| author | Dhruv Goel <dhruv.goel92@gmail.com> | 2012-04-01 16:57:46 +0530 |
|---|---|---|
| committer | Dhruv Goel <dhruv.goel92@gmail.com> | 2012-05-17 14:02:17 +0530 |
| commit | 4129711e9f9b67ea102594254434f6210cd03e81 (patch) | |
| tree | 4c6550154c21bb46c194d8d6a1f3b6c3f5a4e134 /phpBB/includes/ucp/ucp_profile.php | |
| parent | 79ef96043546074e19bf849e7a58279b3b463c1a (diff) | |
| download | forums-4129711e9f9b67ea102594254434f6210cd03e81.tar forums-4129711e9f9b67ea102594254434f6210cd03e81.tar.gz forums-4129711e9f9b67ea102594254434f6210cd03e81.tar.bz2 forums-4129711e9f9b67ea102594254434f6210cd03e81.tar.xz forums-4129711e9f9b67ea102594254434f6210cd03e81.zip | |
[feature/delete-auto-logins] checks form key
The form key is checked after submission if not correct error is returned.
PHPBB3-9647
Diffstat (limited to 'phpBB/includes/ucp/ucp_profile.php')
| -rw-r--r-- | phpBB/includes/ucp/ucp_profile.php | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/phpBB/includes/ucp/ucp_profile.php b/phpBB/includes/ucp/ucp_profile.php
index 2595e48fb5..d4e5d75c10 100644
--- a/phpBB/includes/ucp/ucp_profile.php
+++ b/phpBB/includes/ucp/ucp_profile.php
@@ -627,18 +627,29 @@ class ucp_profile
 {
 $keys = request_var('keys', array(''));
 
- if (!empty($keys))
+ if (!check_form_key('ucp_autologin_keys'))
 {
- $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
- WHERE user_id = ' . (int) $user->data['user_id'] . '
- AND ' . $db->sql_in_set('key_id', $keys) ;
+ $error[] = 'FORM_INVALID';
+ }
 
- $db->sql_query($sql);
+ if (!sizeof($error))
+ {
+ if (!empty($keys))
+ {
+ $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
+ WHERE user_id = ' . (int) $user->data['user_id'] . '
+ AND ' . $db->sql_in_set('key_id', $keys) ;
 
- meta_refresh(3, $this->u_action);
- $message = $user->lang['AUTOLOGIN_SESSION_KEYS_DELETED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>');
- trigger_error($message);
+ $db->sql_query($sql);
+
+ meta_refresh(3, $this->u_action);
+ $message = $user->lang['AUTOLOGIN_SESSION_KEYS_DELETED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>');
+ trigger_error($message);
+ }
 }
+
+ // Replace "error" strings with their real, localised form
+ $error = array_map(array($user, 'lang'), $error);
 }
 
 $sql = 'SELECT key_id, last_ip, last_login
@@ -650,6 +661,8 @@ class ucp_profile
 while ($row = $db->sql_fetchrow($result))
 {
 $template->assign_block_vars('sessions', array(
+ 'ERROR' => (sizeof($error)) ? implode('<br />', $error) : '',
+
 'KEY' => $row['key_id'],
 'IP' => $row['last_ip'],
 'LOGIN_TIME' => $row['last_login'],
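Review bot: `$error` is appended to with `$error[] = 'FORM_INVALID';` and counted with `sizeof($error)` in the first hunk, but nothing in the hunk initialises it, and the `if` block enclosing these lines opens before line 627, outside the hunk. Because the second hunk at line 661 also evaluates `sizeof($error)` on the non-submit path, the mode needs an unconditional `$error = array();` before the submit block; if the surrounding code does not already have one, that line should be added. The new `check_form_key('ucp_autologin_keys')` call also presumes a matching `add_form_key('ucp_autologin_keys')` where the form is rendered, which is not visible in this diff; without it every submission would be rejected as FORM_INVALID, so it is worth confirming in the same commit.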
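Review bot: In the second hunk the `ERROR` template variable is assigned inside the per-row `sessions` block, so it is repeated for every autologin key and is never emitted when the user has no keys at all, which is precisely the case in which a FORM_INVALID error from the first hunk would otherwise go unseen. It is page-level state and belongs in a single assignment outside the loop, e.g. `$template->assign_vars(array('ERROR' => (sizeof($error)) ? implode('<br />', $error) : ''));`, with the `'ERROR'` entry and its blank line removed from the block array. The `while` loop that contains this assignment ends outside the hunk.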
