duotive says
Hello. I am using PHP to create a CSS with the skins of our new theme. Do you see a problem with using this:

<link href="[website-url]/css/skin.php?themecolor=8d70ca&amp;slideshow_background_image=disabled&amp;slideshow_background_color=eae9e2" rel="stylesheet" type="text/css" media="all" />

Thanks
revaxarts says

Don’t see problems until the php file is set up correctly.

Always check the parameters and make a white-list to prevent injections.

duotive says
Params will be set by the backend. Any need to test that? There is no database interaction so I don't think that user input can be harmful. I will show you the PHP too. It's below. Keep in mind that it will get complex over time, and now it's just basic so I can test things.

<?php header("Content-type: text/css"); ?>
<?php $color = $_GET['themecolor']; ?>
#toptoolbar .menu-toptoolbar ul li a:hover,
#toptoolbar .menu-toptoolbar ul li a:active,
#toptoolbar .menu-toptoolbar ul li.current-menu-item a:link,
#toptoolbar .menu-toptoolbar ul li.current-menu-item a:visited,
.menu-header ul li a:hover,
.menu-header ul li a:active,
.menu-header ul li.current-menu-item a:link,
.menu-header ul li.current-menu-item a:visited
{
    color: #<?php echo $color; ?>;
}
#toptoolbarsearch input.searchbutton:hover,
.menu-header ul.sub-menu,
.menu-header .sfHover .sf-sub-indicator {
    background-color: #<?php echo $color; ?>;
}
<?php $slideshow_background_color = $_GET['slideshow_background_color']; ?>
<?php $slideshow_background_image = $_GET['slideshow_background_image']; ?>
#slideshow-wrapper {
<?php if ( $slideshow_background_color == 'disabled' ) : ?>
background-color: #FFF;
<?php else: ?>
background-color: #<?php echo $slideshow_background_color; ?>;
<?php endif; ?>
<?php if ( $slideshow_background_image == 'disabled' ) : ?>
background-image:none;
<?php else: ?>
background-image: url(<?php echo $slideshow_background_image; ?>);
<?php endif; ?>
background-repeat:  no-repeat;
background-position: center top;
}

revaxarts says

In this special case it’s not bad because it’s only CSS, but injecting some ‘bad’ CSS is easy:

<link href="[website-url]/css/skin.php?themecolor=8d70ca&amp;slideshow_background_image=disabled&amp;slideshow_background_color=eae9e2;}body{display:none;}" rel="stylesheet" media="all" type="text/css" />
So you get (nearly) this CSS:
background-color: #eae9e2;}body{display:none;};

You see what I mean?

OK, it's CSS, so no worry, but I always have concerns about GET variables and PHP.

duotive says

Thanks for the opinion. Any others?
And what filter could I do? :) There is nothing I can do to prevent a call with faulty variables.
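
The white-list filtering suggested in the thread, as an added example that is not code from either poster: colours must match a strict hex pattern and the background image is picked from a fixed map, so no request value is echoed into the stylesheet unchecked. The function names, the image keys and paths, and the fallback colours are assumptions made for illustration.

```php
<?php
// Added example: allow-list filtering for the skin.php query parameters.

// Accept only a 3- or 6-digit hex colour; anything else (including the
// string "disabled" or an array from ?themecolor[]=x) yields the default.
function skin_hex_color($value, $default)
{
    if (is_string($value) && preg_match('/\A(?:[0-9a-fA-F]{3}){1,2}\z/', $value)) {
        return strtolower($value);
    }
    return $default;
}

// Map a short key to a fixed path; the raw value never reaches url().
// Keys and paths are hypothetical placeholders for the theme's own images.
function skin_background_image($value)
{
    $allowed = array(
        'pattern1' => '../images/backgrounds/pattern1.png',
        'pattern2' => '../images/backgrounds/pattern2.png',
    );
    return (is_string($value) && isset($allowed[$value])) ? $allowed[$value] : null;
}

// Build the stylesheet from a query array (normally $_GET).
function skin_render(array $query)
{
    $get = function ($k) use ($query) { return isset($query[$k]) ? $query[$k] : null; };
    $color = skin_hex_color($get('themecolor'), '8d70ca');
    $bg    = skin_hex_color($get('slideshow_background_color'), 'ffffff');
    $image = skin_background_image($get('slideshow_background_image'));

    $css  = ".menu-header ul li a:hover { color: #$color; }\n";
    $css .= "#slideshow-wrapper {\n  background-color: #$bg;\n";
    $css .= '  background-image: ' . ($image === null ? 'none' : "url(\"$image\")") . ";\n}\n";
    return $css;
}

// Constructed input: the injection string from the reply above.
$sample = array(
    'themecolor'                 => '8d70ca',
    'slideshow_background_color' => 'eae9e2;}body{display:none;}',
    'slideshow_background_image' => 'disabled',
);

if (PHP_SAPI === 'cli') {
    echo skin_render($sample);   // injected value is replaced by #ffffff
} else {
    header('Content-Type: text/css');
    echo skin_render($_GET);
}
```

Run from the command line, the constructed sample prints a stylesheet in which the injected `}body{display:none;}` fragment is absent and the slideshow background falls back to `#ffffff`.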
