include dirname(__FILE__).'/inc/config.php';
$db = new db(DB_PATH);
-$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
-$id = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
+$action = (isset ($_GET['action'])) ? htmlentities($_GET['action']) : '';
+$id = (isset ($_GET['id'])) ? htmlentities($_GET['id']) : '';
+$token = (isset ($_GET['token'])) ? $_GET['token'] : '';
-switch ($action)
-{
- case 'toggle_fav' :
- $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
- $params_action = array($id);
- break;
- case 'toggle_archive' :
- $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
- $params_action = array($id);
- break;
- default:
- break;
-}
+if (verif_token($token)) {
+ switch ($action)
+ {
+ case 'toggle_fav' :
+ $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
+ $params_action = array($id);
+ break;
+ case 'toggle_archive' :
+ $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
+ $params_action = array($id);
+ break;
+ default:
+ break;
+ }
-# action query
-if (isset($sql_action))
-{
- $query = $db->getHandle()->prepare($sql_action);
- $query->execute($params_action);
+ # action query
+ if (isset($sql_action))
+ {
+ $query = $db->getHandle()->prepare($sql_action);
+ $query->execute($params_action);
+ }
}
-?>
\ No newline at end of file
+else die('CSRF problem');
\ No newline at end of file