Thanks, Rookwood. Code security is something I've never really looked into. I'm too trusting by half
@blob8108: You should be able to log in to the admin page on the library site now. And don't worry, the work is very informal; people do what they can and spend what time they wish on it, so no sweat if you can't do much!
I made the changes you suggest but the code still seems to give the same error.
You can now view and change the code for remoteBlockUploader.php on the site, but here's the code for everyone else too:
```php
<?php
/*
<name> remoteBlockUploader.php </name>
<created> created: 20 May 2012 </created>
<function> Allows Dreamod's block mod to connect and upload blocks </function>
<contributors> sparks </contributors>
*/
/*
 * *** CHANGELOG ***
 * Add your name, the date and time (including timezone!), and a short description of your changes
 * at the top of the list here each time you modify this file so that the changes can be tracked.
 * Don't forget to add your name to the contributors list above if it isn't there already!
 * Example:
 * - Changed something - NoOne, 1/1/70 00:00 GMT
 * - added page to editable pages list. Currently this code always gives the error "SQLConnectionError" - Sparks, 21/5/12 10:40 GMT
 * - added missing mysql_query($query) and added real escaping to query strings. The code still gives a connection error - Sparks 24/5/12 8:47 GMT
 */
include("connect.php"); //connect to the SQL database

if(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['comment']) && isset($_POST['block'])){ //check to make sure that all required variables are being received.
    //use the Scratch API to determine the username and password status (urlencode so that & or = in either value cannot break the query string).
    $usernameStatus = trim(file_get_contents("http://scratch.mit.edu/api/authenticateuser?username=" . urlencode($_POST['username']) . "&password=" . urlencode($_POST['password'])));
    if($usernameStatus != 'false'){ //check to make sure that the username exists and the password is correct.
        $username = mysql_real_escape_string($_POST['username']);
        $comment = mysql_real_escape_string($_POST['comment']);

        ###############################################################
        //PARSE DATA FROM BLOCK FILE
        $code = mysql_real_escape_string($_POST['block']);
        $startPos = strpos($code, "getNewestBlock") + 22; //locate the spec within the block file
        $loopCount = 0;
        while ($loopCount < 4){ //skip forward four quote characters to reach the category string
            $startPos = strpos($code, "'", $startPos + 1);
            $loopCount++;
        }
        $category = substr($code, $startPos + 1, strlen($code) - $startPos + 1);
        $carryOnCode = $category;
        $endPos = strpos($category, "'");
        $category = substr($category, 0, $endPos);
        #######category gained##############
        $loopCount = 0;
        while ($loopCount < 4){ //skip forward another four quotes to reach the block spec string
            $startPos = strpos($code, "'", $startPos + 1);
            $loopCount++;
        }
        $blockSpec = substr($code, $startPos + 1, strlen($code) - $startPos + 1);
        $carryOnCode = $blockSpec;
        $endPos = strpos($blockSpec, "'");
        $blockSpec = substr($blockSpec, 0, $endPos);
        #####blockspec gained.#################
        $startPos = strpos($carryOnCode, "#") + 1; //the type is the single character after the first #
        $type = substr($carryOnCode, $startPos, 1);
        ####type gained#####################
        ##############################################################

        //check whether the blockspec already exists
        $result = mysql_query("SELECT * FROM `blocks` WHERE name = '$blockSpec' LIMIT 1;");
        $exists = mysql_num_rows($result) > 0;
        if($exists){ //if the block already exists
            echo "blockAlreadyExists"; //echo a "block already exists" message.
        }
        if(!$exists){ //if the block doesn't exist yet, add it.
            $query = "INSERT INTO `blocks` VALUES ('', '$blockSpec', '$type', '$category', '$code', '$username', '$username', '$comment', 'unapproved', '', 'Scratch')"; //insert block values for id, spec, type, category, code, creator, sharer, comment, status, colour, application.
            mysql_query($query);
        }
        //due to the terrible SQL connection, the code now checks the database to see if the block has appeared.
        $result = mysql_query("SELECT * FROM `blocks` WHERE name = '$blockSpec' LIMIT 1;");
        $exists = mysql_num_rows($result) > 0;
        if($exists){ //the block was added
            echo "success"; //echo a success message.
        }
        if(!$exists){ //if the block can't be found,
            echo "SQLConnectionError"; //echo an SQL connection error.
        }
    }
    if($usernameStatus == 'false'){ //there's a problem with the username or password!
        echo "wrongUsernameOrPass"; //echo a "wrong username or password" message.
    }
}
else{ //one or more required variables are missing from the action!
    echo "missingArgs"; //echo a "missing arguments" message.
}
?>
```
Last edited by sparks (2012-05-24 03:48:49)
Offline
Good morning, all!
@Sparks: I had a play with the code — rearranged things to be clearer, reformatted it and it seems to work for me now! I got "success" on uploading a couple of random blocks, and "block already exists" the second time, which seems right. Could you check they're getting into the database and are well-formatted?
The slashes/double-slashes thing still needs testing, I think.
@Dreamod: I finally managed to download the newest Block Importer; seems to work beautifully. I just had to tweak uploadBlock to POST to "remoteBlockUploader.php" rather than "postPing.php" [Also there are some weird error messages when I try to import a block; maybe the included block files are from an older version, or something? I dunno.]
Hope that helps y'all!
Offline
Looks like I got two blocks in the database! It looks like the name and the category have been swapped round, though, as well as a few other problems.
block id = 12
name = control
type = (
category = hide cursor
code = 'From MIT Squeak 0.9.4 (June 1, 2003) [No updates present.] on 24 May 2012 at 10:44:23 am'!
!ScriptableScratchMorph methodsFor: 'control'!
hideCursor
World activeHand showTemporaryCursor: ((Form extent: 1 @ 1 depth: 32)
fillColor: Color transparent)
! !
!CustomBlockSpecsDictionary class methodsFor: 'blocks'!
getNewestBlock
^ #('All' 'control' ('hide cursor' #- #hideCursor))! !
creator = blob8108
sharer = blob8108
comment = hide cursor
status = unapproved
colour =
application = Scratch
As you can see, the type hasn't loaded properly either; the PHP code filters it out of the blockspec, so it looks like it grabbed the wrong character? Colour should be empty - it's only used for Panther blocks.
id = 13
name = other ops
type = (
category = broadcast $Even
code = 'From MIT Squeak 0.9.4 (June 1, 2003) [No updates present.] on 24 May 2012 at 10:48:08 am'!
!ScriptableScratchMorph methodsFor: 'other ops' stamp: 'jm 6/23/2004 10:05'!
broadcast: name
"Broadcast the given event name with zero as its argument."
self broadcast: name withArgument: 0.
! !
!CustomBlockSpecsDictionary class methodsFor: 'blocks'!
getNewestBlock
^ #('All' 'control' ('broadcast $Event$' #- #broadcast:))! !
creator = blob8108
sharer = blob8108
comment = Broadcast the given event name with zero as its argument.
status = unapproved
colour =
application = Scratch
The name got cut out on that one, since it's in the category slot and that's limited to 15 characters.
That problem should be easy enough to fix, just swap the variable input order to the INSERT query round, but getting the type to display properly will take more fiddling.
Here's a screenshot (in colour!):
Is 5000 too low a limit for the code space?
Offline
sparks wrote:
Is 5000 too low a limit for the code space?
I would set the row type to text as it can pretty much hold as much of what you want as you want.
Offline
@Sparks: It seems you have trouble parsing the block spec, no? Well, Scratch has a built-in block spec parser and I can send those items separately in addition to the other items.
Username
Password
Comment
Block File
Category
Type
Block Name
I'll get to work with the extra arguments. Ok?
Offline
rookwood101 wrote:
sparks wrote:
Is 5000 too low a limit for the code space?
I would set the row type to text as it can pretty much hold as much of what you want as you want.
This is a good idea. Or is the correct field type "LONGTEXT"? I can't remember...
dreamod wrote:
@Sparks: It seems you have trouble parsing the block spec, no? Well, Scratch has a built-in block spec parser and I can send those items separately in addition to the other items.
...
I'll get to work with the extra arguments. Ok?
This is also a good idea.
sparks wrote:
Looks like I got two blocks in the database! It looks like the name and the category have been swapped round, though, as well as a few other problems.
As you can see, the type hasn't loaded properly either; the PHP code filters it out of the blockspec, so it looks like it grabbed the wrong character? Colour should be empty - it's only used for Panther blocks.
...
That problem should be easy enough to fix, just swap the variable input order to the INSERT query round, but getting the type to display properly will take more fiddling.
Awesome! At least it worked. The screenshot is useful, I think.
I do think having dreamod's code send all the things is probably easier than trying to parse Squeak code in PHP.
And I think you'll have to fix the query, as I don't understand your table structure...
Last edited by blob8108 (2012-05-24 12:06:55)
Offline
Debug time!
First, one recommendation: On the Help menu, add an option that displays a window containing all of the standard block args, such as $Number$.
The glitch I'm having: When using a custom arg in the command spec, I get the error: "Message not understood: at:ifAbsent:".
Offline
dreamod wrote:
Ok, I have the new args working.
...
Tell me when you update it.
Have you also updated the Block Importer? I need something to test with, you see
@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?
Offline
blob8108 wrote:
dreamod wrote:
Ok, I have the new args working.
...
Tell me when you update it.
Have you also updated the Block Importer? I need something to test with, you see
@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?
Yes, that would be possible. I was trying to pull it from the block file because a) dreamod wasn't sending anything else and b) to reduce the number of POST variables being sent (should be faster and less likely to lose anything along the way IMO).
Offline
sparks wrote:
blob8108 wrote:
@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?
...to reduce the number of POST variables being sent (should be faster and less likely to lose anything along the way IMO).
I doubt it makes much difference in this case, to be honest — since they're such small parameters.
We should do that, then!
Offline
sparks wrote:
blob8108 wrote:
dreamod wrote:
Ok, I have the new args working.
...
Tell me when you update it.
Have you also updated the Block Importer? I need something to test with, you see
@Sparks: does getting the category, type, etc. from the POST sound ok? Obviously it would then be technically possible for a user to POST data with fields like blockspec that didn't match the block file. But that'd be okay, would it not?
Yes, that would be possible. I was trying to pull it from the block file because a) dreamod wasn't sending anything else and b) to reduce the number of POST variables being sent (should be faster and less likely to lose anything along the way IMO).
The user doesn't fill in the block name or category etc. The block importer takes it directly from the block (not file). When you upload a block, the block is uploading itself, basically. So it sends its own information. So don't worry about false information; the only way for that to happen is through hacks.
Offline
dreamod wrote:
The user doesn't fill in the block name or category etc. The block importer takes it directly from the block (not file). When you upload a block, the block is uploading itself, basically. So it sends its own information. So don't worry about false information; the only way for that to happen is through hacks.
You're correct! But the point is that anyone could POST data to that URL from any program — they don't have to use your Block Importer at all; or they can modify the Squeak code, as you point out. So from the server's point of view, the data can't be trusted to be correct.
Can you update the Block Importer to the new version, with the new args? The latest version still has the URL set to "postPing.php"...
Offline
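Sparks's uploader above recovers the category, spec and type by counting quote characters in the block file, and blob8108's point is that whatever fields dreamod's Importer POSTs can equally be sent by any other client. The following is an added example, not the library's remoteBlockUploader.php: it reads the spec out of the file's getNewestBlock method with one regular expression and refuses the upload when the POSTed fields disagree with it (the POST field names category, type and name are assumptions).

```php
<?php
// Added example, not the block library's own code. Parses the getNewestBlock
// spec out of an uploaded Squeak block file and checks the category/type/name
// fields the client POSTs against it, so the server only stores metadata it
// has verified itself. Field names 'category', 'type', 'name' are assumed.

// Pull (category, name, type) out of a block file. Expected form of the spec:
//   ^ #('All' 'control' ('hide cursor' #- #hideCursor))
// Run this on the raw upload, before mysql_real_escape_string(): escaping
// turns every ' into \' and a quote-based parse no longer matches.
function parseBlockSpec($blockFile) {
    $re = "/getNewestBlock\\s*\\^\\s*#\\('[^']*'\\s+'([^']*)'\\s+\\('([^']*)'\\s+#(\\S)\\s+#\\S+\\)\\)/";
    if (!preg_match($re, $blockFile, $m)) {
        return null; // not a block file this server understands: reject it
    }
    return array('category' => $m[1], 'name' => $m[2], 'type' => $m[3]);
}

// Compare the POSTed fields with what the file itself says; returns the names
// of the fields that are missing or differ (empty array means all consistent).
function checkPostedFields($post, $parsed) {
    $problems = array();
    foreach (array('category', 'name', 'type') as $field) {
        if (!isset($post[$field]) || $post[$field] !== $parsed[$field]) {
            $problems[] = $field;
        }
    }
    return $problems;
}

// Sample input: the 'hide cursor' block from earlier in the thread, paired
// with a constructed POST whose 'name' field does not match the file.
$blockFile = "!CustomBlockSpecsDictionary class methodsFor: 'blocks'!\n"
           . "getNewestBlock\n"
           . "\t^ #('All' 'control' ('hide cursor' #- #hideCursor))! !";
$post = array('category' => 'control', 'type' => '-', 'name' => 'control');

$parsed = parseBlockSpec($blockFile);
if ($parsed === null) {
    echo "badBlockFile";
} elseif (($problems = checkPostedFields($post, $parsed)) !== array()) {
    echo "specMismatch:" . implode(',', $problems);
} else {
    // Only now escape the verified values and build the INSERT.
    echo "ok";
}
?>
```

Storing what parseBlockSpec returns instead of the POSTed values removes the need for the comparison entirely, at the cost of the server having to understand every block-file layout the Importer can produce.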
blob8108 wrote:
dreamod wrote:
The user doesn't fill in the block name or category etc. The block importer takes it directly from the block (not file). When you upload a block, the block is uploading itself, basically. So it sends its own information. So don't worry about false information; the only way for that to happen is through hacks.
You're correct! But the point is that anyone could POST data to that URL from any program — they don't have to use your Block Importer at all; or they can modify the Squeak code, as you point out. So from the server's point of view, the data can't be trusted to be correct.
Can you update the Block Importer to the new version, with the new args? The latest version still has the URL set to "postPing.php"...
Ok, I'll update it. I don't know if you know this or not, but when a block gets uploaded it has to be approved by a librarian before it is added for everybody to see, this is one reason one.
All they have to do to test the block is to import the block file, and check that the parameters are the same, or look inside the block file.
Offline
@blob8108 Ok, I updated it. And I managed to work my way around the \\ = \ glitch/feature. I used a little math and tried using \\\\ and sure enough it resulted in the desired \\. So now the patch is completely up to date and perfect.
@Greenatic: I couldn't find your arg morph glitch but I did add the reference guide for arg morphs.
Offline
blob8108 wrote:
@Dreamod — I got this error:
That's weird. The reason is because a symbol apparently got removed when I uploaded the patch. The \\ got removed, making a syntax error since there is a # (Symbol) without a string. Basically it wants to define a symbol that to nil (or NULL). Nonetheless, I will fix it.
Offline
dreamod wrote:
Try it now.
I had to replace the line "self halt." with "URL _ 'http://blocks.scratchr.org/remoteBlockUploader.php'.", but it seems to work now. I'll have a play with the PHP...
Offline
Oh, whoops. The self halt is an almost essential debugger tool. It stops the program and lets you inspect instance variables and how the code has been executed. I had to do that a lot to debug the uploading code. I guess I just left it there.
Offline
Neat! No worries
I updated the PHP now! Have a try (:
Offline
blob8108 wrote:
Neat! No worries
I updated the PHP now! Have a try (:
I tried uploading a test block and I got 'block already exists'. Did you upload one by the name of 'test block'?
full block spec: ('All' 'control' ('test block' #- #testBlock))
Offline
dreamod wrote:
blob8108 wrote:
Neat! No worries
I updated the PHP now! Have a try (:
I tried uploading a test block and I got 'block already exists'. Did you upload one by the name of 'test block'?
full block spec: ('All' 'control' ('test block' #- #testBlock))
Ah, that would be because I'm a moron. Changed a variable name, and forgot to update the check-y SQL query.
In conclusion: there must be a block with an empty 'name' field. How curious!
Anyway, does it work now?
Offline
blob8108 wrote:
dreamod wrote:
blob8108 wrote:
Neat! No worries
I updated the PHP now! Have a try (:
I tried uploading a test block and I got 'block already exists'. Did you upload one by the name of 'test block'?
full block spec: ('All' 'control' ('test block' #- #testBlock))
Ah, that would be because I'm a moron. Changed a variable name, and forgot to update the check-y SQL query.
In conclusion: there must be a block with an empty 'name' field. How curious!
Anyway, does it work now?
It doesn't work. So, how far has the website gotten? You can upload blocks, but you can't browse blocks, correct? I could write the about page. Assuming the about page is about the block library and how blocks work?
Offline