask them? They left their email address for you.


Best Regards,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



119
hyperpod
Re: XOOPS Comments system requires integer :(
  • 2005/8/10 11:45

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


Well I continued on and hacked the XOOPS comments system to add alphanumeric support for the itemid

also found an old thread with two other module developers having this same problem.


Here is the alphanumeric comments hack:

here


Cheers,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List



120
hyperpod
Re: com_itemid
  • 2005/8/10 11:35

  • hyperpod

  • Quite a regular

  • Posts: 359

  • Since: 2004/10/4


wow, old thread :)

I have just run into this same problem.

My module identifies the items with an alphanumeric ID, and I really wanted to use the xoopsComments system.

But was stopped when I found out xoops_comments com_itemid must be a numeric value only.

So I dug more into the XOOPS comments system and changed every part that forces $com_itemid or $item_id to be numeric only.


Here is what I did to hack the comments system to handle alphanumeric instead of only numeric:




-------------------------------------------

1. In comment_new.php, comment_view.php and comment_post.php (make sure to look at the include/ versions of these as well) anywhere you see an intval($com_itemid) or intval($_GET['com_itemid']), take off the intval function. For security, anytime your PHP is grabbing com_itemid from a GET or POST, you should use something like ctype_alnum() to validate the incoming data and set it to 0 if it's not alphanumeric or numeric only.

2. if you see this: if ($com_itemid > 0)
should change to: if ($com_itemid)

3. In the database under table prefix_xoopscomments
edit the field called com_itemid type and change from mediumint(8) to varchar(32)

4. in kernel/comment.php: change this line in function &getByItemId()

$criteria->add(new Criteria('com_itemid', intval($item_id)));

remove the intval function

ditto for function &getCountByItemId()
as well as function &getTopComments()

5. in kernel/comment.php: edit: $this->initVar('com_itemid', XOBJ_DTYPE_INT, 0, false); (around line 73) to be this:

$this->initVar('com_itemid', XOBJ_DTYPE_OTHER, null, true, 32);


and also change these lines in insert() function to this:
(note: changed where it inserts com_itemid with %u to %s and added the single quotes on them. for both insert and update)


// com_itemid is now a string: its placeholder is %s and the value goes through quoteString()
if ($comment->isNew()) {
    $com_id = $this->db->genId('xoopscomments_com_id_seq');
    $sql = sprintf("INSERT INTO %s (com_id, com_pid, com_modid, com_icon, com_title, com_text, com_created, com_modified, com_uid, com_ip, com_sig, com_itemid, com_rootid, com_status, com_exparams, dohtml, dosmiley, doxcode, doimage, dobr) VALUES (%u, %u, %u, %s, %s, %s, %u, %u, %u, %s, %u, %s, %u, %u, %s, %u, %u, %u, %u, %u)", $this->db->prefix('xoopscomments'), $com_id, $com_pid, $com_modid, $this->db->quoteString($com_icon), $this->db->quoteString($com_title), $this->db->quoteString($com_text), $com_created, $com_modified, $com_uid, $this->db->quoteString($com_ip), $com_sig, $this->db->quoteString($com_itemid), $com_rootid, $com_status, $this->db->quoteString($com_exparams), $dohtml, $dosmiley, $doxcode, $doimage, $dobr);
} else {
    $sql = sprintf("UPDATE %s SET com_pid = %u, com_icon = %s, com_title = %s, com_text = %s, com_created = %u, com_modified = %u, com_uid = %u, com_ip = %s, com_sig = %u, com_itemid = %s, com_rootid = %u, com_status = %u, com_exparams = %s, dohtml = %u, dosmiley = %u, doxcode = %u, doimage = %u, dobr = %u WHERE com_id = %u", $this->db->prefix('xoopscomments'), $com_pid, $this->db->quoteString($com_icon), $this->db->quoteString($com_title), $this->db->quoteString($com_text), $com_created, $com_modified, $com_uid, $this->db->quoteString($com_ip), $com_sig, $this->db->quoteString($com_itemid), $com_rootid, $com_status, $this->db->quoteString($com_exparams), $dohtml, $dosmiley, $doxcode, $doimage, $dobr, $com_id);
}





done.
-------------------------------------------




This hack should add alphanumeric support for XOOPS comments com_itemid



Hope this helps someone.


************
Unless XOOPS adds alphanumeric support for comments system itemid, then this will need to be hacked on any site that installs a module that might need alphanum support.


What can we get this into the core? I think it will really improve the current XOOPS comments system, while still being compatible with existing sites.
************



Best Regards,
Daniel Hall / XOOPS Module Development & Theme Design
Free XOOPS Support > My Wish List
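
Added example (not part of the original posts and not XOOPS core code): one way to do the com_itemid validation that step 1 above and the "numbers and - only" replies describe, once intval() has been removed. The function name clean_com_itemid(), the constant and the sample inputs are hypothetical; the 32-character limit is taken from the varchar(32) column in step 3.

```php
<?php
// Added example, not XOOPS core code. All names here are hypothetical.

const COM_ITEMID_MAXLEN = 32; // matches the varchar(32) column from step 3

/**
 * Return a com_itemid that is safe to pass on, or '0' if the input is rejected.
 * $mode 'alnum'  : letters and digits only (the alphanumeric hack).
 * $mode 'dashed' : digits separated by single dashes (the "numbers and -" case).
 */
function clean_com_itemid($raw, string $mode = 'alnum'): string
{
    // Arrays (?com_itemid[]=x) and other non-scalar input are rejected outright.
    if (!is_string($raw) && !is_int($raw)) {
        return '0';
    }
    $value = (string) $raw;
    if ($value === '' || strlen($value) > COM_ITEMID_MAXLEN) {
        return '0';
    }
    if ($mode === 'dashed') {
        // \A and \z anchor the whole string; "$" alone would accept a trailing newline.
        $ok = preg_match('/\A[0-9]+(?:-[0-9]+)*\z/', $value) === 1;
    } else {
        $ok = ctype_alnum($value); // ASCII letters and digits in the default C locale
    }
    return $ok ? $value : '0';
}

// Constructed sample inputs, as they might arrive in $_GET['com_itemid'] or $_POST['com_itemid'].
$samples = [
    ['42', 'alnum'],
    ['abc123', 'alnum'],
    ["abc' OR '1'='1", 'alnum'],
    ['12-345', 'dashed'],
    ["12-345\n", 'dashed'],
    ['12-345 extra', 'dashed'],
    [['x'], 'alnum'],
    [str_repeat('a', 33), 'alnum'],
];

foreach ($samples as [$raw, $mode]) {
    printf("%-7s %-40s => %s\n", $mode, json_encode($raw), clean_com_itemid($raw, $mode));
}
```

A rejected value comes back as the string '0', which PHP treats as false, so the `if ($com_itemid)` test from step 2 still skips it. The accepted value is still a string and still has to go through quoteString() before it reaches SQL, as in step 5.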



