/**
 * Persist the plugin settings submitted from the settings form.
 *
 * Every option value is read from the POST body. The values the original
 * author chose to run through strip_tags() still are; note that strip_tags()
 * is not an output-escaping control, so stored values must still be escaped
 * wherever they are rendered. Nothing is written unless the request nonce
 * verifies; on success a notice is queued and the user is sent to the index.
 */
function saveSettings() {
    if (!verify_nonce()) {
        return;
    }
    // option name => array(POST field, strip tags?). The order mirrors the
    // sequence in which the options were originally written.
    $optionMap = array(
        'wpci_logging_threshold'             => array('logging_threshold', false),
        'wpci_encryption_key'                => array('encryption_key', true),
        'wpci_get_slug'                      => array('slug', true),
        'wpci_database_debugging_enabled'    => array('database_debugging_enabled', true),
        'wpci_ssl_enabled'                   => array('ssl_enabled', false),
        'wpci_application_debugging_enabled' => array('application_debugging_enabled', true),
    );
    foreach ($optionMap as $option => $spec) {
        list($field, $stripTags) = $spec;
        $value = $this->input->post($field);
        update_option($option, $stripTags ? strip_tags($value) : $value);
    }
    success('Settings <b>saved</b>.');
    redirect('index');
}
// Render one submit button per checkout flow; the entry matching $fastFlow
// gets the "active" class. $buttons and $fastFlow are assigned before this
// line, outside the visible listing.
// NOTE(review): $i is an integer array key; if $fastFlow arrives as a request
// string, the strict comparison never matches — confirm it is cast upstream.
$html = '';
foreach ($buttons as $i => $text) {
    $active = $i === $fastFlow ? 'active' : '';
    // $i is an int and $text presumably comes from a fixed array, so the
    // markup is built without HTML escaping — verify $buttons is never user-supplied.
    $html .= '<button type="submit" class="btn ' . $active . '" name="fastFlow" value="' . $i . '">' . $text . ' flow</button>';
}
echo $html; ?> </div> </fieldset> <fieldset> <h5>Debug mode</h5> <p>Enabling <strong>debug mode</strong> will show the back-end HTTP calls made to PayPal.</p> <div class="btn-group checkout-flow" data-toggle="buttons-radio"> <?php
// The debug toggle is only honoured on a nonce-verified POST; any value other
// than the string '1' switches it off. Without such a POST the session flag
// decides, defaulting to off (and the session key is (re)set to false).
if (verify_nonce() && isset($_POST['debug_mode'])) {
    if ($_POST['debug_mode'] === '1') {
        $_SESSION['debug_mode'] = true;
        $debug_mode = 1;
    } else {
        $_SESSION['debug_mode'] = false;
        $debug_mode = 0;
    }
} elseif (isset($_SESSION['debug_mode']) && $_SESSION['debug_mode'] === true) {
    $debug_mode = 1;
} else {
    $_SESSION['debug_mode'] = false;
    $debug_mode = 0;
}
// Same button-rendering pattern as the flow selector above; the rendering
// loop for these two buttons continues past the end of this listing.
$buttons = array('normal', 'debug mode');
$html = '';
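/**
 * Verify the CSRF token for the current request.
 *
 * Token lookup order: the explicit $token argument, then the X-CSRF request
 * header, then $_REQUEST['csrf']. The actual check is delegated to
 * verify_nonce() under the 'csrf' action name.
 *
 * @param String (optional) Test a specific token; default will be taken from
 *               the X-CSRF header or $_REQUEST['csrf']
 * @return boolean
 */
function verify_csrf($token = null) {
    if (!$token && !empty($_SERVER['HTTP_X_CSRF'])) {
        $token = $_SERVER['HTTP_X_CSRF'];
    }
    if (!$token) {
        // Guard the lookup: reading a missing key raised an "undefined index"
        // notice and then passed null to verify_nonce() anyway; keep the null.
        // NOTE(review): $_REQUEST is also populated from GET and cookies
        // (request_order); accepting the token from $_POST only would be
        // tighter and keeps it out of URL/access logs — confirm with callers.
        $token = isset($_REQUEST['csrf']) ? $_REQUEST['csrf'] : null;
    }
    return verify_nonce('csrf', $token);
}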
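/**
 * create merchant account
 *
 * Reads the account fields from $_POST, inserts one AES-encrypted row into
 * `users` (session key taken from the session_key cookie) and marks the
 * user as logged in.
 *
 * NOTE(review): the password is stored reversibly encrypted (AES_ENCRYPT)
 * rather than hashed with password_hash(); confirm whether the plaintext
 * is genuinely needed later, otherwise hash it.
 *
 * @return string error message, or null on success
 */
function create_account() {
    if (!verify_nonce()) {
        // Nonce failure is a request-forgery (CSRF) signal, not XSS; the text
        // is kept unchanged because callers may display or compare it.
        return "Cross-site scripting detection error";
    }
    // is_string guards against an array-valued email[] parameter, which would
    // make strlen() error out instead of returning the validation message.
    if (!isset($_POST['email']) || !is_string($_POST['email']) || $_POST['email'] === '') {
        return "Email address not found.";
    }
    if (does_user_have_account($_POST['email'])) {
        return "Email account already exists.";
    }
    cull_accounts();
    try {
        global $pdo;
        $query = "INSERT INTO users VALUES(\n\t\t\t\t\t0,\n\t\t\t\t\tAES_ENCRYPT(:email,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:password,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:given_name,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:family_name,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:language,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:phone_number,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:street_address,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:locality,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:region,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:postal_code,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:country,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:payer_id,':aes_key'),\n\t\t\t\t\tAES_ENCRYPT(:access_token,':aes_key'),\n\t\t\t\t\tNOW(),\n\t\t\t\t\tAES_ENCRYPT(:session_key,':aes_key')\n\t\t\t\t\t)";
        // The key is spliced into the SQL text because the same named
        // placeholder cannot be reused under native prepares. Quote it through
        // the driver rather than raw str_replace so a key containing a quote
        // or backslash cannot break or alter the statement. The key is still
        // part of the statement text, so it will show up in query logs.
        $quotedKey = $pdo->quote(AES_KEY);
        if ($quotedKey === false) {
            return 'Error creating data: driver cannot quote the encryption key';
        }
        $query = str_replace("':aes_key'", $quotedKey, $query);
        $sql = $pdo->prepare($query);
        // Absent fields bind as NULL, matching what the original by-reference
        // binds did, but without silently creating keys in $_POST.
        $fields = array(
            'email', 'password', 'given_name', 'family_name', 'language',
            'phone_number', 'street_address', 'locality', 'region',
            'postal_code', 'country', 'payer_id', 'access_token',
        );
        foreach ($fields as $field) {
            $sql->bindValue(':' . $field, isset($_POST[$field]) ? $_POST[$field] : null, PDO::PARAM_STR);
        }
        $sql->bindValue(':session_key', isset($_COOKIE['session_key']) ? $_COOKIE['session_key'] : null, PDO::PARAM_STR);
        // Without PDO::ERRMODE_EXCEPTION a failed INSERT returns false instead
        // of throwing; the original then logged the user in regardless.
        if ($sql->execute() === false) {
            $info = $sql->errorInfo();
            return 'Error creating data: ' . (isset($info[2]) ? $info[2] : 'unknown database error');
        }
        set_user_logged_in(isset($_POST['given_name']) ? $_POST['given_name'] : null, $_POST['email']);
    } catch (Exception $e) {
        // The debug echo ('Foo' . message) is gone: it wrote the raw driver
        // message into the response body on top of returning it to the caller.
        return 'Error creating data: ' . $e->getMessage();
    }
    return null;
}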
<?php $title = 'Your receipt'; require 'inc_header.php'; ?> <?php
// Finalise the Express Checkout payment. Runs only on a nonce-verified
// request; if verify_nonce() fails nothing is set, neither $error nor a
// payment, and the page simply falls through to the markup below.
if (verify_nonce()) {
    try {
        $token = $_SESSION['user']['token'];
        $payerId = $_SESSION['user']['payer_id'];
        $amount = $_SESSION['user']['amt'];
        // The checkout data is cleared from the session before the call is
        // made — presumably so a refresh cannot repeat the payment; confirm.
        $_SESSION['user']['token'] = null;
        $_SESSION['user']['payer_id'] = null;
        $_SESSION['user']['amt'] = null;
        // PP_* are the API credentials (constants defined outside this listing).
        $params = array('method' => 'DoExpressCheckoutPayment', 'token' => $token, 'payerid' => $payerId, 'itemamt' => $amount, 'amt' => $amount, 'currencycode' => 'USD', 'paymentaction' => 'Sale', 'version' => PP_VERSION, 'user' => PP_USER, 'pwd' => PP_PWD, 'signature' => PP_SIGNATURE);
        $response = post_checkout($params);
        $checkoutDetails = parse_url_encoded($response);
        // NOTE(review): loose != comparison; a missing ACK key also raises a
        // notice, and L_LONGMESSAGE0 is read without isset — confirm the
        // parsed response always carries both on failure.
        if ($checkoutDetails['ACK'] != 'Success') {
            $error = $checkoutDetails['L_LONGMESSAGE0'];
        }
    } catch (Exception $e) {
        $error = $e->getMessage();
    }
}
?> <?php if (isset($error)) { ?> <h2>Error</h2>
 * member o2326570
 *
 * @author Laurent Abbal <*****@*****.**>
 * @license http://www.gnu.org/licenses/gpl-2.0.html GPL License 2
 * @link http://www.easyphp.org
 */
include "i18n.inc.php";
/**
 * Russell, 2012-11-10: nonce functionality relies on some function calls
 * located in functions.inc.php and needs sessions to operate
 * Also added a hidden input called nonce in rendered html below
 */
include "functions.inc.php";
session_start();
// On an "interpretcode" submit the posted source is written to codesource.php
// for later execution; the nonce check is the only gate. A failed check does
// not leave the file alone — it overwrites it with the fixed marker string.
// NOTE(review): this persists request-supplied PHP to disk, which is only
// acceptable for a local development tool; confirm the page is not reachable
// on a deployed host. $_POST['sourcecode'] is also read without isset.
if (isset($_POST['to']) and $_POST['to'] == "interpretcode") {
    file_put_contents('codesource.php', verify_nonce() ? $_POST['sourcecode'] : 'Detected an invalid submit, maybe an exploit attempt (o2326570).');
}
?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>[EasyPHP] Code</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <link rel="shortcut icon" href="images_easyphp/easyphp_favicon.ico" /> <body style="margin:0px;padding:0px;background:#ffffff;font-family:arial, helvetica, sans-serif;"> <div style="margin:0px 0px 10px 0px;padding:10px;font-size:18px;font-weight:bold;text-align:center;background-color:#EEEEEE;"> <a href="index.php" title="<?php
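/**
 * CSRF guard for controller files.
 *
 * This function should be included in EVERY CONTROLLER FILE.
 * Otherwise, you're just asking for trouble.
 * The goal here is to secure the site against cross-site forgeries.
 * We're using nonces associated with the logged in user to make sure
 * everything's A-OK. If not, we send a 403 and stop the request.
 *
 * NOTE(review): the response text claims the attempt is logged, but no
 * logging call is visible here — confirm verify_nonce() or get_ip() records it.
 *
 * @return true when the nonce verifies; on failure the script exits after the
 *              403 response, so this never returns false/null.
 */
function csfr_protection() {
    $app = App::get_instance();
    if (verify_nonce()) {
        return true;
    }
    header('HTTP/1.0 403 Forbidden');
    echo "Your pathetic attempt at cross-site forgery has been detected and logged. Your IP address is: " . $app['ana']->get_ip();
    // The original fell through and returned null here, so a controller that
    // did not check the return value kept processing the forged request.
    // Terminating makes the 403 the entire response, as the comment promised.
    exit;
}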