From: <tim...@us...> - 2010-09-30 16:21:49
Revision: 4058
http://web-erp.svn.sourceforge.net/web-erp/?rev=4058&view=rev
Author: tim_schofield
Date: 2010-09-30 16:21:43 +0000 (Thu, 30 Sep 2010)
Log Message:
-----------
Add form verification to prevent form spoofing
Modified Paths:
--------------
trunk/Z_Upgrade_3.10-3.11.php
trunk/Z_UploadForm.php
Modified: trunk/Z_Upgrade_3.10-3.11.php
===================================================================
--- trunk/Z_Upgrade_3.10-3.11.php 2010-09-30 16:21:32 UTC (rev 4057)
+++ trunk/Z_Upgrade_3.10-3.11.php 2010-09-30 16:21:43 UTC (rev 4058)
@@ -10,6 +10,7 @@
 prnMsg(_('This script will run perform any modifications to the database since v 3.10 required to allow the additional functionality in version 3.11 scripts'),'info');
 echo "<p><form method='post' action='" . $_SERVER['PHP_SELF'] . '?' . SID . "'>";
+ echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 echo '<div class="centre"?><input type=submit name=DoUpgrade VALUE="' . _('Perform Upgrade') . '"></div>';
 echo '</form>';
 }
@@ -19,7 +20,7 @@
 echo '<br>';
 prnMsg(_('If there are any failures then please check with your system administrator'). '. '._('Please read all notes carefully to ensure they are expected'),'info');
-
+
 $SQLScriptFile = file('./sql/mysql/upgrade3.10-3.11.sql');
 $ScriptFileEntries = sizeof($SQLScriptFile);
@@ -88,7 +89,7 @@
 } //end if its a valid sql line not a comment
 } //end of for loop around the lines of the sql script
 echo '</table>';
-
+
 /*Now run the data conversions required. */
 } /*Dont do upgrade */
Modified: trunk/Z_UploadForm.php
===================================================================
--- trunk/Z_UploadForm.php 2010-09-30 16:21:32 UTC (rev 4057)
+++ trunk/Z_UploadForm.php 2010-09-30 16:21:43 UTC (rev 4058)
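Review bot: The hidden FormID field added after the `<form>` line is only the emitting half of the check the commit title describes, and the verifying half is not visible anywhere in this commit: the form posts to PHP_SELF, yet the other two hunks in this file are whitespace-only and contain no comparison of `$_POST['FormID']` with `$_SESSION['FormID']`, and the same holds for the Z_UploadForm.php hunk, whose action target Z_UploadResult.php is not in the Modified Paths. Presumably the comparison lives in a shared include loaded by every script; a comment at the point of emission such as `// FormID is compared with $_SESSION['FormID'] on POST in <shared include - name it>` would make that traceable for the next reader. The token is also written into the value attribute unescaped; even if it is always server-generated, emitting it through `htmlspecialchars($_SESSION['FormID'])` keeps the markup well-formed should the generator ever change. The enclosing block starts before this hunk.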
@@ -9,8 +9,10 @@
 include('includes/header.inc');
-echo "<form ENCtype='multipart/form-data' action='Z_UploadResult.php' method=post>
- <input type='hidden' name='MAX_FILE_SIZE' value='1000000'>" .
+echo "<form ENCtype='multipart/form-data' action='Z_UploadResult.php' method=post>";
+ echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
+
+echo "<input type='hidden' name='MAX_FILE_SIZE' value='1000000'>" .
 _('Send this file') . ": <input name='userfile' type='file'> <input type='submit' VALUE='" . _('Send File') . "'> </form>";
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
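Review bot: The new FormID `echo` appears to carry a leading indent while the `echo` statements immediately before and after it start at column 0, and it flips the quoting convention of its neighbours (a single-quoted PHP string holding double-quoted HTML attributes, between double-quoted PHP strings holding single-quoted attributes); the identical line is inserted in the Z_Upgrade_3.10-3.11.php hunk. Writing it as `echo "<input type='hidden' name='FormID' value='" . $_SESSION['FormID'] . "' />";` and dropping the added blank `+` line between it and the MAX_FILE_SIZE field would keep the three statements that build this one form uniform. The head of Z_UploadForm.php lies outside the hunk.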