#1
11-20-2013, 05:09 PM
cdj
Join Date: Feb 2008
Posts: 12

php query string in an iframe

Is it possible to include a php query string in an iframe on vbulletin? Essentially I'm trying to embed a php page into an article/static page and be able to call variables from it. Here's what I'm trying to set the src as for the iframe.
http://www.thegamingtailgate.com/twi...?channel=cdj80
or
http://www.thegamingtailgate.com/twi...=streamerhouse

If I hardcode the channel name into the php and then put it into an iframe, everything works fine but when I change it to
PHP Code:
$_GET['channel']
and pass the variable, it renders a blank page in the iframe.

Am I going about this all wrong? I read this guide a bit but since I'm not a developer, I'm not sure if that's the route I need to go.


I'll readily admit that I'm not that savvy when it comes to development. I can tweak and modify something that someone else built, but I certainly can't build something from scratch. That said, I was rather proud of myself for dissecting the Twitch API to add extra elements that weren't originally included where I copied this code from. I'm hoping to be able to show them off dynamically.

#2
11-20-2013, 06:13 PM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Are you sure $_GET['channel'] has the data you expect it to? Also, it's pretty dangerous to use the superglobals without cleaning them up first and/or verifying the data from them first.

#3
11-20-2013, 07:00 PM
cdj
Join Date: Feb 2008
Posts: 12

Quote:
Originally Posted by Zachery
Are you sure $_GET['channel'] has the data you expect it to?
Thanks for the response.

I'm fairly certain $_GET['channel'] has the correct data. If you click on the second link above, you'll see that it pulls in that Twitch channel that I'm passing. Here's the full line:
PHP Code:
$channelName = htmlspecialchars($_GET['channel'], ENT_QUOTES);
I'm then utilizing $channelName elsewhere in the code to pull in what I need. Here's the sample code that I started with... I've expanded it a great deal since then.

http://www.incendiarymedia.org/twitch/status.php
PHP Code:
<?php
// Channel name taken from the query string and escaped for HTML output
$channelName = htmlspecialchars($_GET['channel'], ENT_QUOTES);

$clientId = '';            // Register your application and get a client ID at http://www.twitch.tv/settings?section=applications
$online   = 'online.png';  // Set online image here
$offline  = 'offline.png'; // Set offline image here

// Ask the Kraken API for the stream object; it is NULL when the channel is not live
$json_array = json_decode(file_get_contents('https://api.twitch.tv/kraken/streams/' . strtolower($channelName) . '?client_id=' . $clientId), true);

if ($json_array['stream'] != NULL) {
    $channelTitle = $json_array['stream']['channel']['display_name'];
    $streamTitle  = $json_array['stream']['channel']['status'];
    $currentGame  = $json_array['stream']['channel']['game'];

    echo "$channelTitle is <img src='$online' alt='Online' /> playing $currentGame";
} else {
    echo "$channelName is <img src='$offline' alt='Offline' />";
}
?>



Quote:
Also its pretty dangerous to use the super globals without cleaning them up first, and or verifying the data from them first.
Can you give me further insight? Again, I'm completely self-taught when it comes to PHP, etc., so I don't know exactly what you mean. Are you referring to that in regards to vBulletin, or to any PHP code that uses a query string?

#4
11-20-2013, 07:14 PM
Simon Lloyd
Join Date: Aug 2008
Location: Manchester
Posts: 3,481

If you don't escape your strings ($db->escape_string($vbulletin->GPC['MYRESULT'])) or clean your raw result ($vbulletin->input->clean_array_gpc(....etc)), it leaves the possibility for someone to inject code on the back of the "live" string. Take a look at some PHP manuals like http://php.net/manual/en/function.my...ape-string.php or the vBulletin API docs.

#5
11-20-2013, 07:46 PM
cdj
Join Date: Feb 2008
Posts: 12

Quote:
Originally Posted by Simon Lloyd
If you don't escape your strings ($db->escape_string($vbulletin->GPC['MYRESULT'])) or clean your raw result ($vbulletin->input->clean_array_gpc(....etc)), it leaves the possibility for someone to inject code on the back of the "live" string. Take a look at some PHP manuals like http://php.net/manual/en/function.my...ape-string.php or the vBulletin API docs.
But does that apply if I'm only embedding the php page into an iframe rather than using direct code on the page? On my static page article on CMS, I have:
HTML Code:
<iframe src="http://www.thegamingtailgate.com/twitchstream.php?channel=streamerhouse" frameborder="0" seamless width="100%" height="800px"></iframe>

#6
11-20-2013, 09:32 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

The way you're currently using $_GET['channel'] and $channelName, I don't think you have to worry about escaping it. In fact, I think htmlspecialchars is all you want to do because it's being used in a url, and only as part of one so no one can pass it an arbitrary file name.

If the frame is coming up blank it seems likely that there's a syntax error, but I don't see any in what you posted (except all the '+' chars, but I assume those are tabs or something).
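
Pulling the thread's three suggestions together (Zachery's "verify the data first", Simon Lloyd's point about escaping, and kh99's note that htmlspecialchars is the right call for the HTML output), here is what they look like applied to the status.php posted above. This is an added example written for this page, not cdj's script and not anything from the Twitch API docs: it assumes the same Kraken endpoint and response shape shown in the post, $clientId is a placeholder, and the channel-name pattern is an assumption about what a Twitch login can look like. The one thing the original script never does is validate the channel name before concatenating it into the API URL: htmlspecialchars leaves characters such as "/" and "?" untouched, so a crafted value can change which path on api.twitch.tv gets requested. A whitelist check on the only shape a channel name can have closes that, and rawurlencode and htmlspecialchars then handle the URL context and the HTML context separately.

```php
<?php
// Added example, not the original poster's script: a hardened version of the
// Twitch status page from this thread. It separates the three things the
// thread discusses: (1) validating the input, (2) encoding it for the URL it
// is inserted into, and (3) encoding it for the HTML it is printed into.
// Assumptions: the Kraken endpoint and response shape are those shown in the
// original post; $clientId is a placeholder; the channel-name pattern below
// is an assumption about Twitch logins, not taken from Twitch documentation.

$clientId = '';                 // your registered Twitch application client ID
$online   = 'online.png';
$offline  = 'offline.png';

// 1. Validate: accept only a short alphanumeric/underscore token (assumed
//    shape of a Twitch login). Anything else is rejected up front, so a value
//    such as "foo/../x?y" can never reach the URL below and change which API
//    path is requested.
function validate_channel($raw)
{
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9_]{1,25}$/', $raw)) {
        return null;
    }
    return strtolower($raw);
}

// 2. Build the request URL, encoding each dynamic value for the URL context.
function twitch_stream_url($channel, $clientId)
{
    return 'https://api.twitch.tv/kraken/streams/' . rawurlencode($channel)
         . '?client_id=' . rawurlencode($clientId);
}

// 3. Render, encoding every dynamic value for the HTML context. The display
//    name and game come from the API response rather than the query string,
//    but they are still untrusted input and are escaped the same way.
function render_status($channel, $json, $online, $offline)
{
    $h = function ($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    };

    if (!empty($json['stream'])) {
        $chan = $json['stream']['channel'];
        return $h($chan['display_name']) . " is <img src='" . $h($online)
             . "' alt='Online' /> playing " . $h($chan['game']);
    }
    return $h($channel) . " is <img src='" . $h($offline) . "' alt='Offline' />";
}

$channelName = validate_channel(isset($_GET['channel']) ? $_GET['channel'] : '');
if ($channelName === null) {
    http_response_code(400);
    echo 'Invalid or missing channel name.';
    exit;
}

// A failed fetch returns false, and json_decode of that is null, which the
// original script would silently report as "offline". Say so explicitly.
$body = @file_get_contents(twitch_stream_url($channelName, $clientId));
$json = ($body === false) ? null : json_decode($body, true);
if (!is_array($json)) {
    http_response_code(502);
    echo 'Could not reach the Twitch API.';
    exit;
}

echo render_status($channelName, $json, $online, $offline);
```

Drop this in beside the original, point the iframe at it as twitchstream.php?channel=streamerhouse, and a request such as channel=foo/bar now gets a 400 instead of a second, attacker-chosen API lookup, while a network or TLS failure reports itself instead of showing the channel as offline.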

#7
11-20-2013, 09:40 PM
cdj
Join Date: Feb 2008
Posts: 12

Quote:
Originally Posted by kh99
The way you're currently using $_GET['channel'] and $channelName, I don't think you have to worry about escaping it. In fact, I think htmlspecialchars is all you want to do because it's being used in a url, and only as part of one so no one can pass it an arbitrary file name.

If the frame is coming up blank it seems likely that there's a syntax error, but I don't see any in what you posted (except all the '+' chars, but I assume those are tabs or something).
Yes, those are only because of the copy/paste from the reference website... they're not in the actual php file.

So in essence what you're saying is that php with a query string, inside an iframe, on a vbulletin CMS static page should work.

If that's the case, I'll continue to play with it and see if I can find where the invalid syntax is, but I can't imagine why it would work hard coded but wouldn't work as a query string. I suppose in the end, if anyone thinks it might help, I can paste the entire code that I'm using to see if there's something I'm missing.

#8
11-20-2013, 09:59 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

If the script is working when the channel name is hard coded, then I don't see why it wouldn't work with $_GET.

I tried the script you posted and it works for me. I named it test.php then went to test.php?channel=streamerhouse and I got "StreamerHouse is Online playing Grand Theft Auto V ".

#9
11-22-2013, 05:26 PM
cdj
Join Date: Feb 2008
Posts: 12

Looks like it was actually working all along... just that vBulletin wouldn't render it properly after creating/editing the static page. However, if I just go to the static page URL directly, it does load properly. I've also found that if you click Apply and then Close, it will also render properly.

Strange but at least everything is working properly now.
All times are GMT.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.