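<?php

/**
 * This code is part of the Tutsplus course PHP Security Pitfalls.
 * It is meant for demonstration purposes only.
 * Do not use this code in a production environment!
 *
 * Login endpoint: marks the current session as logged in once the request
 * carries a valid CSRF token, then redirects to index.php.
 */
require 'functions.php';
// Check token
require 'csrf.php';

$csrf = new csrf();

// The token is read from the URL by the csrf helper (csrf.php, not shown
// here). A token carried in the query string can leak through Referer
// headers and access logs, so a POST body or request header is the safer
// transport for a state-changing request like this one.
// `!` keeps the original loose `== FALSE` semantics: any falsy return value
// counts as a failed check.
if (!$csrf->check_token($csrf->get_token_from_url())) {
    die('You cannot login');
}

// NOTE(review): nothing in this file verifies credentials before granting
// the session; presumably functions.php or an earlier step does — confirm.

// The session's privilege level changes here, so issue a fresh session id to
// stop a pre-set (fixated) id from becoming an authenticated one. Guarded
// because this file does not start the session itself (presumably
// functions.php does — confirm).
if (session_status() === PHP_SESSION_ACTIVE) {
    session_regenerate_id(true);
}
$_SESSION['loggedin'] = true;

header('location: index.php');
// Without exit the script keeps executing after the redirect header is sent;
// nothing follows today, but the guard keeps later additions from running
// for a request that should already have been redirected.
exit;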
/**
 * This code is part of the Tutsplus course PHP Security Pitfalls. 
 * It is meant for demonstration purposes only. 
 * Do not use this code in a production environment!
 */
// Shared helpers; the session read further down is presumably started in
// here — confirm.
require 'functions.php';
// CSRF helper class used further down both to verify a token carried in the
// URL (check_token / get_token_from_url) and to issue a new one (get_token).
require 'csrf.php';
// One csrf instance serves every token operation in this script.
$csrf = new csrf();
if (!empty($_SESSION['loggedin']) && $_SESSION['loggedin'] === TRUE) {
    $account = isset($_GET['account']) ? (int) $_GET['account'] : 0;
    $amount = isset($_GET['amount']) ? (int) $_GET['amount'] : 0;
    if ($account > 0 && $amount > 0) {
        // Transfer
        $token = $csrf->get_token_from_url();
        if ($csrf->check_token($token) == FALSE) {
            die('You rascal!');
        }
        $filename = 'transfers.txt';
        $data = file_get_contents($filename);
        $msg = "A transfer of {$amount} has been made to account {$account}\n";
        $data .= $msg;
        file_put_contents($filename, $data);
        echo $msg;
    } else {
        $token = $csrf->get_token();
        echo '<h1>No transfer could be made</h1>';
        echo '<a href="index.php?amount=10&account=1234&token=' . $token . '">Transfer $10 into account 1234</a>';
    }
} else {
    $token = $csrf->get_token();