Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 04-26-2010, 12:28 AM
bpr bpr is offline
 
Join Date: Dec 2009
Location: London
Posts: 57
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default CSRF vb4.0.3

Hi guys,
i am actually working on a little mod and i need to send a post to write something in the database.
However, I get a message about security token and whatsoever. I assumes that is meant to be the CSRF.

I was looking for it on google and here, and of course, I couldnt find anything apart from an old article from 2008.
Code:
$bbuserinfo[securitytoken]
this is obviously not working how can i get the security token into my template ?

this is not working as well:
{vb:raw bbuserinfo.securitytoken}

what can i do in my template to get this security token ?

Please help me with the .... : )


All the best,
Paul aka bpr
Reply With Quote
  #2  
Old 04-26-2010, 03:12 AM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

{vb:raw bbuserinfo.securitytoken} should work if used in most templates. But, it's really hard to tell when you haven't posted any code or template name at all.
Reply With Quote
  #3  
Old 04-26-2010, 02:08 PM
Deceptor's Avatar
Deceptor Deceptor is offline
 
Join Date: Dec 2008
Location: England
Posts: 514
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Is the security token been assigned to the correct hidden input? All user-end forms should really just have this within the <form> tags:
Code:
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
It's what I use on several vB4 modifications and it works just fine
Reply With Quote
  #4  
Old 04-28-2010, 01:36 AM
bpr bpr is offline
 
Join Date: Dec 2009
Location: London
Posts: 57
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi guys,
thanks for the response,. Well you are right, I should have posted some code -.- well here we go, I got a template called - todo_add_item.

Just to explain what I am developing at the moment:
Admins and Supermods are able to add/ edit/ disable / finish items on a todo list. This todo list is for the team member of my board who can all read the list of the todos.

I was solving the problem in a badway. Because I am using Ajax with jQuery all over the website and in my developing sites I was making the securityhash global in the header flie. I was doing this by adding one mod, which is hiding all the version numbers. Anyway I did use that one in my js code - which doesnt change the fact, that I cannot use the {vb:raw session.sessionhash} in templates.

Do I have to register anything in the php files ? I mean, I was trying to add it in a navbar which I learned by following https://vborg.vbsupport.ru/showthread.php?t=228313 instructions - but also there I couldnt use this raw var.
On the other hand my php code looks identically to the test.php site which you could find here:
https://vborg.vbsupport.ru/showthread.php?t=228112
despite the fact, that I am not calling my template test and whatsoever.

HTML Code:
<script type="text/javascript">
    function addTodoItem()
    {
        var title = $('#todoTitle').val();
        var description = $('#todoDescription').val();
        var squad = $('#todoSquad').val();
        var status = $('#todoStatus').val();
        var priority = $('#todoPriority').val();
        var todo = '&do=add';
        var qrystr = 'title=' + title + '&description=' + description + '&squad=' + squad + '&status=' + status + '&priority=' + priority + todo;
        $.ajax({
            type: "POST",
            url: "/todo.php",
            data: qrystr + '&securitytoken=' + SECURITYTOKEN ,
            success: function(msg){
              $('#todomsg').html('<span class="tok">Erledigt</span>');
            }
          });
    }
</script>

<div class="todo" id="todoAddItem">
    <div id="todomsg"></div>
        <form id="todoAddForm">
<input type="hidden" name="securitytoken" value="{vb:raw bbuserinfo.securitytoken}" />
<input type="hidden" name="s" value="{vb:raw session.sessionhash}" />
            <ul>
                <li><label for="todoTitle">Titel</label></li>
                <li><input type="text" id="todoTitle" name="todoTitle" /></li>
                <li><label for="todoDescription">Beschreibung</label></li>
                <li><textarea name="todoDescription" id="todoDescription"></textarea></li>
                <li><label for="todoTitle">Squad</label></li>
                <li>
                    <select id="todoSquad" name="todoSquad">
                        <option value="1">Alpha</option>
                        <option value="2">Cobra</option>
                        <option value="3">Delta</option>
                        <option value="4">Eclipse</option>
                        <option value="5">Exodus</option>
                        <option value="6">Delibos</option>
                    </select>
                </li>
                <li><label for="todoStatus">Status</label></li>
                <li>
                    <select id="todoStatus" name="todoStatus">
                        <option value="3">In Bearbeitung</option>
                        <option value="2">Keine Bearbeitung</option>
                        <option value="1">Fertig gestellt</option>
                    </select>
                </li>
                <li><label for="todoPriority">Priorit&auml;t</label></li>
                <li>
                    <select id="todoPriority" name="todoPriority">
                        <option value="1">Sehr Hoch</option>
                        <option value="2">Hoch</option>
                        <option value="3">Mittel</option>
                        <option value="4">Niedrig</option>
                    </select>
                </li>
            </ul>
            <a id="submitButton" value="Hinzuf&uuml;gen" onclick="javascript:addTodoItem();">Hinzuf&uuml;gen</a>
        </form>
        <div class="mty"></div>
</div>
Thanks for helping guys.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:19 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07220 seconds
  • Memory Usage 2,212KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (1)bbcode_html
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (4)post_thanks_box
  • (4)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit_info
  • (4)postbit
  • (4)postbit_onlinestatus
  • (4)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete