$_GET - avoid but why?
Jon12345
03-29-2012, 07:14 PM
According to this link...
https://www.vbulletin.com/docs/html/codestandards_gpc
...it states that "Do not use $_GET / $_POST / $_REQUEST etc. variables in templates." But I need to use it in the templates for something I need to achieve.
Why do they say don't use $_GET etc? Is it a security risk or something?
Jon
Paul M
03-29-2012, 09:14 PM
You don't ever need to use them in a template.
They are just variables, so you can easily use something else.
Jon12345
03-29-2012, 09:43 PM
In that case, how do I check for being on register.php?do=addmember then? I need to check to see if addmember is there.
In a PM discussion I mentioned to Jon that I thought it was because those variables haven't been "cleaned" and so they could contain anything and wouldn't be safe to include directly in the output. I'm sure that part's true. But I thought they would be OK to use in a condition (for instance in the headinclude template when the 'do' variable isn't in $vbulletin->GPC yet). Otherwise you'd need a plugin to create another variable. But I wasn't sure so Jon wisely decided to ask if anyone else knows.
Jon12345
03-29-2012, 10:19 PM
Let's imagine the variable is 'dirty'. If you had this...
<if condition="$_GET['do']=='register'">
run code
</if>
...to my mind there is no danger of code injection so long as I just use the $_GET['do'] to check a condition. Correct me if I'm wrong. It would be different if I was storing the data from the GET into a variable for output.
Is this right?
Paul M
03-29-2012, 11:01 PM
You are technically correct, that's not the point. :)
The standards are designed to prevent you accidentally forgetting this. If you never use them in templates, there can never be an issue.
Pandemikk
03-30-2012, 12:23 AM
It also states "The only direct access to these variables is with $_POST['do'] and $_GET['do']"
The reason why it shouldn't be used in templates is, I personally believe, because you should be doing those checks in the PHP code.
Paul makes a good point, I didn't notice that that was from the coding standards. So it's not claiming that there's necessarily any problem, just that the vb coding standards say not to do it.
OK, but here's a sorta related question: if someone here asks how they can do something, and they could do it by adding a few lines to a template but it involves using $_GET['do'] in a condition, should they be told to write a plugin because it's the "right" way to do it?
Pandemikk
03-30-2012, 01:28 AM
Same thing can be said about any coding standard. Indenting vs. not indenting, proper variable, constant, function naming, etc.
It all comes down to the purpose and hassle. I don't recommend editing the default register template, but instead finding the do branch in a plugin then calling your own template: That way it's easier to manage and upgrade.
But if he simply wants to add a few lines and the whole situation would indeed be a lot easier to just do it in the template then by all means do it even if vB coding standards says not to. If he was making a mod to be released to vB.org then I'd say he should do it the right way.
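The three situations argued over in this thread (the raw value used only in a condition, the raw value copied into output, and the plugin approach where PHP decides and the template only reads a variable), as an added example. It is not code from the thread and not vBulletin's own code; the function names and the constructed request are my own, and the template-side condition is simulated in plain PHP rather than in the vB template compiler.

```php
<?php
// Added example (not from the thread or vBulletin itself). Runs stand-alone:
// the request is constructed inline and nothing here touches a real install.
// Goal: show why "$_GET in a condition" is harmless, why "$_GET in output" is
// not, and what "do the check in a plugin" buys you.

// Constructed request, as an attacker might send it:
//   register.php?do=addmember"><script>alert(1)</script>
$get = ['do' => 'addmember"><script>alert(1)</script>'];

// 1. The pattern from the thread: the raw value is only *compared*, never
//    emitted. A strict comparison against a fixed string cannot be injected
//    into; a payload simply makes the condition false.
function is_addmember(array $get): bool
{
    return isset($get['do']) && $get['do'] === 'addmember';
}

// 2. The mistake the coding standard guards against: the same raw value
//    copied into HTML. The closing quote and <script> in the payload break
//    out of the attribute, i.e. reflected XSS.
function render_unsafe(array $get): string
{
    return '<input type="hidden" name="do" value="' . ($get['do'] ?? '') . '">';
}

// 3. The equivalent of what vBulletin's input cleaner plus
//    htmlspecialchars_uni() give you: a string-typed, HTML-escaped copy.
//    (Here plain htmlspecialchars() stands in for the vB helper.)
function render_safe(array $get): string
{
    $do = htmlspecialchars((string) ($get['do'] ?? ''), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="do" value="' . $do . '">';
}

// 4. The plugin approach in spirit: PHP decides, the template only reads a
//    boolean. The template never needs $_GET at all, so nobody can later
//    "accidentally forget" and echo the raw value in it.
function build_template_vars(array $get): array
{
    return ['show_addmember_notice' => is_addmember($get)];
}

function render_template(array $vars): string
{
    // Stand-in for <if condition="$show_addmember_notice">...</if>
    return $vars['show_addmember_notice']
        ? '<div class="notice">Welcome, new member</div>'
        : '';
}

// Malicious request: the condition is simply false, the unsafe render
// leaks the payload into the page, the safe render neutralises it.
$vars = build_template_vars($get);
echo "condition only : ", var_export(is_addmember($get), true), "\n";
echo "template       : ", render_template($vars), "\n";
echo "unsafe output  : ", render_unsafe($get), "\n";
echo "safe output    : ", render_safe($get), "\n";

// Legitimate request: the condition is true and the notice appears.
$legit = ['do' => 'addmember'];
echo "legit template : ", render_template(build_template_vars($legit)), "\n";
```

Run it with `php example.php`. The point Paul makes is visible in the difference between functions 1 and 2: the same superglobal, one line apart, is fine in one and an XSS sink in the other, and a template reviewer cannot tell them apart at a glance. Function 4 is the cheap way to get Pandemikk's "do it in a plugin" benefit for a small mod: the plugin computes one clean variable at the `do` branch, and the template condition tests that variable instead of `$_GET`.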
That's pretty much my feeling exactly, but I was wondering what other people thought about it. I think when people are making small mods for themselves it's not very important, so I usually go for the easiest solutions.
Anyway, sorry for hijacking Jon's thread.
Jon12345
03-30-2012, 09:15 AM
Well, for what it's worth my $_GET conditional is doing the job and my scripts are working, with a big thanks to kh99 for his help on this.
Yes, I do like Pandemikk's idea of having my own template call from the do branch, but my vbulletin skills are fairly limited, even though I've learned a lot over the past few days in my quest to get something non-standard done.
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.