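/**
 * Checks if this is a post request, and if it is, checks if the nonce is valid.
 *
 * Non-POST requests always pass. For a POST request csrf_start() is called and
 * the value submitted under $GLOBALS['csrf']['input-name'] is validated with
 * csrf_check_tokens().
 *
 * @param bool $fatal When true and the check fails, $GLOBALS['csrf']['callback']
 *                    is invoked with the (sanitised) submitted value and the
 *                    script exits; when false the result is simply returned.
 * @return bool True if the check passes or is not necessary, false on failure.
 */
function csrf_check($fatal = true)
{
    // Only POST requests are checked. A missing REQUEST_METHOD (e.g. CLI) is
    // treated as "not a POST" instead of raising an undefined-index notice.
    if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        return true;
    }
    csrf_start();
    $name = $GLOBALS['csrf']['input-name'];
    $ok = false;
    $tokens = '';
    // The field must be present AND a string: a submission using "name[]"
    // would otherwise hand an array to csrf_check_tokens() and trim() below.
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        $tokens = $_POST[$name];
        $ok = (bool) csrf_check_tokens($tokens);
    }
    if ($fatal && !$ok) {
        $callback = $GLOBALS['csrf']['callback'];
        // Only a value made solely of [A-Za-z0-9:;,] is passed on verbatim;
        // anything else is replaced so the failure handler never receives
        // arbitrary user-supplied bytes.
        if (trim($tokens, 'A..Za..z0..9:;,') !== '') {
            $tokens = 'hidden';
        }
        $callback($tokens);
        exit;
    }
    return $ok;
}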
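/**
 * Checks if this is a post request, and if it is, checks if the nonce is valid.
 *
 * Non-POST requests always pass. For a POST request csrf_start() is called and
 * the value submitted under $GLOBALS['csrf']['input-name'] is validated with
 * csrf_check_tokens().
 *
 * @param bool $fatal Whether or not to fatally error out if there is a problem:
 *                    when true and the check fails, $GLOBALS['csrf']['callback']
 *                    is invoked with the (sanitised) submitted value and the
 *                    script exits.
 * @return bool True if the check passes or is not necessary, false on failure.
 */
function csrf_check($fatal = true)
{
    // Only POST requests are checked; a missing REQUEST_METHOD counts as non-POST.
    if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        return true;
    }
    csrf_start();
    $name = $GLOBALS['csrf']['input-name'];
    $ok = false;
    $tokens = '';
    // The field must be present AND a string: a submission using "name[]"
    // would otherwise hand an array to csrf_check_tokens() and trim() below.
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        // We don't regenerate a token and check it because some token creation
        // schemes are volatile.
        $tokens = $_POST[$name];
        $ok = (bool) csrf_check_tokens($tokens);
    }
    if ($fatal && !$ok) {
        $callback = $GLOBALS['csrf']['callback'];
        // Only a value made solely of [A-Za-z0-9:;,] is passed on verbatim;
        // anything else is replaced so the failure handler never receives
        // arbitrary user-supplied bytes.
        if (trim($tokens, 'A..Za..z0..9:;,') !== '') {
            $tokens = 'hidden';
        }
        $callback($tokens);
        exit;
    }
    return $ok;
}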
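/**
 * Checks if this is a post request, and if it is, checks if the nonce is valid.
 *
 * Non-POST requests always pass. For a POST request csrf_start() is called and
 * the value submitted under $GLOBALS['csrf']['input-name'] is validated with
 * csrf_check_tokens(). One endpoint (client/index.php?page=invoices) may also
 * supply the token through the "paypalcsrf" query parameter; see the comment
 * in the body.
 *
 * @param bool $fatal Whether or not to fatally error out if there is a problem:
 *                    when true and the check fails, $GLOBALS['csrf']['callback']
 *                    is invoked with the (sanitised) submitted value and the
 *                    script exits.
 * @return bool True if the check passes or is not necessary, false on failure.
 */
function csrf_check($fatal = true)
{
    // Only POST requests are checked; a missing REQUEST_METHOD counts as non-POST.
    if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        return true;
    }
    csrf_start();
    $name = $GLOBALS['csrf']['input-name'];
    $ok = false;
    $tokens = '';
    // PayPal CSRF hack: on the invoices page of client/index.php the token is
    // accepted from the query string (presumably because the return POST
    // originates from PayPal and cannot carry the form field). The value is
    // still validated by csrf_check_tokens() below, but note that a token in a
    // URL is exposed via Referer headers, browser history and access logs, so
    // this exception is kept as narrow as possible. Comparisons are strict so
    // an unexpected non-string value never matches.
    if (isset($_SERVER['SCRIPT_NAME'])
        && substr($_SERVER['SCRIPT_NAME'], -16) === 'client/index.php'
        && isset($_GET['page']) && $_GET['page'] === 'invoices'
        && isset($_GET['paypalcsrf'])
    ) {
        $_POST[$name] = $_GET['paypalcsrf'];
    }
    // The field must be present AND a string: a submission using "name[]" (or
    // "paypalcsrf[]" above) would otherwise hand an array to
    // csrf_check_tokens() and trim() below.
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        // We don't regenerate a token and check it because some token creation
        // schemes are volatile.
        $tokens = $_POST[$name];
        $ok = (bool) csrf_check_tokens($tokens);
    }
    if ($fatal && !$ok) {
        $callback = $GLOBALS['csrf']['callback'];
        // Only a value made solely of [A-Za-z0-9:;,] is passed on verbatim;
        // anything else is replaced so the failure handler never receives
        // arbitrary user-supplied bytes.
        if (trim($tokens, 'A..Za..z0..9:;,') !== '') {
            $tokens = 'hidden';
        }
        $callback($tokens);
        exit;
    }
    return $ok;
}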