Firefox PHP

<b>[code] Who's Online</b>

Posted by <b>Vulpes</b> 
Sune
Re: &lt;b&gt;[code] Who's Online&lt;/b&gt;
February 04, 2004 08:35PM
I use it with joy on 3.4.4 but i'm missing a small feature. How would I go about also showing the IP if the person looking were a Moderator??
Sune
Re: &lt;b&gt;[code] Who's Online&lt;/b&gt;
February 04, 2004 10:13PM
I found out myself. In the file whoisonline.php you must correct the following lines.

After the line;
<TD><FONT color="<?PHP echo $table_header_font_color; ?>" nowrap>Name</FONT></TD>

you insert;
<? if(!empty($phorum_user['moderator'])){ ?>
<TD><FONT color="<?PHP echo $table_header_font_color; ?>" nowrap>IP</FONT></TD>
<? } ?>

and then you replace;
echo "<td nowrap bgcolor=$cell_color_1>$rec[username]</td><td width=\"100%\">$rec[forum]</td>";

wiht;
if(!empty($phorum_user['moderator'])){
echo "<td nowrap bgcolor=$cell_color_1>$rec[ip]</td>";
}
echo "<td width=\"100%\">$rec[forum]</td>";
Re: [code] Who's Online
March 05, 2004 01:44AM
I don't have guest on my forum but when people are looking at the forum they always been marked like guest.
hey,

nice script, it worked out in 3.2.3, but now i have 3.4.6 and it does not show the username very often. its just blank... : [www.swedengate.de]

anyone with an idea ?
thanks, christoph
Security Issue !
May 21, 2004 11:29PM
There's a security issue with this script.

The time you log in, phorum stores your account name and encrypted password in the URL. If you don't have cookies enabled, this data is encoded in the URL the whole time you use phorum.
The Who's Online Script shows links regardless of any sensitive account data within the url. Risk is that another user may access the board with the same rights as the compromised user.

There's a quick solution to this: The $REQUEST_URI must be filtered.

Sample code (quick'n dirty):
--------------------
// Reverse search of strrchr.
// Phorum Request URI is coded in a way like:
// .../read.php?f=4&i=39186&t=38996&phorum_uriauth=.... (f, i, t, phorum_uriauth)
// Authentification variable is the rightmost part and can be easily cut off

function strrrchr($haystack,$needle)
{
// Returns everything before $needle (inclusive).
return substr($haystack,0,strpos($haystack,$needle));
}

// defines new variable $uri
$uri = $REQUEST_URI;

// Checks for Passwordinfo in URI
if (strstr ($uri, "&phorum_uriauth") != FALSE){
// Removes critical part
$uri = strrrchr ($uri, "&phorum_uriauth");
}
$pagename=get_location($PHP_SELF,$uri,$title,$ForumName);
------------------

I am sure there are more elegant or effective solutions. But this should work and provide a quick fix.
Re: [code] Who's Online
June 03, 2004 10:44PM
I have the same problem for a few weeks now.
It worked well before, but now...?!

Anything to do with the cookies?!
Hi all,

I really like this hack and used it for some time in previous version of phorum. Now I upgraded it to latest 3.4.8a version and the who's online hack seemed to stop working. As you write, all I saw was list of Guests. I have modified callscript.php so it does'n use cookies anymore and I made some more modifications (it doesnt show the link to the who is online table to non logged visitors).

Enjoy, Rossez

Here is the callscript.php code (may be a bit dirty):
---------------------------------
<?
if(strlen($phorum_user['id'])>0){
$whoisuser="<a href=\"profile.php?id=$phorum_user[id]\" class=\"topmed\">$phorum_user[name]</a>";
}else{
$whoisuser="Guest";
}
$IP=$REMOTE_ADDR;
?>
<br>
<?
if ($whoisuser!="Guest") {
echo "Logged as ".$whoisuser." :: <a href=\"whoisonline.php?f=".$f."\" class='topmed'>Who's Online</a>";
} else {
echo "Welcome Guest";
}
?>
<?PHP
$ssql="SELECT username FROM whosonline where ip='record'";
$q->query($DB, $ssql);
$record=$q->getrow();
$pagename=get_location($PHP_SELF,$REQUEST_URI,$title,$ForumName);
$justlogged = strpos($pagename, "phorum_uriauth=");
if ($justlogged>0){$pagename="";}
if ($whoisuser!="Guest") {
echo "<font color =white>(".get_whosonline($IP, $whoisuser, $pagename)." now/".$record['username']." max)";
} else {
echo "<font color =white> :: ".get_whosonline($IP, $whoisuser, $pagename)." users online (".$record['username']." max)";
}
?>
</font>
Rossez
Security issue...
June 05, 2004 03:13PM
Oh I forgot to mention that the modification of callscript.php (above) solves the security hole with just logged users sessions.
Great (dirty:) work,
all fine again!!
keyo
Re: &lt;b&gt;[code] Who's Online&lt;/b&gt;
June 10, 2004 11:57PM
that last hack is great, but how do i make it so that the whoisonline shows the peoples usernames and not their 'real' names, thanks!
I may answer.
The usernem is saved in a field in the database called 'username'

just replace name -> username here
$phorum_user[name] -> $phorum_user[username]
keyo
Re: &lt;b&gt;[code] Who's Online&lt;/b&gt;
June 15, 2004 01:24AM
cheers kicker rock, that did the trick!
Sorry, you do not have permission to post/reply in this forum.