author | nicosomb <nicolas@loeuillet.org> | 2013-04-15 14:09:58 +0200 |
---|---|---|
committer | nicosomb <nicolas@loeuillet.org> | 2013-04-15 14:09:58 +0200 |
commit | cf3180f6b8c552bbf7214d1ba72fbf1fc90ef861 (patch) | |
tree | 86d0cad24ed4891165d720a3bb19fffe6f55c73b /process.php | |
parent | 358ab47957de18183aa3d3f7a62b631cd131f41f (diff) | |
vérification CSRF et mise en page
Diffstat (limited to 'process.php')
-rw-r--r-- | process.php | 45 |
1 files changed, 24 insertions, 21 deletions
diff --git a/process.php b/process.php index 0bd20e5d..5a056caa 100644 --- a/process.php +++ b/process.php | |||
@@ -11,27 +11,30 @@ | |||
11 | include dirname(__FILE__).'/inc/config.php'; | 11 | include dirname(__FILE__).'/inc/config.php'; |
12 | $db = new db(DB_PATH); | 12 | $db = new db(DB_PATH); |
13 | 13 | ||
14 | $action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : ''; | 14 | $action = (isset ($_GET['action'])) ? htmlentities($_GET['action']) : ''; |
15 | $id = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : ''; | 15 | $id = (isset ($_GET['id'])) ? htmlentities($_GET['id']) : ''; |
16 | $token = (isset ($_GET['token'])) ? $_GET['token'] : ''; | ||
16 | 17 | ||
17 | switch ($action) | 18 | if (verif_token($token)) { |
18 | { | 19 | switch ($action) |
19 | case 'toggle_fav' : | 20 | { |
20 | $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?"; | 21 | case 'toggle_fav' : |
21 | $params_action = array($id); | 22 | $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?"; |
22 | break; | 23 | $params_action = array($id); |
23 | case 'toggle_archive' : | 24 | break; |
24 | $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?"; | 25 | case 'toggle_archive' : |
25 | $params_action = array($id); | 26 | $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?"; |
26 | break; | 27 | $params_action = array($id); |
27 | default: | 28 | break; |
28 | break; | 29 | default: |
29 | } | 30 | break; |
31 | } | ||
30 | 32 | ||
31 | # action query | 33 | # action query |
32 | if (isset($sql_action)) | 34 | if (isset($sql_action)) |
33 | { | 35 | { |
34 | $query = $db->getHandle()->prepare($sql_action); | 36 | $query = $db->getHandle()->prepare($sql_action); |
35 | $query->execute($params_action); | 37 | $query->execute($params_action); |
38 | } | ||
36 | } | 39 | } |
37 | ?> \ No newline at end of file | 40 | else die('CSRF problem'); \ No newline at end of file |
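Review bot: `$id` on the new line 15 is only passed through `htmlentities` before being bound into the UPDATE on lines 36-37; that is output escaping, not input validation, so a non-numeric value still reaches the query and the script gives no indication that nothing was updated. Validate it as an integer instead, e.g. `$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;`, and skip the query when it is 0. The `else die('CSRF problem');` branch on line 40 replies with a 200 status; emitting `header('HTTP/1.1 403 Forbidden');` before the message lets callers and access logs distinguish a refused request from a successful one. `verif_token()` is defined outside this hunk, so how it compares the submitted token with the session value (ideally a constant-time comparison) cannot be reviewed here.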