vérificatio CSRF et mise en page

2025-09-15 18:57:05 +00:00 · 2013-04-15 14:09:58 +02:00 · 2013-04-15 14:09:58 +02:00 · cf3180f6b8
commit cf3180f6b8
parent 358ab47957
9 changed files with 125 additions and 50 deletions
--- a/process.php
+++ b/process.php
@ -11,27 +11,30 @@
 include dirname(__FILE__).'/inc/config.php';
 $db = new db(DB_PATH);

-$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
-$id     = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
+$action = (isset ($_GET['action'])) ? htmlentities($_GET['action']) : '';
+$id     = (isset ($_GET['id'])) ? htmlentities($_GET['id']) : '';
+$token  = (isset ($_GET['token'])) ? $_GET['token'] : '';

-switch ($action)
-{
-    case 'toggle_fav' :
-        $sql_action     = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
-        $params_action  = array($id);
-        break;
-    case 'toggle_archive' :
-        $sql_action     = "UPDATE entries SET is_read=~is_read WHERE id=?";
-        $params_action  = array($id);
-        break;
-    default:
-        break;
-}
+if (verif_token($token)) {
+    switch ($action)
+    {
+        case 'toggle_fav' :
+            $sql_action     = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
+            $params_action  = array($id);
+            break;
+        case 'toggle_archive' :
+            $sql_action     = "UPDATE entries SET is_read=~is_read WHERE id=?";
+            $params_action  = array($id);
+            break;
+        default:
+            break;
+    }

-# action query
-if (isset($sql_action))
-{
-    $query = $db->getHandle()->prepare($sql_action);
-    $query->execute($params_action);
+    # action query
+    if (isset($sql_action))
+    {
+        $query = $db->getHandle()->prepare($sql_action);
+        $query->execute($params_action);
+    }
 }
-?>
+else die('CSRF problem');