/**
 * Access gate for the product-management actions.
 *
 * The CSRF guard runs first: csrfguard_start() validates any posted
 * CSRFName/CSRFToken pair, opens the output buffer and registers the
 * shutdown hook that rewrites the page's forms. Only then is the user
 * object asked whether it holds the 'mgt_modify_product' right.
 *
 * @param mixed $db   database handle, handed through to hasRight() (by reference)
 * @param mixed $user user object exposing hasRight() (by reference)
 * @return mixed the value returned by $user->hasRight()
 */
function checkRights(&$db, &$user)
{
    csrfguard_start();

    $allowed = $user->hasRight($db, 'mgt_modify_product');

    return $allowed;
}
/* ---- tail of replace_forms() ------------------------------------------
 * The function's head is outside this excerpt, so only its closing
 * statements are visible. $name (the CSRF field name) and $m (presumably
 * the match groups of a pattern over "<form ...>...</form>", with [1] the
 * attribute string and [2] the form body) are set earlier in the function.
 * Each matched form is re-emitted with two hidden inputs, CSRFName and
 * CSRFToken, which csrfguard_start() later expects in $_POST.
 */
$token = generate_token($name);
$form_data_html = str_replace($m[0], "<form{$m[1]}>\n<input type='hidden' name='CSRFName' value='{$name}' />\n<input type='hidden' name='CSRFToken' value='{$token}' />{$m[2]}</form>", $form_data_html);
} }
return $form_data_html;
}

/**
 * Shutdown hook registered by csrfguard_start(): drains the output buffer
 * opened there, rewrites the buffered page through replace_forms() so its
 * forms carry the hidden CSRF fields, and emits the result.
 */
function inject()
{
    $data = ob_get_clean();
    $data = replace_forms($data);
    echo $data;
}

/**
 * Request-level CSRF guard.
 *
 * If the request carries POST data, both CSRFName and CSRFToken must be
 * present and accepted by validate_token() (defined elsewhere); otherwise
 * the script terminates via die(). Requests with an empty $_POST (GET
 * requests included) are not checked at all, so any state-changing GET
 * handler lies outside this guard. Afterwards output buffering starts and
 * inject() is scheduled for shutdown so the page's forms are rewritten with
 * the CSRF fields before output.
 *
 * NOTE(review): checkRights() above calls this function and the file also
 * calls it at top level, so a request that goes through checkRights() opens
 * a second, nested output buffer and registers inject() a second time —
 * confirm that the nested buffering and the repeated injection pass are
 * intended.
 */
function csrfguard_start()
{
    if (count($_POST)) {
        if (!isset($_POST['CSRFName']) or !isset($_POST['CSRFToken'])) {
            die("No CSRFName found, probable invalid request.");
        }
        // No type check here: a field submitted as CSRFName[] arrives as an
        // array. NOTE(review): confirm validate_token() rejects non-string input.
        $name = $_POST['CSRFName'];
        $token = $_POST['CSRFToken'];
        if (!validate_token($name, $token)) {
            die("Invalid CSRF token.");
        }
    }
    ob_start();
    /* adding double quotes for "inject" to prevent:
       Notice: Use of undefined constant inject - assumed 'inject' */
    register_shutdown_function("inject");
}

// Module-level side effect: every request that includes this file is guarded.
csrfguard_start();