From 79dc5a86c0707ee81954f7940c514263bbd8870e Mon Sep 17 00:00:00 2001
From: tegarajipangestu <13512061@std.stei.itb.ac.id>
Date: Thu, 25 Feb 2016 14:49:19 +0700
Subject: [PATCH] Enabling csrf token

---
 code/edit_post.php        | 4 ++++
 code/edit_post_action.php | 2 +-
 code/new_post.php         | 5 +++++
 code/new_post_action.php  | 3 +--
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/code/edit_post.php b/code/edit_post.php
index b2c751a..42dea77 100644
--- a/code/edit_post.php
+++ b/code/edit_post.php
@@ -3,6 +3,9 @@
 
   if (isset($_SESSION["isLogin"])){
 
+    if (! isset($_SESSION['csrf_token'])) {
+        $_SESSION['csrf_token'] = base64_encode(openssl_random_pseudo_bytes(32));
+    }
 
     include 'mainviewer.php';
     $con = phpsqlconnection();
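Review bot: The token seeded on line 22 comes from `openssl_random_pseudo_bytes(32)` with neither its return value nor its `$crypto_strong` out-parameter checked; when that call fails it returns false, `base64_encode(false)` yields an empty string, and an empty `csrf_token` field would then satisfy the `===` checks in the action scripts. On PHP 7+ use `$_SESSION['csrf_token'] = base64_encode(random_bytes(32));`, which throws instead of degrading; on older releases pass and test the flag, `$bytes = openssl_random_pseudo_bytes(32, $strong); if ($bytes === false || !$strong) { throw new RuntimeException('CSPRNG unavailable'); }`. The same construction is repeated at line 55 in new_post.php, where it runs before the `isLogin` check rather than inside it as here; either placement works, but the two files should agree. The enclosing `if (isset($_SESSION["isLogin"]))` block continues past this hunk.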
@@ -74,6 +77,7 @@
                 echo 
                     "<form method=\"post\" action=\"edit_post_action.php?postid=".$postid."\" enctype=\"multipart/form-data\">";
                  ?>
+                    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
                     <label for="Judul">Judul:</label>
                     <?php 
                         echo 
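Review bot: The hidden input on line 31 echoes `$_SESSION['csrf_token']` into an attribute without escaping; today the value is base64 text, whose alphabet contains no HTML-special characters, but the escaping rule should not depend on that assumption holding forever. Write it as `value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>"`. The identical input at line 65 in new_post.php needs the same treatment. The surrounding form markup begins and ends outside this hunk.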
diff --git a/code/edit_post_action.php b/code/edit_post_action.php
index 9e06496..ea788d5 100644
--- a/code/edit_post_action.php
+++ b/code/edit_post_action.php
@@ -1,6 +1,6 @@
 <?php 
 session_start();
-if (isset($_SESSION["isLogin"])){
+if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_token'] === $_SESSION['csrf_token'])){
 	include 'mainviewer.php';
 	$Judul = $_POST['Judul'];
 	$Tanggal = $_POST['Tanggal'];
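Review bot: The token comparison on line 43 uses `===`, which is not constant-time, and it reads `$_SESSION['csrf_token']` without confirming the key exists, so a logged-in session that never rendered the form would produce an undefined-index notice before the comparison fails. Replace the condition with `if (isset($_SESSION["isLogin"], $_SESSION['csrf_token'], $_POST['csrf_token']) && hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])){`; `hash_equals` is available from PHP 5.6. Line 78 in new_post_action.php has the same condition and should get the same change. The `if` block continues outside the hunk, so what a rejected request receives is not visible here.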
diff --git a/code/new_post.php b/code/new_post.php
index a3535af..67c6240 100644
--- a/code/new_post.php
+++ b/code/new_post.php
@@ -1,5 +1,9 @@
 <?php 
   session_start();
+  if (! isset($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = base64_encode(openssl_random_pseudo_bytes(32));
+  }
+
   if (isset($_SESSION["isLogin"])){
  ?>
 
@@ -59,6 +63,7 @@
             <h2 style="margin-top: 24px;">Tambah Post</h2>
             <div id="contact-area">
                  <form name="PostForm" method="post" onSubmit="return validateDate()" action="new_post_action.php" enctype="multipart/form-data">
+                    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
                     <label for="Judul">Judul:</label>
                     <input type="text" name="Judul" id="Judul" required>
 
diff --git a/code/new_post_action.php b/code/new_post_action.php
index fb51146..10f0b66 100644
--- a/code/new_post_action.php
+++ b/code/new_post_action.php
@@ -1,7 +1,6 @@
 <?php 
-error_reporting(E_ALL);
 session_start();
-if (isset($_SESSION["isLogin"])){
+if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_token'] === $_SESSION['csrf_token'])){
 	include 'mainviewer.php';
 	$Judul = $_POST['Judul'];
 	$Tanggal = $_POST['Tanggal'];
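Review bot: The removal of `error_reporting(E_ALL);` on line 75 is unrelated to the CSRF change described in the subject and is not explained in the commit message; it drops reporting to the ini default, which is exactly what would hide a notice from the new condition on line 78 reading `$_SESSION['csrf_token']` when it is absent. Either keep the line in this patch or split the change out and say why it is being lowered. The `if` block continues past the hunk.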
-- 
GitLab