The Arcive of Official vBulletin Modifications Site.

Jon12345 · #1 03-29-2012, 07:14 PM

According to this link...

https://www.vbulletin.com/docs/html/codestandards_gpc

...it states that "Do not use $_GET / $_POST / $_REQUEST etc. variables in templates." But I need to use it in the templates for something I need to achieve.

Why do they say don't use $_GET etc? Is it a security risk or something?

Jon

Paul M · #2 03-29-2012, 09:14 PM

You dont ever need to use them in a template.
They are just variables, so you can easily use something else.

Jon12345 · #3 03-29-2012, 09:43 PM

In that case, how do I check for being on register.php?do=addmember then? I need to check to see if addmember is there.

kh99 · #4 03-29-2012, 10:09 PM

In a PM discussion I mentioned to Jon that I thought it was because those variables haven't been "cleaned" and so they could contain anything and wouldn't be safe to include directly in the output. I'm sure that part's true. But I thought they would be OK to use in a condition (for instance in the headinclude template when the 'do' variable isn't in $vbulletin->GPC yet). Otherwise you'd need a plugin to create another variable. But I wasn't sure so Jon wisely decided to ask if anyone else knows.

Jon12345 · #5 03-29-2012, 10:19 PM

Lets imagine the variable is 'dirty'. If you had this...

Code:

<if condition="$_GET['do']=='register'">
run code
</if>

...to my mind there is no danger of code injection so long as I just use the $_GET['do'] to check a condition. Correct me if I'm wrong. It would be different if I was storing the data from the GET into a variable for output.

Is this right?

Paul M · #6 03-29-2012, 11:01 PM

You are technically correct, thats not the point.

The standards are designed to prevent you accidently forgetting this. If you never use them in templates, there can never be an issue.

Pandemikk · #7 03-30-2012, 12:23 AM

It also states "The only direct access to these variables is with $_POST['do'] and $_GET['do']"

For the reason why it shouldn't be used in templates, I, personally, believe is because you should be doing those checks in the PHP code.

kh99 · #8 03-30-2012, 12:51 AM

Paul makes a good point, I didn't notice that that was from the coding standards. So it's not claiming that there's necessarily any problem, just that the vb coding standards say not to do it.

Quote:

Originally Posted by Pandemikk

For the reason why it shouldn't be used in templates, I, personally, believe is because you should be doing those checks in the PHP code.

OK, but here's a sorta related question: if someone here asks how they can do something, and they could do it by adding a few lines to a template but it involves using $_GET['do'] in a condition, should they be told to write a plugin because it's the "right" way to do it?

Pandemikk · #9 03-30-2012, 01:28 AM

Quote:

Originally Posted by kh99

OK, but here's a sorta related question: if someone here asks how they can do something, and they could do it by adding a few lines to a template but it involves using $_GET['do'] in a condition, should they be told to write a plugin because it's the "right" way to do it?

Same thing can be said about any coding standard. Indent vs. not indenting, proper variable, constant, function naming, etc.,.

It all comes down to the purpose and hassle. I don't recommend editing the default register template, but instead finding the do branch in a plugin then calling your own template: That way it's easier to manage and upgrade.

But if he simply wants to add a few lines and the whole situation would indeed be a lot easier to just do it in the template then by all means do it even if vB coding standards says not to. If he was making a mod to be released to vB.org then I'd say he should do it the right way.

kh99 · #10 03-30-2012, 01:48 AM

Quote:

Originally Posted by Pandemikk

Same thing can be said about any coding standard. Indent vs. not indenting, proper variable, constant, function naming, etc.,.

It all comes down to the purpose and hassle. I don't recommend editing the default register template, but instead finding the do branch in a plugin then calling your own template: That way it's easier to manage and upgrade.

But if he simply wants to add a few lines and the whole situation would indeed be a lot easier to just do it in the template then by all means do it even if vB coding standards says not to. If he was making a mod to be released to vB.org then I'd say he should do it the right way.

That's pretty much my feeling exactly, but I was wondering what other people thought about it. I think when people are making small mods for themselves it's not very important, so I usually go for the easiest solutions.

Anyway, sorry for hijacking Jon's thread.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04062 seconds Memory Usage 2,258KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!