vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions

#11, 02-25-2015, 01:11 PM
kh99 (Join Date: Aug 2009, Location: Maine, Posts: 13,185)

OK, then for the password check part you'd want something like:
PHP Code:
if ($_POST['do'] == 'confirmpassword')
{
    $vbulletin->input->clean_array_gpc('p', array(
        'currentpassword' => TYPE_STR
    ));
    if (md5(md5($vbulletin->GPC['currentpassword']).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password'])
    {
        exec_header_redirect('yes.php');
    }
    else
    {
        exec_header_redirect('no.php');
    }
}

I haven't studied the overall approach so I can't say this is going to work, but the password checking part should be close to correct.

BTW, I used clean_array_gpc above even though it's cleaning only one input (there is a function to do a single input) because I figure you might have other fields to check. If not, it doesn't really hurt anything.
#12, 02-25-2015, 01:29 PM
Dr.CustUmz (Join Date: Aug 2013, Location: USA, Posts: 647)

I've made some changes to the template:
HTML Code:
$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[bbtitle]</title>
$headinclude
</head>
<body>
$header
$navbar
<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=$vboptions[simpleversion]"></script>

<form action="ext.php?do=confirmpassword" method="post" onsubmit="hash_passwords(currentpassword, currentpassword_md5)">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="currentpassword_md5" />
<input type="password" class="bginput" name="currentpassword" size="50" maxlength="50" />
	<div style="margin-top:$stylevar[cellpadding]px">
		<input type="submit" class="button" value="$vbphrase[save_changes]" accesskey="s" />
	</div>
</form>

$footer
</body>
</html>
I'm not sure if that original script was of any significance (I removed it):
HTML Code:
<script type="text/javascript">
function hash_passwords(currentpassword, currentpassword_md5, newpassword, newpassword_md5, newpasswordconfirm, newpasswordconfirm_md5)
{
	var junk_output;
	md5hash(currentpassword, currentpassword_md5, junk_output, $show[nopasswordempty]);
	// do various checks
	if (newpassword.value != '')
	{
		md5hash(newpassword, newpassword_md5, junk_output, $show[nopasswordempty]);
	}
	if (newpasswordconfirm.value != '')
	{
		md5hash(newpasswordconfirm, newpasswordconfirm_md5, junk_output, $show[nopasswordempty]);
	}
}
</script>
And I cleaned up the ext.php:
Code:
<?php
error_reporting(E_ALL & ~E_NOTICE);
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext');
$globaltemplates = array('ext');
require_once('./global.php');
$navbits[$parent] = 'Ext Page';
$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');

if ($_POST['do'] == 'confirmpassword') {
    $vbulletin->input->clean_array_gpc('p', array(
        'currentpassword' => TYPE_STR
    ));
    if (md5(md5($vbulletin->GPC['currentpassword']).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password']) {
        exec_header_redirect('yes.php');
    }
    else {
        exec_header_redirect('no.php');
    }
}
?>
The end result is still leaving me puzzled and only redirecting my URL to the POST:
Quote:
ext.php?do=confirmpassword
No errors in the console, nor any I am seeing =/
#13, 02-25-2015, 01:35 PM
kh99

Oh, OK, the line that starts eval('print_output... is going to end the script (after outputting the template). You should probably move everything between require_once('./global.php'); and if ($_POST['do'] == 'confirmpassword'){ to the end of the script, since you don't need to output anything if the user gets redirected.
#14, 02-25-2015, 01:44 PM
Dr.CustUmz

PHP Code:
<?php
error_reporting(E_ALL & ~E_NOTICE);
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext');
$globaltemplates = array('ext');
require_once('./global.php');

if ($_POST['do'] == 'confirmpassword') {
    $vbulletin->input->clean_array_gpc('p', array(
        'currentpassword' => TYPE_STR
    ));
    if (md5(md5($vbulletin->GPC['currentpassword']).$vbulletin->userinfo['salt']) == $vbulletin->userinfo['password']) {
        exec_header_redirect('yes.php');
    }
    else {
        exec_header_redirect('no.php');
    }
}

$navbits[$parent] = 'Ext Page';
$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');
Made no difference =/
#15, 02-25-2015, 01:47 PM
kh99

Hmm...ok, I think you either need to make 'do' a hidden input field, or else change the 'if' in your script to check $_GET['do'] instead of POST.
#16, 02-25-2015, 01:57 PM
Dr.CustUmz

AND THE _GET won it, lol. I didn't even bother trying that because _GET is deprecated code; I was trying 10000000 different things along with your suggestions along the way, but I guess since this is all older code it makes sense that that worked =)

Just when I was going to tell you to click the 2nd URL in my sig too, lol; it shows you my screen.

--------------- Added in a later edit ---------------

But now that it works, I can't help but realize how vulnerable it is. Like I said before, what's to stop me from just navigating to another directory? =/

--------------- Added in a later edit ---------------

Also, thank you Kevin again. You've helped me out quite a bit lately and I truly appreciate it.
#17, 02-25-2015, 02:09 PM
kh99

Quote:
Originally Posted by Dr.CustUmz
AND THE _GET won it, lol. I didn't even bother trying that because _GET is deprecated code; I was trying 10000000 different things along with your suggestions along the way, but I guess since this is all older code it makes sense that that worked =)
Is it deprecated? I don't keep up on that stuff, but after I read your post I googled it and didn't find anything about that. I did find some mention of having all those globals deprecated in php 6. In any case, like I mentioned above you could use <input type="hidden" name="do" value="confirmpassword"> in your form, then go back to checking $_POST['do'].

Quote:
But now that it works, I can't help but realize how vulnerable it is. Like I said before, what's to stop me from just navigating to another directory? =/
I was wondering about that. You'd need something to check on every page if they are 'idle'. Maybe you could save that in the database somewhere (like add a column to the session table) and put some code on one of the global hooks to check it. But I've only thought about it for like 30 seconds, so I'm not sure.
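Putting kh99's two fixes together (a hidden do field so $_POST['do'] works, and template output only after the redirect decision), as an added example that is not code from the thread: it also verifies the form's securitytoken, accepts the currentpassword_md5 value that the template's vbulletin_md5.js onsubmit fills in, and compares hashes in constant time. It assumes vBulletin 3.8's verify_security_token() and $vbulletin->userinfo['securitytoken_raw'], and PHP 5.6+ for hash_equals().

```php
<?php
// Added example, not code from the thread: ext.php's confirmpassword handler with
// the fixes kh99 suggests (hidden "do" field so $_POST['do'] works; template output
// only after the redirect decision) plus the checks a reviewer would ask for.
// Assumes vBulletin 3.8 globals (exec_header_redirect, verify_security_token,
// TYPE_STR, $vbulletin->userinfo['securitytoken_raw']), PHP 5.6+ for hash_equals(),
// and that vbulletin_md5.js fills currentpassword_md5 as the template's onsubmit intends.
error_reporting(E_ALL & ~E_NOTICE);
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'ext');
$globaltemplates = array('ext');
require_once('./global.php');

// Template needs: <input type="hidden" name="do" value="confirmpassword" />
if ($_POST['do'] == 'confirmpassword')
{
	$vbulletin->input->clean_array_gpc('p', array(
		'currentpassword'     => TYPE_STR,
		'currentpassword_md5' => TYPE_STR,
		'securitytoken'       => TYPE_STR,
	));
	// Guests have no salt or hash to compare against; a form posted from another
	// site carries the wrong security token. exec_header_redirect() exits.
	if (!$vbulletin->userinfo['userid']
		OR !verify_security_token($vbulletin->GPC['securitytoken'], $vbulletin->userinfo['securitytoken_raw']))
	{
		exec_header_redirect('no.php');
	}
	// vbulletin_md5.js posts md5(password) in currentpassword_md5; with JS off the
	// plaintext arrives instead, so derive the same value server-side.
	$md5pw = $vbulletin->GPC['currentpassword_md5'];
	if (!preg_match('#^[a-f0-9]{32}$#', $md5pw))
	{
		$md5pw = md5($vbulletin->GPC['currentpassword']);
	}
	// vB3 stores md5(md5(password) . salt); compare in constant time.
	$candidate = md5($md5pw . $vbulletin->userinfo['salt']);
	if (hash_equals($vbulletin->userinfo['password'], $candidate))
	{
		exec_header_redirect('yes.php');
	}
	exec_header_redirect('no.php');
}

// Reached only when nothing redirected; print_output() ends the script here.
$navbits[$parent] = 'Ext Page';
$navbits = construct_navbits($navbits);
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('ext') . '");');
```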
#18, 02-25-2015, 02:17 PM
Dr.CustUmz

http://php.net/manual/en/reserved.variables.get.php I read that wrong (my bad), lol.

And wouldn't local storage or a cookie work for keeping them on that page (redirect to that page no matter what) until the password was confirmed?

Or would it have to be SQL based?

--------------- Added in a later edit ---------------

And I have an idle timer I created for this already; would it be possible to modify a table (0,1 maybe) using this timer?
Code:
var idleTime = 0;   // seconds since the last mouse/key event
$(document).ready(function () {
	startIdle();    // defined elsewhere in the poster's script (not shown)
	// timerIncrement() (not shown) is assumed to count idleTime up once a second
	var idleInterval = setInterval(timerIncrement, 1000);
	$(document).bind("mousemove keypress", function () {
		idleTime = 0;
	});
});
The timer would set the table to 1 and entering the password back to 0?

--------------- Added in a later edit ---------------

I think I'm on to something with this http://www.9lessons.info/2011/03/liv...-and-ajax.html
#19, 02-25-2015, 02:26 PM
kh99

Quote:
Originally Posted by Dr.CustUmz
Oh, yeah, I can see how you could make that mistake.


Quote:
And wouldn't local storage or a cookie work for keeping them on that page (redirect to that page no matter what) until the password was confirmed?

Or would it have to be SQL based?
You could use a cookie, but people can disable cookies, or delete or fake the value of cookies, so it depends on how secure you need it to be.

Quote:
And I have an idle timer I created for this already; would it be possible to modify a table (0,1 maybe) using this timer?
Code:
var idleTime = 0;   // seconds since the last mouse/key event
$(document).ready(function () {
	startIdle();    // defined elsewhere in the poster's script (not shown)
	// timerIncrement() (not shown) is assumed to count idleTime up once a second
	var idleInterval = setInterval(timerIncrement, 1000);
	$(document).bind("mousemove keypress", function () {
		idleTime = 0;
	});
});
The timer would set the table to 1 and entering the password back to 0?

You'd have to connect to the server when the timer ran out, to a script that did whatever you needed to do to put them in idle mode (unless you go the cookie route, in which case I believe you can write one with js). You could just load a new page when the timer ran out, I think that's easy enough to do.
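The server-side half of the idle lock kh99 sketches, as an added example that is not code from the thread: the timer's expiry loads a lock URL, a plugin on the global_start hook refuses every page but ext.php while the flag is set, and a successful password check clears it. It keys the flag on the user rather than on the session row kh99 mentions, because a fresh session (a new sessionhash created from the remember-me cookie) would otherwise start unlocked. The idlelocked column and ext_set_idle_lock() are names made up here; the rest assumes vBulletin 3.8 globals.

```php
<?php
// Added example, not code from the thread: the server-side half of the idle lock
// that kh99 describes, keyed on the user rather than the session row so a fresh
// session (new sessionhash from a "remember me" cookie) does not start unlocked.
// Assumes a column added once, outside this script:
//   ALTER TABLE <prefix>user ADD idlelocked TINYINT UNSIGNED NOT NULL DEFAULT 0
// and vBulletin 3.8 globals: $vbulletin->db, $vbulletin->userinfo (loaded with
// user.*), TABLE_PREFIX, THIS_SCRIPT, exec_header_redirect(). The column name
// and ext_set_idle_lock() are invented here.

function ext_set_idle_lock($vbulletin, $locked)
{
	$vbulletin->db->query_write("
		UPDATE " . TABLE_PREFIX . "user
		SET idlelocked = " . ($locked ? 1 : 0) . "
		WHERE userid = " . intval($vbulletin->userinfo['userid'])
	);
}

// --- in ext.php, after require_once('./global.php') ---
// The page's JS timer should load ext.php?do=lock once idleTime passes the limit;
// only this server-side flag counts, so a cleared or edited cookie changes nothing.
if ($_GET['do'] == 'lock' AND $vbulletin->userinfo['userid'])
{
	ext_set_idle_lock($vbulletin, true);
	// then fall through and print the confirm-password template
}
// In the confirmpassword branch, once the hash check succeeds:
//   ext_set_idle_lock($vbulletin, false);
//   exec_header_redirect('yes.php');

// --- plugin on hook global_start (runs on every page once userinfo is loaded) ---
// A locked user can reach nothing except ext.php itself, whatever URL is typed.
if ($vbulletin->userinfo['idlelocked'] AND THIS_SCRIPT != 'ext')
{
	exec_header_redirect('ext.php');
}
```

Because the check runs on the global hook rather than in one page, "just navigating to another directory" lands on the same redirect; the only way out is the password form.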
#20, 02-25-2015, 02:35 PM
Dr.CustUmz

I think I'm going to go the SQL route; this isn't a product for me personally, just some extra security to add to your forum.

It's a little scary route because I'm a beginner in real PHP, lol; vB template PHP doesn't really count, and messing with tables is also new to me, although I've done a little before. But I think I can get most of it, and I'm sure what I can't figure out I'll get resolved one way or another; got this great community and that one Kevin guy who's pretty awesome =)