#3, 08-06-2006, 12:19 AM
myrtletrees (Junior Member, Join Date: May 2005, Posts: 242)
Your PHP Block file code needs to be updated. It still uses $dbi, which is the old SQL layer.

Quote:
One change in the files that I can explain is the move to phpBB's abstraction layer.
Those with an average knowledge of PHP/MySQL can perform the change themselves on
files they don't want to replace because of modifications. Before doing this MAKE A
BACKUP OF THE FILES so you can roll back to them if anything goes wrong. Here are
the steps:
1. By default each function's global line includes $dbi; this must be replaced with
$db. SQL query lines often end with ,$dbi, which should be removed.
2. sql_fetch_row or mysql_fetch_row should now be $db->sql_fetchrow
3. sql_query or mysql_query should now be $db->sql_query
4. sql_num_rows or mysql_num_rows should now be $db->sql_numrows
5. sql_fetch_array or mysql_fetch_array should now be $db->sql_fetchrow
6. sql_free_result or mysql_free_result should now be $db->sql_freeresult
7. sql_insert_id or mysql_insert_id should now be $db->sql_nextid
8. sql_close or mysql_close should now be $db->sql_close
Others might apply, but these are the ones I found being used.
One other thing to look for is unquoted variables in SQL queries, for example:
$result = $db->sql_query("SELECT rid, name, url from ".$prefix."_related where tid=$topicid");
should be:
$result = $db->sql_query("SELECT rid, name, url from ".$prefix."_related where tid='$topicid'");
Notice that $topicid was enclosed in single quotes, which brings us to one other change. This
particular query attempts to grab 3 values from a database table: an id, a name and a url.
The id is a numerical value. There are two ways in which you can get the result of this
query:
The one I suggest using:
$row = $db->sql_fetchrow($result);
$rid = $row['rid'];
$name = $row['name'];
$url = $row['url'];

and the one some use to reduce the amount of code:
list($rid, $name, $url) = $db->sql_fetchrow($result);

In the first method results are returned in the format $row['value'];
in the second method they are returned in the format $value.
Since one of the values is a number we add a PHP function to make sure only numbers
are used, in this case intval(). In values that return emails & urls we can
use another function, in this case stripslashes(). They would now change to:
The one I suggest using:
$row = $db->sql_fetchrow($result);
$rid = intval($row['rid']);
$name = $row['name'];
$url = stripslashes($row['url']);

and the one some use to reduce the amount of code:
list($rid, $name, $url) = $db->sql_fetchrow($result);
$rid = intval($rid);
$url = stripslashes($url);

There are many more functions one can use to check what gets passed through a
variable, but these should help make the files more secure. Anyway, here's one more:
Let's say that from our example we know $name will have a maximum allowed
character limit of 12. We can make sure that limit is not exceeded in one
of several ways; in this case we'll use substr(), so the above will now be:
The one I suggest using:
$row = $db->sql_fetchrow($result);
$rid = intval($row['rid']);
$name = substr($row['name'], 0, 12);
$url = stripslashes($row['url']);

and the one some use to reduce the amount of code:
list($rid, $name, $url) = $db->sql_fetchrow($result);
$rid = intval($rid);
$name = substr($name, 0, 12);
$url = stripslashes($url);
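The steps quoted above, carried through on one complete block-file query as an added example (this is not code from the original post or from the module being discussed). $db, $prefix and the _related table are taken from the post; the function name get_related_links() and the calling code are assumed, and the output encoding at the end is an addition of this example.

```php
<?php
// Added example: one block-file query migrated from the old $dbi layer to
// phpBB's $db abstraction layer, with the value checks from the post applied.
//
// Old style, as found in unconverted block files (for comparison only):
//   global $dbi, $prefix;
//   $result = sql_query("SELECT rid, name, url FROM ".$prefix."_related WHERE tid=$topicid", $dbi);
//   while (list($rid, $name, $url) = sql_fetch_row($result)) { ... }

function get_related_links($topicid, $name_limit = 12)   // name is assumed
{
    global $db, $prefix;                       // was: global $dbi, $prefix;

    // tid is numeric, so cast it before it reaches the query string.
    // Quoting '$topicid' alone still lets non-numeric text into the SQL;
    // intval() guarantees the query only ever contains an integer.
    $topicid = intval($topicid);

    $sql = "SELECT rid, name, url FROM " . $prefix . "_related WHERE tid='" . $topicid . "'";
    $result = $db->sql_query($sql);            // was: sql_query($sql, $dbi)
    if (!$result) {
        return array();                        // $db->sql_error() holds details
    }

    $links = array();
    while ($row = $db->sql_fetchrow($result))  // was: sql_fetch_row / sql_fetch_array
    {
        $links[] = array(
            'rid'  => intval($row['rid']),                  // numeric column
            'name' => substr($row['name'], 0, $name_limit), // enforce the 12-char limit
            'url'  => stripslashes($row['url']),            // as the post does for urls
        );
    }
    $db->sql_freeresult($result);              // was: sql_free_result($result)

    return $links;
}

// Usage in a block file (assumed): encode on output before echoing into HTML.
$links = get_related_links($topicid);
foreach ($links as $link) {
    echo '<a href="' . htmlspecialchars($link['url']) . '">'
       . htmlspecialchars($link['name']) . '</a><br />';
}
?>
```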