WebSVN - taios - Path Comparison - / Rev 508 and / Rev 511

Ignore whitespace Rev 508 → Rev 511

 /blog/add-post.php
 ,6 → 21,8
 if (isset($_POST['post']))
 {
+    $page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']);
     $title = $_POST['title'];
     $content = $_POST['content'];
     $parentID = $_POST['parentID'];
 ,6 → 80,7
 </tr>
 <input type="hidden" name="post" value="yes" />
+<input type="hidden" name="csrftoken" value="<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" />
 <?php
 write('<input type="hidden" name="parentID" value="' . getParentID() . '" />');

 /blog/edit-post.php
 ,6 → 28,8
 $error = '';
 if (isset($_POST['id'])) {
+    $page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']);
     $title = $_POST['title'];
     $content = $_POST['content'];
     $category = $_POST['category'];
 ,8 → 73,9
 <?php
 write('<input type="hidden" name="id" value="' . $id . '" />');
 ?>
+<input type="hidden" name="csrftoken" value=""<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" />
-<tr>
+    <tr>
 <td class="bold"></td>
 <td><input type="submit" value="Edit" /></td>
 </tr>

 /_taios.php
 ,19 → 488,19
         return $res;
     }
-    function getCRSFToken($id) {
+    function getCSRFToken($id) {
         $token = $this->rndString();
         $this->query("UPDATE USERS Set CSRFToken = ? WHERE ID = ?", array($token, $id));
         return $token;
     }
-    function checkCRSFToken($id, $token) {
+    function checkCSRFToken($id, $token) {
         $user = $this->getUserByID($id);
         if ($token !== $user->csrftoken) {
             die("a death");
         }
-        $this->getCRSFToken($id); // change to something else so we can't re-use it
+        $this->getCSRFToken($id); // change to something else so we can't re-use it
     }
     function getGetID() {

 /register-do.php
 ,8 → 44,8
 $salt = $username . "horses";
-$args = array(2, $username, $page->saltAndBurn($password, $salt), $salt, $email, $name, 0);
-$page->query("INSERT INTO Users (AccessID, Username, Password, Salt, EmailAddress, Name, ChallengeID) VALUES (?, ?, ?, ?, ?, ?, ?)", $args);
+$args = array(2, $username, $page->saltAndBurn($password, $salt), $salt, $email, $name, $page->rndString(), 0);
+$page->query("INSERT INTO Users (AccessID, Username, Password, Salt, EmailAddress, Name, CSRFToken, ChallengeID) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", $args);
 $page->redirect('login.php');