X-Git-Url: http://andersk.mit.edu/gitweb/sql-web.git/blobdiff_plain/7210b38439b4ffef6bc6f3e8a2691e2afcc0421e..96f685938defc906144aa50fe129f7343e9c73ea:/main.php
diff --git a/main.php b/main.php
index 4551be7..b4935af 100644
--- a/main.php
+++ b/main.php
@@ -9,16 +9,27 @@ require_once('proc.lib.php');
 if (!isLoggedIn()) redirect('index');
+if(!isset($_SESSION['csrf_token']))
+{
+    $n = rand(10e16, 10e20);
+    $_SESSION['csrf_token'] = base_convert($n, 10, 36);
+}
+
 $err1 = $msg1 = array();
 $User = new User($Login->getUserID());
 if (isPost()) {
-    if (isset($i_newdb)) {
-        list($msg1, $err1) = proc::newdb($User, $i_newdb);
-    }
-    if (isset($i_drop)) {
-        list($msg1, $err1) = proc::drop($User, $i_drop);
+    if($_SESSION['csrf_token'] != $_POST['csrf_token'])
+    {
+        $err1[] = "CSRF token incorrect or not found. Try submitting again.";
+    } else {
+        if (isset($i_newdb)) {
+            list($msg1, $err1) = proc::newdb($User, $i_newdb);
+        }
+        if (isset($i_drop)) {
+            list($msg1, $err1) = proc::drop($User, $i_drop);
+        }
     }
 }
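Review bot: The token source `$n = rand(10e16, 10e20);` is a seedable PRNG rather than a CSPRNG, so the value an attacker must guess is not unpredictable, and both bounds are float literals with 10e20 (1e21) above PHP_INT_MAX on 64-bit, so the int conversion rand() performs on them is undefined and the effective range is not what the code suggests. Replace the two generation lines with `$_SESSION['csrf_token'] = bin2hex(random_bytes(16));` (PHP >= 7.0; `openssl_random_pseudo_bytes(16)` on older runtimes — the project's minimum PHP version is not visible in this hunk). The check `if($_SESSION['csrf_token'] != $_POST['csrf_token'])` uses loose comparison (numeric-looking base-36 strings compare numerically) and reads `$_POST['csrf_token']` without a guard, which fails closed on a missing token only by way of an undefined-index notice; write it as `if (!isset($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token']))` so the comparison is strict and constant-time (hash_equals needs PHP >= 5.6). The whole `if (isPost())` block is inside the hunk, but the session_start() that must precede the `$_SESSION` reads is not shown, so it is presumably in an included file.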