php - csrf Token class -

-

can explain me how protect profile page wrong user editing url see other users profile page. using token class generate random number protect against cross site request forgery. reason doesn't work suggestion or other way

also following error : undefined index: token in phpproject22_csrf\profile.php on line 12

<?php  session_start(); require_once 'classes/token.php'; $tk = new token();  if(isset($_post['username'],$_post['product'],$_post['token'])){ $username = $_post['username']; $product = $_post['product']; if(!empty($product) && !empty($username)){     if(token::check($_post['token'])){         echo $_post['token'].'<br>';         $tk->get('username');         $_session['user'] = $tk->name();         echo 'process order';     } } } ?>  <!doctype html> <html> <head>     <meta http-equiv="content-type" content="text/html; charset=utf-8">     <title>csrf protection</title> </head> <body>     <form action="" method="post">         <div class="product">             <strong>profile</strong>             <div class='field'>                 username: <input type='text' name='username'>             </div>             <input type='submit' value='order'>             <input type='hidden' name='product' value='1'>             <input type='hidden' name='token' value='<?php echo token::generate();?>'>         </div>     </form>     <?php     if(isset($_post['username'])){     ?>     <p>hello <a href = 'profile.php?user=<?php echo $tk->name();?>'><?php echo $tk-  >name();?></a>!</p>     <?php     }     ?> </body> </html>  <?php class token{ private $_data;  public static function generate(){     return $_session['token'] = base64_encode(openssl_random_pseudo_bytes(32)); }  public static function check($token){     if(isset($_session['token']) && $token === $_session['token']){               unset($_session['token']);         return true;     }     return false; }  public function get($item){     if(isset($_post[$item])){         $this->_data = $_post[$item];     } }  public function name(){ return $this->_data; } } ?>  <?php require_once 'classes/token.php'; session_start(); ?> <form action="" method="post"> <input type='hidden' name='token' value='<?php echo token::generate();?>'> </form>  <?php echo 'hello '.$_session['user'].'!<br>'; if(isset($_get['user'])){ if(token::check($_post['token'])){     echo $_get['user']; } } ?>

when checking post need following:

if($_post){     if(isset($_post['token']) && token::check($_post['token']){         code     }else{         error     } }

if spoof post, , doesn't include token, you're going undefined index error, because $_post['token'] doesn't exist , referencing it.


Comments

Post a Comment

Popular posts from this blog

java - WrongTypeOfReturnValue exception thrown when unit testing using mockito -

-
my test list<person> mylist; @test public void testisvalidperson() { mylist = new arraylist<person>(); mylist.add(new person("tom")); when(persondao.get(person)).thenreturn(mylist); when((persondao.get(person)).isempty()).thenreturn(false);//------exception thrown boolean result = service.isvalid("tom"); assertfalse(result); } method tested: public boolean isvalid(string person){ persondao = new persondao(); person personobj = new person(person); return (persondao.get(person).isempty())?false : true; } exception thrown: org.mockito.exceptions.misusing.wrongtypeofreturnvalue: boolean cannot returned get() get() should return list *** if you're unsure why you're getting above error read on. due nature of syntax above problem might occur because: 1. exception *might* occur in wrongly written multi-threaded tests. please refer mockito faq on limitations of concurrency testing. 2. sp
Read more

php - Magento - Deleted Base url key -

-
i working on cleaning url: http://mydomain.com/shop/shop/deals i going through settings in configuration tab in admin panel on magento , change secure , unsecure base urls remove first base url "shop" web page read: http://mydomain.com/shop/deals so changed unsecure base urls mydomain.com/shop mydomain.com , secure 12.345.67.89/shop 12.345.67.89. wrong thing do. i cannot reload page or admin console. how access these files through ftp , change correctly there?? when make changes in admin panel changes made in database not in file. have make changes in database. 1.go database , select core_config_data table under table find web/unsecure/base_url , web/secure/base_url . make changes here. don't forget clear cache in var/cache folder
Read more

android - How to disable Button if EditText is empty ? -

-
i have edittext , button in application. when button clicked,the text entered in edittext added listview. i want disable button if edittext empty.how ? this code button click imagebutton imb=(imagebutton)findviewbyid(r.id.btn_send); imb.setonclicklistener(new onclicklistener() { @override public void onclick(view arg0) { edittext et = (edittext)findviewbyid(r.id.edittext1); string str = et.gettext().tostring(); web1.add(str); toast.maketext(shoutsingleprogram.this, "you entered...."+str, toast.length_short).show(); adapter1.notifydatasetchanged(); et.settext(""); } }); } how can ? edittext1.addtextchangedlistener(new textwatcher() { @override public void ontextchanged(charsequence s, int start, int before, in
Read more