1
kaotik
XoopsGTicket best practice
  • 2005/7/18 17:31

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


When should XoopsGTicket be used? On all php pages, only admin?

Is this the correct code to use:

if ( ! $xoopsGTicket->check() ) {
    
redirect_header(XOOPS_URL.'/',3,$xoopsGTicket->getErrors());
  }


Thanks

2
kaotik
Re: XoopsGTicket best practice
  • 2005/7/19 11:25

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


bump

3
Dave_L
Re: XoopsGTicket best practice
  • 2005/7/20 21:20

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Which version of XOOPS?

My understanding is that the XoopsGTicket class was written by GIJOE, and Mithrandir adopted it into the XoopsSecurity class for XOOPS >= 2.0.10.

So if you're using XOOPS >= 2.0.10, then you should be using this instead:

if (!$GLOBALS['xoopsSecurity']->check()) {
   
redirect_header(XOOPS_URL.'/',3,$GLOBALS['xoopsSecurity']->getErrors());
}


The check should be used when processing any form that could "cause bad things to happen" if someone spoofed the form. In particular, this applies to any processing that modifies the database.

If in doubt, it's best to perform the check.

One exception I made in a module is for a form that simply filters the output displayed on a page. No harm can come from spoofing that form, so I decided there was no need to have a security token.

P.S. If you want to retain downward compatibility with earlier versions of XOOPS, you can do this:

if (is_object($GLOBALS['xoopsSecurity']) and !$GLOBALS['xoopsSecurity']->check()) {
   
redirect_header(XOOPS_URL.'/',3,$GLOBALS['xoopsSecurity']->getErrors());
}

4
krobi
Re: XoopsGTicket best practice
  • 2005/7/20 22:29

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


so i only have to type in these at any place?

Quote:
if (is_object($GLOBALS['xoopsSecurity']) and !$GLOBALS['xoopsSecurity']->check()) {
redirect_header(XOOPS_URL.'/',3,$GLOBALS['xoopsSecurity']->getErrors());
}


did you have a example of code, where i (for example) can look at how its the best way to include and use the xoopticket system.

and most important how can i check if the xoopsticket system is working right?
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

5
Dave_L
Re: XoopsGTicket best practice
  • 2005/7/21 1:36

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


There is documentation on using it here: https://xoops.org/modules/news/article.php?storyid=2212

To test it, you can place the token in a manually created form, rather than using the fifth parameter in the XoopsForm class constructor:

in .php file:

$xoopsTpl->assign('krobi_token'$GLOBALS['xoopsSecurity']->getTokenHTML());


in template:

<{$krobi_token}>


The Smarty tag will normally be expanded to something like this:

<input type='hidden' name='XOOPS_TOKEN_REQUEST' id='XOOPS_TOKEN_REQUEST' value='2dcc99c46c39437a5b8af0cc68619797' />


For testing purposes, you could replace the Smarty tag in the template with a hardcoded HTML tag, and make up a fake value:

<input type='hidden' name='XOOPS_TOKEN_REQUEST' id='XOOPS_TOKEN_REQUEST' value='12345678123456781234567812345678' />


Then your token check will fail when processing the submitted form, since the submitted form field value will not match the session field.

6
krobi
Re: XoopsGTicket best practice
  • 2005/7/21 1:56

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


thx for that infos

i have another question

Quote:
1) Add a 5th parameter to the XoopsForm-derived class constructor - true for adding a token and false (default) for not using the token system in this form


okay when i have added this 5th parameter and set it to true, then i use the token system - okay.

but what could i do to make the module also compatible for older XOOPS version?
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

7
Dave_L
Re: XoopsGTicket best practice
  • 2005/7/21 2:06

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
but what could i do to make the module also compatible for older XOOPS version?


Adding the fifth parameter to the XoopsForm constructor won't hurt anything with XOOPS < 2.0.10; the parameter will be ignored.

My "P.S." a few posts up covers downward-compatibility for checking the token during form processing.

8
krobi
Re: XoopsGTicket best practice
  • 2005/7/21 2:18

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


thx for your infos, i have justed tested it with pd-downloads seems to work - cool (so a new feature )

okay its good that there will be no problems with older XOOPS version regarding that 5th parameters.
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

9
krobi
Re: XoopsGTicket best practice
  • 2005/7/21 18:38

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


hey i have another question regarding the token system

how can i make a token on this
Quote:
its a example code, but we have some of them - and i think it would be good to have a token everytime sql things will change when you click on such a link.

but i had no success to make a token for such a link.
hope you understand and have solution for that - would be great.
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

10
Mithrandir
Re: XoopsGTicket best practice

<a href='index.php?op=Download&lid=" . $lid . "&t=".$GLOBALS['xoopsSecurity']->createToken()."'>" . $imagearray['editimg'] . "a>


and on the receiving end:

$token_valid $GLOBALS['xoopsSecurity']->check(true$_REQUEST['t']);
//perform actions based on whether the token is valid or not
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software

Login

Who's Online

409 user(s) are online (291 user(s) are browsing Support Forums)


Members: 0


Guests: 409


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits