PDA

View Full Version : Custom Form in Custom Page - Security Token Missing Error - Help


EquinoxWorld
07-07-2011, 03:46 AM
Hello everyone I am currently trying to use a form to submit a image url to a database table I created. Then I would use this image url to print the images with a separate script. The script I am using to submit the image URL is the following: (filename: nominate.php)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<basefont face="Arial">
</head>
<body>

<?php
require_once('./global.php');

define('CSRF_PROTECTION', true);

if (!isset($_POST['submit'])) {
// form not submitted
?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
Image URL to Nominate: <input type="text" name="imgurl">
<input type="submit" name="submit">
</form>

<?php
require_once('./global.php');

define('CSRF_PROTECTION', true);
}
else {
// form submitted
// set server access variables
$host = "localhost";
$user = "xxxxx";
$pass = "xxxxx";
$db = "xxxxx";

// get form input
// check to make sure it's all there
// escape input values for greater safety
$imgurl = empty($_POST['imgurl']) ? die ("ERROR: Enter a imgurl") : mysql_escape_string($_POST['imgurl']);

// open connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");

// select database
mysql_select_db($db) or die ("Unable to select database!");

// create query
$query = "INSERT INTO oftw_nominations (imgurl) VALUES ('$imgurl')";

// execute query
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());

// print message with ID of inserted record
echo "New image Nominated!";

// close connection
mysql_close($connection);
}
?>

This works fine and submits the image URL into my database table I specified( I can verify this going into phpmyadmin) if I just go to the php file from the URL itself like so:

http://mysite.com/nominate.php

Although when I try to use this php file in a plug in then calling the plug in in one of my custom template it shows perfectly but when submitting it gives me this error:

Your submission could not be processed because a security token was invalid.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

This is the plug i I am using to call the script.

ob_start();
require_once('nominate.php');
$oftw_nominate = ob_get_contents();
ob_end_clean();
vB_Template::preRegister('OFTW_NOMINATIONS',array( 'oftw_nominate' => $oftw_nominate));

Then use the following to insert it into my OFTW_NOMINATIONS template:

{vb:raw oftw_nominate}

But when I submit the URL I get the security token error...

If anyone has ANY ideas or any info please let us know. I would appreciate anyone's feedback as I am stumped so far and can't get passed this error. Thank you for your time.

P.S.: The script I am using to print the nominations is:

<?php
require_once('./global.php');

$result = $db->query_read("SELECT * FROM oftw_nominations");

if (mysql_num_rows($result) > 0) {
// yes
// print them one after another
echo "<table cellpadding=10 border=1>";
while($row = mysql_fetch_row($result)) {
echo "<tr>";
echo "<td><center><img src =".$row[1]."></center></td>";
echo "</tr>";
}
echo "</table>";
}
else {
// no
// print status message
echo "No rows found!";
}



?>

Which works perfect calling it via plug-in and using vb:raw in the template. Just need the help with the security token upon submissions issue in nominate.php :( .

--------------- Added 1310047305 at 1310047305 ---------------

OK Got it...I think. This is what I did. I took out the form from the php file and placed in the template like so:


<form action="nominate.php" method="post">
Image URL to Nominate: <input type="text" name="imgurl">
<input type="submit" name="submit">
</form>


And I am using this to write the URL into the database:


<?php

require_once('./global.php');

define('CSRF_PROTECTION', true);

if (!isset($_POST['submit'])) {


// form not submitted
}
else {
// form submitted
// get form input
// check to make sure it's all there
// escape input values for greater safety
$imgurl = empty($_POST['imgurl']) ? die ("ERROR: Enter a imgurl") : mysql_escape_string($_POST['imgurl']);

// create query
$db->query_write("INSERT INTO oftw_nominations (imgurl) VALUES ('$imgurl')");

// print message with ID of inserted record
echo "New image Nominated!";

header( "refresh:2; url=http://development.aniworlds.net/oftw_nominations.php" );

// close connection
mysql_close($connection);
}
?>

And this to print them in the same template:

<?php
require_once('./global.php');

$result = $db->query_read("SELECT * FROM oftw_nominations");

if (mysql_num_rows($result) > 0) {
// yes
// print them one after another
echo "<table cellpadding=10 border=1>";
while($row = mysql_fetch_row($result)) {
echo "<tr>";
echo "<td><center><img src =".$row[1]."></center></td>";
echo "</tr>";
}
echo "</table>";
}
else {
// no
// print status message
echo "No rows found!";
}
?>


It all works PERFECT. Question is ; is this ok? I mean is this the RIGHT way to do what I want to do?? It works perfect I just want to make sure I don't have any vulnerabilities.