PHP CSRF::check方法代码示例

 /**
  * Grab post data, but only if the CSRF token is valid
  *
  * @param InputFilterContainer $filterContainer - Type filter for POST data
  * @param bool $ignoreCSRFToken - Don't validate CSRF tokens
  *
  * @return array|bool
  * @throws SecurityAlert
  */
 protected function post(InputFilterContainer $filterContainer = null, bool $ignoreCSRFToken = false)
 {
     if ($this->airship_http_method !== 'POST' || empty($_POST)) {
         return false;
     }
     if ($ignoreCSRFToken) {
         if ($filterContainer) {
             try {
                 return $filterContainer($_POST);
             } catch (\TypeError $ex) {
                 $this->log('Input validation threw a TypeError', LogLevel::ALERT, \Airship\throwableToArray($ex));
                 return false;
             }
         }
         return $_POST;
     }
     if ($this->airship_csrf->check()) {
         if ($filterContainer) {
             try {
                 return $filterContainer($_POST);
             } catch (\TypeError $ex) {
                 $this->log('Input validation threw a TypeError', LogLevel::ALERT, \Airship\throwableToArray($ex));
                 return false;
             }
         }
         return $_POST;
     }
     $state = State::instance();
     if ($state->universal['debug']) {
         // This is only thrown during development, to be noisy.
         throw new SecurityAlert(\__('CSRF validation failed'));
     }
     $this->log('CSRF validation failed', LogLevel::ALERT);
     return false;
 }

 public function before()
 {
     parent::before();
     if (!CSRF::check()) {
         throw new ApplicationException("Cross site request forgery.", 403);
     }
     // Set base title
     $this->template->title = array('Hacker Tees');
     $this->template->section = NULL;
 }

<div class="contents">
  <h1>Indi</h1>
  <p>Make a standalone Lobby app.</p>
  <h2>Config</h2>
  <?php 
$appID = Request::postParam("appID");
if ($appID !== null && CSRF::check()) {
    if ($appID === "") {
        $this->removeData("appID");
    } else {
        $this->saveData("appID", $appID);
    }
    echo sss("Saved", "Settings has been saved.");
}
$appID = $this->getData("appID");
?>
  <form action="<?php 
echo Lobby::u("/admin/app/indi");
?>
" method="POST">
    <label>
      <span>App ID</span>
      <select name="appID">
        <option value="">Choose App:</option>
        <?php 
foreach (Lobby\Apps::getEnabledApps() as $app) {
    echo "<option value='{$app}' " . ($appID === $app ? "selected='selected'" : "") . ">{$app}</option>";
}
?>
      </select>
    </label>

    $some_name = session_name("JBIMSAdmission");
    session_start();
}
include dirname(__FILE__) . '/config/config.php';
include dirname(__FILE__) . '/config/functions.php';
$language = array('en' => 'en', 'pt' => 'pt');
if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) {
    include dirname(__FILE__) . '/language/' . $language[$_GET['lang']] . '.php';
} else {
    include dirname(__FILE__) . '/language/en.php';
}
$useremail = strip_tags(trim($_POST["useremail"]));
$verification = strip_tags(trim($_POST["captcha"]));
$finaluseremail = htmlspecialchars($useremail, ENT_QUOTES, 'UTF-8');
$finalverification = htmlspecialchars($verification, ENT_QUOTES, 'UTF-8');
if (!CSRF::check('resend-form')) {
    echo $lang['resend_activation_token_wrong_security_token'];
} else {
    $datetime = date("Y-m-d H:i:s");
    $searchblock = mysql_query("SELECT login_system_email_activation_status, login_system_email_activation_attempts, login_system_email_activation_blocked_time FROM " . $mysqltable_name_4 . " WHERE login_system_email_activation_useremail = '" . mysql_real_escape_string($finaluseremail) . "'");
    $resultblock = mysql_num_rows($searchblock);
    $blockResult = mysql_fetch_array($searchblock);
    if ($SMTP == true) {
        if ($mysql == true) {
            if ($blockResult['login_system_email_activation_status'] == 0) {
                if ($datetime > $blockResult['login_system_email_activation_blocked_time']) {
                    $search = mysql_query("SELECT * FROM " . $mysqltable_name_4 . " WHERE login_system_email_activation_useremail = '" . mysql_real_escape_string($finaluseremail) . "'");
                    $result = mysql_num_rows($search);
                    $searchuser = mysql_query("SELECT f_name, l_name, application_id FROM " . $mysqltable_name_1 . " WHERE email_id = '" . mysql_real_escape_string($finaluseremail) . "'");
                    $resultusercount = mysql_num_rows($searchuser);
                    $resultuser = mysql_fetch_array($searchuser);

<?php

require "../../../../load.php";
$file = \Request::postParam('cx74e9c6a45', '');
$appID = \Request::postParam('s7c8csw91', '');
if ($file != "" && CSRF::check()) {
    if ($appID !== "") {
        $App = new \Lobby\Apps($appID);
        if ($App->exists && $App->enabled) {
            $AppClass = $App->run();
            $html = $AppClass->page("/ajax/{$file}");
            if ($html === "auto") {
                $html = $AppClass->inc("/src/ajax/{$file}");
            }
            echo $html;
        }
    } else {
        if (\Lobby\FS::exists($file)) {
            require_once \Lobby\FS::loc($file);
        } else {
            echo "fileNotFound";
        }
    }
}

include '../csrf_protection/csrf-class.php';
if (!isset($_SESSION)) {
    $some_name = session_name("VedicaAdmission");
    session_start();
}
include '../config/config.php';
include '../config/functions.php';
$language = array('en' => 'en', 'pt' => 'pt');
if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) {
    include '../language/' . $language[$_GET['lang']] . '.php';
} else {
    include '../language/en.php';
}
$update_username = strip_tags(trim_awesome($_POST["update_username"]));
$update_finalusername = htmlspecialchars($update_username, ENT_QUOTES, 'UTF-8');
if (!CSRF::check('update-username-form')) {
    echo $lang['update_username_wrong_security_token'];
} else {
    $usersearch = mysql_query("SELECT * FROM " . $admission_users . " WHERE application_id = " . mysql_real_escape_string_awesome($update_finalusername) . "");
    $userresult = mysql_num_rows($usersearch);
    $userquery = mysql_fetch_array($usersearch);
    if ($userquery && $userquery['login_system_registrations_user_id'] != $_SESSION['userLogin']) {
        echo $lang['update_username_already_taken'];
    } else {
        $update1 = "UPDATE " . $admission_users . " SET application_id = " . mysql_real_escape_string_awesome($update_finalusername) . " WHERE login_system_registrations_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
        $updatequery1 = mysql_query($update1);
        $update2 = "UPDATE " . $mysqltable_name_2 . " SET login_system_login_attempts_username = " . mysql_real_escape_string_awesome($update_finalusername) . " WHERE login_system_login_attempts_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
        $updatequery2 = mysql_query($update2);
        $update3 = "UPDATE " . $mysqltable_name_3 . " SET login_system_forgot_password_username = " . mysql_real_escape_string_awesome($update_finalusername) . " WHERE login_system_forgot_password_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
        $updatequery3 = mysql_query($update3);
        $update4 = "UPDATE " . $mysqltable_name_4 . " SET login_system_email_activation_username = " . mysql_real_escape_string_awesome($update_finalusername) . " WHERE login_system_email_activation_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";

<?php

$this->setTitle("New App");
?>
<div class="contents">
  <h1>Add App</h1>
  <?php 
$app_info = array("id" => \Request::get("app_id"), "name" => \Request::get("app_name"), "git_url" => \Request::get("app_download"), "requires" => \Request::get("app_requires"), "short_description" => \Request::get("app_short_description"), "description" => \Request::get("app_description"), "category" => \Request::get("app_category"), "sub_category" => \Request::get("app_sub_category"), "version" => \Request::get("app_version"), "page" => \Request::get("app_page"), "author_id" => \Request::get("author_id"));
if (isset($_POST['app_id']) && array_search(null, $app_info) === false && CSRF::check()) {
    $apps_sql = \Lobby\DB::getDBH()->prepare("SELECT COUNT(1) FROM `apps` WHERE `id` = ?");
    $apps_sql->execute(array($app_info['id']));
    if ($apps_sql->fetchColumn() != 0) {
        ser("App Exists", "Hmmm... Looks like the App ID you submitted already exists either on App Center Or in the App Queue. " . \Lobby::l("/apps/{$app_info['id']}", "See Existing App"));
    } else {
        $app_info["logo"] = isset($_POST["app_logo"]) ? "1" : "0";
        $lobby_web = isset($_POST['app_lobby_web']) ? 1 : 0;
        $sql = \Lobby\DB::getDBH()->prepare("INSERT INTO `apps` (`id`, `name`, `version`, `logo`, `requires`, `git_url`, `description`, `short_description`, `category`, `sub_category`, `app_page`, `author`, `lobby_web`, `updated`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW());");
        $sql->execute(array($app_info['id'], $app_info['name'], $app_info['version'], $app_info['logo'], $app_info['requires'], $app_info['git_url'], $app_info['description'], $app_info['short_description'], $app_info['category'], $app_info['sub_category'], $app_info['page'], $app_info['author_id'], $lobby_web));
        require_once __DIR__ . "/../../inc/LobbyGit.php";
        $LG = new LobbyGit($app_info["id"], $app_info["git_url"]);
        $LG->register();
        sss("App Added", "App was added to the repository");
    }
}
?>
  <form action="<?php 
echo \Lobby::u();
?>
" method="POST">
    <label>
      <span>App ID</span>

}
include dirname(__FILE__) . '/config/config.php';
include dirname(__FILE__) . '/config/functions.php';
$language = array('en' => 'en', 'pt' => 'pt');
if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) {
    include dirname(__FILE__) . '/language/' . $language[$_GET['lang']] . '.php';
} else {
    include dirname(__FILE__) . '/language/en.php';
}
$user_name = strip_tags(trim_awesome($_POST["username"]));
$password = strip_tags(trim_awesome($_POST["password"]));
$verification = strip_tags(trim_awesome($_POST["captcha"]));
$finalusername = htmlspecialchars($user_name, ENT_QUOTES, 'UTF-8');
$finalpassword = htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
$finalverification = htmlspecialchars($verification, ENT_QUOTES, 'UTF-8');
if (!CSRF::check('login-form')) {
    echo $lang['login_wrong_security_token'];
} else {
    $datetime = date("Y-m-d H:i:s");
    $userInfo = mysql_query("SELECT login_system_registrations_user_id, application_id, password, salt FROM " . $admission_users . " WHERE application_id = " . mysql_real_escape_string_awesome($finalusername) . "");
    $userQuery = mysql_num_rows($userInfo);
    $userSql = mysql_fetch_array($userInfo);
    $userstatus = mysql_query("SELECT login_system_email_activation_status FROM " . $mysqltable_name_4 . " WHERE login_system_email_activation_username = " . mysql_real_escape_string_awesome($finalusername) . "");
    $userselect = mysql_num_rows($userstatus);
    $userresult = mysql_fetch_array($userstatus);
    $infoUser = mysql_query("SELECT login_system_login_attempts_attempts, login_system_login_attempts_blocked_time FROM " . $mysqltable_name_2 . " WHERE login_system_login_attempts_username = " . mysql_real_escape_string_awesome($finalusername) . "");
    $queryUser = mysql_num_rows($infoUser);
    $sqlUser = mysql_fetch_array($infoUser);
    if ($userQuery == 1) {
        if ($userresult['login_system_email_activation_status'] == 1) {
            if ($datetime > $sqlUser['login_system_login_attempts_blocked_time']) {

include '../csrf_protection/csrf-class.php';
if (!isset($_SESSION)) {
    $some_name = session_name("VedicaAdmission");
    session_start();
}
include '../config/config.php';
include '../config/functions.php';
$language = array('en' => 'en', 'pt' => 'pt');
if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) {
    include '../language/' . $language[$_GET['lang']] . '.php';
} else {
    include '../language/en.php';
}
$update_email = strip_tags(trim_awesome($_POST["update_email"]));
$update_finalemail = htmlspecialchars($update_email, ENT_QUOTES, 'UTF-8');
if (!CSRF::check('update-email-form')) {
    echo $lang['update_email_wrong_security_token'];
} else {
    $emailsearch = mysql_query("SELECT * FROM " . $admission_users . " WHERE email_id = " . mysql_real_escape_string_awesome($update_finalemail) . "");
    $emailresult = mysql_num_rows($emailsearch);
    $emailquery = mysql_fetch_array($emailsearch);
    if ($emailquery && $emailquery['login_system_registrations_user_id'] != $_SESSION['userLogin']) {
        echo $lang['update_email_already_taken'];
    } else {
        $update1 = "UPDATE " . $admission_users . " SET email_id = " . mysql_real_escape_string_awesome($update_finalemail) . " WHERE login_system_registrations_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
        $updatequery1 = mysql_query($update1);
        $update2 = "UPDATE " . $mysqltable_name_3 . " SET login_system_forgot_password_useremail = " . mysql_real_escape_string_awesome($update_finalemail) . " WHERE login_system_forgot_password_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
        $updatequery2 = mysql_query($update2);
        $update3 = "UPDATE " . $mysqltable_name_4 . " SET login_system_email_activation_useremail = " . mysql_real_escape_string_awesome($update_finalemail) . " WHERE login_system_email_activation_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
        $updatequery3 = mysql_query($update3);
        if ($updatequery1 && $updatequery2 && $updatequery3) {

                echo sss("Removed", "The App <b>{$displayID}</b> was successfully removed.");
            } else {
                if ($action === "clear-data" && CSRF::check()) {
                    if ($App->clearData()) {
                        echo sss("Cleared Data", "The data of <b>{$displayID}</b> was successfully cleared from the database.");
                    }
                } else {
                    if ($appID != null && $action == null && CSRF::check()) {
                        ?>
          <h1>Install App</h1>
          <p>The install progress will be displayed below. If this doesn't work, try the <?php 
                        echo \Lobby::l("/admin/install-app.php?app={$appID}&do=alternate-install" . CSRF::getParam(), "alternate install");
                        ?>
.</p>
          <?php 
                        if (isset($_GET["do"]) && $_GET["do"] === "alternate-install" && CSRF::check()) {
                            ?>
            <iframe src="<?php 
                            echo L_URL . "/admin/download.php?type=app&app={$appID}" . CSRF::getParam();
                            ?>
" style="border: 0;width: 100%;height: 300px;"></iframe>
        <?php 
                        } else {
                            ?>
            <ul id="appInstallationProgress" class="collection"></ul>
            <script>
              lobby.load(function(){
                lobby.installApp("<?php 
                            echo $appID;
                            ?>
", $("#appInstallationProgress"));

<?php

require "../../../../load.php";
if (isset($_POST['key']) && isset($_POST['value']) && CSRF::check()) {
    $key = urldecode($_POST['key']);
    $val = urldecode($_POST['value']);
    if (!saveOption($key, $val)) {
        echo "bad";
    } else {
        echo "good";
    }
} else {
    echo "fieldsMissing";
}

header('Cache-Control: no-cache');
$appID = Request::get("app");
$type = Request::get("type");
$isUpdate = Request::get("isUpdate") !== null;
// Turn off output buffering
ini_set('output_buffering', 'off');
// Turn off PHP output compression
ini_set('zlib.output_compression', false);
//Flush (send) the output buffer and turn off output buffering
//ob_end_flush();
while (@ob_end_flush()) {
}
// Implicitly flush the buffer(s)
ini_set('implicit_flush', true);
ob_implicit_flush(true);
if (CSRF::check() === false) {
    exit;
}
if ($type == "app") {
    $app = \Lobby\Server::store(array("get" => "app", "id" => $appID));
    if ($app == "false") {
        echo "Error - App '<b>{$appID}</b>' does not exist in Lobby.";
        exit;
    }
    $name = $app['name'];
} else {
    $name = "Lobby {$appID}";
}
$GLOBALS['name'] = $name;
?>
<p>

    <?php 
\Hooks::doAction("admin.head.begin");
\Response::head("Change Settings");
?>
  </head>
  <body>
    <?php 
\Hooks::doAction("admin.body.begin");
?>
    <div id="workspace">
      <div class="contents">
        <?php 
if (isset($_GET['updated']) && CSRF::check()) {
    echo sss("Updated", "Lobby was successfully updated to Version <b>" . \Lobby::$version . "</b> from the old " . htmlspecialchars($_GET['oldver']) . " version.");
}
if (isset($_POST['update_settings']) && \CSRF::check()) {
    /**
     * Sadly, PHP supports GMT+ and not UTC+
     */
    $time_zone = $_POST['timezone'];
    if ($time_zone === "") {
        Lobby\DB::saveOption("lobby_timezone", "UTC");
        \Lobby\Time::loadConfig();
    } else {
        if (@date_default_timezone_set($time_zone)) {
            Lobby\DB::saveOption("lobby_timezone", $time_zone);
            \Lobby\Time::loadConfig();
        } else {
            echo ser("Invalid Timezone", "Your PHP server doesn't support the timezone " . htmlspecialchars($time_zone));
        }
    }

<?php

include '../csrf_protection/csrf-token.php';
include '../csrf_protection/csrf-class.php';
if (!isset($_SESSION)) {
    $some_name = session_name("VedicaAdmission");
    session_start();
}
include '../config/config.php';
include '../config/functions.php';
$language = array('en' => 'en', 'pt' => 'pt');
if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) {
    include '../language/' . $language[$_GET['lang']] . '.php';
} else {
    include '../language/en.php';
}
$update_firstname = strip_tags(trim_awesome($_POST["update_firstname"]));
$update_lastname = strip_tags(trim_awesome($_POST["update_lastname"]));
$update_finalfirstname = htmlspecialchars($update_firstname, ENT_QUOTES, 'UTF-8');
$update_finallastname = htmlspecialchars($update_lastname, ENT_QUOTES, 'UTF-8');
if (!CSRF::check('update-account-form')) {
    echo $lang['update_account_wrong_security_token'];
} else {
    $update1 = "UPDATE " . $admission_users . " SET f_name = " . mysql_real_escape_string_awesome($update_finalfirstname) . ", l_name = " . mysql_real_escape_string_awesome($update_finallastname) . " WHERE login_system_registrations_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
    $updatequery1 = mysql_query($update1);
    if ($updatequery1) {
        echo $lang['update_account_successful'];
    } else {
        echo $lang['update_account_unsuccessful'];
    }
}

                        /**
                         * Give warning when using SQLite on a web server
                         */
                        echo "<a class='btn red' href='?step=3&db_type=sqlite" . CSRF::getParam() . "'>SQLite</a><p style='color:red;'>WARNING<br/>It is very unsafe to use SQLite on a non localhost server</p>";
                    }
                } else {
                    echo "<a class='btn disabled'>SQLite Not Available</a><p>Lobby Requires SQLite version atleast 3.8</p>";
                }
                ?>
</td>
                </tr>
              </tbody>
            </table>
          <?php 
            } else {
                if ($install_step === "3" && CSRF::check()) {
                    $db_type = Request::get("db_type");
                    /**
                     * We call it again, so that the user had already went through the First Step
                     */
                    if (\Lobby\Install::step1() === false) {
                        // The stuff mentioned in step 1 hasn't been done
                    } else {
                        if (isset($_POST['submit'])) {
                            if ($db_type === "mysql") {
                                $dbhost = \Request::postParam('dbhost', "");
                                $dbport = \Request::postParam('dbport', "");
                                $dbname = \Request::postParam('dbname', "");
                                $username = \Request::postParam('dbusername', "");
                                $password = \Request::postParam('dbpassword', "");
                                $prefix = \Request::postParam('prefix', "");