From: <tim...@us...> - 2010-09-30 16:22:31
Revision: 4061 http://web-erp.svn.sourceforge.net/web-erp/?rev=4061&view=rev Author: tim_schofield Date: 2010-09-30 16:22:24 +0000 (Thu, 30 Sep 2010) Log Message: ----------- Add form verification to prevent form spoofing Modified Paths: -------------- trunk/install/index.php trunk/reportwriter/admin/forms/ReportsCritSetup.html trunk/reportwriter/admin/forms/ReportsDBSetup.html trunk/reportwriter/admin/forms/ReportsFieldSetup.html trunk/reportwriter/admin/forms/ReportsHome.html Modified: trunk/install/index.php =================================================================== --- trunk/install/index.php 2010-09-30 16:22:09 UTC (rev 4060) +++ trunk/install/index.php 2010-09-30 16:22:24 UTC (rev 4061) @@ -53,11 +53,11 @@ if(type == 'demo') { document.getElementById('db_file_demo').checked = true; document.getElementById('db_file_new').checked = false; - + } else if(type == 'new') { document.getElementById('db_file_demo').checked = false; document.getElementById('db_file_new').checked = true; - + } } @@ -75,6 +75,7 @@ </table> <form name="weberp_installation_wizard" action="save.php" method="post" enctype="multipart/form-data"> +<input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input type="hidden" name="url" value="" /> <input type="hidden" name="password_fieldname" value="admin_password" /> <input type="hidden" name="remember" id="remember" value="true" /> 
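Review bot: Nothing in this change actually verifies the token: the hidden `FormID` in the `weberp_installation_wizard` form is written with a bare `echo $_SESSION['FormID']`, but every modified path is a template, so the comparison against `$_POST['FormID']` in save.php is either elsewhere in the tree or still missing. For the field to stop form spoofing the value has to be unpredictable (generated per session from a cryptographic random source such as `openssl_random_pseudo_bytes`, not a fixed string) and compared strictly on the server, `if (!isset($_POST['FormID']) || $_POST['FormID'] !== $_SESSION['FormID']) { /* reject */ }`, otherwise an unset session key and an omitted POST field compare equal under `==`. The installer runs before any login, so also confirm `session_start()` has executed and `$_SESSION['FormID']` is populated before this template renders; an unset key emits a notice and an empty token. I would escape the value defensively as well: `value="<?php echo htmlspecialchars($_SESSION['FormID'], ENT_QUOTES); ?>"`. The surrounding `<form>` closes outside this hunk.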
@@ -135,19 +136,19 @@ </tr> <tr> <td style="color: #666666;">Configuration file</td> - <td><?php if(is_writable($path_to_root)) { - echo '<font class="good">Writeable</font>'; - } else { - echo '<font class="bad">Unwriteable</font>'; + <td><?php if(is_writable($path_to_root)) { + echo '<font class="good">Writeable</font>'; + } else { + echo '<font class="bad">Unwriteable</font>'; } ?> </td> <td style="color: #666666;"><?php echo 'Company data dirs ('. $comp_path. '/*)'; ?> </td> - <td><?php if(is_writable($comp_path)) { - echo '<font class="good">Writeable</font>'; - } else { - echo '<font class="bad">Unwriteable</font>'; - } + <td><?php if(is_writable($comp_path)) { + echo '<font class="good">Writeable</font>'; + } else { + echo '<font class="bad">Unwriteable</font>'; + } ?> </td> </tr> @@ -186,11 +187,11 @@ <font style="cursor: pointer;" onclick="javascript: change_os('windows');">Windows</font> </td> <td> - <div name="file_perms_box" id="file_perms_box" style="margin: 0; padding: 0; display: <?php if(isset($_SESSION['operating_system']) AND $_SESSION['operating_system'] == 'windows') { - echo 'none'; - } else { - echo 'block'; - } + <div name="file_perms_box" id="file_perms_box" style="margin: 0; padding: 0; display: <?php if(isset($_SESSION['operating_system']) AND $_SESSION['operating_system'] == 'windows') { + echo 'none'; + } else { + echo 'block'; + } ?> ;"> <input type="checkbox" tabindex="42" name="world_writeable" id="world_writeable" value="true"<?php if(isset($_SESSION['world_writeable']) AND $_SESSION['world_writeable'] == true) { echo 'checked'; } ?> /> 
@@ -211,18 +212,18 @@ <td width="120" style="color: #666666;">Host Name:</td> <td width="230"> <input type="text" tabindex="43" name="database_host" style="width: 98%;" value="<?php if(isset($_SESSION['database_host'])) { - echo $_SESSION['database_host']; - } else { - echo 'localhost'; + echo $_SESSION['database_host']; + } else { + echo 'localhost'; } ?>" /> </td> <td width="7"> </td> <td width="70" style="color: #666666;">Username:</td> <td> - <input type="text" tabindex="44" name="database_username" style="width: 98%;" value="<?php if(isset($_SESSION['database_username'])) { - echo $_SESSION['database_username']; - } else { - echo 'root'; + <input type="text" tabindex="44" name="database_username" style="width: 98%;" value="<?php if(isset($_SESSION['database_username'])) { + echo $_SESSION['database_username']; + } else { + echo 'root'; } ?>" /> </td> </tr> @@ -233,18 +234,18 @@ <td> </td> <td style="color: #666666;">Password:</td> <td> - <input type="password" tabindex="45" name="database_password" style="width: 98%;"<?php if(isset($_SESSION['database_password'])) { - echo ' value = "'.$_SESSION['database_password'].'"'; + <input type="password" tabindex="45" name="database_password" style="width: 98%;"<?php if(isset($_SESSION['database_password'])) { + echo ' value = "'.$_SESSION['database_password'].'"'; } ?> /> </td> </tr> <tr> - + <td colspan="2"> - <input type="checkbox" tabindex="46" name="install_tables" id="install_tables" value="true"<?php if(!isset($_SESSION['install_tables'])) { - echo ' checked'; - } elseif($_SESSION['install_tables'] == 'true') { - echo ' checked'; + <input type="checkbox" tabindex="46" name="install_tables" id="install_tables" value="true"<?php if(!isset($_SESSION['install_tables'])) { + echo ' checked'; + } elseif($_SESSION['install_tables'] == 'true') { + echo ' checked'; } ?> /> <label for="install_tables" style="color: #666666;">Install Tables</label> <br /> 
@@ -264,7 +265,7 @@ <td width="170"> Install the test company : </td> - + <td width="180"> <input type="checkbox" tabindex="51" name="DemoData" id="db_file_demo" value="demo"<?php if(!isset($_SESSION['db_file']) OR $_SESSION['db_file'] == 'demo') { echo ' checked'; } ?> /> <font style="cursor: pointer;" onclick="javascript: change_data('demo');">weberpdemo company</font> @@ -274,13 +275,13 @@ <td width="170"> Time Zone </td> - + <td width="180"> <SELECT name='timezone' tabindex="52"> <?php include('timezone.php'); ?> - + </SELECT> </td> </tr> @@ -288,7 +289,7 @@ <td width="170"> Logo Image File (.jpg) </td> - + <td width="180"> <input type="hidden" name="MAX_FILE_SIZE" <?php echo "value=\"" . $_SESSION['MaxLogoSize'] . "\"" ?> /> <input type="FILE" size="50" ID="LogoFile" name="LogoFile" tabindex="53"> Modified: trunk/reportwriter/admin/forms/ReportsCritSetup.html =================================================================== --- trunk/reportwriter/admin/forms/ReportsCritSetup.html 2010-09-30 16:22:09 UTC (rev 4060) +++ trunk/reportwriter/admin/forms/ReportsCritSetup.html 2010-09-30 16:22:24 UTC (rev 4061) @@ -1,5 +1,6 @@ <h2 align="center"><?php echo $FormParams['heading'].$reportname.' - '.RPT_BTN_CRIT; ?></h2> <form name="CritFieldForm" method="post" action="ReportCreator.php?action=step7"> + <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input name="ReportID" type="hidden" value="<?php echo $ReportID; ?>"> <input name="Type" type="hidden" value="<?php echo $Type; ?>"> <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>"> 
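Review bot: The `ReportID`, `Type` and `ReportName` hidden inputs in the first `CritFieldForm` echo `$ReportID`, `$Type` and `$reportname` straight into attribute values without `htmlspecialchars()`, and the new `FormID` line does the same with `$_SESSION['FormID']`; `$reportname` is presumably user-entered report metadata, so a `"` in it breaks out of the attribute and injects markup into this admin page. Each echo should be wrapped, e.g. `<input name="ReportName" type="hidden" value="<?php echo htmlspecialchars($reportname, ENT_QUOTES); ?>">`, and the same applies to every copy of these inputs repeated in the per-row forms further down ReportsCritSetup.html. The form's `</form>` lies outside the hunk.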
@@ -92,6 +93,7 @@ <td> </td> </tr> <tr><form name="CritFieldForm" method="post" action="ReportCreator.php?action=step7"> + <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input name="ReportID" type="hidden" value="<?php echo $ReportID ?>"> <input name="Type" type="hidden" value="<?php echo $Type; ?>"> <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>"> @@ -120,10 +122,11 @@ </tr> <?php if (!$GroupListings['lists']) { echo '<tr><td align="center" colspan="7">'.RPT_NOFIELD.'</td></tr>'; - } else { + } else { foreach ($GroupListings['lists'] as $FieldDetails) { ?> <tr> <form name="CritFieldForm" method="post" action="ReportCreator.php?action=step7"> + <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input name="ReportID" type="hidden" value="<?php echo $ReportID ?>"> <input name="Type" type="hidden" value="<?php echo $Type; ?>"> <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>"> 
@@ -138,14 +141,14 @@ <?php if ($FieldDetails['params']=='1') $selected=' checked'; else $selected=''; ?> <td align = "center"><input disabled type="checkbox"<?php echo $selected; ?>></td> <td> - <INPUT type=image name="up" value="up" src="../images/upicon.png" border="0"> - <INPUT type=image name="dn" value="down" src="../images/downicon.png" border="0"> - <INPUT type=image name="ed" value="edit" src="../images/editicon.png" border="0"> - <INPUT type=image name="rm" value="delete" src="../images/delicon.png" border="0" onClick="return confirm('Delete this field?')"> + <INPUT type=image name="up" value="up" src="../images/upicon.png" border="0"> + <INPUT type=image name="dn" value="down" src="../images/downicon.png" border="0"> + <INPUT type=image name="ed" value="edit" src="../images/editicon.png" border="0"> + <INPUT type=image name="rm" value="delete" src="../images/delicon.png" border="0" onClick="return confirm('Delete this field?')"> </td> </form> </tr> - <?php } // end foreach + <?php } // end foreach } // end else ?> <tr bgcolor="#CCCCCC"> <td colspan="5"><div align="center"><?php echo RPT_SORTLIST; ?></div></td> @@ -159,6 +162,7 @@ </tr> <tr> <form name="CritFieldForm" method="post" action="ReportCreator.php?action=step7"> + <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input name="ReportID" type="hidden" value="<?php echo $ReportID ?>"> <input name="Type" type="hidden" value="<?php echo $Type; ?>"> <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>"> 
@@ -187,10 +191,11 @@ </tr> <?php if (!$SortListings['lists']) { echo '<tr><td align="center" colspan="7">'.RPT_NOFIELD.'</td></tr>'; - } else { + } else { foreach ($SortListings['lists'] as $FieldDetails) { ?> <tr> <form name="CritFieldForm" method="post" action="ReportCreator.php?action=step7"> + <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input name="ReportID" type="hidden" value="<?php echo $ReportID ?>"> <input name="Type" type="hidden" value="<?php echo $Type; ?>"> <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>"> @@ -205,15 +210,15 @@ <?php if ($FieldDetails['params']=='1') $selected=' checked'; else $selected=''; ?> <td align = "center"><input disabled type="checkbox"<?php echo $selected; ?>></td> <td> - <INPUT type=image name="up" value="up" src="../images/upicon.png" border="0"> - <INPUT type=image name="dn" value="down" src="../images/downicon.png" border="0"> - <INPUT type=image name="ed" value="edit" src="../images/editicon.png" border="0"> - <INPUT type=image name="rm" value="delete" src="../images/delicon.png" border="0" onClick="return confirm('Delete this field?')"> + <INPUT type=image name="up" value="up" src="../images/upicon.png" border="0"> + <INPUT type=image name="dn" value="down" src="../images/downicon.png" border="0"> + <INPUT type=image name="ed" value="edit" src="../images/editicon.png" border="0"> + <INPUT type=image name="rm" value="delete" src="../images/delicon.png" border="0" onClick="return confirm('Delete this field?')"> </td> </form> </tr> - <?php } // end foreach - } // end else + <?php } // end foreach + } // end else } // end if ($Type<>'frm') ?> <tr bgcolor="#CCCCCC"> <td colspan="5"><div align="center"><?php echo RPT_BTN_CRIT; ?></div></td> 
@@ -227,6 +232,7 @@ </tr> <tr> <form name="CritFieldForm" method="post" action="ReportCreator.php?action=step7"> + <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input name="ReportID" type="hidden" value="<?php echo $ReportID ?>"> <input name="Type" type="hidden" value="<?php echo $Type; ?>"> <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>"> @@ -260,10 +266,11 @@ </tr> <?php if (!$CritListings['lists']) { echo '<tr><td align="center" colspan="7">'.RPT_NOFIELD.'</td></tr>'; - } else { + } else { foreach ($CritListings['lists'] as $FieldDetails) { ?> <tr> <form name="CritFieldForm" method="post" action="ReportCreator.php?action=step7"> + <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" /> <input name="ReportID" type="hidden" value="<?php echo $ReportID ?>"> <input name="Type" type="hidden" value="<?php echo $Type; ?>"> <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>"> 
@@ -277,13 +284,13 @@ <td><?php echo $FieldDetails['displaydesc']; ?></td> <td align = "center"><?php echo substr($CritChoices[$FieldDetails['params']],2); ?></td> <td> - <INPUT type=image name="up" value="up" src="../images/upicon.png" border="0"> - <INPUT type=image name="dn" value="down" src="../images/downicon.png" border="0"> - <INPUT type=image name="ed" value="edit" src="../images/editicon.png" border="0"> - <INPUT type=image name="rm" value="delete" src="../images/delicon.png" border="0" onClick="return confirm('Delete this field?')"> + <INPUT type=image name="up" value="up" src="../images/upicon.png" border="0"> + <INPUT type=image name="dn" value="down" src="../images/downicon.png" border="0"> + <INPUT type=image name="ed" value="edit" src="../images/editicon.png" border="0"> + <INPUT type=image name="rm" value="delete" src="../images/delicon.png" border="0" onClick="return confirm('Delete this field?')"> </td> </form> </tr> -<?php } // end foreach +<?php } // end foreach } // end else ?> </table> Modified: trunk/reportwriter/admin/forms/ReportsDBSetup.html =================================================================== --- trunk/reportwriter/admin/forms/ReportsDBSetup.html 2010-09-30 16:22:09 UTC (rev 4060) +++ trunk/reportwriter/admin/forms/ReportsDBSetup.html 2010-09-30 16:22:24 UTC (rev 4061) 
@@ -1,5 +1,6 @@
 <h2 align="center"><?php echo $FormParams['heading'].$myrow['reportname'].' - '.RPT_BTN_DB; ?></h2>
 <form name="DBPageSetup" method="post" action="ReportCreator.php?action=step5">
+ <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" />
 <input name="ReportID" type="hidden" value="<?php echo $ReportID; ?>">
 <input name="Type" type="hidden" value="<?php echo $Type; ?>">
 <input name="ReportName" type="hidden" value="<?php echo $myrow['reportname']; ?>">
Modified: trunk/reportwriter/admin/forms/ReportsFieldSetup.html
===================================================================
--- trunk/reportwriter/admin/forms/ReportsFieldSetup.html 2010-09-30 16:22:09 UTC (rev 4060)
+++ trunk/reportwriter/admin/forms/ReportsFieldSetup.html 2010-09-30 16:22:24 UTC (rev 4061)
@@ -72,6 +72,7 @@
 <h2 align="center"><?php echo $FormParams['heading'].$reportname.' - '.RPT_BTN_FLDSETUP; ?></h2>
 <table align="center" width="550" border="0" cellspacing="1" cellpadding="1">
 <form name="RptFieldForm" method="post" action="ReportCreator.php?action=step6">
+ <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" />
 <input name="ReportID" type="hidden" value="<?php echo $ReportID; ?>">
 <input name="Type" type="hidden" value="<?php echo $Type; ?>">
 <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>">
@@ -96,6 +97,7 @@
 </tr>
 <tr>
 <form name="RptFieldForm1" method="post" action="ReportCreator.php?action=step6">
+ <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" />
 <input name="ReportID" type="hidden" value="<?php echo $ReportID ?>">
 <input name="Type" type="hidden" value="<?php echo $Type; ?>">
 <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>">
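Review bot: In the `DBPageSetup` form `$myrow['reportname']` is read from a database row and written into the `ReportName` hidden value unescaped, so a stored report name containing `"` or `>` corrupts the form and can inject markup into the page; the same value is also echoed raw in the `<h2>`, and `$ReportID`, `$Type` and the new `$_SESSION['FormID']` are emitted the same way. Wrap each one: `<input name="ReportName" type="hidden" value="<?php echo htmlspecialchars($myrow['reportname'], ENT_QUOTES); ?>">`. The two `RptFieldForm` hunks in ReportsFieldSetup.html on this line repeat the identical pattern with `$reportname` and need the same treatment. The `</form>` of each form is outside the hunk.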
@@ -162,6 +164,7 @@
 } else {
 foreach ($FieldListings['lists'] as $FieldDetails) { ?>
 <tr><form name="RptFieldForm" method="post" action="ReportCreator.php?action=step6">
+ <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" />
 <input name="ReportID" type="hidden" value="<?php echo $ReportID; ?>">
 <input name="Type" type="hidden" value="<?php echo $Type; ?>">
 <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>">
@@ -201,6 +204,7 @@
 </table>
 <table align="center" width="550" border="0" cellspacing="1" cellpadding="1">
 <form name="RptFieldForm" method="post" action="ReportCreator.php?action=step6">
+ <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" />
 <input name="ReportID" type="hidden" value="<?php echo $ReportID; ?>">
 <input name="Type" type="hidden" value="<?php echo $Type; ?>">
 <input name="ReportName" type="hidden" value="<?php echo $reportname; ?>">
Modified: trunk/reportwriter/admin/forms/ReportsHome.html
===================================================================
--- trunk/reportwriter/admin/forms/ReportsHome.html 2010-09-30 16:22:09 UTC (rev 4060)
+++ trunk/reportwriter/admin/forms/ReportsHome.html 2010-09-30 16:22:24 UTC (rev 4061)
@@ -1,5 +1,6 @@
 <h2 align="center"><?php echo $FormParams['heading']; ?></h2>
 <form name="reporthome" method="post" action="ReportCreator.php?action=step2">
+ <input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>" />
 <table align="center" border="0" cellspacing="0" cellpadding="0">
 <tr>
 <td>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
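Review bot: The new `FormID` input in the `reporthome` form is written in XHTML style (`... ?>" />`) while every other hidden input in these templates is plain HTML (`... ?>">`), so the file now mixes two conventions on adjacent lines; I would drop the `/>` to match, `<input type="hidden" name="FormID" value="<?php echo $_SESSION['FormID']; ?>">`, or convert the neighbours in one pass. As with the other forms, the token value itself is echoed unescaped; `htmlspecialchars($_SESSION['FormID'], ENT_QUOTES)` costs nothing and keeps the attribute intact whatever the generator produces. The form's `</form>` is outside the hunk.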