This is a read-only archive of the old Scratch 1.x Forums.

#326 2012-05-24 03:36:01

sparks
Community Moderator
Registered: 2008-11-05
Posts: 1000+

Re: Block Files

Thanks, Rookwood. Code security is something I've never really looked into. I'm too trusting by half :P

@blob8108: You should be able to log in to the admin page on the library site now :) And don't worry, the work is very informal, people do what they can and spend what time they wish on it so no sweat if you can't do much!

I made the changes you suggest but the code still seems to give the same error.

You can now view and change the code for remoteBlockUploader.php on the site, but here's the code for everyone else too:

Code:

<?php
/*
<name>
remoteBlockUploader.php
</name>
<created>
created: 20 May 2012
</created>
<function>
Allows Dreamod's block mod to connect and upload blocks
</function>
<contributors>
sparks
</contributors>
*/

/*
* *** CHANGELOG ***
* Add your name, the date and time (including timezone!), and a short description of your changes
* at the top of the list here each time you modify this file so that the changes can be tracked.
* Don't forget to add your name to the contributors list above if it isn't there already!
* Example:
* - Changed something - NoOne, 1/1/70 00:00 GMT

* - added page to editable pages list. Currently this code always gives the error "SQLConnectionError" - Sparks, 21/5/12 10:40 GMT

* - added missing mysql_query($query) and added real escaping to query strings. The code still gives a connection error - Sparks 24/5/12 8:47 GMT
*/

include("connect.php"); //connect to the SQL database
if(isset($_POST['username']) && isset ($_POST['password']) && isset($_POST['comment']) && isset($_POST['block'])){     //check to make sure that all required variables are being received.
    $usernameStatus = trim(file_get_contents("http://scratch.mit.edu/api/authenticateuser?username=" . $_POST['username'] . "&password=" . $_POST['password'])); //use the Scratch API to determine the username and password status.
    if($usernameStatus  != 'false'){ //check to make sure that the username exists and the password is correct.
    $username = mysql_real_escape_string($_POST['username']);
    $comment = mysql_real_escape_string($_POST['comment']);
        ###############################################################
        //PARSE DATA FROM BLOCK FILE
        $code = mysql_real_escape_string($_POST['block']);
        $startPos = strpos($code, "getNewestBlock") + 22; //locate the spec within the block file
        $loopCount = 0;
        while ($loopCount < 4){
            $startPos = strpos ($code, "'", $startPos + 1);
            $loopCount ++;
        }
        $category = substr($code, $startPos + 1, strlen($code) - $startPos + 1);
        $carryOnCode = $category;
        $endPos = strpos($category, "'");
        $category = substr($category, 0, $endPos);
        #######category gained##############
        $loopCount = 0;
        while ($loopCount < 4){
            $startPos = strpos ($code, "'", $startPos + 1);
            $loopCount ++;
        }
        $blockSpec = substr($code, $startPos + 1, strlen($code) - $startPos + 1);
        $carryOnCode = $blockSpec;
        $endPos = strpos($blockSpec, "'");
        $blockSpec = substr($blockSpec, 0, $endPos);
        #####blockspec gained.#################
        $startPos = strpos($carryOnCode, "#") + 1;
        $type = substr($carryOnCode, $startPos, 1);
        ####type gained#####################
        
        ##############################################################
        //check whether the blockspec already exists
        $result = mysql_query("SELECT * FROM `blocks` WHERE name = '$blockspec' LIMIT 1;");
        $exists = mysql_num_rows($result) > 0;
        if($exists){ //if the block already exists
            echo "blockAlreadyExists"; //echo a "block already exists" message.
        }
        if(!$exists){ //if the block doesn't exists yet, add it.
            $query = "INSERT INTO `blocks` VALUES ('', '$blockSpec', '$type', 'category', '$code', '$username', '$username', '$comment', 'unapproved', '', 'Scratch')"; //insert block values for id, spec, type, category, code, creator, sharer, comment, status, application.
            mysql_query($query);
        }
        //due to the terrible SQL connection, the code now checks the database to see if the block has appeared.
        $result = mysql_query("SELECT * FROM `blocks` WHERE name = '$blockspec' LIMIT 1;");
        $exists = mysql_num_rows($result) > 0;
        if($exists){ //the block was added
         echo "success"; //echo a success message;
        }
        if(!$exists){ //if the block can't be found,
            echo "SQLConnectionError"; //echo an SQL connection error,
        }
        
    }
    if($usernameStatus == 'false'){ //there's a problem with the username or password!
        echo "wrongUsernameOrPass"; //echo a "wrong username or password" message.
    }
}
else{ //one or more required variables are missing from the action!
    echo "missingArgs"; //echo a "missing arguments" message.
}
?>

Last edited by sparks (2012-05-24 03:48:49)



Offline
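
Added example, not sparks's code or the library site's: the existence check and insert from the script above rewritten with PDO prepared statements and named columns, and the login URL built with `http_build_query` instead of string concatenation. It also sidesteps two slips visible in the posted script, the `$blockspec`/`$blockSpec` case mismatch (PHP variable names are case-sensitive) and the literal `'category'` in the INSERT. Assumptions: an in-memory SQLite table replaces the real `blocks` table, its columns follow the fields listed later in the thread, and the UNIQUE constraint on `name` is hypothetical.

```php
<?php
// Added example; not the library site's code. SQLite in memory stands in for
// the MySQL `blocks` table, and the column names are assumed from this thread.

// Percent-encode each value so '&' or '#' in a password cannot add or cut
// query parameters in the authentication request.
function buildAuthUrl(string $username, string $password): string
{
    $query = http_build_query(
        ['username' => $username, 'password' => $password],
        '', '&', PHP_QUERY_RFC3986
    );
    return 'http://scratch.mit.edu/api/authenticateuser?' . $query;
}

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blocks (
        id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE,
        type TEXT, category TEXT, code TEXT, creator TEXT, sharer TEXT,
        comment TEXT, status TEXT, colour TEXT, application TEXT)');
    return $db;
}

// Values are bound as parameters, so quotes in a block file or comment are
// stored as data. Naming the columns keeps name and category from swapping.
function storeBlock(PDO $db, array $b): string
{
    $insert = $db->prepare(
        'INSERT INTO blocks (name, type, category, code, creator, sharer,
                             comment, status, colour, application)
         VALUES (:name, :type, :category, :code, :creator, :sharer,
                 :comment, :status, :colour, :application)'
    );
    try {
        $insert->execute([
            ':name' => $b['name'], ':type' => $b['type'],
            ':category' => $b['category'], ':code' => $b['code'],
            ':creator' => $b['username'], ':sharer' => $b['username'],
            ':comment' => $b['comment'], ':status' => 'unapproved',
            ':colour' => '', ':application' => 'Scratch',
        ]);
        return 'success';
    } catch (PDOException $e) {
        // SQLSTATE 23000: the UNIQUE constraint on name rejected a duplicate.
        return ($e->errorInfo[0] ?? '') === '23000'
            ? 'blockAlreadyExists' : 'SQLConnectionError';
    }
}

// Constructed sample upload with a quote in the comment.
$db = openDemoDb();
$block = [
    'name' => 'hide cursor', 'type' => '-', 'category' => 'control',
    'code' => "getNewestBlock ^ #('All' 'control' ('hide cursor' #- #hideCursor))",
    'username' => 'example_user', 'comment' => "it's a test",
];
echo storeBlock($db, $block), "\n";
echo storeBlock($db, $block), "\n";
echo buildAuthUrl('example_user', 'p&ss#word'), "\n";
```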

 

#327 2012-05-24 05:51:39

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

Good morning, all! :D

@Sparks: I had a play with the code — rearranged things to be clearer, reformatted it and it seems to work for me now! I got "success" on uploading a couple of random blocks, and "block already exists" the second time, which seems right. Could you check they're getting into the database and are well-formatted?

The slashes/double-slashes thing still needs testing, I think.

@Dreamod: I finally managed to download the newest Block Importer; seems to work beautifully. I just had to tweak uploadBlock to POST to "remoteBlockUploader.php" rather than "postPing.php" :) [Also there's some weird error messages when I try to import a block; maybe the included block files are from an older version, or something? I dunno.]

Hope that helps y'all! :)


Things I've made: kurt | scratchblocks2 | this cake

Offline

 

#328 2012-05-24 09:24:56

sparks
Community Moderator
Registered: 2008-11-05
Posts: 1000+

Re: Block Files

Looks like I got two blocks in the database! It looks like the name and the category have been swapped round though as well as a few other problems.

block id = 12
name = control
type = (
category = hide cursor

code = 'From MIT Squeak 0.9.4 (June 1, 2003) [No updates present.] on 24 May 2012 at 10:44:23 am'!

!ScriptableScratchMorph methodsFor: 'control'!
hideCursor
    World activeHand showTemporaryCursor: ((Form extent: 1 @ 1 depth: 32)
            fillColor: Color transparent)
! !
!CustomBlockSpecsDictionary class methodsFor: 'blocks'!
getNewestBlock
    ^ #('All' 'control' ('hide cursor' #- #hideCursor))! !

creator = blob8108

sharer = blob8108

comment = hide cursor

status = unapproved

colour =

application = Scratch

As you can see, the type hasn't loaded properly either, the PHP code filters it out of the blockspec so it looks like it grabbed the wrong character? Colour should be empty - it's only used for Panther blocks.

id = 13
name = other ops
type = (
category = broadcast $Even
code = 'From MIT Squeak 0.9.4 (June 1, 2003) [No updates present.] on 24 May 2012 at 10:48:08 am'!

!ScriptableScratchMorph methodsFor: 'other ops' stamp: 'jm 6/23/2004 10:05'!
broadcast: name
    "Broadcast the given event name with zero as its argument."

    self broadcast: name withArgument: 0.
! !
!CustomBlockSpecsDictionary class methodsFor: 'blocks'!
getNewestBlock
    ^ #('All' 'control' ('broadcast $Event$' #- #broadcast:))! !

creator = blob8108
sharer = blob8108
comment = Broadcast the given event name with zero as its argument.
status = unapproved
colour =
application = Scratch

The name got cut out on that one, since it's in the category slot and that's limited to 15 characters.

That problem should be easy enough to fix, just swap the variable input order to the INSERT query round but getting the type to display properly will take more fiddling.

Here's a screenshot (in colour!):

http://img827.imageshack.us/img827/3825/capturepsb.png

Is 5000 too low a limit for the code space?



Offline

 

#329 2012-05-24 10:30:01

rookwood101
Scratcher
Registered: 2011-07-29
Posts: 500+

Re: Block Files

sparks wrote:

Is 5000 too low a limit for the code space?

I would set the row type to text as it can pretty much hold as much of what you want as you want.



Offline

 

#330 2012-05-24 11:40:58

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

I tried uploading a block (with the comment 'sql test') and it said 'upload succesful'. It seems to work now.

Offline

 

#331 2012-05-24 11:46:16

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

@Sparks: It seems you have trouble parsing the block spec, no? Well, the Scratch has a built in block spec parser and I can send those items separately in addition to the other items.
Username
Password
Comment
Block File
Category
Type
Block Name
I'll get to work with the extra arguments. Ok?

Offline

 

#332 2012-05-24 12:05:56

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

rookwood101 wrote:

sparks wrote:

Is 5000 too low a limit for the code space?

I would set the row type to text as it can pretty much hold as much of what you want as you want.

This is a good idea. Or is the correct field type "LONGTEXT"? I can't remember... :P

dreamod wrote:

@Sparks: It seems you have trouble parsing the block spec, no? Well, the Scratch has a built in block spec parser and I can send those items separately in addition to the other items.
...
I'll get to work with the extra arguments. Ok?

This is also a good idea. :)

sparks wrote:

Looks like I got two blocks in the database! It looks like the name and the category have been swapped round though as well as a few other problems.

As you can see, the type hasn't loaded properly either, the PHP code filters it out of the blockspec so it looks like it grabbed the wrong character? Colour should be empty - it's only used for Panther blocks.
...
That problem should be easy enough to fix, just swap the variable input order to the INSERT query round but getting the type to display properly will take more fiddling.

Awesome! :) At least it worked. :P The screenshot is useful, I think.

I do think having dreamod's code send all the things is probably easier than trying to parse Squeak code in PHP.

And I think you'll have to fix the query, as I don't understand your table structure... :P

Last edited by blob8108 (2012-05-24 12:06:55)



Offline

 

#333 2012-05-24 12:13:41

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

Ok, I have the new args working. Here are the key names in order:
username
password
comment
block
category
type
block name
Tell me when you update it.

Offline

 

#334 2012-05-24 16:40:34

Greenatic
Scratcher
Registered: 2009-05-03
Posts: 1000+

Re: Block Files

Debug time!

First, one recommendation:  On the Help menu, add an option that displays a window containing all of the standard block args, such as $Number$.

The glitch I'm having: When using a custom arg in the command spec, I get the error: "Message not understood: at:ifAbsent:".

Offline

 

#335 2012-05-25 02:55:52

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

dreamod wrote:

Ok, I have the new args working.
...
Tell me when you update it.

Have you also updated the Block Importer? I need something to test with, you see :)

@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?



Offline

 

#336 2012-05-25 04:46:36

sparks
Community Moderator
Registered: 2008-11-05
Posts: 1000+

Re: Block Files

blob8108 wrote:

dreamod wrote:

Ok, I have the new args working.
...
Tell me when you update it.

Have you also updated the Block Importer? I need something to test with, you see :)

@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?

Yes, that would be possible. I was trying to pull it from the block file because a) dreamod wasn't sending anything else and b) to reduce the number of POST variables being sent (should be faster and less likely to lose anything along the way IMO).



Offline

 

#337 2012-05-25 05:32:39

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

sparks wrote:

blob8108 wrote:

@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?

...to reduce the number of POST variables being sent (should be faster and less likely to lose anything along the way IMO).

I doubt it makes much difference in this case, to be honest — since they're such small parameters.

We should do that, then! :)



Offline

 

#338 2012-05-25 09:46:29

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

sparks wrote:

blob8108 wrote:

dreamod wrote:

Ok, I have the new args working.
...
Tell me when you update it.

Have you also updated the Block Importer? I need something to test with, you see :)

@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?

Yes, that would be possible. I was trying to pull it from the block file because a) dreamod wasn't sending anything else and b) to reduce the number of POST variables being sent (should be faster and less likely to lose anything along the way IMO).

The user doesn't fill in the block name or category etc. The block importer takes it directly from the block (not file). When you upload a block the block is uploading itself, basically. So it sends its own information. So don't worry about false information, the only way for that to happen is through hacks.

Offline

 

#339 2012-05-25 10:52:20

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

dreamod wrote:

The user doesn't fill in the block name or category etc. The block importer takes it directly from the block (not file). When you upload a block the block is uploading itself, basically. So it sends its own information. So don't worry about false information, the only way for that to happen is through hacks.

You're correct! :) But the point is that anyone could POST data to that URL from any program — they don't have to use your Block Importer at all; or they can modify the Squeak code, as you point out. So from the server's point of view, the data can't be trusted to be correct.

Can you update the Block Importer to the new version, with the new args? The latest version still has the URL set to "postPing.php"... :P



Offline
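
Added example, not code from the thread or the project: one way for the server to act on blob8108's point by comparing the posted category, type and block name with the spec inside the uploaded block file. Assumptions: the spec layout is inferred from the block files quoted above, the type is the symbol after the first `#`, and the `block name` key arrives in PHP as `block_name`.

```php
<?php
// Added example; not the project's code. The layout
// ('All' 'category' ('block name' #type #selector)) is inferred from the
// block files quoted in this thread.

// Extract category, name and type from the getNewestBlock method source.
function parseBlockSpec(string $blockFile): ?array
{
    $pattern = <<<'RE'
/getNewestBlock\s*\^\s*#\(\s*'[^']*'\s+'([^']*)'\s+\(\s*'([^']*)'\s+#(\S+)\s+#[^\s)]+\s*\)\s*\)/
RE;
    if (preg_match($pattern, $blockFile, $m) !== 1) {
        return null;
    }
    return ['category' => $m[1], 'name' => $m[2], 'type' => $m[3]];
}

// Return the names of posted fields that disagree with the block file.
// An empty array means the upload is self-consistent.
function crossCheckUpload(array $post): array
{
    $block = $post['block'] ?? null;
    $spec = is_string($block) ? parseBlockSpec($block) : null;
    if ($spec === null) {
        return ['block']; // no recognisable spec: reject the upload
    }
    // PHP rewrites the space in the posted key "block name" to an underscore.
    $claimed = [
        'category' => $post['category'] ?? null,
        'type'     => $post['type'] ?? null,
        'name'     => $post['block_name'] ?? null,
    ];
    $bad = [];
    foreach ($claimed as $field => $value) {
        if ($value !== $spec[$field]) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Block file text as quoted earlier in the thread.
$blockFile = <<<'ST'
!CustomBlockSpecsDictionary class methodsFor: 'blocks'!
getNewestBlock
    ^ #('All' 'control' ('hide cursor' #- #hideCursor))! !
ST;

// Constructed requests: one consistent, one whose name field disagrees.
$consistent = ['block' => $blockFile, 'category' => 'control',
               'type' => '-', 'block_name' => 'hide cursor'];
$mismatched = ['block' => $blockFile, 'category' => 'control',
               'type' => '-', 'block_name' => 'something else'];

echo json_encode(crossCheckUpload($consistent)), "\n";
echo json_encode(crossCheckUpload($mismatched)), "\n";
```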

 

#340 2012-05-25 10:59:05

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

blob8108 wrote:

dreamod wrote:

The user doesn't fill in the block name or category etc. The block importer takes it directly from the block (not file). When you upload a block the block is uploading itself, basically. So it sends its own information. So don't worry about false information, the only way for that to happen is through hacks.

You're correct! :) But the point is that anyone could POST data to that URL from any program — they don't have to use your Block Importer at all; or they can modify the Squeak code, as you point out. So from the server's point of view, the data can't be trusted to be correct.

Can you update the Block Importer to the new version, with the new args? The latest version still has the URL set to "postPing.php"... :P

Ok, I'll update it. I don't know if you know this or not, but when a block gets uploaded it has to be approved by a librarian before it is added for everybody to see, this is one reason one.
All they have to do to test the block is to import the block file, and check that the parameters are the same, or look inside the block file.

Offline

 

#341 2012-05-25 11:07:10

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

@blob8108 Ok, I updated it. And I managed to work my way around the \\ = \ glitch/feature. I used a little math and tried using \\\\ and sure enough it resulted in the desired \\. So now the patch is completely up to date and perfect.

@Greenatic: I couldn't find your arg morph glitch but I did add the reference guide for arg morphs.

Offline

 

#342 2012-05-25 11:48:35

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

@Dreamod — I got this error: http://i.imgur.com/nR7oL.png



Offline

 

#343 2012-05-25 12:02:11

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

blob8108 wrote:

@Dreamod — I got this error:

That's weird. The reason is because a symbol apparently got removed when I uploaded the patch. The \\ got removed making a syntax error since there is a # (Symbol) without a string. Basically it wants to define a symbol that to nil (or NULL). Nonetheless, I will fix it.

Offline

 

#344 2012-05-25 12:09:58

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

Try it now.

Offline

 

#345 2012-05-25 12:37:36

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

dreamod wrote:

Try it now.

I had to replace the line "self halt." with "URL _ 'http://blocks.scratchr.org/remoteBlockUploader.php'.", but it seems to work now :) I'll have a play with the PHP...



Offline

 

#346 2012-05-25 12:49:23

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

Oh, whoops. The self halt is an almost essential debugger tool. It stops the program and lets you inspect instance variables and how the code has been executed. I had to do that a lot to debug the uploading code. I guess I just left it there. :)

Offline

 

#347 2012-05-25 13:03:50

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

Neat! :) No worries :P

I updated the PHP now! :D Have a try (:



Offline

 

#348 2012-05-25 13:06:28

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

blob8108 wrote:

Neat! :) No worries :P

I updated the PHP now! :D Have a try (:

I tried uploading a test block I got 'block already exists'. Did you upload one by the name of 'test block'?
full block spec: ('All' 'control' ('test block' #- #testBlock))

Offline

 

#349 2012-05-25 13:26:29

blob8108
Scratcher
Registered: 2007-06-25
Posts: 1000+

Re: Block Files

dreamod wrote:

blob8108 wrote:

Neat! :) No worries :P

I updated the PHP now! :D Have a try (:

I tried uploading a test block I got 'block already exists'. Did you upload one by the name of 'test block'?
full block spec: ('All' 'control' ('test block' #- #testBlock))

Ah, that would be because I'm a moron. Changed a variable name, and forgot to update the check-y SQL query. :P

In conclusion: there must be a block with an empty 'name' field. How curious!

Anyway, does it work now? :)



Offline

 

#350 2012-05-25 13:45:27

dreamod
New Scratcher
Registered: 2012-01-22
Posts: 100+

Re: Block Files

blob8108 wrote:

dreamod wrote:

blob8108 wrote:

Neat! :) No worries :P

I updated the PHP now! :D Have a try (:

I tried uploading a test block I got 'block already exists'. Did you upload one by the name of 'test block'?
full block spec: ('All' 'control' ('test block' #- #testBlock))

Ah, that would be because I'm a moron. Changed a variable name, and forgot to update the check-y SQL query. :P

In conclusion: there must be a block with an empty 'name' field. How curious!

Anyway, does it work now? :)

It doesn't work. So, how far has the website gotten? You can upload blocks, but you can't browse blocks, correct? I could write the about page. Assuming the about page is about the block library and how blocks work?

Offline

 
