The Arcive of Official vBulletin Modifications Site.

drpeppper · #1 12-11-2010, 10:39 AM

I have set up a dynamic PHP page that includes a custom form like this from which I want to use the input field's value for a database query search:

Code:

$search_output .= '<form name="medal_search" action="' . $searchURL . '" method="post">';
  $search_output .= '<label for="medal_search_player">Spieler suchen (Name oder SteamID eingeben):</label>';
  $search_output .= '<input name="medal_search_player" type="text" value="' . $playerSearchString . '" />';
  $search_output .= '<input id="medal_search_token" name="securitytoken" value="' . vb::$vbulletin->userinfo[securitytoken] . '" type="hidden" />';
  $search_output .= '<input name="do" value="process" type="hidden" />';
$search_output .= '<input type="submit" value="Suchen..." />';  
  $search_output .= '</form>';

I pretty soon realised that $_POST and $_GET are not working so I tried using this which works but always gives me an empty variable inside the dynamic PHP:

Code:

vB::$vbulletin->input->clean_gpc('p', 'medal_search_player', TYPE_STR);

When I move this line of code into a new plugin it works though. So here's the code from the plugin I created:

Code:

$medalStatsSearchVars = array(
  'medal_search_player' => vB::$vbulletin->input->clean_gpc('p', 'medal_search_player', TYPE_STR),
  'name' => vB::$vbulletin->input->clean_gpc('g', 'name', TYPE_STR),
  'steamid' => vB::$vbulletin->input->clean_gpc('g', 'steamid', TYPE_STR)
);

vB_Template::preRegister('vbcms_content_phpeval_page', array('medalStatsSearchVars' => $medalStatsSearchVars));
echo $medalStatsSearchVars['medal_search_player'] . '|' . $medalStatsSearchVars['name'];

... the echo is just for testing and it correctly displays the value but it's still not working inside the dynamic PHP page no matter how I try to access it. Note that I preregistered the variable for the template that is used by dynamic PHP content. I've tried to use it with the following hooks: vbcms_phpeval_populate_start, global_start, init_startup (this last one crashes the whole system) but I just can't get it to display the variable inside the dynamic PHP content. I've tried this but the vars are always empty:

Code:

$medalStatsSearchVars['medal_search_player']
$vbulletin->GPC['medal_search_player']

This is really frustrating and I hope someone can point me into the right direction with this problem here.

Andreas · #2 12-11-2010, 11:01 AM

First of all:
Never use strings from user input in output directly -> Cross Site Scripting.

What's in the twmplate (vbcms_content_phpeval_page) you are trying to output?

It needs to be smth. like

Code:

Player Name: {vb:raw medalStatsSearchVars.medal_search_player}

drpeppper · #3 12-11-2010, 03:45 PM

Quote:

Originally Posted by Andreas

First of all:
Never use strings from user input in output directly -> Cross Site Scripting.

What's in the twmplate (vbcms_content_phpeval_page) you are trying to output?

It needs to be smth. like

Code:

Player Name: {vb:raw medalStatsSearchVars.medal_search_player}

Thanks for your answer. I'm not using the user input directly and that template is a default vB4 template used for dynamic PHP content. I had no intention to change said template but I guess I might have to create a new one based on it.

To make this situation more clear: I created a new article and selected dynamic PHP content which uses said template, then I pasted my PHP code into that article and that's where I want to use the variables. The code format that you posted is only usable in a HTML template if I'm not mistaken?

Andreas · #4 12-26-2010, 05:59 AM

Quote:

Thanks for your answer. I'm not using the user input directly

You do:

PHP Code:


			
$medalStatsSearchVars = array(
  'medal_search_player' => vB::$vbulletin->input->clean_gpc('p', 'medal_search_player', TYPE_STR),
  'name' => vB::$vbulletin->input->clean_gpc('g', 'name', TYPE_STR),
  'steamid' => vB::$vbulletin->input->clean_gpc('g', 'steamid', TYPE_STR)
);

vB_Template::preRegister('vbcms_content_phpeval_page', array('medalStatsSearchVars' => $medalStatsSearchVars));
echo $medalStatsSearchVars['medal_search_player'] . '|' . $medalStatsS

With this code you end up with having direct user input available in template variable $medalStatsSearchVars['medal_search_player'], $medalStatsSearchVars['name'] and $medalStatsSearchVars['steamid'].

You can't put any custom variables into template vbcms_content_phpeval_page without customizign it (or creating a new one).

The only variable that is their for your ot use is $outut:

PHP Code:


			
/**The php code goes here. It can have as much php as you like,
but it should end with setting the variable $output.
e.g.
$something = $somefunction();
$something2 = $somefunction2();
...
**/
$output = "Hello World<br />";

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.07583 seconds Memory Usage 2,212KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (6)bbcode_code (2)bbcode_php (2)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (4)post_thanks_box (4)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (4)post_thanks_postbit_info (4)postbit (4)postbit_onlinestatus (4)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!