vB4 - Trouble using variables from custom form in dynamic PHP page


drpeppper
12-11-2010, 10:39 AM
I have set up a dynamic PHP page that includes a custom form like this from which I want to use the input field's value for a database query search:


$search_output .= '<form name="medal_search" action="' . $searchURL . '" method="post">';
$search_output .= '<label for="medal_search_player">Spieler suchen (Name oder SteamID eingeben):</label>';
$search_output .= '<input name="medal_search_player" type="text" value="' . $playerSearchString . '" />';
$search_output .= '<input id="medal_search_token" name="securitytoken" value="' . vB::$vbulletin->userinfo['securitytoken'] . '" type="hidden" />';
$search_output .= '<input name="do" value="process" type="hidden" />';
$search_output .= '<input type="submit" value="Suchen..." />';
$search_output .= '</form>';


I pretty soon realised that $_POST and $_GET are not working so I tried using this which works but always gives me an empty variable inside the dynamic PHP:


vB::$vbulletin->input->clean_gpc('p', 'medal_search_player', TYPE_STR);


When I move this line of code into a new plugin it works though. So here's the code from the plugin I created:


$medalStatsSearchVars = array(
'medal_search_player' => vB::$vbulletin->input->clean_gpc('p', 'medal_search_player', TYPE_STR),
'name' => vB::$vbulletin->input->clean_gpc('g', 'name', TYPE_STR),
'steamid' => vB::$vbulletin->input->clean_gpc('g', 'steamid', TYPE_STR)
);

vB_Template::preRegister('vbcms_content_phpeval_page', array('medalStatsSearchVars' => $medalStatsSearchVars));
echo $medalStatsSearchVars['medal_search_player'] . '|' . $medalStatsSearchVars['name'];
... the echo is just for testing and it correctly displays the value but it's still not working inside the dynamic PHP page no matter how I try to access it. Note that I preregistered the variable for the template that is used by dynamic PHP content. I've tried to use it with the following hooks: vbcms_phpeval_populate_start, global_start, init_startup (this last one crashes the whole system) but I just can't get it to display the variable inside the dynamic PHP content. I've tried this but the vars are always empty:


$medalStatsSearchVars['medal_search_player']
$vbulletin->GPC['medal_search_player']


This is really frustrating and I hope someone can point me in the right direction with this problem here.

Andreas
12-11-2010, 11:01 AM
First of all:
Never use strings from user input in output directly -> Cross Site Scripting.

What's in the template (vbcms_content_phpeval_page) you are trying to output?

It needs to be something like

Player Name: {vb:raw medalStatsSearchVars.medal_search_player}

drpeppper
12-11-2010, 03:45 PM
> First of all:
> Never use strings from user input in output directly -> Cross Site Scripting.
>
> What's in the template (vbcms_content_phpeval_page) you are trying to output?
>
> It needs to be something like
>
> Player Name: {vb:raw medalStatsSearchVars.medal_search_player}


Thanks for your answer. I'm not using the user input directly and that template is a default vB4 template used for dynamic PHP content. I had no intention to change said template but I guess I might have to create a new one based on it.

To make this situation more clear: I created a new article and selected dynamic PHP content which uses said template, then I pasted my PHP code into that article and that's where I want to use the variables. The code format that you posted is only usable in an HTML template if I'm not mistaken?

Andreas
12-26-2010, 05:59 AM
> Thanks for your answer. I'm not using the user input directly

You do:


$medalStatsSearchVars = array(
'medal_search_player' => vB::$vbulletin->input->clean_gpc('p', 'medal_search_player', TYPE_STR),
'name' => vB::$vbulletin->input->clean_gpc('g', 'name', TYPE_STR),
'steamid' => vB::$vbulletin->input->clean_gpc('g', 'steamid', TYPE_STR)
);

vB_Template::preRegister('vbcms_content_phpeval_page', array('medalStatsSearchVars' => $medalStatsSearchVars));
echo $medalStatsSearchVars['medal_search_player'] . '|' . $medalStatsS

With this code you end up having direct user input available in the template variables $medalStatsSearchVars['medal_search_player'], $medalStatsSearchVars['name'] and $medalStatsSearchVars['steamid'].


You can't put any custom variables into template vbcms_content_phpeval_page without customizing it (or creating a new one).

The only variable that is there for you to use is $output:


/**The php code goes here. It can have as much php as you like,
but it should end with setting the variable $output.
e.g.
$something = $somefunction();
$something2 = $somefunction2();
...
**/
$output = "Hello World<br />";
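
The cross-site scripting point raised in the thread, as an added example that is not part of any post or of vBulletin's own code: the search form from the first post rebuilt so that every dynamic value is HTML-encoded before it reaches `$output`. The helper `h()`, the function `render_medal_search_form()`, the sample input, the URL and the token are all constructed for illustration.

```php
<?php
// Added example, stand-alone PHP. In the plugin, $raw would be the TYPE_STR
// value returned by clean_gpc(), which the thread treats as direct user input.

/** Encode a value for HTML text or a quoted attribute. */
function h($value)
{
    // ENT_QUOTES encodes both quote characters, which matters inside value="...".
    // UTF-8 is an assumption; use the charset your board actually serves.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** The search form from the first post, with every dynamic value encoded. */
function render_medal_search_form($searchURL, $playerSearchString, $securityToken)
{
    $html  = '<form name="medal_search" action="' . h($searchURL) . '" method="post">';
    $html .= '<label for="medal_search_player">Spieler suchen (Name oder SteamID eingeben):</label>';
    $html .= '<input name="medal_search_player" type="text" value="' . h($playerSearchString) . '" />';
    $html .= '<input id="medal_search_token" name="securitytoken" value="' . h($securityToken) . '" type="hidden" />';
    $html .= '<input name="do" value="process" type="hidden" />';
    $html .= '<input type="submit" value="Suchen..." />';
    $html .= '</form>';
    return $html;
}

// Constructed sample input: contains a double quote and a tag.
$raw = 'Dr. "Pepper" <b>test</b>';

// Direct concatenation, as in the thread: the quote ends value="..." early
// and <b> is parsed as markup instead of being shown as text.
$unsafe = '<input name="medal_search_player" type="text" value="' . $raw . '" />';

// Encoded version; a dynamic PHP page ends by setting $output.
// The URL and token below are placeholders.
$output  = render_medal_search_form('/content.php?r=example', $raw, 'placeholder-token');
$output .= 'Player Name: ' . h($raw) . '<br />';

echo "unsafe: ", $unsafe, "\n";
echo "safe:   ", $output, "\n";
```

In the encoded output the sample value appears as `Dr. &quot;Pepper&quot; &lt;b&gt;test&lt;/b&gt;`, so the browser displays it as text inside the field instead of interpreting it.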