Security Token issue in new area not discussed in this forum

[WNxWakko]

I am trying to put a form into a custom BBCODE that searches a custom field6. I have my reasons but am looking for help to make this work.



I have tried so many different suggestion that I found searching VB and vbmods forums.



When I put the below into a BBCODE and use that code in a post, I get "Your submission could not be processed because a security token was invalid."

Code:

<form action="memberlist.php?do=getall" method="post">

<input type="hidden" name="s" value="$session[sessionhash]" />

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

<input type="hidden" name="do" value="getall" />

<input type="text" class="bginput" name="field6" value="" size="25" maxlength="100" />

<input type="submit" class="button" value="Search Now" accesskey="s" />

  </form>

I have tried all of the following as well with no success,

Code:

<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />

<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />

Code:

<input type="hidden" name="s" value="$session[sessionhash]" />

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Oddly, this one works in a nonvb page but not in a post of course because it has PHP code in it.

Code:

<?php

require_once('./Forum/global.php'); 

?>

 

<form action="/Forum/memberlist.php?do=getall" method="post">

<input type="hidden" name="s" value="" />

<input type="hidden" name="securitytoken" value="<?php echo($vbulletin->userinfo['securitytoken']); ?>" /> 

<input type="hidden" name="do" value="getall" />

<input type="text" class="bginput" name="field6" value="" size="25" maxlength="100" />

<input type="submit" class="button" value="Search Now" accesskey="s" />

  </form>

Is there something special or different that needs to be stated in the security token here that would allow this search box of a custom field to work in a post using a BBCODE?

[kh99]

I think your problem may be that the result of a bbcode replacement is html but not a template, so you can't include variables. (To check that that's your problem, view the html source of the page and if you see

Code:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

then that's the problem).

What to do about it - I'm not sure. You could use a plugin on one of the hooks in the bbcode code (like maybe bbcode_parse_complete) do your own search and replace.
For instance, use "__SECURITYTOKEN__" in your bbocde

Code:

<input type="hidden" name="securitytoken" value="__SECURITYTOKEN__" />

and then in the plugin

Code:

$text = str_replace('__SECURITYTOKEN__', $bbuserinfo[securitytoken], $text) ;

but I haven't tried it so be prepared to debug.

Of course that's not a perfect solution because __SECURITYTOKEN__ could conceivably show up in a post for some other reason, but it's the best I could do off the top of my head.

[WNxWakko]

You are right, when viewing the HTML, I see exactly what you said I would.

I've tried what you suggested below and still no luck. Any ideas?

[kh99]

Oh...try adding "global $vbulletin;" to the start of the plugin code ETA: ...and change bbuserinfo to vbulletin->userinfo,

so that the code is:

Code:

global $vbulletin;
$text = str_replace('__SECURITYTOKEN__', $vbulletin->userinfo[securitytoken], $text) ;

If that doesn't work, view the html source again and see what the hidden value looks like.

ETA: OK, I went and tried it and this seems to work. One thing I'm not sure about is that there's a bbcode_parse_complete_precache hook a little before the one we're using, and it's before the post is cached (as the name suggests). I'm not sure what the implications are of using one over the other. I thought I'd use post-cache so the token doesn't get cached, but I haven't studied the code.

[WNxWakko]

Seems though your code worked. I am past the token issue I think.

Although now when I enter something in the search box I get this VB message,

"vBulletin Message
Invalid Action Specified "

what is interesting is the URL I see in the browser bar is,
inlinemod.php?threadid=604440&p=


I should see it goto the memberlist.php so it can search custom field6. Any ideas if this is still token related or perhaps searching a field from a post needs additional plugin coding.

The source code view of the thread that has this shows the following,

Code:

<form action="memberlist.php?do=getall" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="securitytoken" value="1283032473-228842d7329277b18921e7cc4c16e4474aa5243d" />
<input type="hidden" name="do" value="getall" />
<input type="text" class="bginput" name="field6" value="" size="25" maxlength="100" />
<input type="submit" class="button" value="Search Now" accesskey="s" />
  </form>

One more thing to point out that is odd. This works in the preview thread screen, but not after you actually post it.

[kh99]

I'm not sure if it's the only problem, but it looks like that part has the same problem with $session[sessionhash] not getting replaced.

[Lynne]

See if you have the same problem as a regular user. You, an admin or moderator, will have a problem because you are putting a form inside a form (inline moderation).

[WNxWakko]

Interesting. Regular users can use the form without any issue. It seems that only Admins/Moderators cannot use it.

Any idea how to get around this?

[Lynne]

There is no way around it unless you turn off inline moderation. You can't have forms within forms and inline moderation, where you can select the posts and then do something with them at the bottom of the page, is a big form.

[WNxWakko]

Hmm, not even possible to embed forms in forms. That seems like a flaw in the code design of forms somewhere. lol

I am very appreciative of all the help given here. Its just to bad it comes to a halt over this feature. If there is any other tricks around this, I'm all ears.