danwin1210/hosting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add csrf tokens to all sensitive forms

Browse Source
This commit is contained in:
Daniel Winzen
2019-01-27 17:40:12 +01:00
parent cf83b9901a
commit 9c5294e64e
7 changed files with 79 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
var/www/html/delete.php
View File

@ -9,7 +9,9 @@ session_start();
$user=check_login();
$msg='';
if($_SERVER['REQUEST_METHOD']==='POST'){
if(!isset($_POST['pass']) || !password_verify($_POST['pass'], $user['password'])){
if($error=check_csrf_error()){
$msg.='<p style="color:red;">'.$error.'</p>';
}elseif(!isset($_POST['pass']) || !password_verify($_POST['pass'], $user['password'])){
$msg.='<p style="color:red;">Wrong password.</p>';
}else{
$stmt=$db->prepare('UPDATE users SET todelete=1 WHERE id=?;');
@ -29,7 +31,7 @@ header('Content-Type: text/html; charset=UTF-8');
</head><body>
<p>This will delete your account and all data asociated with it. It can't be un-done. Are you sure?</p>
<?php echo $msg; ?>
<form method="POST" action="delete.php"><table>
<form method="POST" action="delete.php"><input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>"><table>
<tr><td>Enter your account password to confirm</td><td><input type="password" name="pass" required autofocus></td></tr>
<tr><td colspan="2"><input type="submit" value="Delete"></td></tr>
</table></form>