vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)
-   -   CSRF vb4.0.3 (https://vborg.vbsupport.ru/showthread.php?t=241276)

bpr 04-26-2010 12:28 AM

CSRF vb4.0.3
 
Hi guys,
I am actually working on a little mod and I need to send a POST to write something in the database.
However, I get a message about a security token and whatnot. I assume that is meant to be the CSRF.

I was looking for it on Google and here and, of course, I couldn't find anything apart from an old article from 2008.
Code:

$bbuserinfo[securitytoken]
This is obviously not working. How can I get the security token into my template?

This is not working either:
{vb:raw bbuserinfo.securitytoken}

What can I do in my template to get this security token?

Please help me with the .... : )


All the best,
Paul aka bpr

Lynne 04-26-2010 03:12 AM

{vb:raw bbuserinfo.securitytoken} should work if used in most templates. But, it's really hard to tell when you haven't posted any code or template name at all.

Deceptor 04-26-2010 02:08 PM

Has the security token been assigned to the correct hidden input? All user-end forms should really just have this within the <form> tags:
Code:

<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />

It's what I use on several vB4 modifications and it works just fine :)

bpr 04-28-2010 01:36 AM

Hi guys,
Thanks for the response. Well, you are right, I should have posted some code. Well, here we go: I have a template called todo_add_item.

Just to explain what I am developing at the moment:
Admins and Supermods are able to add / edit / disable / finish items on a todo list. This todo list is for the team members of my board, who can all read the list of todos.

I was solving the problem in a bad way. Because I am using Ajax with jQuery all over the website and in my development sites, I was making the security hash global in the header file. I was doing this by adding one mod which hides all the version numbers. Anyway, I did use that one in my JS code, which doesn't change the fact that I cannot use {vb:raw session.sessionhash} in templates.

Do I have to register anything in the PHP files? I mean, I was trying to add it to a navbar, which I learned by following the instructions at https://vborg.vbsupport.ru/showthread.php?t=228313, but there I couldn't use this raw var either.
On the other hand, my PHP code looks identical to the test.php page which you can find here:
https://vborg.vbsupport.ru/showthread.php?t=228112
apart from the fact that I am not calling my template test or whatever.

HTML Code:

<script type="text/javascript">
    // Collects the form values and POSTs them to todo.php together with the
    // vBulletin security token and session hash read from the hidden inputs below.
    function addTodoItem()
    {
        var form = $('#todoAddForm');
        var token = form.find('input[name="securitytoken"]').val();
        // Fall back to the page-wide SECURITYTOKEN global if the hidden input is empty.
        if (!token && typeof SECURITYTOKEN !== 'undefined') {
            token = SECURITYTOKEN;
        }
        var params = {
            title: $('#todoTitle').val(),
            description: $('#todoDescription').val(),
            squad: $('#todoSquad').val(),
            status: $('#todoStatus').val(),
            priority: $('#todoPriority').val(),
            'do': 'add',
            securitytoken: token,
            s: form.find('input[name="s"]').val()
        };
        $.ajax({
            type: "POST",
            url: "/todo.php",
            // jQuery URL-encodes the object, so a title containing '&' or '='
            // no longer corrupts the query string the way manual concatenation did.
            data: params,
            success: function(msg){
              $('#todomsg').html('<span class="tok">Done</span>');
            }
          });
    }
</script>

<div class="todo" id="todoAddItem">
    <div id="todomsg"></div>
        <form id="todoAddForm">
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
            <ul>
                <li><label for="todoTitle">Title</label></li>
                <li><input type="text" id="todoTitle" name="todoTitle" /></li>
                <li><label for="todoDescription">Description</label></li>
                <li><textarea name="todoDescription" id="todoDescription"></textarea></li>
                <li><label for="todoSquad">Squad</label></li>
                <li>
                    <select id="todoSquad" name="todoSquad">
                        <option value="1">Alpha</option>
                        <option value="2">Cobra</option>
                        <option value="3">Delta</option>
                        <option value="4">Eclipse</option>
                        <option value="5">Exodus</option>
                        <option value="6">Delibos</option>
                    </select>
                </li>
                <li><label for="todoStatus">Status</label></li>
                <li>
                    <select id="todoStatus" name="todoStatus">
                        <option value="3">In progress</option>
                        <option value="2">Not started</option>
                        <option value="1">Completed</option>
                    </select>
                </li>
                <li><label for="todoPriority">Priority</label></li>
                <li>
                    <select id="todoPriority" name="todoPriority">
                        <option value="1">Very high</option>
                        <option value="2">High</option>
                        <option value="3">Medium</option>
                        <option value="4">Low</option>
                    </select>
                </li>
            </ul>
            <!-- type="button" keeps the browser from submitting the form itself; the Ajax call does the POST -->
            <button type="button" id="submitButton" onclick="addTodoItem();">Add</button>
        </form>
        <div class="mty"></div>
</div>

Thanks for helping guys.

