The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
Using securitytoken to protect ajax requests
I wanted to use the security token to protect an ajax request.
So I submitted the token with the ajax post request from a vbulletin page to my custom page. HTML Code:
<script type="text/javascript"><!-- $(document).ready(function(){ $("#nudge_icon").click(function(){ $.ajax({ url: '/nudge.php', type: 'POST', async: true, dataType: 'text', data: ({'from' : '$bbuserinfo[userid]', 'to' : '$userinfo[userid]', 'securitytoken':'$bbuserinfo[securitytoken]'}), success: function(data) { alert(data); }, error: function(data) { alert(data); } }); }); });//--> </script> And I defined CSRF_PROTECTION as true (don't know if that is even necessary). I then make a comparison like this: PHP Code:
I assume a new token is generated when the global.php is called? How can I use a securitytoken check on an ajax request? |
#2
|
|||
|
|||
I don't understand security tokens, but I noticed that there's a function in includes/functions.php called verify_security_token(), and it seems to be called with $vbulletin->userinfo['securitytoken_raw'] as one of the parameters, so maybe you could use that function and/or use 'securitytoken_raw'.
|
#3
|
|||
|
|||
Do you have any idea how can i can i made ajax request ?
|
#4
|
|||
|
|||
If you use the function kh99 referenced it should be easy to do.
verify_security_token($_POST['securitytoken'], $userinfo['securitytoken_raw']) should return true if it is a match, false if not. |
#5
|
||||
|
||||
All my AJAX requests in plugins never require me to manually check for CSRF. It's always done automatically.
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|