Quick Tutorial

This quick tutorial will help any mod writer code in such a way that all essential YaBB routines and security checks are used and variables are passed in the correct way.

File Handling

Most functions in YaBB include some form of file handling, such as reading, writing or appending to a file.
As YaBB was written as a multi-user BBS, you can imagine that the same file can be touched or opened by several users at the same time.
To prevent file corruption when files are written or opened simultaneously, YaBB uses its own file-locking subroutine.
So instead of using open and close you should use fopen and fclose in your mod, invoking the file handling with the proper locking.
Also be aware that if you create new files which are linked to a user, you should also add routines to delete these files if the user is deleted.
Don't forget the admin power options for user deletion!
So there is more than one place where the unlink command is used.
Check this thread for all the places files are deleted!
(thanks Shoeb for pointing this out to me)

Calling your new subroutines/functions

If your function is just a "blind" routine not fed by any user input in URLs or forms, the proper way to call it is simply &yourroutine;.
Any other function/routine to which variables are passed, for whatever reason, should be called using the action= command so that it is controlled from the YaBB main script. Calling these kinds of routines directly is a bad thing, as the readform security check is bypassed, making them vulnerable to flooding or hacking.

Passing Variables to a script

Variables are passed to scripts in two ways, and each needs a different approach for reading the variables in the handling script.

1. Through url hyperlinks on the screen (GET)

Normally written like
<a href="$cgi;action=$someaction;variable=$variable....">action text</a>
The script called is based on the value of action=, and YaBB.pl/cgi will redirect to the correct pl/subroutine.
The variables passed should be read using the $INFO variable, like
my $variable = $INFO{'variable'};

2. Through form input fields on the screen (POST)

Normally written like
<form action="$cgi;action=$someaction;variable=$variable...." method="POST"> ... your form ...</form>
The script called is based on the value of action=, and YaBB.pl/cgi will redirect to the correct pl/subroutine.
The variables passed should be read using the $FORM variable, like
my $variable = $FORM{'variable'};

If you mix up these two variables and use the latest security fix, the variables will NOT be passed and your code will not work!
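
The routing and the two input hashes described above, as an added stand-alone Perl sketch (not YaBB's own code): parse_pairs, dispatch, the %ACTIONS table, the action names and the sample requests are all constructed for illustration. It shows a handler getting nothing when it reads the wrong hash, and an unlisted routine being refused by the central dispatcher.

```perl
#!/usr/bin/perl
# Added illustration, not YaBB source. parse_pairs, dispatch, %ACTIONS and
# the note handlers are hypothetical names; the requests are constructed.
use strict;
use warnings;

our (%INFO, %FORM);    # %INFO holds URL (GET) data, %FORM holds form (POST) data

# Decode "key=value" pairs separated by ';' or '&' into a hash.
sub parse_pairs {
    my ($raw) = @_;
    my %out;
    for my $pair (split /[;&]/, $raw // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v //= '';
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge; }
        $out{$k} = $v;
    }
    return %out;
}

# Only routines listed here can be reached through action=.
my %ACTIONS = (
    shownote => \&show_note,    # reads URL data
    savenote => \&save_note,    # reads form data
);

sub show_note { return "show id=" . ($INFO{'id'} // '(missing)') }
sub save_note { return "save text=" . ($FORM{'text'} // '(missing)') }

# Central entry point: fill each hash from its own source, then dispatch.
sub dispatch {
    my ($query_string, $post_body) = @_;
    %INFO = parse_pairs($query_string);
    %FORM = parse_pairs($post_body);
    my $action  = $INFO{'action'} // '';
    my $handler = $ACTIONS{$action}
        or return "refused: unknown action";
    return $handler->();
}

# Constructed sample requests: (query string, POST body).
print dispatch('action=shownote;id=42', ''), "\n";
print dispatch('action=savenote', 'text=hello+world'), "\n";
# Value sent in the URL while the handler reads %FORM: nothing arrives.
print dispatch('action=savenote;text=via+url', ''), "\n";
# A routine that is not in the table cannot be invoked at all.
print dispatch('action=yourroutine', ''), "\n";
```
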

The use of proper html 4.01 in your code

As SP1.1 itself already has quite a few html 4.01 incompatibilities, the use of html 4.01 compliant code is a big plus!
This means that html tags are never in caps, so it's
<br>, <hr>, <form...
and NOT
<BR>, <HR> and <FORM...
Things like <select> options should be closed like this:
<option>Your option</option>
All variables/actions inside an html tag should be inside double quotes, so it's
type="input", name="username"
or
name="$username"
if you have dynamic variables inside the html.
If you have trouble with double quotes interfering, try
$yymain .= qq~<your html with "vars..">~;
instead of
$yymain .= "<yourhtml with 'vars...'>";
as single quotes are not fully compliant with html 4.01 (although they do work in most browsers).
Especially border, width, size, cellspacing and cellpadding are often written without double quotes in table definitions.
So it's
border="0", cellpadding="4", cellspacing="1", width="100%", size="1".

One last hint!
Try to use percentage widths in tables so your output adapts more easily to other screen resolutions.