Prevent CSRF
git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@76 7c3ca157-0c34-0410-bff1-cbf682f78f5c
This commit is contained in:
parent
f90c7d8f50
commit
505b79d82c
24
index.php
24
index.php
|
@ -13,23 +13,35 @@ include "./connect.inc.php";
|
|||
if (isset($_GET["dump"])) {
|
||||
include "./dump.inc.php";
|
||||
} else {
|
||||
if (isset($_GET["sql"])) {
|
||||
include "./sql.inc.php";
|
||||
} elseif (isset($_GET["table"])) {
|
||||
if (isset($_GET["table"])) {
|
||||
include "./table.inc.php";
|
||||
} elseif (isset($_GET["select"])) {
|
||||
include "./select.inc.php";
|
||||
} elseif (isset($_GET["view"])) {
|
||||
include "./view.inc.php";
|
||||
} else {
|
||||
$params = preg_replace('~.*\\?~', '', $_SERVER["REQUEST_URI"]);
|
||||
if ($_POST) {
|
||||
$error = (in_array($_POST["token"], (array) $_SESSION["tokens"][$params]) ? "" : lang('Invalid CSRF token.'));
|
||||
}
|
||||
if ($_POST && !$error) {
|
||||
$token = $_POST["token"];
|
||||
} else {
|
||||
$token = rand(1, 1e6);
|
||||
$_SESSION["tokens"][$params][] = $token;
|
||||
}
|
||||
if (isset($_GET["sql"])) {
|
||||
include "./sql.inc.php";
|
||||
} elseif (isset($_GET["edit"])) {
|
||||
include "./edit.inc.php";
|
||||
} elseif (isset($_GET["create"])) {
|
||||
include "./create.inc.php";
|
||||
} elseif (isset($_GET["indexes"])) {
|
||||
include "./indexes.inc.php";
|
||||
} elseif (isset($_GET["view"])) {
|
||||
include "./view.inc.php";
|
||||
} elseif (isset($_GET["database"])) {
|
||||
include "./database.inc.php";
|
||||
} else {
|
||||
unset($_SESSION["tokens"][$params]);
|
||||
page_header(htmlspecialchars(lang('Database') . ": " . $_GET["db"]));
|
||||
echo '<p><a href="' . htmlspecialchars($SELF) . 'database=">' . lang('Alter database') . "</a></p>\n";
|
||||
if (mysql_get_server_info() >= 5) {
|
||||
|
@ -43,12 +55,12 @@ if (isset($_GET["dump"])) {
|
|||
echo "<th>" . htmlspecialchars($row["ROUTINE_NAME"]) . "</th>"; //! parameters from SHOW CREATE {PROCEDURE|FUNCTION}
|
||||
echo "<td><pre>" . htmlspecialchars($row["ROUTINE_DEFINITION"]) . "</pre></td>";
|
||||
echo "</tr>\n";
|
||||
//! call, drop, replace
|
||||
}
|
||||
echo "</table>\n";
|
||||
}
|
||||
mysql_free_result($result);
|
||||
}
|
||||
}
|
||||
}
|
||||
page_footer();
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue