3007 posts
  • Has been part of the Envato Community for over 4 years
  • Has referred 200+ members
  • Has sold $250,000+ on Envato Market
  • Had an item featured in an Envato Bundle
+7 more
duotive says
Hello. I am using PHP to create a CSS file with the skins of our new theme. Do you see a problem with using this:

<link href="[website-url]/css/skin.php?themecolor=8d70ca&amp;slideshow_background_image=disabled&amp;slideshow_background_color=eae9e2" rel="stylesheet" type="text/css" media="all" />

Thanks
2073 posts
  • Made it to the Authors' Hall of Fame
  • Had an item featured on Envato Market
  • Provided great feedback to improve the user experience on Envato Market
  • Interviewed on an Envato blog
+9 more
revaxarts says

Don’t see problems until the PHP file is set up correctly.

Always check the parameters and make a white-list to prevent injections.

duotive says
Params will be set by the backend. Any need to test that? There is no database interaction, so I don't think that user input can be harmful. I will show you the PHP too. It's below. Keep in mind that it will get complex over time, and now it's just basic so I can test things.

<?php header("Content-type: text/css"); ?>
<?php $color = $_GET['themecolor']; ?>
#toptoolbar .menu-toptoolbar ul li a:hover,
#toptoolbar .menu-toptoolbar ul li a:active,
#toptoolbar .menu-toptoolbar ul li.current-menu-item a:link,
#toptoolbar .menu-toptoolbar ul li.current-menu-item a:visited,
.menu-header ul li a:hover,
.menu-header ul li a:active,
.menu-header ul li.current-menu-item a:link,
.menu-header ul li.current-menu-item a:visited
{
    color: #<?php echo $color; ?>;
}
#toptoolbarsearch input.searchbutton:hover,
.menu-header ul.sub-menu,
.menu-header .sfHover .sf-sub-indicator {
    background-color: #<?php echo $color; ?>;
}
<?php $slideshow_background_color = $_GET['slideshow_background_color']; ?>
<?php $slideshow_background_image = $_GET['slideshow_background_image']; ?>
#slideshow-wrapper {
<?php if ( $slideshow_background_color == 'disabled' ) : ?>
background-color: #FFF;
<?php else: ?>
background-color: #<?php echo $slideshow_background_color; ?>;
<?php endif; ?>
<?php if ( $slideshow_background_image == 'disabled' ) : ?>
background-image:none;
<?php else: ?>
background-image: url(<?php echo $slideshow_background_image; ?>);
<?php endif; ?>
background-repeat:  no-repeat;
background-position: center top;
}

revaxarts says

In this special case it’s not bad because it’s only CSS, but injecting some ‘bad’ CSS is easy:

<link href="[website-url]/css/skin.php?themecolor=8d70ca&amp;slideshow_background_image=disabled&amp;slideshow_background_color=eae9e2;}body{display:none;}" rel="stylesheet" media="all" type="text/css" />
So you get (nearly) this CSS:
background-color: #eae9e2;}body{display:none;};

You see what I mean?

OK, it's CSS, so no worry, but I always have concerns about GET variables and PHP.

duotive says

Thanks for the opinion. Any others?
And what filter could I do? :) There is nothing I can do to prevent a call with faulty variables.
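
The parameter white-list suggested earlier in the thread, sketched as an added example (not code from either poster): each GET value must match a strict pattern or it is replaced by a fallback, so nothing that could close a declaration or a `url()` token reaches the stylesheet. The function names, the fallback values and the rule that the image is a relative path ending in an image extension are assumptions.

```php
<?php
// Added example: white-list validation for skin.php's three GET parameters.
// Function names, fallback values and the image path rule are assumptions.

// Accept only 3- or 6-digit hex colours; anything else becomes the fallback.
function skin_hex_color($value, $fallback)
{
    return (is_string($value) && preg_match('/\A[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\z/', $value))
        ? strtolower($value)
        : $fallback;
}

// Accept only a relative image path built from safe characters, so the value
// cannot contain ")", ";", "}" or quotes that would end the url() token.
function skin_image_path($value)
{
    if (!is_string($value) || $value === 'disabled') {
        return null; // rendered as background-image: none
    }
    $ok = preg_match('#\A[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.(?:png|jpe?g|gif)\z#', $value);
    return $ok ? $value : null;
}

// Read a GET parameter without notices when it is missing.
function skin_param($name)
{
    return isset($_GET[$name]) ? $_GET[$name] : null;
}

$color  = skin_hex_color(skin_param('themecolor'), '8d70ca');
$raw_bg = skin_param('slideshow_background_color');
$bg     = ($raw_bg === 'disabled') ? 'FFF' : skin_hex_color($raw_bg, 'FFF');
$image  = skin_image_path(skin_param('slideshow_background_image'));

header('Content-Type: text/css; charset=utf-8');
header('X-Content-Type-Options: nosniff');
?>
.menu-header ul li a:hover { color: #<?php echo $color; ?>; }
#slideshow-wrapper {
    background-color: #<?php echo $bg; ?>;
    background-image: <?php echo $image === null ? 'none' : 'url("' . $image . '")'; ?>;
    background-repeat: no-repeat;
    background-position: center top;
}
```

With the request shown in the thread, `eae9e2;}body{display:none;}` fails the colour pattern and the rule falls back to `#FFF`.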
