Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 Programming Discussions
FAQ Community Calendar Today's Posts Search

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 07-07-2011, 03:46 AM
EquinoxWorld EquinoxWorld is offline
 
Join Date: Nov 2009
Location: Naples
Posts: 354
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Custom Form in Custom Page - Security Token Missing Error - Help

Hello everyone I am currently trying to use a form to submit a image url to a database table I created. Then I would use this image url to print the images with a separate script. The script I am using to submit the image URL is the following: (filename: nominate.php)

PHP Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> 
<basefont face="Arial"> 
</head> 
<body> 

<?php 
require_once('./global.php');

define('CSRF_PROTECTION'true);

if (!isset(
$_POST['submit'])) { 
// form not submitted 
?> 
    <form action="<?=$_SERVER['PHP_SELF']?>" method="post"> 
    <input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
    <input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
    Image URL to Nominate: <input type="text" name="imgurl"> 
    <input type="submit" name="submit">
    </form> 

<?php 
require_once('./global.php');

define('CSRF_PROTECTION'true);

else { 
// form submitted 
// set server access variables 
    
$host "localhost"
    
$user "xxxxx"
    
$pass "xxxxx"
    
$db "xxxxx"
     
// get form input 
    // check to make sure it's all there 
    // escape input values for greater safety 
    
$imgurl = empty($_POST['imgurl']) ? die ("ERROR: Enter a imgurl") : mysql_escape_string($_POST['imgurl']);

    
// open connection 
    
$connection mysql_connect($host$user$pass) or die ("Unable to connect!"); 
     
    
// select database 
    
mysql_select_db($db) or die ("Unable to select database!"); 
     
    
// create query 
    
$query "INSERT INTO oftw_nominations (imgurl) VALUES ('$imgurl')"
     
    
// execute query 
    
$result mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
     
    
// print message with ID of inserted record 
    
echo "New image Nominated!"
     
    
// close connection 
    
mysql_close($connection); 

?>
This works fine and submits the image URL into my database table I specified( I can verify this going into phpmyadmin) if I just go to the php file from the URL itself like so:

http://mysite.com/nominate.php

Although when I try to use this php file in a plug in then calling the plug in in one of my custom template it shows perfectly but when submitting it gives me this error:

Quote:
Your submission could not be processed because a security token was invalid.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
This is the plug i I am using to call the script.
PHP Code:
ob_start();
  require_once(
'nominate.php');
  
$oftw_nominate ob_get_contents();
ob_end_clean();
vB_Template::preRegister('OFTW_NOMINATIONS',array('oftw_nominate' => $oftw_nominate)); 
Then use the following to insert it into my OFTW_NOMINATIONS template:

Code:
{vb:raw oftw_nominate}
But when I submit the URL I get the security token error...

If anyone has ANY ideas or any info please let us know. I would appreciate anyone's feedback as I am stumped so far and can't get passed this error. Thank you for your time.

P.S.: The script I am using to print the nominations is:

PHP Code:
<?php 
require_once('./global.php');

$result $db->query_read("SELECT * FROM oftw_nominations"); 

if (
mysql_num_rows($result) > 0) { 
    
// yes 
    // print them one after another 
    
echo "<table cellpadding=10 border=1>"
    while(
$row mysql_fetch_row($result)) { 
        echo 
"<tr>"
        echo 
"<td><center><img src =".$row[1]."></center></td>"
        echo 
"</tr>"
    } 
    echo 
"</table>"

else { 
    
// no 
    // print status message 
    
echo "No rows found!"




?>
Which works perfect calling it via plug-in and using vb:raw in the template. Just need the help with the security token upon submissions issue in nominate.php .

--------------- Added [DATE]1310047305[/DATE] at [TIME]1310047305[/TIME] ---------------

OK Got it...I think. This is what I did. I took out the form from the php file and placed in the template like so:

HTML Code:
<form action="nominate.php" method="post">
Image URL to Nominate: <input type="text" name="imgurl"> 
<input type="submit" name="submit">
</form> 
And I am using this to write the URL into the database:

PHP Code:
<?php 

require_once('./global.php');

define('CSRF_PROTECTION'true);

if (!isset(
$_POST['submit'])) { 


// form not submitted 

else { 
// form submitted 
// get form input 
    // check to make sure it's all there 
    // escape input values for greater safety 
    
$imgurl = empty($_POST['imgurl']) ? die ("ERROR: Enter a imgurl") : mysql_escape_string($_POST['imgurl']);
     
    
// create query 
    
$db->query_write("INSERT INTO oftw_nominations (imgurl) VALUES ('$imgurl')");
     
    
// print message with ID of inserted record 
    
echo "New image Nominated!";
    
    
header"refresh:2; url=http://development.aniworlds.net/oftw_nominations.php" );
     
    
// close connection 
    
mysql_close($connection); 

?>
And this to print them in the same template:

PHP Code:
<?php 
require_once('./global.php');

$result $db->query_read("SELECT * FROM oftw_nominations"); 

if (
mysql_num_rows($result) > 0) { 
    
// yes 
    // print them one after another 
    
echo "<table cellpadding=10 border=1>"
    while(
$row mysql_fetch_row($result)) { 
        echo 
"<tr>"
        echo 
"<td><center><img src =".$row[1]."></center></td>"
        echo 
"</tr>"
    } 
    echo 
"</table>"

else { 
    
// no 
    // print status message 
    
echo "No rows found!"

?>
It all works PERFECT. Question is ; is this ok? I mean is this the RIGHT way to do what I want to do?? It works perfect I just want to make sure I don't have any vulnerabilities.
Reply With Quote
 


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:41 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06508 seconds
  • Memory Usage 2,368KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_code
  • (1)bbcode_html
  • (5)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)showthread_list
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_threadedmode.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids_threaded
  • showthread_threaded_construct_link
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete