  #1  
08-27-2010, 08:25 PM
WNxWakko
Join Date: Apr 2003
Location: Paradise, Texas
Posts: 309
Security Token issue in new area not discussed in this forum

I am trying to put a form into a custom BBCODE that searches a custom field6. I have my reasons but am looking for help to make this work.

I have tried so many different suggestions that I found searching VB and vbmods forums.

When I put the below into a BBCODE and use that code in a post, I get "Your submission could not be processed because a security token was invalid."


Code:
<form action="memberlist.php?do=getall" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
<input type="hidden" name="do" value="getall" />
<input type="text" class="bginput" name="field6" value="" size="25" maxlength="100" />
<input type="submit" class="button" value="Search Now" accesskey="s" />
</form>

I have tried all of the following as well with no success,

Code:
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />

Code:
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Oddly, this one works in a nonvb page but not in a post of course because it has PHP code in it.

Code:
<?php
require_once('./Forum/global.php');
?>

<form action="/Forum/memberlist.php?do=getall" method="post">
<input type="hidden" name="s" value="" />
<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" />
<input type="hidden" name="do" value="getall" />
<input type="text" class="bginput" name="field6" value="" size="25" maxlength="100" />
<input type="submit" class="button" value="Search Now" accesskey="s" />
</form>

Is there something special or different that needs to be stated in the security token here that would allow this search box of a custom field to work in a post using a BBCODE?
  #2  
08-27-2010, 09:54 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

I think your problem may be that the result of a bbcode replacement is html but not a template, so you can't include variables. (To check that that's your problem, view the html source of the page and if you see

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
then that's the problem).

What to do about it - I'm not sure. You could use a plugin on one of the hooks in the bbcode code (like maybe bbcode_parse_complete) to do your own search and replace.
For instance, use "__SECURITYTOKEN__" in your bbcode

Code:
<input type="hidden" name="securitytoken" value="__SECURITYTOKEN__" />
and then in the plugin

Code:
$text = str_replace('__SECURITYTOKEN__', $bbuserinfo['securitytoken'], $text);
but I haven't tried it so be prepared to debug.

Of course that's not a perfect solution because __SECURITYTOKEN__ could conceivably show up in a post for some other reason, but it's the best I could do off the top of my head.
  #3  
08-28-2010, 04:21 PM
WNxWakko
Join Date: Apr 2003
Location: Paradise, Texas
Posts: 309

You are right, when viewing the HTML, I see exactly what you said I would.

I've tried what you suggested below and still no luck. Any ideas?
  #4  
08-28-2010, 04:50 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

Oh...try adding "global $vbulletin;" to the start of the plugin code ETA: ...and change bbuserinfo to vbulletin->userinfo,

so that the code is:

Code:
global $vbulletin;
$text = str_replace('__SECURITYTOKEN__', $vbulletin->userinfo['securitytoken'], $text);
If that doesn't work, view the html source again and see what the hidden value looks like.

ETA: OK, I went and tried it and this seems to work. One thing I'm not sure about is that there's a bbcode_parse_complete_precache hook a little before the one we're using, and it's before the post is cached (as the name suggests). I'm not sure what the implications are of using one over the other. I thought I'd use post-cache so the token doesn't get cached, but I haven't studied the code.
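
An added example, not part of the post above and not vBulletin's code: it models the precache versus post-cache question raised here, and the earlier caveat that `__SECURITYTOKEN__` could appear in ordinary post text. The shared parsed-post cache, the function names `render_cached()` and `finalize_for_viewer()`, and the token strings are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not vBulletin code. The marker is the thread's; the cache,
// function names and token strings are constructed stand-ins.
const PLACEHOLDER = '__SECURITYTOKEN__';

// Parse-once cache shared by all viewers (assumed). Passing $tokenAtParse bakes a
// token in before caching (precache ordering); null keeps the marker.
function render_cached(array &$cache, int $postId, string $html, ?string $tokenAtParse = null): string
{
    if (!isset($cache[$postId])) {
        $cache[$postId] = $tokenAtParse === null
            ? $html
            : str_replace(PLACEHOLDER, $tokenAtParse, $html);
    }
    return $cache[$postId];
}

// Per-request step (post-cache ordering): fill the marker only where it is the
// whole value of the hidden securitytoken input, HTML-escaped.
function finalize_for_viewer(string $html, string $viewerToken): string
{
    $safe = htmlspecialchars($viewerToken, ENT_QUOTES, 'UTF-8');
    $pattern = '/(<input type="hidden" name="securitytoken" value=")'
             . preg_quote(PLACEHOLDER, '/') . '(" \/>)/';
    // A callback avoids "$1"-style sequences in a token being read as backreferences.
    return preg_replace_callback($pattern, function ($m) use ($safe) {
        return $m[1] . $safe . $m[2];
    }, $html);
}

// Constructed post: the marker appears once as ordinary text, once in the form.
$post = '<p>Type ' . PLACEHOLDER . ' to test.</p>'
      . '<input type="hidden" name="securitytoken" value="' . PLACEHOLDER . '" />';

// Precache ordering: viewer A's request fills the cache, viewer B is served from it.
$cache = [];
render_cached($cache, 1, $post, 'tokenA-constructed');
$pageB = render_cached($cache, 1, $post, 'tokenB-constructed');
var_dump(strpos($pageB, 'tokenA-constructed') !== false); // is A's token in B's page?

// Post-cache ordering: the cache keeps the marker, each request adds its own token.
$cache = [];
$pageB = finalize_for_viewer(render_cached($cache, 2, $post), 'tokenB-constructed');
var_dump(strpos($pageB, 'value="tokenB-constructed"') !== false); // B's own token in the form?
var_dump(strpos($pageB, 'Type ' . PLACEHOLDER . ' to test') !== false); // body text left alone?
```

In the first ordering viewer B's page carries viewer A's token, which is why a per-user CSRF token should not be written into shared cached markup; in the second each viewer gets their own token and the marker typed into the post body stays plain text.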
  #5  
08-28-2010, 08:56 PM
WNxWakko
Join Date: Apr 2003
Location: Paradise, Texas
Posts: 309

Seems as though your code worked. I am past the token issue I think.

Although now when I enter something in the search box I get this VB message,

"vBulletin Message
Invalid Action Specified "

What is interesting is the URL I see in the browser bar is,
inlinemod.php?threadid=604440&p=

I should see it go to the memberlist.php so it can search custom field6. Any ideas if this is still token related or perhaps searching a field from a post needs additional plugin coding?

The source code view of the thread that has this shows the following,

Code:
<form action="memberlist.php?do=getall" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="1283032473-228842d7329277b18921e7cc4c16e4474aa5243d" />
<input type="hidden" name="do" value="getall" />
<input type="text" class="bginput" name="field6" value="" size="25" maxlength="100" />
<input type="submit" class="button" value="Search Now" accesskey="s" />
  </form>
One more thing to point out that is odd. This works in the preview thread screen, but not after you actually post it.
  #6  
08-28-2010, 09:36 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

I'm not sure if it's the only problem, but it looks like that part has the same problem with $session[sessionhash] not getting replaced.
  #7  
08-28-2010, 09:57 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

See if you have the same problem as a regular user. You, an admin or moderator, will have a problem because you are putting a form inside a form (inline moderation).
  #8  
08-29-2010, 12:13 AM
WNxWakko
Join Date: Apr 2003
Location: Paradise, Texas
Posts: 309

Interesting. Regular users can use the form without any issue. It seems that only Admins/Moderators cannot use it.

Any idea how to get around this?
  #9  
08-29-2010, 01:41 AM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

There is no way around it unless you turn off inline moderation. You can't have forms within forms and inline moderation, where you can select the posts and then do something with them at the bottom of the page, is a big form.
  #10  
08-29-2010, 04:47 AM
WNxWakko
Join Date: Apr 2003
Location: Paradise, Texas
Posts: 309

Hmm, not even possible to embed forms in forms. That seems like a flaw in the code design of forms somewhere. lol

I am very appreciative of all the help given here. It's just too bad it comes to a halt over this feature. If there are any other tricks around this, I'm all ears.