PHP-direct eval problems [Solved]

[janaf]

This is an old issue that I have left for some time. I hoped updates would solve things :-) It has not, so far...

I have a php-direct eval code here:
http://www.41hz.com/forums/content.php?253-TSdb

It works sometimes....

1)))
It works fine as is but only if I turn OFF vb caching for the whole site ( I havethe cache timeout set to 0 for the php-direct eval content, but it does not seem to do it...)
How can I turn off caching off for this code or for all php direct eval, but not for the rest of the site? I have tried adding to the code:

PHP Code:

$config['cache_ttl'] = 0; 


in vain

2)))
It works as long as you are not logged on to the site. If you log on to the forum / site, go to the php page, select a drop-down and hit the button you get the error message:

vBulletin Message
Your submission could not be processed because a security token was missing.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

I have tried adding, within the form, each of these (one at a time):

PHP Code:

$a.='<input type="hidden" name="securitytoken" value="vb::$vbulletin->userinfo[securitytoken]"/>';
$a.='<input type="hidden" name="securitytoken" value="$vbulletin->userinfo[securitytoken]" />'; 


... but still get the "...security token was missing..." message when logged in (only).

Any hints or help would be appreciated!

[Lynne]

And what is in the page source? I don't think what you wrote will work. You need to do something like this:

PHP Code:

$a.='<input type="hidden" name="securitytoken" value="'.vb::$vbulletin->userinfo[securitytoken].'"/>'; 


[janaf]

Thanks Lynne!

That took care of the security token issue.

I will get back with the code for the dropdown / caching-issue. My code is now quite long, split on several files but I can reproduce the same problem with a simple dropdown form.

Jan

--------------- Added [DATE]1302609805[/DATE] at [TIME]1302609805[/TIME] ---------------

Here is a sample code:

PHP Code:

$myname = vB::$vbulletin->input->clean_gpc('r', 'me', TYPE_STR);
$a='<form action="" method="POST">';
$a.='<select name="me">';
$a.='<option value="noname" >[Name]</option>';
$a.='<option value="Jan" ';
if ($myname=="Jan"){
    $a.=' selected="selected" ';
}
$a.='>Jan</option>';
$a.='<option value="Lynne"';
if ($myname=="Lynne"){
    $a.=' selected="selected" ';
}
$a.='>Lynne</option>';
$a.='</select>';
$a.='<input type="hidden" name="securitytoken" value="'.vb::$vbulletin->userinfo[securitytoken].'"/>';
$a.='<br><input type="submit" value="   Submit   " />';
$a.='</form>';
$output=$a; 


If caching is disabled in ACP: / Settings / Options .../ Disable Content Caching = Yes then this code works as I would expect, ie the selected name is marked Selected and shown by the dropdow.

But if the caching option set to No in ACP then $myname does not contain a return value after submittig the form, so the code will not work.

I have set Cache Refresh Time = 0 (and tried -1 and 1 as well) for this php direct evaluation page content itself, but it does not seem to make any difference.

[Lynne]

Where is me, or $myname, being defined?

[janaf]

The posted code is all there is. First line to last.

$myname declared on the first row (only)
me is the name of the dropdown, third row (select name="me"), posted back to the same page (action="")

Yes, I am pretty new at php....

[Lynne]

There is no variable called "me" in default vbulletin. If that is the only code you have, then yes, it isn't going to work because "me" is not defined. You need to pass it to the code somehow.

[janaf]

I have been reading up all I can and as far as I understand from these:

http://www.vbulletin.com/docs/html/m...estandards_gpc
http://www.vbulletin.com/forum/showt...itional-fields
https://vborg.vbsupport.ru/showthread.php?t=98047

then this one-line (only), php direct eval code should work, readig POST variables or REQUEST data by calling from the browser: .../content.php?434-mytest&me=Jan

PHP Code:

$output = vB::$vbulletin->input->clean_gpc('r', 'me', TYPE_STR); 


It DOES work; reads REQUEST data and outputs the name (Jan) to the browser. But it only works here if vB caching is disabled.

So if I misunderstood, can someone suggest a method for reading POST variables that does work?

[Lynne]

Ah, I see now. You hit the Submit and it gets passed (I don't know why I didn't see that). Perhaps write plugin to disable caching for that page? I'm not sure what hook location to use - go into debug mode and you'll get a list of all the hooks used on that page and you can go through some of them that way.

[Boofo]

How would you disable caching, though?

[Lynne]

He's talking about the option in AdminCP > Settings > Options > server settings > Disable Content Caching . So, I was thinking you would set that option to 1 for that page. I honestly don't know if that would work or not though.

hook location - init_startup:

PHP Code:

if ($_POST['me'])
{
$vbulletin->options['nocache'] = 1;
} 


I think that would work.