Voting

: eight plus zero?
(Example: nine)

The Note You're Voting On

Livingstone@stonyhills[dot]com
16 years ago
making sure your form is submitted from your page! Could also be adapted to url, by additing &token to the query string and checking this against session data(or what ever array you like) with $_GET, not that this string is randomly generated and stored. If you like you could build your own array to store the generated string if you dont want to use $_SESSION, say you could make yours like $tokens = array(), and in your easysecure class you store all the stuff in that array!

<?php

class easysecure {

var
$curr_user;
var
$curr_permission;
var
$curr_task;
var
$validpermission;
var
$error;


function &
setVar( $name, $value=null ) {
if (!
is_null( $value )) {
$this->$name = $value;
}
return
$this->$name;
}

function
maketoken($formname, $id){

$token = md5(uniqid(rand(), true));

$_SESSION[$formname.$id] = $token;

return
$token;
}

function
checktoken($token, $formname, $id){
//print_r($_SESSION);
//echo ($token);
//if we dont have a valid token, return invalid;
if(!$token){
$this->setVar('validpermission', 0);
$this->setVar('error', 'no token found, security bridgedetected');
return
false;
}

//if we have a valid token check that is is valid
$key = $_SESSION[$formname.$id];
if(
$key !== $token ){
$this->setVar('validpermission', 0);
$this->setVar('error', 'invalid token');
return
false;
}

if(
$this->validpermission !==1){
echo
'invalid Permissions to run this script';
return
false;
}else{
return
true;
}
}

}

?>

<?php $userid = *** //make it what ever id you like ?>
<form name="newform" action="index.php" method="post">
<input type="text" name="potentialeveilfield" value="" size 30 />
<input type="hidden" name="token" value="<?php echo maketoken(newform, $userid); //$userid here could be user profile id ?>" />
<input type="submit" />
</form>

Now when processing the form... check the value of your token

<?php

//well you know the form name
if(!checktoken($_POST['token'], 'newform', $userid))
{
//failed
exit(); //or what ever termination and notification method best suits you.
//you could also design the class your way to get more accurate fail (error messages from the var)
}

//you can now continue with input data clean up (validation)

?>

<< Back to user notes page

To Top