1
kaotik
XoopsGTicket best practice
  • 2005/7/18 17:31

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


When should XoopsGTicket be used? On all php pages, only admin?

Is this the correct code to use:

if (!$xoopsGTicket->check()) {
    redirect_header(XOOPS_URL.'/', 3, $xoopsGTicket->getErrors());
}


Thanks
www.kaotik.biz

2
kaotik
Re: XoopsGTicket best practice
  • 2005/7/19 11:25

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


bump
www.kaotik.biz

3
Dave_L
Re: XoopsGTicket best practice
  • 2005/7/20 21:20

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Which version of XOOPS?

My understanding is that the XoopsGTicket class was written by GIJOE, and Mithrandir adopted it into the XoopsSecurity class for XOOPS >= 2.0.10.

So if you're using XOOPS >= 2.0.10, then you should be using this instead:

if (!$GLOBALS['xoopsSecurity']->check()) {
    redirect_header(XOOPS_URL.'/', 3, $GLOBALS['xoopsSecurity']->getErrors());
}


The check should be used when processing any form that could "cause bad things to happen" if someone spoofed the form. In particular, this applies to any processing that modifies the database.

If in doubt, it's best to perform the check.

One exception I made in a module is for a form that simply filters the output displayed on a page. No harm can come from spoofing that form, so I decided there was no need to have a security token.

P.S. If you want to retain downward compatibility with earlier versions of XOOPS, you can do this:

if (is_object($GLOBALS['xoopsSecurity']) and !$GLOBALS['xoopsSecurity']->check()) {
    redirect_header(XOOPS_URL.'/', 3, $GLOBALS['xoopsSecurity']->getErrors());
}

4
krobi
Re: XoopsGTicket best practice
  • 2005/7/20 22:29

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


So I only have to type this in at any place?

Quote:
if (is_object($GLOBALS['xoopsSecurity']) and !$GLOBALS['xoopsSecurity']->check()) {
    redirect_header(XOOPS_URL.'/', 3, $GLOBALS['xoopsSecurity']->getErrors());
}


Do you have an example of code where I (for example) can look at the best way to include and use the XoopsGTicket system?

And most important: how can I check if the XoopsGTicket system is working right?
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

5
Dave_L
Re: XoopsGTicket best practice
  • 2005/7/21 1:36

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


There is documentation on using it here: https://xoops.org/modules/news/article.php?storyid=2212

To test it, you can place the token in a manually created form, rather than using the fifth parameter in the XoopsForm class constructor:

in .php file:

$xoopsTpl->assign('krobi_token', $GLOBALS['xoopsSecurity']->getTokenHTML());


in template:

<{$krobi_token}>


The Smarty tag will normally be expanded to something like this:

<input type='hidden' name='XOOPS_TOKEN_REQUEST' id='XOOPS_TOKEN_REQUEST' value='2dcc99c46c39437a5b8af0cc68619797' />


For testing purposes, you could replace the Smarty tag in the template with a hardcoded HTML tag, and make up a fake value:

<input type='hidden' name='XOOPS_TOKEN_REQUEST' id='XOOPS_TOKEN_REQUEST' value='12345678123456781234567812345678' />


Then your token check will fail when processing the submitted form, since the submitted form field value will not match the session field.

6
krobi
Re: XoopsGTicket best practice
  • 2005/7/21 1:56

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


Thanks for that info.

I have another question.

Quote:
1) Add a 5th parameter to the XoopsForm-derived class constructor - true for adding a token and false (default) for not using the token system in this form


Okay, when I have added this 5th parameter and set it to true, then I use the token system - okay.

But what could I do to make the module also compatible with older XOOPS versions?
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

7
Dave_L
Re: XoopsGTicket best practice
  • 2005/7/21 2:06

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
But what could I do to make the module also compatible with older XOOPS versions?


Adding the fifth parameter to the XoopsForm constructor won't hurt anything with XOOPS < 2.0.10; the parameter will be ignored.

My "P.S." a few posts up covers downward-compatibility for checking the token during form processing.

8
krobi
Re: XoopsGTicket best practice
  • 2005/7/21 2:18

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


Thanks for your info. I have just tested it with PD-Downloads; it seems to work - cool (so a new feature).

Okay, it's good that there will be no problems with older XOOPS versions regarding that 5th parameter.
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

9
krobi
Re: XoopsGTicket best practice
  • 2005/7/21 18:38

  • krobi

  • Quite a regular

  • Posts: 290

  • Since: 2003/12/21


Hey, I have another question regarding the token system.

How can I make a token on this?
Quote:
echo "<a href='index.php?op=Download&lid=" . $lid . "'>" . $imagearray['editimg'] . "</a>";

It's an example code, but we have some of them - and I think it would be good to have a token every time SQL things will change when you click on such a link.

But I had no success making a token for such a link.
Hope you understand and have a solution for that - would be great.
Developer of PD-Modules like PD-Downloads and PD-Links.
Webmaster of Power-Dreams.com

10
Mithrandir
Re: XoopsGTicket best practice

echo "<a href='index.php?op=Download&lid=" . $lid . "&t=" . $GLOBALS['xoopsSecurity']->createToken() . "'>" . $imagearray['editimg'] . "</a>";


and on the receiving end:

$token_valid = $GLOBALS['xoopsSecurity']->check(true, $_REQUEST['t']);
// perform actions based on whether the token is valid or not
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software
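To make the mechanism behind both Dave_L's form test (the hardcoded fake value that must fail) and Mithrandir's link token concrete, here is an added, self-contained example. It is not XOOPS code: `DemoTokenGuard` is a stand-in class that only borrows the method names used in this thread (`createToken`, `getTokenHTML`, `check`, `getErrors`) and keeps its tokens in a plain array (`$session`) instead of `$_SESSION`, so it runs from the command line; the `$lid` value and the `DEMO_TOKENS` key are constructed for the demo.

```php
<?php
// Added example, not XOOPS code: a minimal stand-in for the token methods used in
// this thread, showing what check() compares and why a made-up value fails.
// $store takes the place of $_SESSION so the script runs without a web server.

class DemoTokenGuard
{
    private $store;              // stand-in for $_SESSION
    private $errors = array();

    public function __construct(array &$store)
    {
        $this->store = &$store;
    }

    // Issue a new single-use token and remember it (with its expiry) server-side.
    public function createToken($timeout = 300)
    {
        $token = bin2hex(random_bytes(16));           // 32 hex chars, like the value in the thread
        $this->store['DEMO_TOKENS'][$token] = time() + $timeout;
        return $token;
    }

    // Hidden field for a form; in XOOPS this is what <{$krobi_token}> expands to.
    public function getTokenHTML()
    {
        $token = $this->createToken();
        return "<input type='hidden' name='XOOPS_TOKEN_REQUEST' value='" . $token . "' />";
    }

    // Verify a submitted token. With $token === false the form field is used;
    // for a link, pass the query value explicitly, as in check(true, $_REQUEST['t']).
    public function check($clearIfValid = true, $token = false)
    {
        $this->errors = array();
        if ($token === false) {
            $token = isset($_POST['XOOPS_TOKEN_REQUEST']) ? $_POST['XOOPS_TOKEN_REQUEST'] : '';
        }
        $issued = isset($this->store['DEMO_TOKENS']) ? $this->store['DEMO_TOKENS'] : array();
        $found = null;
        foreach ($issued as $candidate => $expires) {
            // Constant-time comparison so a mismatch leaks nothing about the stored value.
            if (hash_equals((string) $candidate, (string) $token)) {
                $found = $candidate;
                break;
            }
        }
        if ($found === null) {
            $this->errors[] = 'Token not found in session (never issued, already used, or forged)';
            return false;
        }
        if ($issued[$found] < time()) {
            unset($this->store['DEMO_TOKENS'][$found]);
            $this->errors[] = 'Token expired';
            return false;
        }
        if ($clearIfValid) {
            unset($this->store['DEMO_TOKENS'][$found]);   // single use: a replayed request fails
        }
        return true;
    }

    public function getErrors()
    {
        return $this->errors;
    }
}

// --- walk-through on constructed values ---
$session = array();
$guard   = new DemoTokenGuard($session);

// 1. A link carrying a token, as in the reply above ($lid is constructed).
$lid  = 42;
$link = "index.php?op=Download&lid=" . $lid . "&t=" . $guard->createToken();
parse_str(parse_url($link, PHP_URL_QUERY), $query);      // what the receiving page sees
var_dump($guard->check(true, $query['t']));               // bool(true)
var_dump($guard->check(true, $query['t']));               // bool(false): token already consumed

// 2. Dave_L's test: a hardcoded fake value does not match anything in the session.
$guard->createToken();
var_dump($guard->check(true, '12345678123456781234567812345678'));   // bool(false)
print_r($guard->getErrors());

// 3. The hidden field a form would carry instead of the query parameter.
echo $guard->getTokenHTML(), "\n";
```

In a module the result of `check()` would guard the database action in the same way as the snippets earlier in the thread, i.e. `if (!$GLOBALS['xoopsSecurity']->check(true, $_REQUEST['t'])) { redirect_header(...); }`. The two design choices worth copying from the stand-in are the constant-time comparison and the single-use clearing: the second call with the same `t` value fails, so a captured link cannot be replayed after the legitimate click.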
