Hello everyone, I am currently trying to use a form to submit an image URL to a database table I created. Then I would use this image URL to print the images with a separate script. The script I am using to submit the image URL is the following: (filename: nominate.php)
PHP Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<basefont face="Arial">
</head>
<body>
<?php
require_once('./global.php');
define('CSRF_PROTECTION', true);
if (!isset($_POST['submit'])) {
// form not submitted
?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
Image URL to Nominate: <input type="text" name="imgurl">
<input type="submit" name="submit">
</form>
<?php
// global.php was already required and CSRF_PROTECTION already defined above;
// repeating them here only raises a "constant already defined" notice.
}
else {
// form submitted
// set server access variables
$host = "localhost";
$user = "xxxxx";
$pass = "xxxxx";
$db = "xxxxx";
// get form input
// check to make sure it's all there
// escape input values for greater safety
$imgurl = empty($_POST['imgurl']) ? die ("ERROR: Enter a imgurl") : mysql_escape_string($_POST['imgurl']);
// open connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");
// select database
mysql_select_db($db) or die ("Unable to select database!");
// create query
$query = "INSERT INTO oftw_nominations (imgurl) VALUES ('$imgurl')";
// execute query
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
// print message with ID of inserted record
echo "New image Nominated!";
// close connection
mysql_close($connection);
}
?>
This works fine and submits the image URL into the database table I specified (I can verify this by going into phpMyAdmin) if I just go to the PHP file from the URL itself like so:
http://mysite.com/nominate.php
Although when I try to use this PHP file in a plug-in, then call the plug-in in one of my custom templates, it shows perfectly, but when submitting it gives me this error:
Quote:
Your submission could not be processed because a security token was invalid.
If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
This is the plug-in I am using to call the script.
PHP Code:
ob_start();
require_once('nominate.php');
$oftw_nominate = ob_get_contents();
ob_end_clean();
vB_Template::preRegister('OFTW_NOMINATIONS',array('oftw_nominate' => $oftw_nominate));
Then use the following to insert it into my OFTW_NOMINATIONS template:
Code:
{vb:raw oftw_nominate}
But when I submit the URL I get the security token error...
If anyone has ANY ideas or any info, please let us know. I would appreciate anyone's feedback as I am stumped so far and can't get past this error. Thank you for your time.
P.S.: The script I am using to print the nominations is:
PHP Code:
<?php
require_once('./global.php');
$result = $db->query_read("SELECT * FROM oftw_nominations");
if (mysql_num_rows($result) > 0) {
// yes
// print them one after another
echo "<table cellpadding=10 border=1>";
while($row = mysql_fetch_row($result)) {
echo "<tr>";
echo "<td><center><img src =".$row[1]."></center></td>";
echo "</tr>";
}
echo "</table>";
}
else {
// no
// print status message
echo "No rows found!";
}
?>
Which works perfectly when called via plug-in and using vb:raw in the template. I just need help with the security token issue upon submission in nominate.php.
--------------- Added 2011-07-07 (Unix timestamp 1310047305) ---------------
OK, got it... I think. This is what I did. I took the form out of the PHP file and placed it in the template like so:
HTML Code:
<form action="nominate.php" method="post">
Image URL to Nominate: <input type="text" name="imgurl">
<input type="submit" name="submit">
</form>
And I am using this to write the URL into the database:
PHP Code:
<?php
require_once('./global.php');
define('CSRF_PROTECTION', true);
if (!isset($_POST['submit'])) {
// form not submitted
}
else {
// form submitted
// get form input
// check to make sure it's all there
// escape input values for greater safety
$imgurl = empty($_POST['imgurl']) ? die ("ERROR: Enter a imgurl") : mysql_escape_string($_POST['imgurl']);
// create query
$db->query_write("INSERT INTO oftw_nominations (imgurl) VALUES ('$imgurl')");
// print message with ID of inserted record
echo "New image Nominated!";
header( "refresh:2; url=http://development.aniworlds.net/oftw_nominations.php" );
// no mysql_close() here: $connection is never defined in this script, and
// the $db connection from global.php is closed by vBulletin itself
}
?>
And this to print them in the same template:
PHP Code:
<?php
require_once('./global.php');
$result = $db->query_read("SELECT * FROM oftw_nominations");
if (mysql_num_rows($result) > 0) {
// yes
// print them one after another
echo "<table cellpadding=10 border=1>";
while($row = mysql_fetch_row($result)) {
echo "<tr>";
echo "<td><center><img src =".$row[1]."></center></td>";
echo "</tr>";
}
echo "</table>";
}
else {
// no
// print status message
echo "No rows found!";
}
?>
It all works PERFECTLY. The question is: is this OK? I mean, is this the RIGHT way to do what I want to do?? It works perfectly, I just want to make sure I don't have any vulnerabilities.
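Added example, not the poster's code: a hardened version of the second nominate.php plus its listing. It assumes vBulletin 4's $db object (query_write, query_read, escape_string, fetch_array, num_rows) and that the template form carries the hidden securitytoken field from the first post's form, since CSRF_PROTECTION only takes effect when defined before global.php is included; the input is restricted to http(s) URLs and the stored value is HTML-escaped on output, and the helper name oftw_clean_image_url is made up here.

```php
<?php
// Added example (not the poster's code). Assumes vBulletin 4's $db object and a
// template form that includes <input type="hidden" name="securitytoken"
// value="{vb:raw bbuserinfo.securitytoken}" /> alongside name="imgurl" and name="submit".

// CSRF_PROTECTION must be defined BEFORE global.php is included, otherwise
// global.php never compares $_POST['securitytoken'] with the user's token.
define('CSRF_PROTECTION', true);
require_once('./global.php');

// Hypothetical helper: accept only absolute http(s) URLs of sane length, so
// arbitrary text never reaches the SQL statement or the rendered <img> tag.
function oftw_clean_image_url($raw)
{
    $url = trim((string) $raw);
    if (strlen($url) > 2000 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, array('http', 'https'), true) ? $url : false;
}

if (isset($_POST['submit'])) {
    $imgurl = oftw_clean_image_url(isset($_POST['imgurl']) ? $_POST['imgurl'] : '');
    if ($imgurl === false) {
        echo 'ERROR: Enter a valid http(s) image URL';
    } else {
        // Escape with vBulletin's connection-aware escaper instead of the
        // deprecated mysql_escape_string(); the value is still quoted in the SQL.
        $db->query_write("INSERT INTO oftw_nominations (imgurl) VALUES ('"
            . $db->escape_string($imgurl) . "')");
        echo 'New image Nominated!';
    }
}

// Listing: select the column by name rather than relying on $row[1], and
// HTML-escape it on output so quotes or angle brackets stored in the table
// cannot break out of the src attribute and become markup.
$result = $db->query_read("SELECT imgurl FROM oftw_nominations");
if ($db->num_rows($result) > 0) {
    echo '<table cellpadding="10" border="1">';
    while ($row = $db->fetch_array($result)) {
        $safe = htmlspecialchars($row['imgurl'], ENT_QUOTES, 'UTF-8');
        echo '<tr><td><img src="' . $safe . '" alt="nominated image" /></td></tr>';
    }
    echo '</table>';
} else {
    echo 'No rows found!';
}
```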