[SOLVED] security token problem with a form in my plugin


omardealo
03-29-2015, 03:57 PM
Hello,

I used this code in my plugin in the hook misc_start.
This is a form that does an insert into the database.



// this VAR $order is built in a while loop and I print it in a template
$order = '<td class="alt2">
<form action="misc.php?do=points_usergift&giftid='.$resultgift[giftid].'&pointgift='.$resultgift[giftpoints].'" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="points_usergift" />
<input type="submit" class="button" value="submit" />
</form></td>';


// handle the submitted form
if ($_REQUEST['do'] == 'points_usergift')
{
    if ($vbulletin->userinfo['user_points'] > $_POST["pointgift"])
    {
        eval(standard_error(fetch_error('points_nopermission')));
    }
    else
    {
        // giftid comes from the client, so cast it to an integer before it reaches the query
        $db->query_write("INSERT INTO " . TABLE_PREFIX . "points_usergift
            (giftid, userid, dateline)
            VALUES
            (" . intval($_POST['giftid']) . ", " . intval($vbulletin->userinfo['userid']) . ", " . TIMENOW . ")
        ");
        eval(print_standard_redirect('points_addredirect', 1, 1));
    }
}


I think something is missing about the session. I think that if I put the form in a template it would work fine, but I want it in a plugin.
This error appears:

Your submission could not be processed because a security token was invalid.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

kh99
03-29-2015, 04:35 PM
I think you need to change the string so that the variables are evaluated, like this:
$order = '<td class="alt2">
<form action="misc.php?do=points_usergift&giftid='.$resultgift[giftid].'&pointgift='.$resultgift[giftpoints].'" method="post">
<input type="hidden" name="s" value="'.$session[sessionhash].'" />
<input type="hidden" name="securitytoken" value="'.$bbuserinfo[securitytoken].'" />
<input type="hidden" name="do" value="points_usergift" />
<input type="submit" class="button" value="submit" />
</form></td>';

(the changes are around $session[sessionhash] and $bbuserinfo[securitytoken]).

Also, is that the entire plugin code? If so, you should really check $_REQUEST['do'], otherwise you will interfere with other functions in misc.php (but maybe you only posted part of the plugin).

omardealo
03-29-2015, 05:08 PM
I think you need to change the string so that the variables are evaluated, like this:
$order = '<td class="alt2">
<form action="misc.php?do=points_usergift&giftid='.$resultgift[giftid].'&pointgift='.$resultgift[giftpoints].'" method="post">
<input type="hidden" name="s" value="'.$session[sessionhash].'" />
<input type="hidden" name="securitytoken" value="'.$bbuserinfo[securitytoken].'" />
<input type="hidden" name="do" value="points_usergift" />
<input type="submit" class="button" value="submit" />
</form></td>';

(the changes are around $session[sessionhash] and $bbuserinfo[securitytoken]).

Also, is that the entire plugin code? If so, you should really check $_REQUEST['do'], otherwise you will interfere with other functions in misc.php (but maybe you only posted part of the plugin).

Thanks brother, what you say is very logical, but unfortunately it did not work.
Do you have other suggestions?
And don't worry about the $_REQUEST['do'] code, I'm quite sure there's no problem with any other PHP code. The only problem is in the form code. :up:

This is the output:
<input type="hidden" name="securitytoken" value="">
If it read the value it would work fine.

-----------------

Okay, now I think it is working fine:
<input type="hidden" name="securitytoken" value="'.$vbulletin->userinfo[securitytoken].'" />

Output:
<input type="hidden" name="securitytoken" value="1427652798-6a37957adfc30da0463f00be052e3848a2225666">

Thanks brother, you provide good help here.
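As an added example (not code from this thread or from vBulletin), here is the same form built the way the fix above requires, with the session hash and security token concatenated into the string and HTML-escaped, plus the server-side check a plugin should run before writing to the database: reject a missing or empty token (the symptom seen in this thread) and compare the submitted token against the logged-in user's token in constant time. The functions render_gift_form() and token_is_valid() and the sample $userinfo and $sessionhash values are assumptions made for the example; $vbulletin->userinfo['securitytoken'] is the value the thread settled on.

```php
<?php
// Added example, not from the thread or from vBulletin.
// Assumed inputs: $userinfo mirrors $vbulletin->userinfo (with the
// 'securitytoken' key the thread uses); $sessionhash is the session hash
// the plugin passes along as the "s" field.

function render_gift_form(array $userinfo, string $sessionhash, int $giftid, int $giftpoints): string
{
    // Values placed in HTML attributes are escaped, and the token and
    // session hash are concatenated rather than left inside a single-quoted
    // literal, where PHP emits "$session[sessionhash]" as plain text.
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');

    return '<td class="alt2">'
        . '<form action="misc.php?do=points_usergift&amp;giftid=' . $giftid
        . '&amp;pointgift=' . $giftpoints . '" method="post">'
        . '<input type="hidden" name="s" value="' . $e($sessionhash) . '" />'
        . '<input type="hidden" name="securitytoken" value="' . $e($userinfo['securitytoken']) . '" />'
        . '<input type="hidden" name="do" value="points_usergift" />'
        . '<input type="submit" class="button" value="submit" />'
        . '</form></td>';
}

function token_is_valid(array $userinfo, array $post): bool
{
    // An empty or absent token (what the broken form produced) is rejected
    // outright; otherwise compare against the user's own token in constant time.
    if (empty($post['securitytoken']) || empty($userinfo['securitytoken'])) {
        return false;
    }
    return hash_equals((string) $userinfo['securitytoken'], (string) $post['securitytoken']);
}

// Constructed sample data standing in for vBulletin's runtime values.
$userinfo = [
    'userid'        => 42,
    'user_points'   => 500,
    'securitytoken' => '1427652798-' . str_repeat('a', 40), // shape only; not a real token
];
$sessionhash = str_repeat('b', 32);

echo render_gift_form($userinfo, $sessionhash, 7, 100), "\n";

// Simulated submissions: one carrying the user's token, one with the empty
// value the original single-quoted string produced.
var_dump(token_is_valid($userinfo, ['securitytoken' => $userinfo['securitytoken']]));
var_dump(token_is_valid($userinfo, ['securitytoken' => '']));
```

The rendered hidden field now carries the actual token value, and the handler refuses to insert anything when the submitted token is empty or differs from the user's, which is the same property vBulletin's own "security token was invalid" check enforces.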

kh99
03-29-2015, 06:33 PM
Oh, right, I should have remembered that $session and $bbuserinfo only work in templates.

omardealo
04-04-2015, 01:47 PM
Oh, right, I should have remembered that $session and $bbuserinfo only work in templates.

Yeah, me too. Thank you, my dear brother :up: