Example #1
 /**
  * Check the CSRF token carried by the current request against the session.
  *
  * The token is read from the request via getCode() under Session::TOKEN_ID and
  * passed to the session's verifyToken(); whatever that returns is normalised
  * to a strict boolean here.
  *
  * @return bool true when the session accepts the token, false otherwise
  */
 protected function verifyToken()
 {
     $submitted = $this->request->getCode(Session::TOKEN_ID);

     return (bool) $this->session->verifyToken($submitted);
 }
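// Validate the upload before touching the temp file: when the field is missing
// or the upload failed, $_FILES['file']['tmp_name'] is unset or empty and
// finfo_file() on it would only emit a warning and return false. is_uploaded_file()
// additionally confirms the path really came from this request's upload.
if (!isset($_FILES['file']['error']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    $message = urlencode("No file was uploaded");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}
// Open a finfo resource to read the real MIME type from the file contents
// (never from the client-supplied $_FILES['file']['type']); close it as soon
// as the type has been read so the resource is not leaked.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);
// Only PDF agendas are accepted; anything else is bounced back to the admin page.
if ($mime !== "application/pdf") {
    $message = urlencode("{$mime} is not PDF");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}
// The CSRF token must be present, be a plain string (a repeated field arrives
// as an array and must not reach verifyToken()), and match the session.
if (!isset($_POST['token']) || !is_string($_POST['token'])) {
    $message = urlencode("Token not passed");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}
if (!Session::verifyToken($_POST['token'])) {
    $str = urlencode("Request could not be handled, token does not match");
    header("Location: admin.php?agenda=yes&uploaded={$str}");
    exit;
}
// The title was previously read unguarded; a missing or non-string field now
// redirects instead of raising an undefined-index warning and passing null on.
if (!isset($_POST['title']) || !is_string($_POST['title'])) {
    $message = urlencode("Title not passed");
    header("Location: admin.php?agenda=yes&uploaded={$message}");
    exit;
}
$title = $_POST['title'];
// $result stays true when the uploads directory already exists and only carries
// mkdir()'s outcome when it has to be created. is_dir() rather than file_exists()
// so a stray regular file named "uploads" is not mistaken for the directory.
// 0755: owner (the PHP process) writes, nobody else does.
$result = true;
if (!is_dir("./uploads")) {
    $result = mkdir("./uploads", 0755);
}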
if ($result === true) {
    Database::archiveAllAgendas();
    //Create a new agenda with title of Test
    $id = Database::createAgenda($title);
<?php

require_once "./database.php";
require_once "./session.php";
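/*
	This page handles uploading of blog posts.
	The request must come from a logged-in session and carry the CSRF token
	issued by Session; both are checked below before anything reaches the database.
*/
//if the user is not logged in, do not allow the upload to continue into database
if (!Session::userLoggedIn()) {
    header("Location: login.php");
    exit;
}
$req = $_POST;
// Every required field must be present and be a plain string: a repeated field
// such as title[]=x arrives as an array and must not reach sanitizeData() or
// verifyToken(), whose handling of non-string input is not visible here.
$needed = ["author", "title", "text", "token"];
foreach ($needed as $field) {
    if (!isset($req[$field])) {
        die("Missing {$field}");
    }
    if (!is_string($req[$field])) {
        die("Invalid {$field}");
    }
}
// CSRF check: the submitted token must match the one held by the session.
if (!Session::verifyToken($req['token'])) {
    $str = urlencode("Request could not be handled, token does not match");
    header("Location: admin.php?blog=true&uploaded={$str}");
    exit;
}
// Sanitisation is delegated to Database::sanitizeData(); what it does to the
// input is defined in database.php, not here.
$title = Database::sanitizeData($req['title']);
$text = Database::sanitizeData($req['text']);
$author = Database::sanitizeData($req['author']);
Database::createBlogPost($author, $title, $text);
header("Location: admin.php?blog=true&uploaded=yes");
exit;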