/**
 * Validate the CSRF token submitted with a form.
 *
 * The token is read from the `csrf_token` POST field (the field written by
 * setCSRF). When the request has no POST body or no token field, the method
 * returns false without consulting NoCSRF at all — callers must treat false
 * as "reject the request", not as "no form was submitted". After the check
 * the token field is removed from $_POST so later form handling never sees it.
 *
 * NoCSRF::check is invoked with its default options here. NOTE(review): the
 * other NoCSRF::check call sites in this codebase pass an explicit
 * throw-on-failure flag, so depending on the library defaults a rejected
 * token may surface as an Exception rather than a false return — confirm
 * against the NoCSRF class actually loaded.
 *
 * @return bool true when NoCSRF accepted the token, false when it was absent or rejected
 * @throws Exception propagated from NoCSRF::check
 */
public function checkCSRF()
{
    $tokenPresent = !empty($_POST) && isset($_POST['csrf_token']);
    if (!$tokenPresent) {
        return false;
    }

    $accepted = NoCSRF::check('csrf_token', $_POST);
    // Strip the token so it is not processed as ordinary form data downstream.
    unset($_POST['csrf_token']);

    return $accepted;
}
/**
 * Abort the request unless the submitted CSRF token is valid.
 *
 * Runs NoCSRF::check against $_POST for the `csrf_token` field. Per the
 * library's documented argument order (field name, source array, throw on
 * failure, lifetime in seconds, allow reuse) this is exception mode, a
 * ten-minute token lifetime and single-use tokens. When the check fails the
 * library's exception message is written to the response verbatim (no HTML
 * escaping) with " Form ignored." appended, and the script exits so nothing
 * after the call runs for a forged request. On success it returns normally
 * and produces no output.
 *
 * @return void
 */
function test_csrf()
{
    try {
        NoCSRF::check('csrf_token', $_POST, true, 60 * 10, false);
    } catch (Exception $failure) {
        // exit() with a string argument prints it and then terminates,
        // which is exactly what the surrounding form handler relies on.
        $notice = $failure->getMessage() . ' Form ignored.';
        exit($notice);
    }
}
/**
 * Enforce the CSRF check for a submitted form, then issue a fresh token.
 *
 * Loads the NoCSRF implementation from green_nocsrf.php. When the request
 * carries POST data, the `gwc_csrf` field is validated in exception mode with
 * a ten-minute lifetime and single-use tokens (argument order per the
 * library: field, source, throw, lifetime, reuse). Any failure reported by
 * the library is rethrown as a generic Exception('Invalid form request
 * detected'), so the library's own message never reaches the caller.
 * A new token is generated unconditionally afterwards and stored in
 * $this->CSRF_TOKEN for the next form render.
 *
 * @return void
 * @throws Exception when a POST request carries a missing, expired or invalid token
 */
private function handleNoCSRF()
{
    require_once 'green_nocsrf.php';

    // A request without a body is not a form submission, so there is nothing
    // to verify. (count() > 0 is implied by !empty() but mirrors the original.)
    $isFormSubmission = !empty($_POST) && count($_POST) > 0;
    if ($isFormSubmission) {
        try {
            NoCSRF::check('gwc_csrf', $_POST, true, 60 * 10, false);
        } catch (Exception $failure) {
            // Deliberately generic: do not leak why the token was rejected.
            throw new Exception('Invalid form request detected');
        }
    }

    // Always mint a new token so the next rendered form carries one.
    $this->CSRF_TOKEN = NoCSRF::generate('gwc_csrf');
}
<?php
// CSRF sandbox: each request first validates any submitted token, then
// generates a new one for the form rendered below. (This listing is cut off
// inside the hidden-field markup at the end.)
session_start();
include 'nocsrf.php';
// Only treat the request as a submission when the form's 'field' input is present.
if (isset($_POST['field'])) {
    try {
        // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
        // (argument order: field name, source array, throw on failure, lifetime
        // in seconds, allow reuse — false here means a token is consumed on first use)
        NoCSRF::check('csrf_token', $_POST, true, 60 * 10, false);
        // form parsing, DB inserts, etc.
        // ...
        $result = 'CSRF check passed. Form parsed.';
    } catch (Exception $e) {
        // CSRF attack detected
        // The library's message is shown as-is; it is library-generated, not user input.
        $result = $e->getMessage() . ' Form ignored.';
    }
} else {
    $result = 'No post data yet.';
}
// Generate CSRF token to use in form hidden field
// NOTE(review): $result and $token are echoed into HTML below without escaping.
// That is acceptable only while both remain library-generated strings; if either
// ever reflects request data it must go through htmlspecialchars().
$token = NoCSRF::generate('csrf_token');
?>
<h1>CSRF sandbox</h1>
<pre style="color: red"><?php echo $result; ?></pre>
<form name="csrf_form" action="#" method="post">
    <h2>Form using generated token.</h2>
    <input type="hidden" name="csrf_token" value="<?php
<?php
// Minimal CSRF demonstration: validate the token from the previous render,
// then mint a new one for the form below.
session_start();
include 'tokengenerator.php';

// Only a submit (the 'field' input is present) triggers a check. This variant
// of NoCSRF::check takes just the field name and its return value is displayed
// directly as the status line.
$result = isset($_POST['field'])
    ? NoCSRF::check('csrf_token')
    : 'Submit button not pressed.';

// A fresh token is generated on every request, including after a failed check.
// NOTE(review): $result and $token are echoed into HTML without escaping —
// acceptable only while both stay library-generated, never user-controlled.
$token = NoCSRF::generate('csrf_token');
?>
<h3><?= $result ?></h3>
<h2>Form with token protection</h2>
<form name="csrf_form" action="#" method="post">
    <input type="hidden" size="55px" name="csrf_token" value="<?= $token ?>">
    Name <input type="text" name="field" value="name"><br/>
    <br/>
    <input type="submit" value="Send form"><br/>
</form>
<?php
require_once '../../Connections/connSystem.php';
mysql_select_db($database_connSystem, $connSystem);
// Login handler: only runs for the 'authenticate' form action. (This listing is
// cut off inside a commented-out block near the end.)
if (isset($_POST['form_action']) && $_POST['form_action'] == "authenticate") {
    try {
        // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
        NoCSRF::check('nocsrf', $_POST, true, 60 * 10, false);
        //first clean em up
        // NOTE(review): mysql_escape_string() is the legacy ext/mysql escaper and
        // ignores the connection character set; the username is additionally
        // reduced to the characters [a-z - _ 0-9 . : @ / whitespace], case-insensitively.
        // Escaping at input time is not a substitute for parameterised queries
        // wherever these values later reach SQL.
        $username = preg_replace('/[^a-z\\-_0-9\\.:@\\/\\s]/i', '', mysql_escape_string(trim($_POST['account_usr'])));
        $userpass = mysql_escape_string(trim($_POST['account_pwd']));
        //first, check the last time this person has tried logging in
        //capture the users ip in case they are using a proxy, use the function below
        // NOTE(review): X-Forwarded-For is a client-supplied header; unless a trusted
        // proxy overwrites it, the caller can set it to any value and thereby choose
        // the address recorded for any rate limiting or lockout based on $userIP.
        function loggerIP()
        {
            if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $theIP = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } else {
                $theIP = $_SERVER['REMOTE_ADDR'];
            }
            return trim($theIP);
        }
        $userIP = loggerIP();
        // The User-Agent header is likewise attacker-controlled; treat it as untrusted.
        $userBrowser = $_SERVER['HTTP_USER_AGENT'];
        //check if the mac address for this server is valid before proceeding
        // NOTE(review): the block below is commented out. If it were re-enabled it
        // would shell out to ipconfig (Windows-only) and capture the output for parsing.
        /* ob_start(); // Turn on output buffering
        system('ipconfig /all'); //Execute external program to display output
        $mycom=ob_get_contents(); // Capture the output into a variable
        ob_clean(); // Clean (erase) the output buffer
        $findme = "Physical";
<?php
$app->group('/api', function () use($app) {
    $app->get('/', function () use($app) {
    });
    $app->group('/contact', function () use($app) {
        // POST /api/contact/submit — CSRF-checked contact form relayed through
        // SendGrid. (This listing is cut off inside the try block; the matching
        // catch is not visible.)
        $app->post('/submit', function () use($app) {
            $app->response->headers->set('Content-Type', 'application/json');
            try {
                // The token must come from the POST body; exception mode, ten-minute
                // lifetime, single-use tokens (argument order per the library:
                // field, source, throw, lifetime, reuse).
                NoCSRF::check('csrf_token', $app->request->post(), true, 60 * 10, false);
                $errors = '';
                $name = $app->request->post('name');
                $email = $app->request->post('email');
                $message = $app->request->post('message');
                // Name and message accept only ASCII letters and spaces, so digits,
                // punctuation and non-Latin text are rejected outright. Note that an
                // unanchored-by-D PCRE `$` also matches before one trailing "\n", so a
                // value ending in a single newline still passes; use \z or the D
                // modifier if an exact match is intended.
                if (empty($name) || !preg_match("/^[a-zA-Z ]*\$/", $name)) {
                    $errors .= "Please enter a valid name \n";
                }
                if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                    $errors .= "Please enter a valid email \n";
                }
                if (empty($message) || !preg_match("/^[a-zA-Z ]*\$/", $message)) {
                    $errors .= "Please enter a valid message \n";
                }
                if (!empty($errors)) {
                    // The error text consists of fixed strings only; no input is echoed back.
                    $json = array('error' => $errors);
                    echo JSONResponse::send($json);
                    return;
                }
                // NOTE(review): the API key is a hard-coded placeholder. Keep the real
                // key in configuration or the environment, never in source control.
                $sendgrid = new SendGrid('API_KEY_HERE');
                // NOTE(review): this overwrites the validated submitter address held in
                // $email; as far as this excerpt shows, that address is not used afterwards.
                $email = new SendGrid\Email();
                $email->addTo($app->config->get('smtp')->to)->setFrom('*****@*****.**')->setSubject('Inquiry from ' . $name)->setText($message);
// (excerpt begins inside an earlier guard whose condition is not visible here;
// it renders a warning page and stops)
echo "<link href=\"../../assets_backend/css/style.css\" rel=\"stylesheet\" type=\"text/css\" />";
require_once '../../admin/a/header.php';
echo "<div class=\"msg_warning\" style=\"padding:0px 0px 0px 300px\">[2]" . $msg_warning_oldlink . "</div>";
exit;
}
// Reset links expire one day after the recorded visit. This is a plain string
// comparison of "Y-m-d H:i:s" values; it only orders correctly while
// $timenowis (set earlier, not visible here) uses exactly the same format.
$expir = date("Y-m-d H:i:s", strtotime($fet_valpag['visited_on']) + 1 * 86400);
if ($expir < $timenowis) {
    echo "<link href=\"../../assets_backend/css/style.css\" rel=\"stylesheet\" type=\"text/css\" />";
    require_once '../../admin/a/header.php';
    echo "<div class=\"msg_warning\" style=\"padding:0px 0px 0px 300px\">[3]" . $msg_warning_oldlink . "</div>";
    exit;
}
if (isset($_POST['formaction']) && $_POST['formaction'] == "send") {
    try {
        // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
        NoCSRF::check('dkm', $_POST, true, 60 * 10, false);
        // NOTE(review): both passwords are run through mysql_escape_string() before
        // any length or policy check, so backslashes added by escaping count toward
        // the 8-character minimum, and whatever is stored later is the escaped
        // form unless it is reversed first. Passwords should be hashed from the raw
        // value (password_hash), never SQL-escaped.
        $pusrpass = mysql_escape_string(trim($_POST['usrpass']));
        $pcusrpass = mysql_escape_string(trim($_POST['cusrpass']));
        // strlen() counts bytes, so multibyte characters inflate the measured length.
        if (strlen($pusrpass) < 8 || strlen($pcusrpass) < 8) {
            $msg = "<div class=\"msg_warning\">" . $msg_warning_shortpwd . "</div>";
            $error_short_password = "******";
        }
        // NOTE(review): the upper/lower/digit policy is applied to the confirmation
        // field ($pcusrpass) only, and no check that $pusrpass equals $pcusrpass
        // appears in this excerpt — confirm that happens before the value is stored.
        if (!isset($error_short_password) && (preg_match('/[A-Z]/', $pcusrpass) && preg_match('/[a-z]/', $pcusrpass) && preg_match('/[0-9]/', $pcusrpass))) {
            $pwdsecure = "SECURE";
        } else {
            $error_pwd_policy = "<div class=\"msg_warning\">" . $msg_warning_pwdpolicy . "</div>";
        }
        if (isset($pwdsecure) && $pwdsecure == "SECURE" && !isset($error_short_password) && !isset($error_pwd_policy)) {
            //find if such a user exists
            // NOTE(review): $userid and $tk1..$tk3 are concatenated straight into the
            // SQL; their origin is outside this excerpt. If they are taken from the
            // reset link they are attacker-controlled and this lookup must use a
            // prepared statement rather than string building.
            $sql_useris = "SELECT idusrpwdreminder,acstatus,visited_on,usremail,idusrac,utitle,lname FROM usrpwdreminder \n\t\t\t\t\t\tINNER JOIN usrac ON usrpwdreminder.userid=usrac.idusrac \n\t\t\t\t\t\tWHERE userid='" . $userid . "' AND token1='" . $tk1 . "' AND token2='" . $tk2 . "' AND token3='" . $tk3 . "' LIMIT 1";
            $res_useris = mysql_query($sql_useris);