예제 #1
 /**
  * Check the CSRF token on form submission
  * Assigned by setCSRF method.
  *
  * Verifies the 'csrf_token' field of $_POST through NoCSRF::check and then
  * removes that field so ordinary form handling never sees it. Without POST
  * data, or without the token field, no check is attempted and false is
  * returned. NoCSRF::check may throw; nothing is caught here.
  *
  * @return bool the result of NoCSRF::check, or false when no token was posted
  * @throws Exception
  */
 public function checkCSRF()
 {
     if (!$_POST || !isset($_POST['csrf_token'])) {
         return false;
     }
     $tokenAccepted = NoCSRF::check('csrf_token', $_POST);
     // Drop the token so later form processing does not treat it as a field.
     unset($_POST['csrf_token']);
     return $tokenAccepted;
 }
예제 #2
/**
 * Abort the request when the submitted form fails the CSRF check.
 *
 * Runs NoCSRF::check on $_POST in exception mode (10 minute window,
 * one-time token). On failure the exception message is printed followed
 * by " Form ignored." and the script exits, so the form is never processed.
 */
function test_csrf()
{
    try {
        NoCSRF::check('csrf_token', $_POST, true, 60 * 10, false);
    } catch (Exception $e) {
        echo $e->getMessage() . ' Form ignored.';
        exit;
    }
}
예제 #3
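 /**
  * Validate the CSRF token of any submitted form, then issue a fresh token.
  *
  * When POST data is present the 'gwc_csrf' token is verified with
  * NoCSRF::check. A failed check is rethrown as a generic Exception so the
  * caller sees one stable message, with the original exception chained as
  * the previous exception so a logger can still reach the real cause.
  * Afterwards a new token is stored in $this->CSRF_TOKEN for the next form.
  *
  * @throws Exception when POST data is present but the token does not verify
  */
 private function handleNoCSRF()
 {
     require_once 'green_nocsrf.php';
     // Only a form submission (non-empty POST) carries a token to check.
     if (!empty($_POST)) {
         try {
             // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
             NoCSRF::check('gwc_csrf', $_POST, true, 60 * 10, false);
         } catch (Exception $e) {
             // Keep the library exception as $previous instead of discarding it.
             throw new Exception('Invalid form request detected', 0, $e);
         }
     }
     // Token for the next form rendered by this request.
     $this->CSRF_TOKEN = NoCSRF::generate('gwc_csrf');
 }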
예제 #4
<?php

session_start();
include 'nocsrf.php';

// Default message until a form has been submitted.
$result = 'No post data yet.';
if (isset($_POST['field'])) {
    try {
        // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
        NoCSRF::check('csrf_token', $_POST, true, 60 * 10, false);
        // form parsing, DB inserts, etc. would go here
        $result = 'CSRF check passed. Form parsed.';
    } catch (Exception $e) {
        // Check failed: treat it as a possible CSRF attempt and skip the form.
        $result = $e->getMessage() . ' Form ignored.';
    }
}
// Fresh token for the hidden field in the form rendered below.
$token = NoCSRF::generate('csrf_token');
?>


<h1>CSRF sandbox</h1>
<pre style="color: red"><?= $result ?></pre>
<form name="csrf_form" action="#" method="post">
    <h2>Form using generated token.</h2>
    <input type="hidden" name="csrf_token" value="<?php 
예제 #5
<?php

session_start();
include 'tokengenerator.php';

// Only verify the token once the form has actually been submitted.
$result = isset($_POST['field'])
    ? NoCSRF::check('csrf_token')
    : 'Submit button not pressed.';
// Token for the hidden field rendered below.
$token = NoCSRF::generate('csrf_token');
?>


<h3><?= $result ?></h3>

    <h2>Form with token protection</h2>

<form name="csrf_form" action="#" method="post">
	<input type="hidden" size="55px" name="csrf_token" value="<?= $token ?>">
    Name <input type="text" name="field" value="name"><br/>
    <br/>
	<input type="submit" value="Send form"><br/>
</form>
<?php

require_once '../../Connections/connSystem.php';
mysql_select_db($database_connSystem, $connSystem);
if (isset($_POST['form_action']) && $_POST['form_action'] == "authenticate") {
    try {
        // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
        NoCSRF::check('nocsrf', $_POST, true, 60 * 10, false);
        //first clean em up
        $username = preg_replace('/[^a-z\\-_0-9\\.:@\\/\\s]/i', '', mysql_escape_string(trim($_POST['account_usr'])));
        $userpass = mysql_escape_string(trim($_POST['account_pwd']));
        //first, check the last time this person has tried logging in
        //capture the users ip in case they are using a proxy, use the function below
        // Returns the trimmed client address, preferring HTTP_X_FORWARDED_FOR.
        // NOTE(security): that header is supplied by the client (or a proxy in
        // front of this server) and can be forged unless a trusted reverse proxy
        // overwrites it; it may also contain a comma-separated chain. For login
        // throttling REMOTE_ADDR is the value the caller cannot choose — confirm
        // the deployment before relying on the forwarded header.
        function loggerIP()
        {
            $clientIP = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
                ? $_SERVER['HTTP_X_FORWARDED_FOR']
                : $_SERVER['REMOTE_ADDR'];
            return trim($clientIP);
        }
        $userIP = loggerIP();
        $userBrowser = $_SERVER['HTTP_USER_AGENT'];
        //check if the mac address for this server is valid before proceeding
        /*	ob_start(); // Turn on output buffering
        			system('ipconfig /all'); //Execute external program to display output
        			$mycom=ob_get_contents(); // Capture the output into a variable
        			ob_clean(); // Clean (erase) the output buffer
        			
        			$findme = "Physical";
예제 #7
<?php

$app->group('/api', function () use($app) {
    $app->get('/', function () use($app) {
    });
    $app->group('/contact', function () use($app) {
        $app->post('/submit', function () use($app) {
            $app->response->headers->set('Content-Type', 'application/json');
            try {
                NoCSRF::check('csrf_token', $app->request->post(), true, 60 * 10, false);
                $errors = '';
                $name = $app->request->post('name');
                $email = $app->request->post('email');
                $message = $app->request->post('message');
                if (empty($name) || !preg_match("/^[a-zA-Z ]*\$/", $name)) {
                    $errors .= "Please enter a valid name \n";
                }
                if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                    $errors .= "Please enter a valid email \n";
                }
                if (empty($message) || !preg_match("/^[a-zA-Z ]*\$/", $message)) {
                    $errors .= "Please enter a valid message \n";
                }
                if (!empty($errors)) {
                    $json = array('error' => $errors);
                    echo JSONResponse::send($json);
                    return;
                }
                $sendgrid = new SendGrid('API_KEY_HERE');
                $email = new SendGrid\Email();
                $email->addTo($app->config->get('smtp')->to)->setFrom('*****@*****.**')->setSubject('Inquiry from ' . $name)->setText($message);
     echo "<link href=\"../../assets_backend/css/style.css\" rel=\"stylesheet\" type=\"text/css\" />";
     require_once '../../admin/a/header.php';
     echo "<div class=\"msg_warning\" style=\"padding:0px 0px 0px 300px\">[2]" . $msg_warning_oldlink . "</div>";
     exit;
 }
 // Reject links once one day (86400 s) has passed since visited_on.
 // NOTE: the string comparison below only orders chronologically if
 // $timenowis uses the same 'Y-m-d H:i:s' format — confirm at the caller.
 $expir = date("Y-m-d H:i:s", strtotime($fet_valpag['visited_on']) + 86400);
 if ($expir < $timenowis) {
     echo '<link href="../../assets_backend/css/style.css" rel="stylesheet" type="text/css" />';
     require_once '../../admin/a/header.php';
     echo '<div class="msg_warning" style="padding:0px 0px 0px 300px">[3]' . $msg_warning_oldlink . '</div>';
     exit;
 }
 if (isset($_POST['formaction']) && $_POST['formaction'] == "send") {
     try {
         // Run CSRF check, on POST data, in exception mode, for 10 minutes, in one-time mode.
         NoCSRF::check('dkm', $_POST, true, 60 * 10, false);
         $pusrpass = mysql_escape_string(trim($_POST['usrpass']));
         $pcusrpass = mysql_escape_string(trim($_POST['cusrpass']));
         if (strlen($pusrpass) < 8 || strlen($pcusrpass) < 8) {
             $msg = "<div class=\"msg_warning\">" . $msg_warning_shortpwd . "</div>";
             $error_short_password = "******";
         }
         if (!isset($error_short_password) && (preg_match('/[A-Z]/', $pcusrpass) && preg_match('/[a-z]/', $pcusrpass) && preg_match('/[0-9]/', $pcusrpass))) {
             $pwdsecure = "SECURE";
         } else {
             $error_pwd_policy = "<div class=\"msg_warning\">" . $msg_warning_pwdpolicy . "</div>";
         }
         if (isset($pwdsecure) && $pwdsecure == "SECURE" && !isset($error_short_password) && !isset($error_pwd_policy)) {
             //find if such a user exists
             $sql_useris = "SELECT idusrpwdreminder,acstatus,visited_on,usremail,idusrac,utitle,lname FROM usrpwdreminder \n\t\t\t\t\t\tINNER JOIN usrac ON usrpwdreminder.userid=usrac.idusrac \n\t\t\t\t\t\tWHERE userid='" . $userid . "' AND token1='" . $tk1 . "' AND token2='" . $tk2 . "' AND token3='" . $tk3 . "'  LIMIT 1";
             $res_useris = mysql_query($sql_useris);