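/**
 * Generates an opening HTML form tag.
 *
 *     // Form will submit back to the current page using POST
 *     echo Form::open();
 *
 *     // Form will submit to 'search' using GET
 *     echo Form::open('search', array('method' => 'get'));
 *
 *     // When "file" inputs are present, you must include the "enctype"
 *     echo Form::open(NULL, array('enctype' => 'multipart/form-data'));
 *
 * A hidden `form_auth_id` input carrying CSRF::token() is appended only when
 * the form method is POST. The method is compared case-insensitively, so
 * 'post' and 'POST' are treated the same; GET forms carry no token.
 *
 * @param   mixed   $action      form action, defaults to the current request URI, or [Request] class to use
 * @param   array   $attributes  html attributes
 * @return  string
 * @uses    Request::instance
 * @uses    URL::site
 * @uses    HTML::attributes
 * @uses    CSRF::token
 */
public static function open($action = NULL, array $attributes = NULL)
{
    if ($action instanceof Request)
    {
        // Use the current URI
        $action = $action->uri();
    }

    if ( ! $action)
    {
        // Allow empty form actions (submits back to the current url).
        $action = '';
    }
    elseif (strpos($action, '://') === FALSE)
    {
        // Make the URI absolute
        $action = URL::site($action);
    }

    // Add the form action to the attributes
    $attributes['action'] = $action;

    // Only accept the default character set
    $attributes['accept-charset'] = Kohana::$charset;

    if ( ! isset($attributes['method']))
    {
        // Use POST method
        $attributes['method'] = 'post';
    }

    // Only render the CSRF field when the POST method is used. The check is
    // strict and case-insensitive: the former loose `== 'post'` comparison
    // skipped the token for a form declared with method 'POST', which the
    // browser still submits as a POST but which then carried no protection.
    $is_post = (strtolower((string) $attributes['method']) === 'post');
    $hidden_csrf_field = $is_post ? self::hidden('form_auth_id', CSRF::token()) : '';

    return '<form'.HTML::attributes($attributes).'>'.$hidden_csrf_field;
}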
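/**
 * Initialises the per-client CSRF token from the `csrfToken` cookie, or mints
 * a fresh one and sets the cookie when no usable value is present.
 *
 * The cookie value is only reused when it is a non-empty string. A missing,
 * empty or array-valued cookie (e.g. `csrfToken[]=x`) is replaced by a new
 * token, so self::$token is always a non-empty string after this runs.
 *
 * @return void
 * @uses Helper::randStr
 * @uses Lobby::getHostname
 */
public static function __constructStatic() {
  $cookie = isset($_COOKIE['csrfToken']) ? $_COOKIE['csrfToken'] : NULL;

  if (is_string($cookie) && $cookie !== '') {
    self::$token = $cookie;
    return;
  }

  // No usable token yet: mint one and hand it to the client. A session
  // lifetime (expires = 0) and the site root path are used for the cookie.
  // NOTE(review): Helper::randStr() is not shown here; confirm it draws from a
  // CSPRNG (random_bytes/random_int) before relying on it for CSRF tokens, and
  // confirm whether the cookie deliberately omits the secure/httponly flags
  // (it does if client-side script needs to read the token).
  self::$token = Helper::randStr(10);
  setcookie("csrfToken", self::$token, 0, "/", Lobby::getHostname());
}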
/**
 * Processes the request, executing the controller action that handles this
 * request, determined by the [Route].
 *
 * 1. Before the controller action is called, the [Controller::before] method
 *    will be called.
 * 2. Next the controller action will be called.
 * 3. After the controller action is called, the [Controller::after] method
 *    will be called.
 *
 * By default, the output from the controller is captured and returned, and
 * no headers are sent.
 *
 *     $request->execute();
 *
 * @return  Response
 * @throws  Request_Exception    when no Request_Client is attached
 * @throws  HTTP_Exception_404   when no Route matched the URI
 * @uses    [Kohana::$profiling]
 * @uses    [Profiler]
 */
public function execute()
{
    $uri = $this->_uri;

    if ( ! ($this->_route instanceof Route))
    {
        throw new HTTP_Exception_404('Unable to find a route to match the URI: :uri', array(':uri' => $uri));
    }

    if ( ! ($this->_client instanceof Request_Client))
    {
        throw new Request_Exception('Unable to execute :uri without a Kohana_Request_Client', array(':uri' => $uri));
    }

    $is_ajax_post = ($this->method() === 'POST' && $this->is_ajax());

    if ($is_ajax_post)
    {
        // Attach the CSRF header for Ajax POST requests.
        // NOTE(review): this writes the server's own valid token onto the
        // *incoming* request's headers. If any downstream check reads
        // X-CSRF-Token from this request and compares it with CSRF::token(),
        // that check is satisfied for every Ajax POST regardless of what the
        // client sent - confirm the header is not used as validation input.
        $this->headers('X-CSRF-Token', CSRF::token());
    }

    return $this->_client->execute($this);
}
/**
 * Processes the request, executing the controller action that handles this
 * request, determined by the [Route].
 *
 * 1. Before the controller action is called, the [Controller::before] method
 *    will be called.
 * 2. Next the controller action will be called.
 * 3. After the controller action is called, the [Controller::after] method
 *    will be called.
 *
 * By default, the output from the controller is captured and returned, and
 * no headers are sent.
 *
 *     $request->execute();
 *
 * Internal (non-external) requests are first matched against this request's
 * routes; the matched route, controller, action, directory and remaining
 * params are stored on the request before execution. A request that matches
 * no route yields a 404 response rather than throwing.
 *
 * @return  Response
 * @throws  Request_Exception   when no Request_Client is attached
 * @uses    [Kohana::$profiling]
 * @uses    [Profiler]
 */
public function execute()
{
    if ( ! $this->_external)
    {
        $match = Request::process($this, $this->_routes);

        if ($match)
        {
            $route  = $match['route'];
            $params = $match['params'];

            // Store the matching route and record whether it points off-site
            $this->_route    = $route;
            $this->_external = $route->is_external();

            if (isset($params['directory']))
            {
                // Controllers are in a sub-directory
                $this->_directory = $params['directory'];
            }

            $this->_controller = $params['controller'];
            $this->_action     = isset($params['action']) ? $params['action'] : Route::$default_action;

            // Routing keys are exposed as properties; everything else stays in
            // the params array, which cannot be changed once matched
            unset($params['controller'], $params['action'], $params['directory']);
            $this->_params = $params;
        }
    }

    if ( ! ($this->_route instanceof Route))
    {
        $not_found = HTTP_Exception::factory(404, 'Unable to find a route to match the URI: :uri', array(':uri' => $this->_uri));

        return $not_found->request($this)->get_response();
    }

    if ( ! ($this->_client instanceof Request_Client))
    {
        throw new Request_Exception('Unable to execute :uri without a Kohana_Request_Client', array(':uri' => $this->_uri));
    }

    if ($this->method() === 'POST' && $this->is_ajax())
    {
        // Attach the CSRF header for Ajax POST requests.
        // NOTE(review): this writes the server's own valid token onto the
        // *incoming* request's headers. If any downstream check reads
        // X-CSRF-Token from this request and compares it with CSRF::token(),
        // that check is satisfied for every Ajax POST regardless of what the
        // client sent - confirm the header is not used as validation input.
        $this->headers('X-CSRF-Token', CSRF::token());
    }

    return $this->_client->execute($this);
}
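<?php
// Photo detail fragment: image, then the comment form. Every value taken
// from $p (which is populated outside this fragment) and the CSRF token is
// escaped for the HTML attribute context it lands in; $p->id additionally
// goes through urlencode() because it is placed in a query string.
?>
<img class="img-responsive" src="images/<?php echo htmlspecialchars((string) $p->filename, ENT_QUOTES, 'UTF-8'); ?>" alt="<?php echo htmlspecialchars((string) $p->caption, ENT_QUOTES, 'UTF-8'); ?>">
</div>
</div>
<div class="col-lg-6 col-lg-offset-3">
  <form method="post" action="photo.php?id=<?php echo htmlspecialchars(urlencode((string) $p->id), ENT_QUOTES, 'UTF-8'); ?>">
    <input type="hidden" name="token" value="<?php echo htmlspecialchars((string) CSRF::token(), ENT_QUOTES, 'UTF-8'); ?>">
    <h4>Add your comment</h4>
    <?php
    // $msg is emitted unescaped as before. NOTE(review): confirm it only ever
    // holds server-built markup and never reflects submitted input; if it can,
    // it needs htmlspecialchars() too.
    echo $msg;
    ?>
    <div class="form-group">
      <label>Name</label>
      <input class="form-control" type="text" placeholder="Enter your Name" name="author" value="">
    </div>
    <div class="form-group">
      <label>Comment</label>
      <textarea class="form-control" placeholder="Enter your Comment" name="body"></textarea>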
/**
 * Builds the hidden CSRF token input for a form.
 *
 * @param string $id     Token scope, e.g. uid [Optional]
 * @param string $action Action the token is bound to [Optional]
 *
 * @return string Hidden `<input>` markup named `token`
 *
 * @uses CSRF::token
 */
public static function csrf($id = '', $action = '')
{
    $token = CSRF::token($id, $action);

    return self::hidden('token', $token);
}
/**
 * Renders the hidden CSRF input for the given token namespace.
 *
 * The input is named `csrf_<namespace>` so that several independently
 * scoped tokens can coexist in one page.
 *
 * @uses Form
 * @param string $namespace
 * @return string generated HTML
 */
public static function form($namespace = 'default')
{
    $field_name = "csrf_{$namespace}";
    $token      = CSRF::token($namespace);

    return Form::hidden($field_name, $token);
}