Enabling csrf token

79dc5a86 · Tegar Aji Pangestu · bf4321b7 · 79dc5a86 · 79dc5a86 · 79dc5a86
Commit 79dc5a86 authored 9 years ago by Tegar Aji Pangestu
--- a/code/edit_post.php
+++ b/code/edit_post.php
@@ -3,6 +3,9 @@

  if (isset($_SESSION["isLogin"])){

+    if (! isset($_SESSION['csrf_token'])) {
+        $_SESSION['csrf_token'] = base64_encode(openssl_random_pseudo_bytes(32));
+    }

    include 'mainviewer.php';
    $con = phpsqlconnection();
@@ -74,6 +77,7 @@
                echo 
                    "<form method=\"post\" action=\"edit_post_action.php?postid=".$postid."\" enctype=\"multipart/form-data\">";
                 ?>
+                    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
                    <label for="Judul">Judul:</label>
                    <?php 
                        echo 

--- a/code/edit_post_action.php
+++ b/code/edit_post_action.php
 <?php 
 session_start();
-if (isset($_SESSION["isLogin"])){
+if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_token'] === $_SESSION['csrf_token'])){
 	include 'mainviewer.php';
 	$Judul = $_POST['Judul'];
 	$Tanggal = $_POST['Tanggal'];

--- a/code/new_post.php
+++ b/code/new_post.php
 <?php 
  session_start();
+  if (! isset($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = base64_encode(openssl_random_pseudo_bytes(32));
+  }
+
  if (isset($_SESSION["isLogin"])){
 ?>

@@ -59,6 +63,7 @@
            <h2 style="margin-top: 24px;">Tambah Post</h2>
            <div id="contact-area">
                 <form name="PostForm" method="post" onSubmit="return validateDate()" action="new_post_action.php" enctype="multipart/form-data">
+                    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
                    <label for="Judul">Judul:</label>
                    <input type="text" name="Judul" id="Judul" required>


--- a/code/new_post_action.php
+++ b/code/new_post_action.php
 <?php 
-error_reporting(E_ALL);
 session_start();
-if (isset($_SESSION["isLogin"])){
+if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_token'] === $_SESSION['csrf_token'])){
 	include 'mainviewer.php';
 	$Judul = $_POST['Judul'];
 	$Tanggal = $_POST['Tanggal'];