Fix CSRF vulnerabilities
[sql-web.git] / tpl / main.php
index 2a605ddfd86efdee16255e9f0ac7b4a11d635549..fc642dd3ab4417712ebe59f540bbece18d8017bb 100644 (file)
@@ -15,12 +15,14 @@ if (isset($i_dropask)) {
 <h3>Databases</h3>
 
 <form method="post" action="<?=$URI?>">
+<input type='hidden' name='csrf_token' value='<?php echo $_SESSION['csrf_token']; ?>'>
 <?php printErrors($err1); ?>
 <?php printMsgs($msg1); ?>
 </form>
 
 <table width="100%">
 <form method="post" action="<?=$URI?>">
+<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
 <?php
        $bytes = $User->getBytes();
        $usage = $bytes['nBytes'];
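Review bot: The token is echoed into the `value` attribute unescaped on both added lines here and on the added line in the hunk at line 57. Writing `value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES) ?>"` keeps the attribute well-formed whatever the generator emits, and one small helper that prints the hidden field would replace the three copies and their mixed single/double quoting. Token generation and the server-side comparison are not visible in this template, so it is worth confirming that the handler rejects a request when the session token is unset or empty and compares with `hash_equals()`; otherwise an empty submitted value could match an empty session value. The first form (the one that only wraps printErrors/printMsgs) has no controls in this hunk, so its token field appears to serve no purpose. The PHP block opened after the second form continues outside the hunk.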
@@ -55,6 +57,7 @@ if (isset($i_dropask)) {
 
 <form method="post" action="<?=$URI?>">
 <p align="right"><span style="width: 150px; font-style: italic;"><label for="p1">new database:</label></span> <?=$Login->getUsername()?>+<input type="text" name="newdb">
+<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
 <input type=submit value="add"></p>
 </form>
 