PHP - Need Help Using CSRF in CodeIgniter and Scriptaculous
Hi - My app is built with CodeIgniter, so if I turn on CSRF in the CI config I get the token being created on my page - good.
But I have one page ("shopping cart") which uses the Scriptaculous Ajax.Updater function: http://api.prototype...x/Ajax/Updater/
When I turn on CSRF, my shopping cart page refuses to function in terms of updating the cart or deleting any items from the cart. These are both JS functions.
I am really stuck - any help would be a godsend. Thank you!!
Here is the code:
Update JS function:

function jsUpdateCart() {
    var parameter_string = '';
    // every input with class "process" has an id of the form "xxx_yyy_<item id>"
    var allNodes = document.getElementsByClassName("process");
    for (var i = 0; i < allNodes.length; i++) {
        var tempid = allNodes[i].id;
        var temp = tempid.split("_");
        var real_id = temp[2];
        var real_value = allNodes[i].value;
        parameter_string += real_id + ':' + real_value + ',';
    }
    var params = 'ids=' + parameter_string;
    var ajax = new Ajax.Updater(
        'ajax_msg',
        'http://localhost/mysite/index.php/welcome/ajax_cart',
        { method: 'post', parameters: params, onComplete: showMessage }
    );
}

Similar Tutorials

hey guys,
I was introduced to the world of CSRF a little while ago by a member of PHP Freaks; beforehand I hadn't a clue... so I decided to read a little more into it and created a class to deal with generating tokens and ensuring the site is free from CSRF.
Now my understanding is that a CSRF can be made from clicking on sponsors, images and basically anything that can cause a request to another site/domain.
Now the script allows the user to have multiple tokens, and a new token is generated every time when filling a form or whatever, allowing the user to have more than one tab open. I'm just a little concerned that a CSRF attack can still be made this way as a new token is made on each form page.
When creating a form I do this:

<input name="csrf_token" type="hidden" value="12345" />

Then on post I'm able to do something like this:

$token = $csrf->get_token(); // token for input
if ($csrf->is_safe($post->csrf_token) && $form->is_valid()) {
    echo "safe";
} else {
    echo "unsafe";
}

Here is my class:

<?php
namespace Security;

use Session\Session as Session;
use Security\SSL;

class CSRF
{
    protected $_expiration = "3600";

    public function get_token($expiration = null)
    {
        $ssl = new SSL;
        $token = $ssl->random_string(20);
        $session = new Session;
        $session->start();
        if ($expiration === null) {
            $expiration = $this->_expiration;
        } else if (!is_numeric($expiration)) {
            // error
        }
        if (!$session->offset_exists('csrf_token')) {
            $session->csrf_token = array();
        }
        $expiration = time() + $expiration;
        $session->append('csrf_token', array('token' => $token, 'expiration' => $expiration));
        return $token; // was "return $csrf_token", an undefined variable
    }

    protected function token_exists($token)
    {
        $session = new Session;
        $session->start();
        $csrf_token = $session->csrf_token;
        $result = false;
        foreach ($csrf_token as $key => $array) {
            if (time() > $array['expiration']) {
                // expired: drop it
                $session->offset_unset('csrf_token', $key);
            } else if ($array['expiration'] > time() && $array['token'] === $token) {
                // matched: consume the token so it is single-use
                $session->offset_unset('csrf_token', $key);
                $result = true;
            }
        }
        return $result;
    }

    public function is_safe($token)
    {
        if ($this->token_exists($token)) {
            return true;
        }
        return false;
    }
}

Any advice would be great, thank you.
Edited by Destramic, 11 January 2015 - 04:27 PM.

How much work do you do to stop CSRF? Like, I've made sure when changing passwords/e-mails (or anything related to account security) they have to confirm their own password, so CSRF can't really do much. I've got a header referral check on everything, but this is really easy to spoof, so without putting hidden tokens in each form is there any easier way? I can't really be bothered, and the worst thing they can do is get a user to post a spam post on my forum or something trivial. How far do you take it?
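The class above and the "how much work" question both come down to one mechanism: a secret that only the legitimate page can put into the request. Another origin cannot read the victim's form (same-origin policy), and a cURL fetch from an attacker's own machine receives a token bound to the attacker's session, not the victim's, so a fresh token per form render is not the weakness. What matters is that the token is unpredictable, tied to the session, and compared in constant time before any state change. The following is an added example, not code from any post on this page: a minimal synchronizer-token helper in plain PHP. It assumes PHP 7.1+ (random_bytes, hash_equals, scalar and return types) and an already started session; the class and method names are mine.

```php
<?php
// Added example (not from any post on this page): a minimal synchronizer-token
// helper. Assumes PHP 7.1+ and that session_start() has already been called.
final class CsrfGuard
{
    const SESSION_KEY = 'csrf_tokens';
    const LIFETIME    = 3600;   // seconds a token stays valid

    /**
     * Return the token for a named form, creating it on first use.
     * One token per form name per session: rendering the same form in a
     * second tab reuses the token, so neither tab is locked out.
     */
    public static function token(string $form): string
    {
        self::purge();
        if (!isset($_SESSION[self::SESSION_KEY][$form])) {
            $_SESSION[self::SESSION_KEY][$form] = array(
                'token'   => bin2hex(random_bytes(32)),   // 256 bits from the CSPRNG
                'expires' => time() + self::LIFETIME,
            );
        }
        return $_SESSION[self::SESSION_KEY][$form]['token'];
    }

    /** The hidden field to echo inside the <form>. */
    public static function field(string $form): string
    {
        return '<input type="hidden" name="csrf_token" value="'
            . htmlspecialchars(self::token($form), ENT_QUOTES, 'UTF-8') . '">';
    }

    /**
     * Validate a submitted token. Call this once, before any state change;
     * repeating the check deeper in the same request adds nothing.
     * hash_equals() compares in constant time, unlike ==, which also coerces
     * numeric-looking strings ("0e123" == "0e456" is true in PHP).
     */
    public static function check(string $form, $submitted): bool
    {
        self::purge();
        if (!is_string($submitted) || !isset($_SESSION[self::SESSION_KEY][$form])) {
            return false;
        }
        return hash_equals($_SESSION[self::SESSION_KEY][$form]['token'], $submitted);
    }

    /** Drop expired tokens so the session cannot grow without bound. */
    private static function purge(): void
    {
        $now = time();
        foreach ($_SESSION[self::SESSION_KEY] ?? array() as $form => $entry) {
            if ($entry['expires'] < $now) {
                unset($_SESSION[self::SESSION_KEY][$form]);
            }
        }
    }
}

// In the view, inside the <form> tag:   echo CsrfGuard::field('cart');
// In the handler, before touching anything:
//   if (!CsrfGuard::check('cart', $_POST['csrf_token'] ?? null)) {
//       http_response_code(403);
//       exit('invalid CSRF token');
//   }
```

Every state-changing form gets the field; read-only forms (a search box) do not need one. Whether forms share one token or get one each is a usability choice, not a security one, as long as each token lives only in the server-side session. A Referer check is a weak secondary signal, and a password confirmation on the sensitive actions is a good addition, but neither replaces the token.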
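For the Ajax.Updater question at the top of the page: with CSRF enabled, CodeIgniter rejects every POST that does not carry the token it issued, and the cart script posts only `ids=...`. The fix is to send the token as one more parameter. Below is an added example, not code from the original post or from CodeIgniter: a view fragment that embeds the current token name and hash (from CI's `security` library, which exposes `get_csrf_token_name()` and `get_csrf_hash()`) and a rewritten `jsUpdateCart` that includes them. It assumes the url helper is loaded for `site_url()`, CI 2.1+ for `html_escape()`, and the `showMessage` callback and the `process` inputs from the original page.

```php
<?php
// Added example (not from the original post or from CodeIgniter itself):
// view fragment for the cart page. CI's security library exposes the token
// name and the current hash; put them in the page so the script can post them.
// Assumes the url helper is loaded (site_url) and CI 2.1+ (html_escape).
$csrf_name = $this->security->get_csrf_token_name();
$csrf_hash = $this->security->get_csrf_hash();
?>
<input type="hidden" id="csrf_name" value="<?php echo html_escape($csrf_name); ?>">
<input type="hidden" id="csrf_hash" value="<?php echo html_escape($csrf_hash); ?>">

<script type="text/javascript">
// Same logic as the original jsUpdateCart, plus the CSRF parameter.
function jsUpdateCart() {
    var parameterString = '';
    var allNodes = document.getElementsByClassName('process');
    for (var i = 0; i < allNodes.length; i++) {
        var parts = allNodes[i].id.split('_');           // "qty_item_42" -> "42"
        parameterString += parts[2] + ':' + allNodes[i].value + ',';
    }

    // Prototype accepts an object and URL-encodes it. The token name is
    // configurable (csrf_token_name), so both name and value come from the page.
    var params = { ids: parameterString };
    params[$('csrf_name').value] = $('csrf_hash').value;

    new Ajax.Updater('ajax_msg', '<?php echo site_url('welcome/ajax_cart'); ?>', {
        method: 'post',
        parameters: params,
        onComplete: showMessage   // callback from the original page
    });
}
</script>
```

The delete function needs the same parameter. CodeIgniter regenerates the hash after a verified POST (in 3.x this is the `csrf_regenerate` setting), so after each Ajax request the script has to refresh the stored hash, either from the cookie named by `csrf_cookie_name` (readable from `document.cookie` unless the cookie is HttpOnly) or from a value the controller returns in its response; otherwise the second update fails. Ordinary forms built with `form_open()` get the hidden field added automatically.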
As the title says, I would like to know how exactly CSRF can be 100% (or close to it) prevented.
One of the most recommended solutions is to create a token and insert it into a hidden field, but I've tested it on another domain and you can just do a cURL request and retrieve the token then make another request with it included. Proof:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "URL");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
curl_close($ch);
$exploded = explode('type="hidden" name="token" value="', $response);
$token = substr($exploded[1], 0, 64);
echo $token; // ebd9ab96d40bdb21bbaa2e1a18d657be2e413105ae86ecc14def6137f38a1571
?>

I would hate to include a captcha on all my forms, so how exactly does one prevent CSRF?

I have a question about Cross-Site Request Forgeries (CSRF). Somewhere in the processing of my form, I check:

if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
    // all other code omitted
} else {
    // no place for bad guys here
}

So basically, if the token is good then the form continues to check for errors, valid data, etc... I was wondering: is there a point in checking the token again each time I check something else? For example:

// above code omitted
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
    // all other code omitted
    // check to see if there were any errors
    if (count($errors) >= 1) {
        $valid = false;
    } else {
        // all other code omitted
        if ($sent == $allowed) {
            if ($addNew == true) { // Should I be checking the token each time, or am I being redundant??
                // all other code omitted
            }
        }
    }
} else {
    // no place for bad guys here
}

Hi all, I'm writing my own MVC framework purely to improve my OO PHP skills, and I've created a CSRF token validation class to help prevent CSRF attacks. I just need some feedback on it really: is it insecure, is there a better way to validate tokens, etc.

Code:

<?php
// Security measure.
if (!defined('BASE_PATH')) {
    exit();
}

class CSRF
{
    private static $tokens = array();
    private static $session_name = 'csrf_data';

    /**
     * Loads CSRF token data from session into $tokens array.
     *
     * This is called before the controller is loaded.
     *
     * @return void
     */
    public static function init()
    {
        $session_name = self::$session_name;
        // Move CSRF token data from session to class field.
        if (isset($_SESSION[$session_name])) {
            self::$tokens = unserialize($_SESSION[$session_name]);
            unset($_SESSION[$session_name]);
        }
    }

    /**
     * Saves the CSRF data to a session.
     *
     * @static
     * @return void
     */
    private static function save()
    {
        $session_name = self::$session_name;
        unset($_SESSION[$session_name]);
        $_SESSION[$session_name] = serialize(self::$tokens);
    }

    /**
     * Creates a new token.
     *
     * @static
     * @param string $name
     * @return string
     */
    private static function generateToken($name)
    {
        $token = md5(uniqid(rand(), true));
        self::$tokens[$name] = $token;
        self::save();
        return $token;
    }

    /**
     * Validate a token by its name.
     *
     * @static
     * @param string $name
     * @param string $token The CSRF token included with the form data.
     * @return bool
     */
    public static function validateToken($name, $token)
    {
        if (!isset(self::$tokens[$name])) {
            return false;
        }
        return ($token == self::$tokens[$name]);
    }
} // End of CSRF class.

I know the CSRF token is like a random string. Does every form need a CSRF token? Does every form need to have a different CSRF token, or do all forms have the same CSRF token for one logged-in user? When a user logs in, I set $_SESSION['key']=$useremail; is it OK to set the email for a logged-in session? Do I have to set or add another $_SESSION with the CSRF token? How does the CSRF token add security for form submission? After form submission, what would PHP do with the hidden input field or with the CSRF token? Someone parses the HTML login form and gets the CSRF token from the hidden field. Now can he request with that CSRF token to log in through jQuery Ajax?

hello....
I am a newbie to PHP... can anyone please let me know why OOP PHP, what makes the difference between procedural (generic) PHP and OOP PHP? If possible, provide me any referral links...
And I have gone through the CodeIgniter user guide... it was quite good, but can anyone let me know how to develop an entire web application in CodeIgniter? If possible, provide me any referral links...
Thanks & Regards
Shankaar
Hi, I need help with pagination on my page where the advertiser is showing. Here is my website: photoagahi.com. The search.php controller looks like this:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Search extends Application {

    public function __construct() {
        parent::__construct();
        $this->load->model('meta_model');
        $this->load->helper('url');
        $this->load->model('category_model');
        $this->load->model('advert_model');
        $this->load->helper('Fdate');
        $this->load->helper('form');
        $this->load->library('table');
        $this->load->helper('advert');
        $this->load->library('form_validation');
        $this->load->helper('security');
        $this->config->add_to_item(KCI_LANG, 'search');
        $this->load->library('pagination');
        $config['base_url'] = base_url();
        $config['total_rows'] = '50';
        $config['per_page'] = '30';
        $config['full_tag_open'] = '<p>';
        $config['full_tag_close'] = '</p>';
        $config['last_link'] = 'Last';
        $config['uri_segment'] = '4';
        $this->pagination->initialize($config);
    }

    /**
     * Returns the search based on the requested county.
     * If the county was recently visited, the municipality and locality aren't updated.
     *
     * The primary search is also made to determine the latest search.
     *
     * @param unknown_type $slug
     */
    public function index($county, $target = ADVERT_TARGET_ALL_SLUG, $sort = null, $type = null, $category = null, $municipality = null, $text = null) {
        $county = $this->meta_model->county(xss_clean($county));
        if(!$county) redirect('');
        $this->load_banner(array($county->county_id, BANNER_SECTION_SEARCH));
        if(!get_county() || get_county()->county_id != $county->county_id) set_county($county);
        $this->form_validation->set_rules('text', lang('advert_freetext'), 'max_length[100]');
        $adverts = array();
        $count = array();
        if($this->form_validation->run()) {
            $url = array();
            $url[] = $county->county_slug;
            $url[] = $this->input->post('advert_target') ? $this->input->post('advert_target') : ADVERT_TARGET_ALL_SLUG;
            $url[] = $this->input->post('advert_sort') ? $this->input->post('advert_sort') : ADVERT_SORT_TIME;
            $url[] = $this->input->post('advert_type') ? implode('-', $this->input->post('advert_type')) : ADVERT_TYPE_SALE;
            $url[] = $this->input->post('category_id') ? $this->input->post('category_id', true) : 0;
            $url[] = $this->input->post('municipality_id') ? $this->input->post('municipality_id', true) : 0;
            if($this->input->post('text')) $url[] = urlencode($this->input->post('text', true));
            $slug = '/'.implode('/', $url);
            redirect($slug);
        } else {
            $params = array();
            //Convert to objects
            if($type) {
                $type = explode('-', xss_clean($type));
                if($type) {
                    $params['advert_type'] = $type;
                    foreach($type as $t) populate('advert_type['.$t.']', true);
                }
            } else {
                $params['advert_type'] = array(ADVERT_TYPE_SALE);
                populate('advert_type['.ADVERT_TYPE_SALE.']', true);
            }
            if($category) $category = $this->category_model->get(xss_clean($category));
            populate('category_id', $category ? $category->category_id : null);
            $params['category_id'] = $category ? $category->category_id : null;
            if($municipality == ADVERT_CODE_ENTIRE_COUNTY) {
                $params['county_id'] = $county->county_id;
                populate('municipality_id', ADVERT_CODE_ENTIRE_COUNTY);
            } else if($municipality == ADVERT_CODE_ENTIRE_COUNTRY) populate('municipality_id', ADVERT_CODE_ENTIRE_COUNTRY);
            else if($municipality) {
                $municipality = $this->meta_model->municipality(xss_clean($municipality));
                if($municipality) {
                    $params['municipality_id'] = $municipality->municipality_id;
                    populate('municipality_id', $municipality->municipality_id);
                }
            } else $params['county_id'] = $county->county_id;
            if($target && $target != ADVERT_TARGET_ALL_SLUG) {
                $target = $this->advert_model->slug_target(xss_clean($target));
                if($target) {
                    populate('advert_target', $target->target_slug);
                    $params['advert_target'] = $target->target_id;
                }
            } else populate('advert_target', ADVERT_TARGET_ALL_SLUG);
            $params['advert_sort'] = $sort ? $sort : ADVERT_SORT_TIME;
            populate('advert_sort', $params['advert_sort']);
            $params['text'] = $text ? xss_clean($text) : null;
            populate('text', $text ? xss_clean($text) : null);
            $adverts = $this->advert_model->search($params, $count);
        }
        $months = months();
        $advert_types = $this->advert_model->types();
        $municipalities = $this->meta_model->municipalities($county);
        $categories = $this->category_model->all();
        $this->_view('search_view', array(
            'months' => $months,
            'municipalities' => $municipalities,
            'categories' => $categories,
            'county' => $county,
            'adverts' => $adverts,
            'advert_types' => $advert_types,
            'count' => $count));
    }

    /**
     * Returns the municipalities as JSON for a specified county
     * This is used by the AJAX request on the search filter
     */
    public function municipalities() {
        $result = array();
        $county_id = $this->input->post('id', true);
        if($county_id == 0) {
            $result['message'] = lang('ar_county_not_choosen');
            set_county(null);
        } else {
            $county = $this->meta_model->county_by_id($county_id);
            if(!$county) {
                $result['error'] = lang('ar_county_not_found');
            } else {
                set_county($county);
                $result['county_name'] = utf8_encode($county->county_name);
                foreach($this->meta_model->municipalities_for_json($county) as $municipality)
                    $result['municipalities'][] = array_map('utf8_encode', $municipality);
            }
        }
        echo json_encode($result);
        die();
    }

    /**
     * Returns the localities as JSON for a specified municipality
     * This is used by the AJAX request on the search filter
     */
    public function localities() {
        $result = array();
        $municipality_id = $this->input->post('id', true);
        if($municipality_id == 0) {
            $result['message'] = lang('ar_municipality_not_choosen');
            set_municipality(null);
        } else {
            $municipality = $this->meta_model->municipality($municipality_id);
            if(!$municipality) {
                $result['error'] = lang('ar_municipality_not_found');
            } else {
                set_municipality($municipality);
                $result['municipality_name'] = utf8_encode($municipality->municipality_name);
                foreach($this->meta_model->localities_for_json($municipality) as $locality)
                    $result['localities'][] = array_map('utf8_encode', $locality);
            }
        }
        echo json_encode($result);
        die();
    }

    /**
     * Updates the session container with the
     * latest requested locality. Used by
     * the AJAX request in the search filter
     */
    public function locality_set() {
        $locality_id = $this->input->post('id', true);
        if($locality_id == 0 || !is_numeric($locality_id)) set_locality(null);
        $locality = $this->meta_model->locality($locality_id);
        if(!$locality) set_locality(null);
        else set_locality($locality);
    }

    /**
     * Updates the session container with the
     * latest requested category. Used by
     * the AJAX request in the search filter
     */
    public function category_set() {
        $category_id = $this->input->post('id', true);
        if($category_id == 0 || !is_numeric($category_id)) set_category(null);
        $category = $this->category_model->get($category_id);
        if(!$category) set_category(null);
        else set_category($category);
    }

    /**
     * Lodge search that returns the info as JSON.
     * Used by the AJAX request in the search filter.
     */
    public function process_search() {
        $text = utf8_decode($this->input->post('text', true));
        $offset = utf8_decode($this->input->post('offset', true));
        if(!is_numeric($offset)) $offset = 0;
        $result = array();
        $result_count = 0;
        $lodges = $this->lodge_model->search($text, 10, $offset, true, $result_count);
        $result['result_count'] = $result_count;
        foreach($lodges as $lodge) {
            $tmp = array_map('utf8_encode', get_object_vars($lodge));
            foreach($this->lodge_model->facilities($lodge) as $facility)
                $tmp['facilities'][] = array_map('utf8_encode', get_object_vars($facility));
            foreach($this->lodge_model->distances($lodge) as $distance)
                $tmp['distances'][] = array_map('utf8_encode', get_object_vars($distance));
            foreach($this->lodge_model->prices($lodge) as $price)
                $tmp['prices'][] = array_map('utf8_encode', get_object_vars($price));
            $image = $this->lodge_model->image($lodge);
            if($image) $tmp['image'] = array_map('utf8_encode', get_object_vars($image));
            $result['lodges'][] = $tmp;
        }
        echo json_encode($result);
    }
}

and the model Meta_model:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Meta_model extends KCI_Model {

    public function counties_with_coordinates() {
        $this->db->join(TBL_COUNTY_COORDINATE, TBL_COUNTY_COORDINATE.'.county_id = '.TBL_COUNTY.'.county_id');
        $this->db->order_by('map_index', 'ASC');
        return $this->db->get(TBL_COUNTY)->result();
    }

    public function county($slug) {
        if(!$slug) return false;
        $this->db->where('county_slug', $slug);
        $this->db->join(TBL_COUNTY_COORDINATE, TBL_COUNTY_COORDINATE.'.county_id = '.TBL_COUNTY.'.county_id');
        return $this->db->get(TBL_COUNTY, 1)->row();
    }

    public function county_by_id($id) {
        $this->db->where('county_id', $id);
        return $this->db->get(TBL_COUNTY, 1)->row();
    }

    public function county_by_lodge($lodge) {
        $this->db->where('lodge_id', $lodge->lodge_id);
        $this->db->join(TBL_LOCALITY, TBL_LOCALITY.'.locality_id = '.TBL_LODGE.'.locality_id');
        $this->db->join(TBL_MUNICIPALITY, TBL_MUNICIPALITY.'.municipality_id = '.TBL_LOCALITY.'.municipality_id');
        $this->db->join(TBL_COUNTY, TBL_COUNTY.'.county_id = '.TBL_MUNICIPALITY.'.county_id');
        $this->db->join(TBL_COUNTY_COORDINATE, TBL_COUNTY_COORDINATE.'.county_id = '.TBL_COUNTY.'.county_id');
        return $this->db->get(TBL_LODGE, 1)->row();
    }

    public function municipality_by_lodge($lodge) {
        $this->db->where('lodge_id', $lodge->lodge_id);
        $this->db->join(TBL_LOCALITY, TBL_LOCALITY.'.locality_id = '.TBL_LODGE.'.locality_id');
        $this->db->join(TBL_MUNICIPALITY, TBL_MUNICIPALITY.'.municipality_id = '.TBL_LOCALITY.'.municipality_id');
        return $this->db->get(TBL_LODGE, 1)->row();
    }

    public function locality_by_lodge($lodge) {
        $this->db->where('lodge_id', $lodge->lodge_id);
        $this->db->join(TBL_LOCALITY, TBL_LOCALITY.'.locality_id = '.TBL_LODGE.'.locality_id');
        return $this->db->get(TBL_LODGE, 1)->row();
    }

    public function municipalities_for_json($county = null) {
        if($county) $this->db->where('county_id', $county->county_id);
        $this->db->select('municipality_id, municipality_name');
        $this->db->order_by('municipality_name', 'ASC');
        return $this->db->get(TBL_MUNICIPALITY)->result_array();
    }

    public function municipalities($county = null) {
        if(is_numeric($county)) $this->db->where('county_id', $county);
        elseif($county) $this->db->where('county_id', $county->county_id);
        $this->db->order_by('municipality_name', 'ASC');
        return $this->db->get(TBL_MUNICIPALITY)->result();
    }

    public function municipality($id) {
        $this->db->where('municipality_id', $id);
        return $this->db->get(TBL_MUNICIPALITY, 1)->row();
    }

    public function localities_for_json($municipality = null) {
        if($municipality) $this->db->where('municipality_id', $municipality->municipality_id);
        $this->db->where('locality_type', 'T');
        $this->db->select('locality_id, locality_name');
        $this->db->order_by('locality_name', 'ASC');
        return $this->db->get(TBL_LOCALITY)->result_array();
    }

    public function localities($municipality = null) {
        if($municipality) $this->db->where('municipality_id', $municipality->municipality_id);
        $this->db->where('locality_type', 'T');
        $this->db->order_by('locality_name', 'ASC');
        return $this->db->get(TBL_LOCALITY)->result();
    }

    public function locality($id) {
        $this->db->where('locality_id', $id);
        $this->db->where('locality_type', 'T');
        $this->db->order_by('locality_name', 'ASC');
        return $this->db->get(TBL_LOCALITY, 1)->row();
    }

    public function locality_parameters_by_municipality($municipality) {
        $this->db->where('municipality_id', $municipality->municipality_id);
        $this->db->select('locality_id');
        $municipalities = $this->db->get(TBL_LOCALITY)->result();
        $result = array();
        if($municipalities)
            foreach($municipalities as $municipality)
                $result[] = $municipality->municipality_id;
        return $result;
    }
}

I'm a bit new to PHP and I'm getting my feet wet with MVC with CodeIgniter. I'm having a bit of trouble with my view accessing a function from my controller. If anyone has seen CodeIgniter from Scratch Day 4, it's that tutorial - I've created an email newsletter signup.
In my view (newsletter.php), my submit button is not working and isn't able to access a function from my controller (email.php). The inaccessible function is called send(). Instead, I get a 404 error. I'll post the code from both the view and controller, but I highly suspect the error is contained within the view, because my controller loads the view but my view can't call a function from the controller. Any help you can provide would be greatly appreciated. Thanks.
Here's the code from my view (newsletter.php):
<html lang='en'>

Hi coders,
The code below runs fine, but my problem is that I can't get the line echo $row->pof_num + 1; into the view "generate_po.php",
since I want that line to get the value and put it into an input text field like below. How? Kindly assist.

<input type="text" name="num" value="<?php echo $row->pof_num + 1; ?>">

public function generate_po() {
    $po_id = $this->input->post('selector');
    $data['result'] = $this->public_base_model->generate_po($po_id);
    if($this->session->userdata('logged_in')) {
        $session_data = $this->session->userdata('logged_in');
        $data['username'] = $session_data['username'];
        $data['fname'] = $session_data['fname'];
        $data['userid'] = $session_data['userid'];
        $this->load->view('generate_po', $data, $this->get_max());
    } else {
        $this->load->view('login');
    }
}

public function get_max() {
    $query2 = $this->db->query("SELECT pof_num FROM pull_out where pof_num = '8800000582'");
    $row = $query2->row();
    echo $row->pof_num + 1; // i want this line to put into view.
    $query2->free_result();
}

Hi,
Can anybody help? I got a 404 message and I don't know the exact way to resolve it.
I have a URL login page like this:
http://localhost/prok/run32.php

And now if the user enters the correct username and password, the page will load or redirect to this, but at this link I get a 404 message: http://localhost/prok/index.php/dashboard/catalog

Please take a look at my way of coding.

#routes.php
$route['default_controller'] = 'Login';
$route['404_override'] = '';
$route['dashboard/(:any)'] = 'dashboard/Catalog';

#controllers/login.php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Login extends CI_Controller {

    function __construct() {
        parent::__construct();
        $this->load->helper('url');
    }

    public function index() {
        $this->load->view('login');
        $array = array();
        if(isset($_POST['submit'])) {
            $username = $this->security->xss_clean($this->input->post('username'));
            $password = $this->security->xss_clean($this->input->post('password'));
            if(empty($username)) {
                $array[] = "<p>Please fill-in required field!</p>";
            } else {
                $username = mysql_real_escape_string($username);
            }
            if(empty($password)) {
                $array[] = "<p>Please fill-in required field!</p>";
            } else {
                $password = mysql_real_escape_string($password);
            }
            if(sizeof($array) > 0) {
                // stray ';' after the foreach removed; it detached the loop body
                foreach($array as $val) {
                    echo "<p>$val</p>";
                }
            } else {
                $this->load->model('login_process');
                $result = $this->login_process->validated();
                if(!$result) {
                    echo "<p> Invalid usernamessssss and password.</p><br />";
                } else {
                    #$this->load->view('dashboard/catalog','refresh');
                    redirect('dashboard/catalog', 'refresh');
                }
            }
        }
    }
}

#controllers/dashboard/catalog.php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Catalog extends CI_Controller {
    public function index() {
        $this->load->view('dashboard/catalog');
    }
}

Please advise what I'm doing wrong. Thanks in advance.

Hi all
It's my first project in CodeIgniter and I tried to make it live from local.
The issue is: on the local server, the site URI runs without index.php, but live it gives an error.
e.g. http://localhost/ci_basic/site/about
folder name - ci_basic
Controller name - site
Function name - about
In the .htaccess file:

RewriteEngine On
RewriteBase /ci_basic/

Now I uploaded the files to a folder named chikabana (a folder in my root directory assigned to chikabana.com). In the .htaccess file:

RewriteEngine On
RewriteBase /chikabana/

I also changed the base URL to chikabana.com in the config file and also removed index.php from the config file. But this URL is not working - http://chikabana.com/site/about; this is working - http://chikabana.com....php/site/about. Also my second question is: how do I remove the controller name from the URL?

Can you please help: how do I validate the date of birth in CodeIgniter, including leap years?
As a long time CodeIgniter user, I made the decision to move away from CodeIgniter a while back. I still maintain, and in some cases develop new features for websites that I made using CodeIgniter.
Still somewhat active in the CodeIgniter forum, I have seen a recent question, "How do we get CodeIgniter back to the PHP framework of choice?". I have offered my own criticism of the framework, but the thread is located on the CodeIgniter forum, so many just protect their beloved CI, not willing to accept that it is in great need of change.
I would appreciate if phpfreaks members would be critical, and hopefully specific in regards to CodeIgniter's problems. I intend to link to this thread, with the hopes that your opinions will help future development of CodeIgniter. Thank you.
Hi all,
I am working on a project where I need to implement RBAC control. Is there any library available in CodeIgniter to extend the functionality? I have started working on CodeIgniter and I want to implement this in CodeIgniter. Please, someone guide me on how to achieve that: how to check roles and permissions.
Hello,
Can you guys point me to something where I can follow a tutorial or something and learn CI?
I've already made tons of 'Cars' models... 'Dogs'... 'Cats'... etc., but I really need some project where I can follow steps to create and learn while I create.
P.S. I think I posted this thread in the right place, but please correct me if it is wrong.
Thanks!