/blog/add-post.php |
---|
21,6 → 21,8 |
if (isset($_POST['post'])) |
{ |
$page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']); |
$title = $_POST['title']; |
$content = $_POST['content']; |
$parentID = $_POST['parentID']; |
78,6 → 80,7 |
</tr> |
<input type="hidden" name="post" value="yes" /> |
<input type="hidden" name="csrftoken" value="<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" /> |
<?php |
write('<input type="hidden" name="parentID" value="' . getParentID() . '" />'); |
/blog/edit-post.php |
---|
28,6 → 28,8 |
$error = ''; |
if (isset($_POST['id'])) { |
$page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']); |
$title = $_POST['title']; |
$content = $_POST['content']; |
$category = $_POST['category']; |
71,8 → 73,9 |
<?php |
write('<input type="hidden" name="id" value="' . $id . '" />'); |
?> |
<input type="hidden" name="csrftoken" value=""<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" /> |
<tr> |
<tr> |
<td class="bold"></td> |
<td><input type="submit" value="Edit" /></td> |
</tr> |
/_taios.php |
---|
488,19 → 488,19 |
return $res; |
} |
function getCRSFToken($id) { |
function getCSRFToken($id) { |
$token = $this->rndString(); |
$this->query("UPDATE USERS Set CSRFToken = ? WHERE ID = ?", array($token, $id)); |
return $token; |
} |
function checkCRSFToken($id, $token) { |
function checkCSRFToken($id, $token) { |
$user = $this->getUserByID($id); |
if ($token !== $user->csrftoken) { |
die("a death"); |
} |
$this->getCRSFToken($id); // change to something else so we can't re-use it |
$this->getCSRFToken($id); // change to something else so we can't re-use it |
} |
function getGetID() { |
/register-do.php |
---|
44,8 → 44,8 |
$salt = $username . "horses"; |
$args = array(2, $username, $page->saltAndBurn($password, $salt), $salt, $email, $name, 0); |
$page->query("INSERT INTO Users (AccessID, Username, Password, Salt, EmailAddress, Name, ChallengeID) VALUES (?, ?, ?, ?, ?, ?, ?)", $args); |
$args = array(2, $username, $page->saltAndBurn($password, $salt), $salt, $email, $name, $page->rndString(), 0); |
$page->query("INSERT INTO Users (AccessID, Username, Password, Salt, EmailAddress, Name, CSRFToken, ChallengeID) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", $args); |
$page->redirect('login.php'); |