Need help on custom plugin.

[MrBeastlymfe]

On my site I am making a pastebin page so users can store text files on there if needed. And when trying to submit a paste, I get an error saying a security token is missing. I would like if someone could post the coding into mine, I wouldn't know where to put it in. I don't have a XML I'm just adding a custom page. Here is the code.

Code:

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);


// #################### DEFINE IMPORTANT CONSTANTS #######################


define('THIS_SCRIPT', 'Paste');
define('CSRF_PROTECTION', true);  
// change this depending on your filename


// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();


// get special data templates from the datastore
$specialtemplates = array();


// pre-cache templates used by all actions
$globaltemplates = array('Paste',
);


// pre-cache templates used by specific actions
$actiontemplates = array();


// ######################### REQUIRE BACK-END ############################
// if your page is outside of your normal vb forums directory, you should change directories by uncommenting the next line
// chdir ('/path/to/your/forums');
require_once('./global.php');


// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################


$navbits = construct_navbits(array('' => 'Paste Bin'));
$navbar = render_navbar_template($navbits);


// ###### YOUR CUSTOM CODE GOES HERE #####
$pagetitle = 'Pastebin Script';








$paste = htmlentities($_POST['paste']);
$vbulletin->input->clean_array_gpc('p', array(
     'sub' => TYPE_NOHTML)
    );

$name = md5($_POST['name']);
$title = $_POST['name'];
$dir = getcwd();
$rand = rand(1,200);
$save = "$name$rand.html";
$all = "<center>Name of paste:<h3>$title</h3><hr /><br /></center><pre> $paste </pre>";


if(isset($sub)){
    if(!empty($title) && !empty($paste)){
        file_put_contents("$dir/$save", $all , FILE_APPEND);
        echo "<footer>View your paste: <a href=" . $save . ">$title</a></footer>";
        }
    else{
        echo "<script>alert('Please fill in all the fields.');</script>";
        }
}






// ###### NOW YOUR TEMPLATE IS BEING RENDERED ######


$templater = vB_Template::create('Paste');
$templater->register_page_templates();
$templater->register('navbar', $navbar);
$templater->register('pagetitle', $pagetitle);
print_output($templater->render());


?>

[Sarteck]

What's your "Paste" template got in it? Chances are that you forgot to add the needed security token.

In whatever <form> you have, be sure to add the tag
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />

Some advice, though. Don't access $_POST, $_GET, or $_REQUEST directly. Instead of:

PHP Code:

$title = $_POST['name']; 


use

PHP Code:

$title = $vbulletin->input->clean_gpc('p', 'name', TYPE_STR); 


And stuff like that. vBulletin's cleaning functions make it so that you don't have to worry about data being "bad" or of a type you don't want.

[MrBeastlymfe]

Quote:

Originally Posted by Sarteck

What's your "Paste" template got in it? Chances are that you forgot to add the needed security token.

In whatever <form> you have, be sure to add the tag
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />

Some advice, though. Don't access $_POST, $_GET, or $_REQUEST directly. Instead of:

PHP Code:

$title = $_POST['name']; 


use

PHP Code:

$title = $vbulletin->input->clean_gpc('p', 'name', TYPE_STR); 


And stuff like that. vBulletin's cleaning functions make it so that you don't have to worry about data being "bad" or of a type you don't want.

Here's the template, so where would I put the security token? Sorry for the trouble.

Code:

$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
$headinclude
<title>$vboptions[bbtitle]</title>
</head>
<body>

$header
$navbar
<!-- Custom Code Start Here -->
<?php
$paste = htmlentities($_POST['paste']);
$sub = $_POST['sub'];
$name = md5($_POST['name']);
$title = $vbulletin->input->clean_gpc('p', 'name', TYPE_STR);
$dir = getcwd();
$rand = rand(1,200);
$save = "$name$rand.html";
$all = "<center>Name of paste:<h3>$title</h3><hr /><br /></center><pre> $paste </pre>";

if(isset($sub)){
	if(!empty($title) && !empty($paste)){
		file_put_contents("$dir/$save", $all , FILE_APPEND);
		echo "<footer>View your paste: <a href=" . $save . ">$title</a></footer>";
		}
	else{
		echo "<script>alert('Please fill in all the fields.');</script>";
		}
}
?>
<html>
<head>
<style type="text/css">
.inputForm
{
-moz-border-radius:5px; 
-webkit-border-radius: 5px; 
-khtml-border-radius: 5px; 
border-radius: 5px;
}
textarea
{
-moz-border-radius:5px; 
-webkit-border-radius: 5px;
-khtml-border-radius: 5px; 
border-radius: 5px; 
}
</style>
</head>
<body>
<body bgcolor="#F5F5F5">
<center>
<form action="" method="post" align="center">
Title of Paste:<input type="text" class="inputForm" name="name">
<br />
<textarea id=text name="paste" rows=30 cols=68 onload="fade()"></textarea>
<br />
<input type="submit" name="sub">
</center>
</form>
<!-- / Custom Code Ends here -->
$footer
</body>
</html>

[Sarteck]

Anywhere after <form action="" method="post" align="center"> and before </form> would do fine. Or at least would get rid of the error for the security token. :3