Problem Posting Variable URL w/ PHPBB User Integration



macmonkey
09-21-2005, 03:14 PM
I've utilized the hack located at http://www.phpbbhacks.com/forums/viewtopic.php?t=4968&sid=08f70a9e348e55a015ecd2382e0331fd
which allows me to use my forum membership system across my site, allowing users to bounce in and out of the forums through my site, taking advantage of the PM system and other features. After including the following on the top of each page to register session variables and such -


define('IN_PHPBB', true);

$site_root_path = '/web/etc/you/'; //<-- Modify
$phpbb_root_path2 = '/phpbb2/'; //<-- Modify
$phpbb_root_path = $site_root_path . $phpbb_root_path2;
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.php');

$userdata = session_pagestart($user_ip, PAGE_INDEX);
init_userprefs($userdata);

when I try to pass a variable via URL, i.e. http://www.mydomain.com/news.php?id=8

The 8 isn't making it to the script to be handled.

When I remove the session code block from the top of the page the news script works fine pulling "Story id 8" from the dbase and displaying.

Could this have anything to do w/ the HTTP_POST_VARS or HTTP_GET_VARS included in the common.php?

Any suggestions?

Thanks
jw

Fou-Lu
09-21-2005, 03:33 PM
HTTP_*_VARS are deprecated, use the _* superglobals instead.
Anyways, to start with, superglobals control any type of dynamic content by request, so it could very well be.
But I'm more confused by the session block thing you're referring to. Are you saying that if you comment this line out:


$userdata = session_pagestart($user_ip, PAGE_INDEX);

That it works correctly? If that's the case, you need to ensure that the function for session_pagestart() doesn't require that its arguments be complete, and that if it does it doesn't kill the script.
I say this for two reasons: one, PAGE_INDEX is not a defined constant that I can see. Two, $user_ip is not defined. Now, how this will affect the use of your $_GET array, I'm not certain as I do not have the code to view.

Now, another problem is that your function may not actually exist as you see it. Try adding error_reporting(E_ALL) to the top and see if it declares the function as non-existent. If it does, your problem is simple - one of your included pages is attempting to include or call another page which has not been specified by your filepath. You would need to change your filepath in order to do that:


chdir($phpbb_root_path);

prior to your includes for instance. You would then drop the $phpbb_root_path from your includes should this be the case.

Your best bet is to contact the forums on phpBB about questions relating to these. Unfortunately, I do not have the files in order to view what all needs to be altered.

macmonkey
09-21-2005, 03:42 PM
Fou-Lu,

Thanks very much for your response. I actually have posted on a few different phpBB boards to get a solution. In my 2 months of PHP "learning" I've never come across something like this.

I've got all my error reporting on and all of my includes are valid etc..

As you'll see by visiting the link on my original post:


define('IN_PHPBB', true);

$site_root_path = '/web/etc/you/'; //<-- Modify
$phpbb_root_path2 = '/phpbb2/'; //<-- Modify
$phpbb_root_path = $site_root_path . $phpbb_root_path2;
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.php');

$userdata = session_pagestart($user_ip, PAGE_INDEX);
init_userprefs($userdata);

is the business end of the phpBB membership system pulling all of the constant variables and session data required.

For some reason when this above code block runs on the page it's destroying the URL Variable being carried over and it's driving me nuts :/ I've got a project and this is pretty much the only thing keeping me from launching *** variables won't be passed from page to page.

I made sure to go through all of the included files to make sure a new $id was not being defined but nothing.

I'll look over your suggestions again and hopefully get to the bottom of this.

marek_mar
09-21-2005, 03:43 PM
HTTP_*_VARS are deprecated, use the _* superglobals instead.
phpBB2 was written when the superglobals were new and they used HTTP_*_VARS for compatibility with older PHP versions. The new phpBB uses superglobals like it should.

Fou-Lu
09-21-2005, 03:49 PM
Ah, I see. I hadn't been aware of that, I'm not much for forum software unless it's given to me :p

This one though (I was reading up on the posting for it, as I don't know what your domain is), is probably incorrect:


$site_root_path = '/web/etc/you/'; //<-- Modify
$phpbb_root_path2 = '/phpbb2/'; //<-- Modify

Have these values been altered to coincide with your domain's configurations?

macmonkey
09-21-2005, 03:52 PM
Yes, of course they have - I'm just maintaining a sense of anonymity :)

The User Integration is fine as I've tested all of the features, i.e. private messages, user online status, login/logout, etc....

Fou-Lu
09-21-2005, 04:10 PM
Hmm, then I'm uncertain what the problem could be.
Assuming as well that you are requesting the id as a superglobal (you did mention it works fine if the sessions are not set, so I doubt this is the problem), it could be any function set out within the included scripts and possibly their included scripts. Makes it tough to debug.
First, check to make sure that $userdata is being created. Just dump whatever variable is being created.
Another option is perhaps the level of security that is involved. Unfortunately, without knowing the innards of a phpBB, I can't tell you if this is the case, but it may explain why a 'guest' we'll say can access something, while a member cannot. Maybe it's more of a permissions based issue?

macmonkey
09-21-2005, 04:14 PM
hrm.. definitely something to think about... I know phpbb is very mindful about security issues like SQL injections etc...

Maybe there is something like that going on.

I'm going to write the author of the "hack" to see if he's got a solution.

Then I'll report back w/ my solution.

Thanks

marek_mar
09-21-2005, 04:16 PM
Or maybe the $id variable is used and unset in the phpBB code?

macmonkey
09-21-2005, 04:19 PM
haha.. I went through the entire phpbb included file to see if something was doing that but nothing was..... I even changed the variable name to something silly and it didn't work either. But it worked when I comment out the session code :/

Fou-Lu
09-21-2005, 04:20 PM
See, I was thinking about that as well. But normally if you use $id within a function, you will probably not alter it on a global scope, especially with something like this. At least, I would assume so. It would be easy to find if that were the case though, it would only be written by the session calls, and any functions that they are relying on.
All in all, the biggest problem why we cannot help you get to the bottom of this is because we can't see it as a 'whole', we only have the part.
Good luck on getting the fix you need, sorry we couldn't be a little more accommodating for you!

macmonkey
09-21-2005, 04:54 PM
I'd like to post the whole thing but it's just too much - I figured about 1/2 the php users on here would already have phpbb installed on their systems to refer to. I've posted over the past 3 days on other phpbb forums so I'll go bump those posts and hopefully draw some attention.

jw

macmonkey
09-21-2005, 06:16 PM
OK... I finally got a response from one of the guys over @ phpBBhacks.com



phpBB unsets variables passed through URLs because they are a major security risk. You need to explicitly set the variables you pass via URLs by placing code such as this below the phpBB code:


$id = ( isset($_GET['id']) ) ? intval($_GET['id']) : 0;



Thanks for everyone's help on this and hopefully this post will help future phpbb integrations.

marek_mar
09-21-2005, 07:03 PM
OMG that would mean you depended on register_globals = on !!!
Never do that!
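
The behaviour explained in the quoted phpBBhacks reply and in the register_globals comment above, as an added example that is not part of the thread and is not phpBB's own code: it emulates register_globals on a constructed request, emulates the cleanup that removes request-derived globals, then reads id explicitly. The function names and the authorized parameter are hypothetical, and filter_var() is used here as a stricter alternative to the intval() call in the reply.

```php
<?php
// Added illustration; not phpBB's code. Constructed request:
//   news.php?id=8&authorized=1
$_GET = ['id' => '8', 'authorized' => '1'];

// True for plain identifiers only, so the demo never touches $GLOBALS or $_GET.
function is_plain_name($name): bool
{
    return is_string($name) && $name !== 'GLOBALS'
        && preg_match('/^[a-z][a-z0-9]*$/i', $name) === 1;
}

// Emulates register_globals = on: every request key becomes a global variable.
function emulate_register_globals(array $input): void
{
    foreach ($input as $name => $value) {
        if (is_plain_name($name)) {
            $GLOBALS[$name] = $value;
        }
    }
}

// Emulates the cleanup described in the thread: globals created from request
// input are removed, while the $_GET superglobal itself is left untouched.
function unset_request_globals(array $input): void
{
    foreach (array_keys($input) as $name) {
        if (is_plain_name($name)) {
            unset($GLOBALS[$name]);
        }
    }
}

// Explicit read of one expected parameter, accepted only as a positive integer.
function get_int_param(array $source, string $name, int $default = 0): int
{
    if (!isset($source[$name])) {
        return $default;
    }
    $value = filter_var($source[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $value === false ? $default : $value;
}

emulate_register_globals($_GET);
// The page sees $id, but also a caller-chosen $authorized it never asked for.
var_dump(isset($id), isset($authorized));

unset_request_globals($_GET);
// After the cleanup neither global exists: the symptom reported in the thread.
var_dump(isset($id), isset($authorized));

// The fix: read only the parameter the page expects, validated as an integer.
$id = get_int_param($_GET, 'id');
var_dump($id);
```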

Fou-Lu
09-22-2005, 04:39 AM
Assuming as well that you are requesting the id as a superglobal (you did mention it works fine if the sessions are not set, so I doubt this is the problem)

Never assume I suppose eh?


