-rw-r--r--admin/auth.php34
-rw-r--r--admin/category/delete.php16
-rw-r--r--admin/database.php20
-rw-r--r--admin/page/delete.php16
-rw-r--r--admin/post/delete.php16
-rw-r--r--admin/user/delete.php16
6 files changed, 69 insertions, 49 deletions
diff --git a/admin/auth.php b/admin/auth.php
index 5a3cc5f..d0abc38 100644
--- a/admin/auth.php
+++ b/admin/auth.php
@@ -27,27 +27,27 @@ if(Application::isAuthenticated()) {
#===============================================================================
# IF: Login action
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'username', 'password')) {
- $UserRepository = Application::getRepository('User');
+if(HTTP::issetPOST('username', 'password')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ $UserRepository = Application::getRepository('User');
- if($User = $UserRepository->findBy('username', HTTP::POST('username'))) {
- if(password_verify(HTTP::POST('password'), $User->get('password'))) {
- $_SESSION['auth'] = $User->getID();
- HTTP::redirect(Application::getAdminURL());
- }
+ if($User = $UserRepository->findBy('username', HTTP::POST('username'))) {
+ if(password_verify(HTTP::POST('password'), $User->get('password'))) {
+ $_SESSION['auth'] = $User->getID();
+ HTTP::redirect(Application::getAdminURL());
+ } else {
+ $messages[] = $Language->text('authentication_failure');
+ }
+ } else {
+ $fake_hash = '$2y$10$xpnwDU2HumOgGQhVpMOP9uataEF82YXizniFhSUhYjUiXF8aoDk0C';
+ $fake_pass = HTTP::POST('password');
+
+ password_verify($fake_pass, $fake_hash);
- else {
$messages[] = $Language->text('authentication_failure');
}
- }
-
- else {
- $fake_hash = '$2y$10$xpnwDU2HumOgGQhVpMOP9uataEF82YXizniFhSUhYjUiXF8aoDk0C';
- $fake_pass = HTTP::POST('password');
-
- password_verify($fake_pass, $fake_hash);
-
- $messages[] = $Language->text('authentication_failure');
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
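Review bot: The successful-login branch at the `$_SESSION['auth'] = $User->getID();` line still stores the user id into whatever session already exists, so a session id established before login stays valid after it (session fixation); call `session_regenerate_id(true);` immediately before that assignment. Moving the token check inside the username/password branch is sound, but whether `HTTP::issetPOST(['token' => ...])` compares the submitted token in constant time (hash_equals) is not visible in this hunk and is worth confirming, since a plain `===` on the token is the usual shortcut. The dummy `password_verify` on the unknown-user path keeps response timing close to the real path only as long as the literal `$fake_hash` uses the same bcrypt cost as real user hashes; a short comment above it, such as `# Burn a bcrypt verification so unknown users take as long as wrong passwords; keep cost equal to real hashes`, would stop a later cost bump from silently reopening the timing gap. The authenticated-user guard named in the hunk header sits above the hunk.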
diff --git a/admin/category/delete.php b/admin/category/delete.php
index e92387c..d7b3001 100644
--- a/admin/category/delete.php
+++ b/admin/category/delete.php
@@ -25,13 +25,17 @@ if(!$Category = $CategoryRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($CategoryRepository->delete($Category)) {
- HTTP::redirect(Application::getAdminURL('category/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($CategoryRepository->delete($Category)) {
+ HTTP::redirect(Application::getAdminURL('category/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
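Review bot: The `catch(PDOException $Exception)` branch pushes `$Exception->getMessage()` straight into `$messages`, which renders driver text (SQLSTATE, table and constraint names) to the browser; log the exception server-side and show a fixed translated message instead, e.g. `error_log($Exception->getMessage()); $messages[] = $Language->text('<delete-failure-key>');` with the key taken from the existing language files. The same pattern appears in the admin/page/delete.php, admin/post/delete.php and admin/user/delete.php hunks of this commit. A `delete()` call that returns false also falls through silently, so the admin sees the confirmation form again with no indication that nothing happened; an `else` appending a message on that `if` would close the gap. The token-then-action nesting is now copied verbatim across the four delete handlers and admin/database.php, so a single helper that verifies the token and appends `error_security_csrf` would keep the five copies from drifting apart.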
diff --git a/admin/database.php b/admin/database.php
index a257071..1d3404f 100644
--- a/admin/database.php
+++ b/admin/database.php
@@ -13,15 +13,19 @@ require '../core/application.php';
#===============================================================================
# Execute database command(s)
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'command')) {
- try {
- $Statement = $Database->query(HTTP::POST('command'));
+if(HTTP::issetPOST('command')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ $Statement = $Database->query(HTTP::POST('command'));
- do {
- $result[] = print_r($Statement->fetchAll(), TRUE);
- } while($Statement->nextRowset());
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ do {
+ $result[] = print_r($Statement->fetchAll(), TRUE);
+ } while($Statement->nextRowset());
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
+ }
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
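Review bot: The token check is now the only thing between a forged cross-site POST and `$Database->query(HTTP::POST('command'))`, which runs arbitrary SQL with the application's credentials, yet nothing records which authenticated admin ran which command; add an audit entry before the `query` call, e.g. `error_log(sprintf('db-console user=%s cmd=%s', $_SESSION['auth'], HTTP::POST('command')));`, or the project's own logger if it has one. On drivers without multi-result support `nextRowset()` typically fails with a PDOException, so the loop then ends in the catch with whatever was already collected in `$result` and the driver message in `$messages`; a comment on the `do` line such as `# nextRowset() may throw on single-result drivers; partial results are kept` would make that intended. Whether `$result` is initialised before this hunk, and whether an authentication guard precedes it, is not visible here.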
diff --git a/admin/page/delete.php b/admin/page/delete.php
index d815023..035dbee 100644
--- a/admin/page/delete.php
+++ b/admin/page/delete.php
@@ -25,13 +25,17 @@ if(!$Page = $PageRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($PageRepository->delete($Page)) {
- HTTP::redirect(Application::getAdminURL('page/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($PageRepository->delete($Page)) {
+ HTTP::redirect(Application::getAdminURL('page/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
diff --git a/admin/post/delete.php b/admin/post/delete.php
index 519ba9e..3fb4c84 100644
--- a/admin/post/delete.php
+++ b/admin/post/delete.php
@@ -25,13 +25,17 @@ if(!$Post = $PostRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($PostRepository->delete($Post)) {
- HTTP::redirect(Application::getAdminURL('post/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($PostRepository->delete($Post)) {
+ HTTP::redirect(Application::getAdminURL('post/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
diff --git a/admin/user/delete.php b/admin/user/delete.php
index 5a38b53..31389a2 100644
--- a/admin/user/delete.php
+++ b/admin/user/delete.php
@@ -25,13 +25,17 @@ if(!$User = $UserRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($UserRepository->delete($User)) {
- HTTP::redirect(Application::getAdminURL('user/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($UserRepository->delete($User)) {
+ HTTP::redirect(Application::getAdminURL('user/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}