MyBB Community Forums

Full Version: MyBB input PHP
I am trying to create a simple input that will then be verified by PHP code.

HTML
<form method="post">
<input type="submit" name="test" value="test" />
<input type="hidden" name="my_post_key" value="{$mybb->post_code}" />
</form>

PHP
if($mybb->input['test'])
{
	//do stuff
}


Do I need to use: <input type="hidden" name="my_post_key" value="{$mybb->post_code}" />
Yes you do, because otherwise I could use the identity of any user on your forum to perform the intended action. It's called a CSRF exploit, for Cross-site request forgery.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Moreover, when you receive the form, you need to verify that the received my_post_key is valid:

if(isset($mybb->input["test"], $mybb->input["my_post_key"])) {
    // I verify that the post key is valid
    verify_post_check($mybb->input["my_post_key"]);

    // now I perform my action
}
WOW, you know a few things about PHP!
Thanks so much, I very much appreciate this!

P.S. What if post key is not valid should I add some error?
Is it enough for the link below to do this?

<a  href=\"showthread.php?action=test&tid={$thread['tid']}&my_post_key={$mybb->post_code}\">testing link</a>

if($mybb->input['action'] == "test")
{
	verify_post_check($mybb->input['my_post_key']);
}
verify_post_check will actually trigger an error if the post key isn't valid, and won't run the code that comes after that.
If you don't want that to happen, you can set the second parameter to true:

if(verify_post_check($mybb->input['my_post_key'], true)) {
   // my_post_key isn't valid
}
else {
  // my_post_key is valid
}

Next time I advise you to read more source code, it's your BEST answer.
How can I test whether verify_post_check($mybb->input['my_post_key']); will trigger an error?

I mean any code that I will run and check if it actually triggers an error?
OK, let's read its source code:

function verify_post_check($code, $silent=false)
{
	global $lang;
	if(generate_post_check() != $code)
	{
		if($silent == true)
		{
			return false;
		}
		else
		{
			if(defined("IN_ADMINCP"))
			{
				return false;
			}
			else
			{
				error($lang->invalid_post_code);
			}
		}
	}
	else
	{
		return true;
	}
}

The error function there triggers the error in question.
Now if you take 10 seconds to read the code, you will notice that IF you pass the second parameter as TRUE, the function WILL NOT trigger any error, instead it will return TRUE if the post code is valid, FALSE if invalid.

But if you don't set any second parameter, and unless you are in the Admin CP, the function WILL trigger the error.

To sum up:

This won't trigger any error:

$is_valid = verify_post_check($mybb->input['my_post_key'], true);

if($is_valid) {
  // my action goes here
}
else {
  // probably a CSRF attack detected, don't do anything
}

This will trigger an error:

verify_post_check($mybb->input['my_post_key']);
// my action goes here
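A stand-alone way to see both behaviours without touching a live forum. This is an added example, not code from the thread or from MyBB: generate_post_check(), error() and $lang are replaced with stubs (assumptions made here so the script runs from the command line), while the verify_post_check() body is the MyBB function quoted above. The stub error() throws instead of rendering a page, so the script can show that the non-silent path really aborts before any code after the call.

```php
<?php
// Added example: exercises verify_post_check() outside MyBB.
// Stubs below stand in for MyBB globals; they are not the real implementations.

$lang = new stdClass();
$lang->invalid_post_code = "Authorization code mismatch.";

// Stub: a fixed "correct" code instead of MyBB's per-user hash
function generate_post_check()
{
	return "correct-code";
}

// Stub: MyBB's error() renders an error page and stops the script;
// throwing here lets the caller observe that abort.
function error($message)
{
	throw new RuntimeException($message);
}

// The MyBB function as quoted in the thread
function verify_post_check($code, $silent=false)
{
	global $lang;
	if(generate_post_check() != $code)
	{
		if($silent == true)
		{
			return false;
		}
		else
		{
			if(defined("IN_ADMINCP"))
			{
				return false;
			}
			else
			{
				error($lang->invalid_post_code);
			}
		}
	}
	else
	{
		return true;
	}
}

// Runs one call and reports what it did: the return value, or the error it raised
function outcome($code, $silent)
{
	try
	{
		return var_export(verify_post_check($code, $silent), true);
	}
	catch(RuntimeException $e)
	{
		return "error: ".$e->getMessage();
	}
}

// Try a valid and a tampered key in both modes
foreach(array(false, true) as $silent)
{
	foreach(array("correct-code", "tampered") as $code)
	{
		printf("silent=%-5s code=%-12s -> %s\n",
			var_export($silent, true), $code, outcome($code, $silent));
	}
}
```

Run it with `php test_post_check.php`: the valid key returns true in both modes, the tampered key raises the error message in default mode and returns false in silent mode, which is the difference the post above describes.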
Wow thank you so much really!

I went and used Firebug to alter key and YES it says "Authorization code mismatch. Are you accessing this function correctly? Please go back and try again."

[SOLVED] Many thanks to @TheGarfield
Also instead of using if(isset($mybb->input['test'])) you should really use if($mybb->request_method == "post"). This makes sure the page was accessed with POST instead of GET. If this isn't used someone with malicious intent could manually navigate to a URL and it would accept it if they had the correct value for my_post_key.

Secondly, if you are letting the user fill out a field, make sure you add the required attribute. Browser validation is faster than server validation.

Ex.
<input name="myinput" type="text" required="required" />
Note that you should still use server validation as well as browser validation. It's easy to remove the required tag in-browser and not all browsers support it.
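What the server-side half of that validation can look like. This is an added example, not code from the thread or from MyBB, and it uses plain PHP only: a small rule table and a validator that enforces the same "required" rule as the browser attribute, plus length and format rules a browser cannot enforce. The field names and rules are constructed for illustration.

```php
<?php
// Added example: server-side validation that does not rely on the
// browser's "required" attribute. Field names and rules are made up here.

// Rules per field: required?, maximum length in bytes, optional format
function field_rules()
{
	return array(
		'myinput' => array('required' => true,  'max' => 100, 'format' => null),
		'email'   => array('required' => true,  'max' => 254, 'format' => 'email'),
		'website' => array('required' => false, 'max' => 200, 'format' => 'url'),
	);
}

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_fields(array $input, array $rules)
{
	$errors = array();
	foreach($rules as $name => $rule)
	{
		// Only accept scalar strings; arrays or missing keys count as empty
		$value = (isset($input[$name]) && is_string($input[$name])) ? trim($input[$name]) : '';

		if($value === '')
		{
			if($rule['required'])
			{
				$errors[] = "Field '{$name}' is required.";
			}
			continue; // optional and empty: nothing else to check
		}
		if(strlen($value) > $rule['max'])
		{
			$errors[] = "Field '{$name}' is longer than {$rule['max']} bytes.";
		}
		if($rule['format'] === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false)
		{
			$errors[] = "Field '{$name}' is not a valid e-mail address.";
		}
		if($rule['format'] === 'url' && filter_var($value, FILTER_VALIDATE_URL) === false)
		{
			$errors[] = "Field '{$name}' is not a valid URL.";
		}
	}
	return $errors;
}

// Constructed sample: what a client that removed "required" might submit
$sample = array('myinput' => '   ', 'email' => 'not-an-address', 'website' => '');
$errors = validate_fields($sample, field_rules());
foreach($errors as $message)
{
	echo $message, "\n";
}

// Inside a MyBB handler you would pass $mybb->input instead of $sample and
// stop with error(implode("<br />", $errors)) when the list is not empty.
```

The sample above yields two messages (whitespace-only myinput is treated as missing, and the e-mail fails the format check) while the optional, empty website field is accepted.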
Man, this is harder than I initially thought.

Here is my complete code, please feel free to give me your advice.

$plugins->add_hook('global_start', 'cookielaw_global_start');
$plugins->add_hook('global_end', 'cookielaw_global_error');

function cookielaw_global_error()
{
	global $mybb;

	if(isset($mybb->input["Accept"]) && isset($mybb->cookies['mybb']['cookielaw']))
	{
		error("You already accepted cookies on this site!");
	}
}

function cookielaw_global_start()
{
	global $mybb, $templates, $cookielaw;

	// Show the notice only while the consent cookie has not been set
	if(!isset($mybb->cookies['mybb']['cookielaw']))
	{
		eval("\$cookielaw = \"".$templates->get("cookielaw_header")."\";");
	}

	if(isset($mybb->input["Accept"], $mybb->input["my_post_key"]))
	{
		// Stops with "Authorization code mismatch" if the key is wrong
		verify_post_check($mybb->input["my_post_key"]);
		my_setcookie('mybb[cookielaw]', '1');
		header('Location: '.$_SERVER['HTTP_REFERER']);
		exit; // without this the rest of the page still runs after the redirect header is sent
	}
}

<form method="post">
<input type="submit" name="Accept" value="Accept" />
<input type="hidden" name="my_post_key" value="{$mybb->post_code}" />
</form>
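The plugin above, reworked to apply the advice given earlier in the thread: only a POST is accepted, verify_post_check() is called in silent mode with an explicit error branch, the script exits after sending the redirect header, and the redirect target is checked before use. This is an added example, not the poster's code or MyBB core. It assumes the MyBB helpers already used in the thread ($mybb, $plugins, $templates, verify_post_check(), my_setcookie(), error()) plus $mybb->request_method and $mybb->settings['bburl'], which exist in MyBB; the hook and template names are the poster's, and the helper cookielaw_safe_return_url() is made up here.

```php
<?php
// Added example: a POST-only, CSRF-checked version of the cookie consent handler.
// Relies on MyBB globals and helpers; cookielaw_safe_return_url() is invented here.

$plugins->add_hook('global_start', 'cookielaw_global_start');

function cookielaw_global_start()
{
	global $mybb, $templates, $cookielaw;

	$already_accepted = isset($mybb->cookies['mybb']['cookielaw']);

	// Render the notice only while consent has not been recorded
	if(!$already_accepted)
	{
		eval("\$cookielaw = \"".$templates->get("cookielaw_header")."\";");
	}

	// Consent must arrive as a POST from the form; a GET link carrying a
	// copied my_post_key is ignored, as suggested earlier in the thread.
	if($mybb->request_method != "post" || !isset($mybb->input['Accept']))
	{
		return;
	}

	if($already_accepted)
	{
		error("You already accepted cookies on this site!");
	}

	// Silent mode: the handler decides what happens on a mismatch instead of
	// letting verify_post_check() abort with its own message.
	$key = isset($mybb->input['my_post_key']) ? $mybb->input['my_post_key'] : '';
	if(!verify_post_check($key, true))
	{
		// Key mismatch: likely a forged request, so record nothing and stop
		error("Invalid post key, please go back and submit the form again.");
	}

	my_setcookie('mybb[cookielaw]', '1');

	header('Location: '.cookielaw_safe_return_url());
	exit; // nothing after the redirect header should run
}

// Picks the page to return to. The Referer header is supplied by the client,
// so it is only used when it points inside this board's bburl; otherwise the
// board index is used.
function cookielaw_safe_return_url()
{
	global $mybb;

	$bburl = rtrim($mybb->settings['bburl'], '/');
	$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

	if(strpos($referer, $bburl.'/') === 0)
	{
		return $referer;
	}
	return $bburl.'/index.php';
}
```

The form markup stays the same as in the post above; only the handler changes. Merging the "already accepted" check into the same hook keeps all decisions about the Accept request in one place, so the global_end hook from the original is no longer needed.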