PEAR QuickForm2 CSRF Protection -


i looking way ensure csrf-protection in quickform2.

i found link it's quickform1.

any ideas how can adapt qf2?

thanks,

ron

after fiddling around came solution.

maybe helps else well:

<?php  /**  * @uses html_quickform  * @desc add automatic csrf mitigation forms incorporating token must matched in session , forcing use of post method  * based on: http://www.zapoyok.info/2010/07/17/csrf-et-quickform-de-pear/  */ require_once "quickform2.php";  class html_quickform2s extends html_quickform2 {     /**      * @property string $_sessiontokenkey name of session variable containing token      */     private $_sessiontokenkey;      /**      * @method __construct      * @desc override method use post , pass on parent constructor. create session key token based on form name.      * @param $id      * @param string $method      * @param mixed $attributes      * @param boolean $tracksubmit      */     public function __construct($id, $method = 'post', $attributes = null, $tracksubmit = true)     {         $this->_sessiontokenkey = "quickform2s_" . md5($id);          parent::__construct($id, $method, $attributes, $tracksubmit);          //a token hasn't been created so         if (!isset($_session[$this->_sessiontokenkey])) {             $_session[$this->_sessiontokenkey] = md5(uniqid(rand(), true) . session_id()); //requires session id known in order add difficulty compromising         }          //hide token @ end of form         $this->addelement("hidden", "qfs_csrf");          $qfscsrf= $this->getelementsbyname('qfs_csrf');         $qfscsrf[0]->setvalue($_session[$this->_sessiontokenkey]);     }      /**      * @method validate      * @desc check if passed token matches session before allowing validation      * @return boolean      */     public function validate()     {         $submitvalues = $this->getvalue();          //the token not passed or not match         if (!isset($submitvalues['qfs_csrf']) || $submitvalues['qfs_csrf'] != $_session[$this->_sessiontokenkey]) {             $this->seterror("anti-csrf token not match");         }          return parent::validate();     }  }

Comments

Post a Comment

Popular posts from this blog

android - MPAndroidChart - How to add Annotations or images to the chart -

i working latest mpandroidchart library , looking way add annotations or images clickable. example: once data reaches value event occurs want able display user - there multiple events can occur annotations (not sure if right word) or image added @ point in chart. any pointers welcome. check documentation of yaxis . focus on setspacetop(...) , setaxismaxvalue(...) methods. for background: bar-shadow , disable calling: barchart.setdrawbarshadow(false) or change color: bardataset.setbarshadowcolor(int color)
Read more

javascript - Add class to another page attribute using URL id - Jquery -

i have attached id url. ex: when click link 1 , has #tab-2 id , takes me landing page. in landing page have find element has #tab-2 id have add class .active . i tried no luck. please 1 correct code. thanks js fiddle link html <div class="menu"> <ul> <li><a href="http://jsfiddle.net/gscyoa0j/1/#tab-2">link 1</a></li> <li><a href="http://jsfiddle.net/gscyoa0j/1/#tab-44">link 2</a></li> <li><a href="http://jsfiddle.net/gscyoa0j/1/#tab-74">link 3</a></li> </ul> </div> landing page <div class="tab"> <ul> <li><a id="tab-2" class="active" >link 1 content</a></li> <li><a id="tab-44" >link 2 content</a></li> <li><a id="tab-74" >link 3 content</a></l...
Read more

firefox - Where is 'webgl.osmesalib' parameter? -

i'm trying webgl running on firefox (v37.0.2) via software acceleration mesa. tried following steps have been stated in article: http://www.binarytides.com/enable-webgl-firefox-ubuntu/ however, unable find parameter named ' webgl.osmesalib ' in about:config section? has been removed (or renamed)? if yes, how should instruct firefox use mesa's software acceleration webgl? looks support osmesa removed in favour llvmpipe.
Read more