mimic tpl in php with html in?

[someoneneedshelps]

How do I do this

<input type="hidden" name="csrftoken" value="{_CSRFTOKEN}">

with a php file that uses standard html in the form? this doesn't work

 <input type="hidden" name="csrftoken" value="<?php echo $_CSRFTOKEN; ?>">

 

[someoneneedshelps]

I just get this within the source

<b>Notice</b>:  Undefined variable: csrftoken in <b>/home/garyjacobjack/public_html/auctioneerslive.co.uk/importdata_trk_access.php</b> on line <b>112</b><br />
">

 

[spamjim]

Have you defined that csrftoken variable in importdata_trk_access.php? Something suggests that you have not. You probably need to process $_POST["csrftoken"] or $_GET["csrftoken"] (instead of $csrftoken), depending on your form method.

 

[someoneneedshelps]

I hawe the include file at the top where this is in another file...

 

[vacunita]

Can you show us the part of the code that defines the $_CSRFTOKEN variable?

The error is jus saying your $_CSRFTOKEN does not exist. So it can't be echoed out. The echo statement is correct, so make sure your variable actually defined.

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech

 

[Olaf Doschke]

The name suggests this shouls be a cross site request forgery token (for allowing cross site scripting with special permission).
This is not an automatic or superglobal variable of PHP. So this might be specific to your template engine.

You might look into the template engine source code (if available), how it handles such placeholders. It could be this comes from a session variable. For sure it's not a native PHP concept you can simply translate to $_CSRFTOKEN just because you could do that with other {_variable} expressions.

Could you simply tell us, what template engine you want to replace? tpl is a very commonly used file extension used for example by Smarty for its templates. There is a freedom in that, because include or require can take any file name with any file extension, even ssi is not needing special mime types. So tpl is stating nothing specific ringing any bell for us and seeing, ah, that's what you talk about. Be more specific, please.

Bye, Olaf.

 

[someoneneedshelps]

its not smarty, for instance the call to template file here

$template->set_filenames(array(
		'body' => 'sell.tpl'
		));

$template->display('body');

the sell.tpl has this variable set, this is the only instance in the sell.tpl file,

    <input type="hidden" name="csrftoken" value="{_CSRFTOKEN}">

user_login.php creates a token

// generate a random unguessable token
		$_SESSION['csrftoken'] = md5(uniqid(rand(), true));

I dont know if about php to understand how all this goes together and why tpl files have uppercase varibles because i cant find that varaible
_CSRFTOKEN

 

[Olaf Doschke]

Well, the {} syntax is one Smarty also uses, it's not processed by PHP, but by the template enngine.

I suspect the display method of the $template object injects the value of the {_CSRFTOKEN} expression, so you might find something parsing out {} expressions and acting on them case by case, eg turning {_CSRFTOKEN} to it's value perhaps in $_SESSION['csrftoken']. As sell.tpl still contains the curly braces expression it's most likely the display() method making that replacement.

Why don't you simply check, whether the html output contains the same value as $_SESSION['csrftoken']? Then you know the PHP way to get this value in. You're so close in seeing what might happen, you jsut have to verify that. echo $_SESSION['csrftoken'] and compare that with the html output of current code.

I'm not questioning the removal of the template engine, but it would also be a thought, why not simple keep it as is?

Bye, Olaf.

 

[vacunita]

Variables do not magically get created. If $_CSRFTOKEN is not defined anywhere then you cannot use it.

As Olaf points out, {_CSRFTOKE} is likely just the way the template replaces its own variables. You cannot simply convert that to a PHP variable and expect to work if the PHP variable is not set anywhere else.

If the value you are looking for comes from a session you could do something like: $_CSRFTOKEN = $S_SESSION['csrftoken'] anywhere prior to trying to place in the form and it should technically work. But values do not auto-magically go from one place to an other.

If you are trying to move away form the template, then you need to look inside, and understand what the template is doing and how its settings its tokens or variables. If you want to do things manually, then you need to know where the values are coming from.





----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech

 

[Olaf Doschke]

A template engine is not simply a str_replace, it can in short be something like PHP initially was itself, a simply interpreter of commands variable names or expressions can be a simple part of that.
If you want to replace a template engine by native PHP usage, then you can only pray the engine wasn't used extensively and with all it's features, or you have to reprogram much of its parsing engine and variable and expression handling etc etc.

Or you stay with the templates.

$template has to be defined/instanciated at one place. Find the source of this object and you know the used template engine at least. This could very much help mto know aht you want to replace. At the moment it looks you want to replace something quite good, even though it is monolithically only rendering full html pages and not html snippets only. You might rather tackle this on the level of the tlp files and work on the templates instead of the code.

In general, you are deep diving into this, instead of looking at the outmost level of things. What PHP framework is used, what template engine? You might work on framework internals here, you don't do that, unless you are the framework developer.

Bye, Olaf.