vb.org Archive - Using vb:raw in templates

Page 2 of 2

Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)

- - Using vb:raw in templates (https://vborg.vbsupport.ru/showthread.php?t=313961)

Scanu

08-30-2014 01:50 PM

PHP Code:


		
			
$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);
$do = $vbulletin->GPC['do'];
if (!isset($do))
$do = 1; //default value

if ($do == 1) {

}
if ($do == 2) {

}
if ($do == 3) {

}
if ($do == 4) {

}

cellarius

08-30-2014 02:22 PM

Quote:

Originally Posted by Black Snow (Post 2513117)

Your link doesn't show how to use $vbulletin->input->clean_array_gpc when requesting a page. Could you show me an example?

Of course it does.

Quote:

Cleaning Superglobal Arrays

By Superglobal, I mean $_POST, $_GET, $_REQUEST and so on. These arrays are created automaticly by PHP and contain the user-sent input. They are referenced in the vBulletin Input Cleaner by nice short single letter names. These are:
p - $_POST
g - $_GET
r - $_REQUEST
s - $_SERVER
e - $_ENV
c - $_COOKIE
f - $_FILES

and so on.

Black Snow

09-01-2014 10:53 AM

Quote:

Originally Posted by Scanu (Post 2513125)

PHP Code:


		
			
$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);
$do = $vbulletin->GPC['do'];
if (!isset($do))
$do = 1; //default value

if ($do == 1) {

}
if ($do == 2) {

}
if ($do == 3) {

}
if ($do == 4) {

}

Thanks for the example. Makes me understand more now.

--------------- Added [DATE]1409646066[/DATE] at [TIME]1409646066[/TIME] ---------------

Quote:

Originally Posted by Scanu (Post 2513125)

PHP Code:


		
			
$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);
$do = $vbulletin->GPC['do'];
if (!isset($do))
$do = 1; //default value

if ($do == 1) {

}
if ($do == 2) {

}
if ($do == 3) {

}
if ($do == 4) {

}

I tried doing this but it won't work if I access the info.php page without the query on the end of the URL:

Code:

$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

$do = $vbulletin->GPC['do'];

if (!isset($do))

//default value

$do = "siterules";





//Use as http:/site.com/info.php?do=siterules

if ($do == "siterules") {

$pagetitle = 'General Site Rules';

$templater = vB_Template::create('siterules');

$templater->register_page_templates();

$templater->register('navbar', $navbar);

$templater->register('pagetitle', $pagetitle);

$templater->register('custom_nav', $custom_nav);

print_output($templater->render());

exit;

}

Scanu

09-02-2014 12:11 PM

Quote:

Originally Posted by Black Snow (Post 2513340)

Thanks for the example. Makes me understand more now.

--------------- Added [DATE]1409646066[/DATE] at [TIME]1409646066[/TIME] ---------------

I tried doing this but it won't work if I access the info.php page without the query on the end of the URL:

Code:

$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

$do = $vbulletin->GPC['do'];

if (!isset($do))

//default value

$do = "siterules";





//Use as http:/site.com/info.php?do=siterules

if ($do == "siterules") {

$pagetitle = 'General Site Rules';

$templater = vB_Template::create('siterules');

$templater->register_page_templates();

$templater->register('navbar', $navbar);

$templater->register('pagetitle', $pagetitle);

$templater->register('custom_nav', $custom_nav);

print_output($templater->render());

exit;

}

Try replacing this

PHP Code:


		
			
$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

$do = $vbulletin->GPC['do'];

if (!isset($do))

//default value

$do = "siterules";

With this

PHP Code:


		
			
if (!isset($_REQUEST['do'])

$_REQUEST['do'] = 'siterules';

$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

$do = $vbulletin->GPC['do'];

Black Snow

09-02-2014 12:45 PM

Quote:

Originally Posted by Scanu (Post 2513469)

Try replacing this

PHP Code:


		
			
$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

$do = $vbulletin->GPC['do'];

if (!isset($do))

//default value

$do = "siterules";

With this

PHP Code:


		
			
if (!isset($_REQUEST['do'])

$_REQUEST['do'] = 'siterules';

$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

$do = $vbulletin->GPC['do'];

Thanks for helping. I still get a blank page.

Scanu

09-02-2014 01:13 PM

I can't see anything wrong now, and I don't have time right now to test it
Maybe this code could make a difference

PHP Code:


		
			
[PHP]
$vbulletin->input->clean_gpc('r', 'do', TYPE_STR); 
$do = $vbulletin->GPC['do'];
if (!isset($_REQUEST['do']) 
$do = 'siterules';

[/PHP]

kh99	09-02-2014 01:16 PM

There is a $vbulletin->GPC_exists[] array, so you could try this:

Code:

$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

if ($vbulletin->GPC_exists['do'])

   $do = $vbulletin->GPC['do'];

else

   $do = "siterules";



// etc

Another thing you could do is just make 'siterules' the default 'else':

Code:

$vbulletin->input->clean_gpc('r', 'do', TYPE_STR);

$do = $vbulletin->GPC['do'];



if ($do == 'something')

{

 // something

}

else if ($do == 'somethingelse')

{

// something else

}

else // default to siterules

{

  // siterules

}

BTW, I'm not a php expert so I'm not going to argue with what's correct and what's "evil", but I would say that there was nothing actually wrong with what you originally had (as far as introducing vulnerabilities), and in fact the vb scripts do it that way (just for the 'do' variable).

All times are GMT. The time now is 09:52 PM.

Page 2 of 2

Show 40 post(s) from this thread on one page

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01054 seconds Memory Usage 1,772KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (4)bbcode_code_printable (8)bbcode_php_printable (6)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (7)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: