jmb272

Member, 18 posts

Posts posted by jmb272

  1. Hi guys.

     

    I'm writing my own MVC framework and I've written a CSRF token validation class to help prevent CSRF attacks.

    This is my first attempt at writing a CSRF token validation class and I just wanted to get some feedback.

     

    I've looked at how others have done it and sort of stuck to the general route that most people take when writing something similar.

     

    <?php

    // Security measure: only run when loaded through the framework's front controller.
    if (!defined('BASE_PATH')) { exit(); }

    class CSRF
    {
        private static $tokens = array();
        private static $session_name = 'csrf_data';

        /**
         * Loads CSRF token data from session into $tokens array.
         *
         * This method is called in the index.php file before a controller is loaded.
         *
         * @return void
         */
        public static function init()
        {
            $session_name = self::$session_name;

            // Move CSRF token data from session to class field.
            if (isset($_SESSION[$session_name])) {
                self::$tokens = unserialize($_SESSION[$session_name]);
                unset($_SESSION[$session_name]);
            }
        }

        /**
         * Saves the CSRF data to a session.
         *
         * @static
         * @return void
         */
        private static function save()
        {
            $session_name = self::$session_name;
            unset($_SESSION[$session_name]);

            $_SESSION[$session_name] = serialize(self::$tokens);
        }

        /**
         * Creates a new token.
         *
         * Public so that a view can request a token for its form; as a private
         * method it could never be reached from outside the class.
         *
         * @static
         * @param string $name
         * @return string
         */
        public static function generateToken($name)
        {
            // Draw the token from the CSPRNG instead of md5(uniqid(rand(), true)),
            // whose output is predictable.
            $token = bin2hex(random_bytes(16));

            self::$tokens[$name] = $token;
            self::save();

            return $token;
        }

        /**
         * Validate a token by its name.
         *
         * @static
         * @param string $name
         * @param string $token The CSRF token included with the form data.
         * @return bool
         */
        public static function validateToken($name, $token)
        {
            if (!isset(self::$tokens[$name])) {
                return false;
            }

            // Constant-time comparison; == would compare numeric-looking strings as numbers.
            return hash_equals(self::$tokens[$name], (string) $token);
        }
    } // End of CSRF class.
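An added example (not jmb272's class) of the same idea with the properties a CSRF token store needs: per-form, single-use tokens with an expiry, a CSPRNG source, and a constant-time check. It assumes session_start() has already run; the form name 'contact' and the field name 'csrf_token' are constructed for the walk-through.

```php
<?php
// Added example, not jmb272's code: per-form, single-use CSRF tokens kept in
// $_SESSION, generated from the CSPRNG and compared in constant time.
// Assumes session_start() has already run; the form name 'contact' and the
// field name 'csrf_token' are constructed for the walk-through.
class CsrfTokens
{
    const SESSION_KEY = 'csrf_tokens';
    const TTL_SECONDS = 3600;

    // Create a token for a named form and remember it with its issue time.
    public static function issue(string $form): string
    {
        $token = bin2hex(random_bytes(32));
        $_SESSION[self::SESSION_KEY][$form] = ['token' => $token, 'at' => time()];
        return $token;
    }

    // Hidden input to embed in the form; the value is HTML-escaped.
    public static function field(string $form): string
    {
        return '<input type="hidden" name="csrf_token" value="'
            . htmlspecialchars(self::issue($form), ENT_QUOTES, 'UTF-8') . '">';
    }

    // Accept a submitted token only if one was issued for this form, it has
    // not expired, and it matches byte for byte. The stored copy is dropped
    // before comparing, so each token is usable exactly once.
    public static function check(string $form, $submitted): bool
    {
        $entry = $_SESSION[self::SESSION_KEY][$form] ?? null;
        unset($_SESSION[self::SESSION_KEY][$form]);
        if ($entry === null || !is_string($submitted)) {
            return false;
        }
        if (time() - $entry['at'] > self::TTL_SECONDS) {
            return false;
        }
        return hash_equals($entry['token'], $submitted);
    }
}

// Constructed walk-through with a plain array standing in for the session.
$_SESSION = [];
$token = CsrfTokens::issue('contact');
var_dump(CsrfTokens::check('contact', $token));       // genuine submission
var_dump(CsrfTokens::check('contact', $token));       // replay of a consumed token
var_dump(CsrfTokens::check('contact', 'x' . $token)); // forged token
var_dump(CsrfTokens::check('contact', null));         // field missing from the POST
```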

  2. What alternative is there to tables?

     

    Floating Divs? I prefer to use tables as they work in almost every browser.

     

    I have a lot of issues with floating divs; I'd switch to them, however, if Internet Explorer had never been invented.

     

    However...

     

    <html>
    <head>
      <title>My Website</title>
      <style type="text/css">
         .center, body, #container {
            text-align: left;
            margin-left: auto;
            margin-right: auto;
         }
         #container {
            width: 900px;
         }
         #sidebar {
            float: left;
            width: 150px;
         }
         #content {
            float: right;
            width: 750px;
         }
      </style>
    </head>
    <body>
      <!-- The #container rule only takes effect if the two columns are wrapped in it. -->
      <div id="container">
      <div id="sidebar">
         <a href="?go=home">Home</a><br /><br />
         <a href="?go=page-1">Page 1</a><br />
         <a href="?go=page-2">Page 2</a><br />
         <a href="?go=page-3">Page 3</a><br />
      </div>
      <div id="content">
      <?php
      // Only the fixed names listed in the switch are ever included.
      $default = "content/home.php";
      if (isset($_GET['go'])) {
         switch ($_GET['go']) {
            case "page-1": include("content/page1.php"); break;
            case "page-2": include("content/page2.php"); break;
            case "page-3": include("content/page3.php"); break;
            default: include($default);
         }
      } else { include($default); }
      ?>
      </div>
      </div>
    </body>
    </html>

  3. You could do something like this:

     

    <html>
    <head>
      <title>My Website</title>
    </head>
    <body>
      <table width="100%" border="0" cellpadding="2" cellspacing="3">
         <tr>
            <td id="sidebar">
               <a href="?go=home">Home</a><br /><br />
               <a href="?go=page-1">Page 1</a><br />
               <a href="?go=page-2">Page 2</a><br />
               <a href="?go=page-3">Page 3</a><br />
            </td>
            <td id="content">
            <?php
            $default = "content/home.php";
            if (isset($_GET['go'])) {
               switch ($_GET['go']) {
                  case "page-1": include("content/page1.php"); break;
                  case "page-2": include("content/page2.php"); break;
                  case "page-3": include("content/page3.php"); break;
                  default: include($default);
               }
            } else { include($default); }
            ?>
            </td>
         </tr>
      </table>
    </body>
    </html>

  4. Good call -- doing the searching within the MySQL query makes a lot more sense than the way I posted above.

     

    Thanks. Yeah, it will do; it saves you having to fetch all the records and preg_match them. :)

     

    When you have your results, if you want to highlight the criteria in the results you could do something like this:

     

    while ($row = @mysql_fetch_array($results, MYSQL_ASSOC))
    {
        // Escape both the stored value and the user's term before they reach the page.
        $field = htmlspecialchars($row['field_name']);
        $criteria = htmlspecialchars($_POST['search_criteria']);
        // Wrap each occurrence of the search term in a coloured tag.
        $field = str_replace($criteria, '<font color="#336699">' . $criteria . '</font>', $field);

        echo $field;
    }

  5. I've recently built a search function into my website.

     

    This works for me.

     

    $criteria = strtoupper($_POST['search_criteria']);

    $sql = "SELECT * FROM `tbl_name` WHERE UPPER(`field_name`) LIKE '%" . mysql_real_escape_string($criteria) . "%'";

     

    I've converted the search criteria and table field values to uppercase to make the query case insensitive.
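An added example (not jmb272's code) that covers both the search above and the highlighting from the earlier post: the same case-insensitive LIKE search as a prepared statement, with the user's % and _ made literal, and the hits highlighted without row data or the search term injecting HTML. It uses an in-memory SQLite table with constructed rows so it runs offline; the table and column names are hypothetical.

```php
<?php
// Added example, not jmb272's code: the case-insensitive LIKE search done
// with a prepared statement, wildcards in the user's term made literal, and
// the hits highlighted without letting row data or the term inject HTML.
// Uses an in-memory SQLite table with constructed rows so it runs offline;
// the table and column names are hypothetical.
function searchRows(PDO $db, string $criteria): array
{
    // Escape LIKE wildcards with '!' and wrap in % so the term may appear anywhere.
    $pattern = '%' . strtr($criteria, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $db->prepare(
        "SELECT field_name FROM tbl_name
         WHERE UPPER(field_name) LIKE UPPER(:p) ESCAPE '!'"
    );
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Wrap every case-insensitive occurrence of the term; the row text is
// HTML-escaped first so stored markup is displayed, not rendered.
function highlight(string $field, string $criteria): string
{
    $safe = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    $needle = preg_quote(htmlspecialchars($criteria, ENT_QUOTES, 'UTF-8'), '/');
    return preg_replace('/' . $needle . '/i', '<span class="hit">$0</span>', $safe);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_name (field_name TEXT)');
$insert = $db->prepare('INSERT INTO tbl_name VALUES (?)');
foreach (['PHP Freaks forum', 'php frameworks', '100% <b>pure</b> php', 'Perl'] as $row) {
    $insert->execute([$row]);
}
foreach (searchRows($db, 'php') as $field) {       // matches regardless of case
    echo highlight($field, 'php'), "\n";
}
foreach (searchRows($db, '100%') as $field) {      // only the row with a literal %
    echo highlight($field, '100%'), "\n";
}
```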

  6. Hello,

     

    I have a table with fields date, day, and some data for each day.

    I want to display the data on a weekly basis (i.e. from Monday to Friday) along with options for next week and previous week.

     

    Could someone help me with this?

     

    Why not get a twitter account and build/download a script to display your latest tweets?

  7. I'd recommend using Notepad++, it just makes things easier.

    Also, when you save a file in Notepad, you're better off typing "name.html", including the quotes.

    If you install Notepad++, you can simply right-click on your HTML file and select "Edit with Notepad++".

     

    Alternatively, open Notepad and drag your HTML file icon into the window to open it.

    JustHost isn't bad. It's better than other web hosts I've used, such as Streamline and 1&1 Internet.

    You get free advertisement credit for Google, Yahoo & Bidvertiser.

     

    My package has unlimited/unmetered bandwidth & space and is about £6-7 per month.

  9. Anyone else heard about the new .co TLD being released on 20th July?

     

    Already pre-ordered one, going to get some more tomorrow. £20 a pop, but it's worth it.

     

    The cheapest pre-ordering price I've found so far is Heart Internet, which is £20; others like 123-reg charge £30.

     

    So if you're interested in pre-ordering one, I'd go with Heart Internet on price unless you can find a better deal.

  10. Like many others, I despise IE. However, I don't dismiss it when building a site.

    If I add something to a web page that works in Firefox, Chrome, Opera & Safari but I can't get it to work in IE, I take it out.

    Compatibility is my number 1 priority.
