vb.org Archive - Why doesn't the GPC resolve "do" anymore for HTML form links in 3.7?

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)

- - Why doesn't the GPC resolve "do" anymore for HTML form links in 3.7? (https://vborg.vbsupport.ru/showthread.php?t=177466)

Why doesn't the GPC resolve "do" anymore for HTML form links in 3.7?

I tried asking this question in the 3.7 troubleshooting section and was shot down for asking a programming question. Is this a bug or is this a new design feature for 3.7?

We use "do" in links in HTML forms on our site. This used to be able to be pulled via the GPC class in 3.6.8 and prior, in 3.7 it does not work:

Sample HTML:

Code:

<?php

/*======================================================================*\

|| #################################################################### ||

|| #################################################################### ||

\*======================================================================*/

// ####################### SET PHP ENVIRONMENT ###########################

error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################

define('THIS_SCRIPT', 'testsubmit');

// ################### PRE-CACHE TEMPLATES AND DATA ######################

// get special phrase groups

$phrasegroups = array('fronthelp');

// get special data templates from the datastore

$specialtemplates = array();

// pre-cache templates used by all actions

$globaltemplates = array(

 'test_template'

);

// pre-cache templates used by specific actions

$actiontemplates = array();

// ######################### REQUIRE BACK-END ############################

require_once('./global.php');

 

$vbulletin->input->clean_array_gpc('r', array(

 'do' => TYPE_NOHTML,

 'myaction' => TYPE_NOHTML

));

$ot_do=$vbulletin->GPC['do'];

$ot_myaction = $vbulletin->GPC['myaction'];

echo "Do: $ot_do<br>";

echo "Request Do: " . $_REQUEST['do'] . "<br>";

echo "MyAction: $ot_myaction";

eval('print_output("' . fetch_template('test_template') . '");');

?>

Sample Template:

Code:

<form action="testsubmit.php?myaction=myactionval&do=testdoval" method="post">

   <input maxlength=255 name=mytextval size=60>

   <input type="submit" class="button" name="sbutton" value="Send"/>

</form>

What release candidate are you running?

Also, what is the output of your echo statements? This could possible be the result of the CSRF protocol...

I'm running release candidate 4.

If I submit the form by clicking the button I get (click on picture to make them readable):

https://vborg.vbsupport.ru/external/2008/04/10.jpg

If I copy the link from the above submitted form into another IE window and just hit "go" I get:

https://vborg.vbsupport.ru/external/2008/04/11.jpg

That's why it appears to be just the "do" variable and only if that variable is passed via an html form.

Scuzzy

Add this to the debug:

var_dump($vbulletin->GPC);

Submitted:

https://vborg.vbsupport.ru/external/2008/04/6.jpg

Cutting and pasting link into another window and hitting "go":

https://vborg.vbsupport.ru/external/2008/04/7.jpg

"do" doesn't appear in the array in the submitted form, but "myaction" does...

Scuzzy

--------------- Added [DATE]1209461230[/DATE] at [TIME]1209461230[/TIME] ---------------

I attempted to add the CSRF protection to this form to see if that was the problem.

New code:

Code:

<?php

/*======================================================================*\

|| #################################################################### ||

|| #################################################################### ||

\*======================================================================*/



// ####################### SET PHP ENVIRONMENT ###########################

error_reporting(E_ALL & ~E_NOTICE);



// #################### DEFINE IMPORTANT CONSTANTS #######################

define('THIS_SCRIPT', 'testsubmit');

define('CSRF_PROTECTION', true);  



// ################### PRE-CACHE TEMPLATES AND DATA ######################

// get special phrase groups

$phrasegroups = array('fronthelp');



// get special data templates from the datastore

$specialtemplates = array();



// pre-cache templates used by all actions

$globaltemplates = array(

        'test_template'



);



// pre-cache templates used by specific actions

$actiontemplates = array();



// ######################### REQUIRE BACK-END ############################

require_once('./global.php');





$vbulletin->input->clean_array_gpc('r', array(

        'do' => TYPE_NOHTML,

        'myaction' => TYPE_NOHTML

));



$ot_do=$vbulletin->GPC['do'];

$ot_myaction = $vbulletin->GPC['myaction'];



echo "Do: $ot_do<br>";

echo "Request Do: " . $_REQUEST['do'] . "<br>";

echo "MyAction: $ot_myaction";



echo "<br>**** GPC Var Dump ****<br>";

var_dump($vbulletin->GPC);

echo "<br>**********************<br>";



eval('print_output("' . fetch_template('test_template') . '");');



?>

New Template:

Code:

<form action="testsubmit.php?myaction=myactionval&do=testdoval" method="post">

   <input maxlength=255 name=mytextval size=60>

   <input type="submit" class="button" name="sbutton" value="Send"/>

<input type="hidden" name="s" value="$session[sessionhash]" />

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

</form>

I logged into my forum, then ran this script.

Before submit:
https://vborg.vbsupport.ru/external/2008/04/8.jpg

After submit:
https://vborg.vbsupport.ru/external/2008/04/9.jpg

Scuzzy

PHP Code:


		
			
$vbulletin->input->clean_array_gpc('r', array(
    'do' => TYPE_NOHTML,
    'myaction' => TYPE_NOHTML
));

If you submit it from a form, it is a POST variable, not a REQUEST, so try:

PHP Code:


		
			
$vbulletin->input->clean_array_gpc('p', array(
    'do' => TYPE_NOHTML,
    'myaction' => TYPE_NOHTML
));

Quote:

Originally Posted by Marco van Herwaarden (Post 1502155)

PHP Code:


		
			
$vbulletin->input->clean_array_gpc('r', array(

    'do' => TYPE_NOHTML,

    'myaction' => TYPE_NOHTML

));

If you submit it from a form, it is a POST variable, not a REQUEST, so try:

PHP Code:


		
			
$vbulletin->input->clean_array_gpc('p', array(

    'do' => TYPE_NOHTML,

    'myaction' => TYPE_NOHTML

));

I didn't do this because it's really being passed as a post variable, because it's part of the link itself. However, I'm willing to try anything. :) I did try this, and get the same results:

New Code:

Code:

<?php

/*======================================================================*\

|| #################################################################### ||

|| #################################################################### ||

\*======================================================================*/



// ####################### SET PHP ENVIRONMENT ###########################

error_reporting(E_ALL & ~E_NOTICE);



// #################### DEFINE IMPORTANT CONSTANTS #######################

define('THIS_SCRIPT', 'testsubmit');

define('CSRF_PROTECTION', true);  



// ################### PRE-CACHE TEMPLATES AND DATA ######################

// get special phrase groups

$phrasegroups = array('fronthelp');



// get special data templates from the datastore

$specialtemplates = array();



// pre-cache templates used by all actions

$globaltemplates = array(

        'test_template'



);



// pre-cache templates used by specific actions

$actiontemplates = array();



// ######################### REQUIRE BACK-END ############################

require_once('./global.php');





$vbulletin->input->clean_array_gpc('r', array(

        'do' => TYPE_NOHTML,

        'myaction' => TYPE_NOHTML

));







$ot_do=$vbulletin->GPC['do'];

$ot_myaction = $vbulletin->GPC['myaction'];





$vbulletin->input->clean_array_gpc('p', array(

        'do' => TYPE_NOHTML,

        'myaction' => TYPE_NOHTML

));





$ot_do2=$vbulletin->GPC['do'];

$ot_myaction2 = $vbulletin->GPC['myaction'];





echo "Do From R: $ot_do<br>";

echo "MyAction From R: $ot_myaction<br>";

echo "Do From P: $ot_do2<br>";

echo "MyAction From P: $ot_myaction2<br>";



echo "Request Do: " . $_REQUEST['do'] . "<br>";



echo "<br>**** GPC Var Dump ****<br>";

var_dump($vbulletin->GPC);

echo "<br>**********************<br>";



eval('print_output("' . fetch_template('test_template') . '");');



?>

Before submit:
https://vborg.vbsupport.ru/external/2008/04/4.jpg

After submit:
https://vborg.vbsupport.ru/external/2008/04/5.jpg

What seems really odd to me is that myaction shows up as a post variable.

I have discussed this issue with our developers and it seems that this might be due to a change made during the latest CSRF patch. We are now discussing how to prevent side effects like this.

Advice for now is to submit it as a hidden input variable and also send the sessionhash and securitytoken.

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (5)bbcode_code_printable (4)bbcode_php_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (8)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01024 seconds Memory Usage 1,764KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (5)bbcode_code_printable (4)bbcode_php_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (8)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: