X-Git-Url: http://andersk.mit.edu/gitweb/sql-web.git/blobdiff_plain/690e37fb59e0ed5c5f90365776f61132eeeba5f8..refs/heads/master:/main.php
diff --git a/main.php b/main.php
index f83723c..b4935af 100644
--- a/main.php
+++ b/main.php
@@ -1,4 +1,7 @@ getUserID());
 if (isPost()) {
- if (isset($i_newdb)) {
- list($msg1, $err1) = proc::newdb($User, $i_newdb);
- }
- if (isset($i_drop)) {
- list($msg1, $err1) = proc::drop($User, $i_drop);
+ if($_SESSION['csrf_token'] != $_POST['csrf_token'])
+ {
+ $err1[] = "CSRF token incorrect or not found. Try submitting again.";
+ } else {
+ if (isset($i_newdb)) {
+ list($msg1, $err1) = proc::newdb($User, $i_newdb);
+ }
+ if (isset($i_drop)) {
+ list($msg1, $err1) = proc::drop($User, $i_drop);
+ }
 }
 }
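Review bot: The new guard `if($_SESSION['csrf_token'] != $_POST['csrf_token'])` fails open when neither side is set. Both array reads then yield null, the loose `!=` is false, and the `proc::newdb` / `proc::drop` branch runs without any token having been checked. The loose comparison also applies PHP's type juggling to numeric-looking strings and is not constant-time. I would require a non-empty session token and a string POST value before comparing, for example `if (empty($_SESSION['csrf_token']) || !isset($_POST['csrf_token']) || !is_string($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token']))`. `hash_equals` needs PHP 5.6 or later, so on older versions use a strict `!==` after the same presence checks. Where the session token is generated is not visible in this hunk, so please confirm it is always created as a string before any form that posts here is rendered.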