Hello,

I recently upgraded to Drupal 4.7.4 and I'm having a problem with the search box on my site. I've narrowed it to a missing "form_token" form field but I'm unsure how to add it to the search-box.tpl.php in order to get it to show up.

I'm aware that the form_token is new to 4.7.4 to prevent cross-site scripting issues - is anyone else having this issue with custom themes and the search box?

Thanks,
-mike

Comments

RAYNOR-1’s picture

There is a small article (it is pretty detailed as instructions but there are a couple of unanswered questions) regarding the custom search box:
http://drupal.org/node/45295

I ran into the same issue as you did, pasting the provided search box template:

<div><div id="search" class="container-inline"><div class="form-item">
<input type="text" maxlength="128" class="form-text" name="edit[keys]" id="edit-keys" size="15" value="" alt="Enter the terms you wish to search for." />
</div>
<input type="submit" class="form-submit" name="op" value="Search" />
<input type="hidden" name="edit[form_id]" value="search_box" />
</div>
</div></form>

doesn't do the job. True, you get a sort of search form that you can customize, but it is not usable. If you try searching using this custom form, you get 'no results'. Of course, it is not an indexing issue - cron has been run and search otherwise works when searching using the normal template.

The normal Drupal search form and the custom one above (as provided at http://drupal.org/node/45295) are pretty much the same, but they miss the form_token form hidden field.

http://drupal.org/node/88828 provides the function form_token() to generate this field, but this function doesn't actually exist?
A simple way to get a default token is answered by dumping the $form variable:

print_r($form);

The default token value can be found through:

$form['form_token']['#default_value']

PS: First post. Holla at everyone and sorry for any typos if any.

Heine’s picture

form_token exists only for Drupal 4.6.10.

Better not hardcode your form elements; take a look at form_render.

  // render the entire form.
  $output = form_render($form);
  return $output;

  // Alternatively: render one form field, the rest of the form in a div
  $output = form_render($form['the_one_field']);
  $output .= '<div class="non-semantic">';
  // render all elements that weren't previously rendered:
  $output .= form_render($form);
  $output .= '</div>';
  return $output;

What's special about form_render, is that it marks the elements it already rendered before, so each item will be rendered only once.

Caveat: form_render marks the form array so you have to operate on the array itself.

Eg:

  foreach($form as $element) {
    $output .= form_render($element); // this operates on a *copy* of the form array
  }
  $output .= form_render($form);  
  return $output;

will look horrible because it renders the form twice. Use

  foreach(element_children($form) as $key) {
    $output .= form_render($form[$key]);
  }
  $output .= form_render($form);  
  return $output;

You can always make small modifications to the forms array; to set for example a different description / title, whatever.

--
The Manual | Troubleshooting FAQ | Tips for posting | How to report a security issue.

dr00b’s picture

Hi guys, I wonder if anyone could break this down to slightly more caveman terms... I am attempting to follow this thread and have my text editor at attention ready to hack my search-box.tpl.php ... but I am still stuck in no-search-results land at the moment.

Anyone willing to spell out a step-by-step on this one? Here's my existing broken code, as it stands:

<div><div id="search" class="container-inline"><div class="form-item">
<input type="reset" class="form-submit" name="clear" alt="clear" title="Clear Search terms" value="&#8211;"  />
<input type="text" maxlength="128" class="form-text" name="edit[keys]" id="edit-keys"  size="14" value=" Search" onclick="value=''" alt="Enter the terms you wish to search for here." title="Enter the terms you wish to search for here." />
</div>
<input type="submit" class="form-submit" name="op" value="Go" title="Submit Search request" />
<input type="hidden" name="edit[form_id]" id="edit-form_id" value="search_box"  />
</div>
</div></form>

Any help would be much appreciated.

Regards,
~J.R.

P.S. Forgot to mention, just started getting validation errors and no-results after upgrading from 4.7.2. to 4.7.4.

*Edit #2*
Ok, I noticed that advanced search was still working so by comparing the two files I was able to grab my hardcoded token value and modify the search-box.tpl.php to insert that value. Here is my updated code:

<form action="/search/node"  method="post" id="search_form" class="search-form">
<div><div id="search" class="container-inline"><div class="form-item">
<input type="reset" class="form-submit" name="clear" alt="clear" title="Clear Search terms" value="&#8211;"  />
<input type="text" maxlength="128" class="form-text" name="edit[keys]" id="edit-keys"  size="14" value=" Search" onclick="value=''" alt="Enter the terms you wish to search for here." title="Enter the terms you wish to search for here." />
</div>
<input type="hidden" name="edit[form_token]" id="edit-form_token" value="thisiswhereIputmyhardcodedtokenID"  />
<input type="hidden" name="edit[form_id]" id="edit-search-form" value="search_form"  />
<input type="submit" class="form-submit" name="op" value="Go" title="Submit Search request" />
</div>
</div></form>

Now it passes along my token and the search works, but that is obviously quite a dumb way to do it and I am likely circumventing the new security features (a guess...I'm just a GUI designer/graphics guy fudging his way through this stuff). So I still need a tutorial on doing this properly if anyone can help. Many thanks in advance...

Heine’s picture

While this works for you, it will fail for other users.

Use

<input type="hidden" name="edit[form_token]" id="edit-form_token" value="<?php print drupal_get_token('search_form'); ?>" />


dr00b’s picture

That was precisely the answer I was looking for. Seems to work like a charm. Thanks for the fast reply too. :)

madsen’s picture

I couldn't understand why the above would not work, until I had a look at "search.module".
If the search form is a box-form you need to use "drupal_get_token('search_theme_form')".

Heine’s picture

It indeed depends on the form_id.

It is actually best to use $search_box and style the form with a theme override (phptemplate_form_id).
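
Why the hardcoded token only works for the person who copied it, and why the form_id passed to drupal_get_token() matters, shown as an added example that is not part of the original thread and is not Drupal's own code. It assumes a token derived from the visitor's session, the form_id and a site secret; `example_get_token`, `example_valid_token`, the secret and the session ids are hypothetical.

```php
<?php
// Added illustration, not Drupal source. Models a form token that is bound to
// the visitor's session, the form_id and a site-wide secret (all assumptions).

const SITE_SECRET = 'constructed-example-secret'; // constructed sample value

// Hypothetical helper: derive the token for one session and one form.
function example_get_token(string $session_id, string $form_id): string {
  return hash_hmac('sha256', $session_id . ':' . $form_id, SITE_SECRET);
}

// Hypothetical helper: accept a submission only if the posted token matches
// the one derived for the submitting session and the form being processed.
function example_valid_token(string $session_id, string $form_id, string $posted): bool {
  return hash_equals(example_get_token($session_id, $form_id), $posted);
}

$designer = 'sess-designer-0001'; // constructed session ids
$visitor  = 'sess-visitor-0002';

// Token copied out of the designer's own page source and pasted into the template.
$hardcoded = example_get_token($designer, 'search_form');

// Each case: [submitting session, form_id being processed, token that was posted]
$cases = [
  'hardcoded token, designer session'     => [$designer, 'search_form', $hardcoded],
  'hardcoded token, visitor session'      => [$visitor, 'search_form', $hardcoded],
  'token printed per request for visitor' => [$visitor, 'search_form',
                                              example_get_token($visitor, 'search_form')],
  'visitor token made for another form'   => [$visitor, 'search_theme_form',
                                              example_get_token($visitor, 'search_form')],
];

foreach ($cases as $label => [$session_id, $form_id, $posted]) {
  $result = example_valid_token($session_id, $form_id, $posted) ? 'accepted' : 'rejected';
  printf("%-40s %s\n", $label, $result);
}
```

Only the first and third cases are accepted: a token pasted into the template matches just the session it was copied from, and a token generated for one form_id does not validate a submission processed under another.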