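/**
 * Validate the submitted CSRF token (POST only) and issue a fresh one for the next form.
 *
 * On a request that carries POST data the 'gwc_csrf' token is checked with
 * NoCSRF::check in exception mode, with a 10-minute lifetime and as a one-time
 * token (the trailing false). Any failure is re-thrown as a generic
 * "Invalid form request detected" exception; the original NoCSRF exception is
 * chained as $previous so the concrete reason (missing, expired, mismatched)
 * is still available to the caller's logging without being shown to the user.
 * Afterwards a new token is generated and kept in $this->CSRF_TOKEN for rendering.
 *
 * @throws Exception when the posted token fails validation
 */
private function handleNoCSRF()
{
    require_once 'green_nocsrf.php';

    # Only validate when a form was actually submitted; plain renders just get a token.
    if (!empty($_POST)) {
        try {
            # arguments: key, origin, throwException, timespan (seconds), multiple-use
            NoCSRF::check('gwc_csrf', $_POST, true, 60 * 10, false);
        } catch (Exception $e) {
            # Generic message for the user; the cause travels as the chained exception.
            throw new Exception('Invalid form request detected', 0, $e);
        }
    }

    # Token for the next rendered form.
    $this->CSRF_TOKEN = NoCSRF::generate('gwc_csrf');
}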
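// Sandbox page: validate the posted token (if any), then render a form carrying a fresh one.
if (isset($_POST['field'])) {
    try {
        // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
        NoCSRF::check('csrf_token', $_POST, true, 60 * 10, false);

        // form parsing, DB inserts, etc.
        // ...

        $result = 'CSRF check passed. Form parsed.';
    } catch (Exception $e) {
        // CSRF attack detected
        $result = $e->getMessage() . ' Form ignored.';
    }
} else {
    $result = 'No post data yet.';
}

// Generate CSRF token to use in form hidden field
$token = NoCSRF::generate('csrf_token');
?>
<h1>CSRF sandbox</h1>
<?php /* $result carries an exception message; escape it for the HTML context. */ ?>
<pre style="color: red"><?php echo htmlspecialchars($result, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></pre>
<form name="csrf_form" action="#" method="post">
    <h2>Form using generated token.</h2>
    <?php /* Escaped for the attribute context; no whitespace is emitted around the
             value so the posted token compares exactly against the generated one. */ ?>
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>">
    <input type="text" name="field" value="somevalue">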
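// The enclosing if (which presumably guards on the posted/queried width/height) starts
// before this excerpt. Cast the query value so a non-numeric 'height' cannot raise a
// TypeError in the subtraction under PHP 8.
$_SESSION['tb_height'] = (int) $_GET['height'] - $adj_height;
$_SESSION['set_width'] = 1;
} else {
    // Fallback dimensions when none were supplied.
    $_SESSION['tb_width'] = 1000;
    $_SESSION['tb_height'] = 520;
    $_SESSION['set_width'] = 1;
}

// NOTE(review): the library is only included when no 'nocsrf' field was posted, yet
// NoCSRF::generate() below runs on every request — confirm the POST path loads it elsewhere.
if (!isset($_POST['nocsrf'])) {
    include '../nocsrf.php';
}

// If the user is already logged in, do not load this page; send them to the protected area.
// The status test is a strict comparison — the previous `=` was an assignment, which
// silently set logstatus to IS_LOGGED_IN whenever the other session keys were present.
if (isset($_SESSION['MVGitHub_logstatus'])
    && $_SESSION['MVGitHub_logstatus'] === "IS_LOGGED_IN"
    && isset($_SESSION['MVGitHub_idacname'])
    && isset($_SESSION['MVGitHub_iduserrole'])
    && isset($_SESSION['MVGitHub_idacteam'])
    && isset($_SESSION['MVGitHub_iduserprofile'])
) {
    header('location:../../myac/');
    exit;
}

$token = NoCSRF::generate('nocsrf');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Installation</title>
<link href="../assets_backend/css/style.css" rel="stylesheet" type="text/css" />
<link href="../user_login/a/slider.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="../scripts/jquery_1.4.2.js"></script>
<script type="text/javascript" src="../scripts/jquery.simpleSlide.js"></script>
<script type="text/javascript" src="../uilock/jquery.uilock.js"></script>
<script language="Javascript">
$(document).ready(function(){
    $('input').keypress(function(e) {
        var s = String.fromCharCode( e.which );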
/**
 * Handle a GET request by (re)issuing the 'csrf_token'.
 *
 * The value returned by NoCSRF::generate is discarded here; presumably the library
 * records it for a later check and the form fetches it separately — confirm with callers.
 */
protected function get()
{
    $tokenKey = 'csrf_token';
    NoCSRF::generate($tokenKey);
}
<?php

/**
 * GET / — render the portfolio index.
 *
 * Builds the Portfolio model from the app container and hands its entries, together
 * with a freshly generated 'csrf_token', to the index.twig template.
 */
$app->get('/', function () use ($app) {
    $portfolio = new Portfolio($app);
    $viewData = [
        'portfolio'  => $portfolio->getPortfolio(),
        'csrf_token' => NoCSRF::generate('csrf_token'),
    ];
    $app->render('index.twig', $viewData);
});
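// Mail it
mail($to, $subject, $message, $headers);
// NOTE(review): mail()'s boolean result is ignored, so the success message below is shown
// even when the MTA refused the message — confirm whether that is intended.
$acknowledge = 1;
// SERVER_NAME is escaped for the attribute context: on some server configurations it
// reflects the request's Host header, so it must not be echoed raw.
$msg = "<div class=\"msg_success\">" . $msg_pwdreset_success . "</div>"
    . "<div><a href=\"" . htmlspecialchars($_SERVER["SERVER_NAME"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\">Account Log In</a></div>";
} //is not set error message
} //close secure
} catch (Exception $e) {
    // CSRF attack detected
    $result = $e->getMessage() . ' Form Error ';
}
} //close if form is set

$token = NoCSRF::generate('dkm');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php /* Both title parts are data, not markup; escape them for the HTML context. */ ?>
<title><?php echo htmlspecialchars($pagetitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> - <?php echo htmlspecialchars($fet_team['usrteamname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></title>
<link href="../../assets_backend/css/style.css" rel="stylesheet" type="text/css" />
</head>
<body>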
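/**
 * Assign a CSRF token to be added to the form.
 * Will be checked by the corresponding checkCSRF method on form submission.
 *
 * Registers a hidden 'csrf_token' input in $this->form whose value is produced by
 * NoCSRF::generate('csrf_token'); any existing 'csrf_token' entry is replaced.
 */
public function setCSRF()
{
    $this->form['csrf_token'] = [
        'elementType' => 'input',
        'type'        => 'hidden',
        'name'        => 'csrf_token',
        'value'       => NoCSRF::generate('csrf_token'),
    ];
}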