Fix CSRF vulnerabilities master
authorAlex Dehnert <adehnert@mit.edu>
Thu, 7 Apr 2011 06:26:14 +0000 (06:26 +0000)
committerAlex Dehnert <adehnert@mit.edu>
Thu, 7 Apr 2011 06:26:14 +0000 (06:26 +0000)
git-svn-id: svn://sql.mit.edu/sql@193 a142d4bd-2cfb-0310-9673-cb33a7e74f58

main.php
tpl/main.php

index 4551be7984b1b47622834156c17d0d9e1798b410..b4935afc990c2eea56302ad1bae70b25dfc48356 100644 (file)
--- a/main.php
+++ b/main.php
@@ -9,16 +9,27 @@ require_once('proc.lib.php');
 
 if (!isLoggedIn()) redirect('index');
 
+if(!isset($_SESSION['csrf_token']))
+{
+       $n = rand(10e16, 10e20);
+       $_SESSION['csrf_token'] = base_convert($n, 10, 36);
+}
+
 $err1 = $msg1 = array();
 
 $User = new User($Login->getUserID());
 
 if (isPost()) {
-       if (isset($i_newdb)) {
-               list($msg1, $err1) = proc::newdb($User, $i_newdb);
-       }
-       if (isset($i_drop)) {
-               list($msg1, $err1) = proc::drop($User, $i_drop);
+       if($_SESSION['csrf_token'] != $_POST['csrf_token'])
+       {
+               $err1[] = "CSRF token incorrect or not found. Try submitting again.";
+       } else {
+               if (isset($i_newdb)) {
+                       list($msg1, $err1) = proc::newdb($User, $i_newdb);
+               }
+               if (isset($i_drop)) {
+                       list($msg1, $err1) = proc::drop($User, $i_drop);
+               }
        }
 }
 
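Review bot: The token generated at the top of the hunk comes from `rand()`, which is not a cryptographic PRNG, and `rand(10e16, 10e20)` passes float bounds outside the integer range, so the effective range is not what the literals suggest; `$_SESSION['csrf_token'] = bin2hex(random_bytes(16));` (or `openssl_random_pseudo_bytes()` on PHP older than 7.0) yields a token of known entropy. The check inside the `isPost()` branch reads `$_POST['csrf_token']` without `isset()`, which raises a notice when the field is missing, and compares with loose `!=`, which applies numeric-string rules to two strings; `if (!isset($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token']))` avoids both. Since the rejection path only appends to `$err1`, a missing token is reported to the user rather than logged; if the site keeps a log, recording the failure there would help spot forged submissions.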
index 2a605ddfd86efdee16255e9f0ac7b4a11d635549..fc642dd3ab4417712ebe59f540bbece18d8017bb 100644 (file)
@@ -15,12 +15,14 @@ if (isset($i_dropask)) {
 <h3>Databases</h3>
 
 <form method="post" action="<?=$URI?>">
+<input type='hidden' name='csrf_token' value='<?php echo $_SESSION['csrf_token']; ?>'>
 <?php printErrors($err1); ?>
 <?php printMsgs($msg1); ?>
 </form>
 
 <table width="100%">
 <form method="post" action="<?=$URI?>">
+<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
 <?php
        $bytes = $User->getBytes();
        $usage = $bytes['nBytes'];
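Review bot: Both hidden inputs in this hunk, and the one added in the next hunk for the new-database form, echo `$_SESSION['csrf_token']` into an attribute value unescaped; the value is server-generated and base-36 today, but escaping at output keeps this safe if generation ever changes: `value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>"`. The first input uses single-quoted attributes while the other two use double quotes; one style should be used for all three. Because the check in main.php now applies to every POST, any form posting to this page that this diff does not touch (whatever handles `$i_dropask`, if that is a form) would be rejected with the CSRF error — worth confirming against the rest of the template.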
@@ -55,6 +57,7 @@ if (isset($i_dropask)) {
 
 <form method="post" action="<?=$URI?>">
 <p align="right"><span style="width: 150px; font-style: italic;"><label for="p1">new database:</label></span> <?=$Login->getUsername()?>+<input type="text" name="newdb">
+<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
 <input type=submit value="add"></p>
 </form>
 