/**
 * Checks the CSRF token carried by the current request against the session.
 *
 * The token is read from the request under Session::TOKEN_ID and handed to the
 * session object, which decides whether it is acceptable.
 *
 * @return bool true when the session accepts the token, false otherwise
 */
protected function verifyToken()
{
    $submitted = $this->request->getCode(Session::TOKEN_ID);

    // Only the truthiness of the session's verdict matters to callers.
    return (bool) $this->session->verifyToken($submitted);
}
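// The CSRF token is checked before anything else is done with the request:
// a request that cannot prove it came from this site's admin page should not
// get as far as having its upload inspected.
if (!isset($_POST['token'])) {
    $message = urlencode("Token not passed");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}
if (!Session::verifyToken($_POST['token'])) {
    $str = urlencode("Request could not be handled, token does not match");
    header("Location: admin.php?agenda=yes&uploaded={$str}");
    exit;
}

// Only a file that PHP itself received in this request is looked at. A missing
// or failed upload, or a tmp_name that is not an upload at all, is rejected here
// instead of being handed to finfo_file() (which would only warn and return false).
if (!isset($_FILES['file']['tmp_name'], $_FILES['file']['error'])
    || $_FILES['file']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['file']['tmp_name'])
) {
    $message = urlencode("No file uploaded");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}

// Read the real MIME type from the file's contents on the server (the type the
// client claims is not used), then release the finfo resource straight away.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);

// Anything that is not a PDF is ignored.
if ($mime !== "application/pdf") {
    $message = urlencode("{$mime} is not PDF");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}

// The title is required. It is stored as sent; any escaping is the storage
// layer's job (compare the blog upload page, which runs Database::sanitizeData).
if (!isset($_POST['title'])) {
    $message = urlencode("Title not passed");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}
$title = $_POST['title'];

// Make sure the uploads directory exists. is_dir() rather than file_exists(),
// so that a stray regular file named "uploads" is not mistaken for the
// directory; the mode is explicit instead of relying on the 0777 default.
$result = true;
if (!is_dir("./uploads")) {
    $result = mkdir("./uploads", 0755);
}

// Only when the directory is usable: retire the current agendas and create the
// new one with the submitted title.
if ($result === true) {
    Database::archiveAllAgendas();
    $id = Database::createAgenda($title);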
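<?php
declare(strict_types=1);

require_once "./database.php";
require_once "./session.php";

/*
 * This page handles uploading of blog posts.
 *
 * A request is accepted only when the user has a logged-in session AND the
 * POSTed CSRF token matches the one the session holds; the fields are then
 * passed through Database::sanitizeData before being stored.
 */

// A visitor without a session is sent to the login page; nothing reaches the database.
if (!Session::userLoggedIn()) {
    header("Location: login.php");
    exit;
}

$req = $_POST;

// Every one of these fields must be present (isset also rejects a null value).
$needed = ["author", "title", "text", "token"];
foreach ($needed as $field) {
    if (!isset($req[$field])) {
        // $field is always one of the literals above, never client input.
        die("Missing {$field}");
    }
}

// CSRF check: the token has to match the session's before any data is written.
if (!Session::verifyToken($req['token'])) {
    $str = urlencode("Request could not be handled, token does not match");
    header("Location: admin.php?blog=true&uploaded={$str}");
    exit;
}

// sanitizeData is defined in database.php; presumably it escapes for the
// storage layer — confirm there what it does (and does not) protect against.
$title = Database::sanitizeData($req['title']);
$text = Database::sanitizeData($req['text']);
$author = Database::sanitizeData($req['author']);

Database::createBlogPost($author, $title, $text);

header("Location: admin.php?blog=true&uploaded=yes");
exit;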