-rw-r--r-- | admin/auth.php | 34 | ||||
-rw-r--r-- | admin/category/delete.php | 16 | ||||
-rw-r--r-- | admin/database.php | 20 | ||||
-rw-r--r-- | admin/page/delete.php | 16 | ||||
-rw-r--r-- | admin/post/delete.php | 16 | ||||
-rw-r--r-- | admin/user/delete.php | 16 |
6 files changed, 69 insertions, 49 deletions
diff --git a/admin/auth.php b/admin/auth.php
index 5a3cc5f..d0abc38 100644
--- a/admin/auth.php
+++ b/admin/auth.php
@@ -27,27 +27,27 @@ if(Application::isAuthenticated()) {
 #===============================================================================
 # IF: Login action
 #===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'username', 'password')) {
- $UserRepository = Application::getRepository('User');
+if(HTTP::issetPOST('username', 'password')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ $UserRepository = Application::getRepository('User');
- if($User = $UserRepository->findBy('username', HTTP::POST('username'))) {
- if(password_verify(HTTP::POST('password'), $User->get('password'))) {
- $_SESSION['auth'] = $User->getID();
- HTTP::redirect(Application::getAdminURL());
- }
+ if($User = $UserRepository->findBy('username', HTTP::POST('username'))) {
+ if(password_verify(HTTP::POST('password'), $User->get('password'))) {
+ $_SESSION['auth'] = $User->getID();
+ HTTP::redirect(Application::getAdminURL());
+ } else {
+ $messages[] = $Language->text('authentication_failure');
+ }
+ } else {
+ $fake_hash = '$2y$10$xpnwDU2HumOgGQhVpMOP9uataEF82YXizniFhSUhYjUiXF8aoDk0C';
+ $fake_pass = HTTP::POST('password');
+
+ password_verify($fake_pass, $fake_hash);
- else { $messages[] = $Language->text('authentication_failure'); }
- }
-
- else {
- $fake_hash = '$2y$10$xpnwDU2HumOgGQhVpMOP9uataEF82YXizniFhSUhYjUiXF8aoDk0C';
- $fake_pass = HTTP::POST('password');
-
- password_verify($fake_pass, $fake_hash);
-
- $messages[] = $Language->text('authentication_failure');
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
 }
 }
diff --git a/admin/category/delete.php b/admin/category/delete.php
index e92387c..d7b3001 100644
--- a/admin/category/delete.php
+++ b/admin/category/delete.php
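Review bot: As rendered here, the new user-not-found branch ends right after the dummy `password_verify($fake_pass, $fake_hash);` and never re-adds `$messages[] = $Language->text('authentication_failure');` — the only `authentication_failure` line on the new side is in the wrong-password branch, whereas the removed code set it after the dummy verify as well. If that is the real file and not a loss in this rendering, an unknown username yields no error message while a wrong password yields one, which hands back the username oracle the constant-time dummy verify exists to prevent; the fix is one line, `$messages[] = $Language->text('authentication_failure');` after the dummy verify. The dummy hash is also a `$2y$10$` bcrypt; if real user hashes are stored with a different cost, the two paths still differ in timing, so worth a comment tying `$fake_hash` to the cost used when hashing real passwords.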
@@ -25,13 +25,17 @@ if(!$Category = $CategoryRepository->find(HTTP::GET('id'))) {
 #===============================================================================
 # Check for delete request
 #===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($CategoryRepository->delete($Category)) {
- HTTP::redirect(Application::getAdminURL('category/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($CategoryRepository->delete($Category)) {
+ HTTP::redirect(Application::getAdminURL('category/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
 }
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
 }
 }
diff --git a/admin/database.php b/admin/database.php
index a257071..1d3404f 100644
--- a/admin/database.php
+++ b/admin/database.php
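Review bot: The same three-branch skeleton (`issetPOST('delete')` → `issetPOST(['token' => ...])` → `error_security_csrf`) is now hand-copied into admin/category/delete.php, admin/page/delete.php, admin/post/delete.php and admin/user/delete.php, plus admin/database.php and admin/auth.php; a single shared helper that checks the token and appends `$Language->text('error_security_csrf')` would keep the guard identical everywhere, which matters for a CSRF check because a copy that drifts in one file is easy to miss. Inside the block, a `delete()` that returns false without throwing still falls through silently — no redirect and nothing appended to `$messages` — so an `else` branch appending a failure message would complete the handling the rewrite touched. `$messages[] = $Exception->getMessage();` also surfaces the raw PDO error text to the page; that is pre-existing, but since these lines were rewritten it is a cheap moment to log the exception and show a generic message instead.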
@@ -13,15 +13,19 @@ require '../core/application.php';
 #===============================================================================
 # Execute database command(s)
 #===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'command')) {
- try {
- $Statement = $Database->query(HTTP::POST('command'));
+if(HTTP::issetPOST('command')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ $Statement = $Database->query(HTTP::POST('command'));
- do {
- $result[] = print_r($Statement->fetchAll(), TRUE);
- } while($Statement->nextRowset());
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ do {
+ $result[] = print_r($Statement->fetchAll(), TRUE);
+ } while($Statement->nextRowset());
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
+ }
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
 }
 }
diff --git a/admin/page/delete.php b/admin/page/delete.php
index d815023..035dbee 100644
--- a/admin/page/delete.php
+++ b/admin/page/delete.php
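Review bot: `$Statement = $Database->query(HTTP::POST('command'));` only reaches the `catch(PDOException ...)` if the connection is configured with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION`, which this hunk cannot show; with the default error mode `query()` returns `false` and the following `$Statement->fetchAll()` is a fatal call on a non-object outside the try/catch. A guard such as `if($Statement === false) { throw new PDOException(implode(' ', $Database->errorInfo())); }` right after the call keeps the failure inside the existing handler regardless of the driver setting. Since this page runs arbitrary SQL from POST by design, the token comparison performed inside `HTTP::issetPOST(['token' => ...])` is the only barrier against a forged request from a logged-in admin's browser; it is defined outside this diff, so worth confirming it compares with `hash_equals()` rather than `==`.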
@@ -25,13 +25,17 @@ if(!$Page = $PageRepository->find(HTTP::GET('id'))) {
 #===============================================================================
 # Check for delete request
 #===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($PageRepository->delete($Page)) {
- HTTP::redirect(Application::getAdminURL('page/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($PageRepository->delete($Page)) {
+ HTTP::redirect(Application::getAdminURL('page/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
 }
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
 }
 }
diff --git a/admin/post/delete.php b/admin/post/delete.php
index 519ba9e..3fb4c84 100644
--- a/admin/post/delete.php
+++ b/admin/post/delete.php
@@ -25,13 +25,17 @@ if(!$Post = $PostRepository->find(HTTP::GET('id'))) {
 #===============================================================================
 # Check for delete request
 #===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($PostRepository->delete($Post)) {
- HTTP::redirect(Application::getAdminURL('post/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($PostRepository->delete($Post)) {
+ HTTP::redirect(Application::getAdminURL('post/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
 }
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
 }
 }
diff --git a/admin/user/delete.php b/admin/user/delete.php
index 5a38b53..31389a2 100644
--- a/admin/user/delete.php
+++ b/admin/user/delete.php
@@ -25,13 +25,17 @@ if(!$User = $UserRepository->find(HTTP::GET('id'))) {
 #===============================================================================
 # Check for delete request
 #===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($UserRepository->delete($User)) {
- HTTP::redirect(Application::getAdminURL('user/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($UserRepository->delete($User)) {
+ HTTP::redirect(Application::getAdminURL('user/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
 }
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
 }
 } |