From cf3180f6b8c552bbf7214d1ba72fbf1fc90ef861 Mon Sep 17 00:00:00 2001
From: nicosomb
Date: Mon, 15 Apr 2013 14:09:58 +0200
Subject: =?UTF-8?q?v=C3=A9rificatio=20CSRF=20et=20mise=20en=20page?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 process.php | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)
(limited to 'process.php')
diff --git a/process.php b/process.php
index 0bd20e5d..5a056caa 100644
--- a/process.php
+++ b/process.php
@@ -11,27 +11,30 @@ include dirname(__FILE__).'/inc/config.php';
 $db = new db(DB_PATH);
-$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
-$id = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
+$action = (isset ($_GET['action'])) ? htmlentities($_GET['action']) : '';
+$id = (isset ($_GET['id'])) ? htmlentities($_GET['id']) : '';
+$token = (isset ($_GET['token'])) ? $_GET['token'] : '';
-switch ($action)
-{
-    case 'toggle_fav' :
-        $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
-        $params_action = array($id);
-        break;
-    case 'toggle_archive' :
-        $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
-        $params_action = array($id);
-        break;
-    default:
-        break;
-}
+if (verif_token($token)) {
+    switch ($action)
+    {
+        case 'toggle_fav' :
+            $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
+            $params_action = array($id);
+            break;
+        case 'toggle_archive' :
+            $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
+            $params_action = array($id);
+            break;
+        default:
+            break;
+    }
-# action query
-if (isset($sql_action))
-{
-    $query = $db->getHandle()->prepare($sql_action);
-    $query->execute($params_action);
+    # action query
+    if (isset($sql_action))
+    {
+        $query = $db->getHandle()->prepare($sql_action);
+        $query->execute($params_action);
+    }
 }
-?>
\ No newline at end of file
+else die('CSRF problem');
\ No newline at end of file
-- 
cgit v1.2.3
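Review bot: The new `if (verif_token($token)) { … } else die('CSRF problem');` answers a rejected token with a plain 200 response and an unbraced single-line `else`, inconsistent with the braced blocks it wraps; a guard clause at the top, `if (!verif_token($token)) { http_response_code(403); die('CSRF problem'); }`, keeps the switch at its original indentation and gives the client a real error status. The token is also read from `$_GET`, so it travels in the URL together with the state-changing `action` and `id` and ends up in browser history, Referer headers and access logs; carrying the action and its token in a POST body would avoid that. `htmlentities()` on `$id` is an HTML-output escape applied to a value that is only ever bound as a SQL parameter, so validating it as an integer (`filter_var($_GET['id'], FILTER_VALIDATE_INT)`) would state the intent and reject junk ids before the query. `verif_token()` is defined outside this hunk, so whether an empty token is rejected and whether the comparison is constant-time cannot be checked here.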