* In case you would like to skip this, you can add a nocsrf field. * * @param unknown_type $form_data_html HTML content * @return html content with modified forms that include CSRF hidden tokens */ function csrfguard_replace_forms($form_data_html) { $count=preg_match_all("/(.*?)<\\/form>/is",$form_data_html,$matches,PREG_SET_ORDER); if (is_array($matches)) { foreach ($matches as $m) { if (strpos($m[1],"nocsrf")!==false) { continue; } $name="CSRFGuard_".mt_rand(0,mt_getrandmax()); $token= csrfguard_generate_token($name); $form_data_html=str_replace($m[0], " {$m[2]}",$form_data_html); } } return $form_data_html; } /** * Applies CSRF filter on Smarty template content. Can be * used as a output filter. * * @param string $source * @param Smarty $smarty * @return CSRF filtered content */ function smarty_csrf_filter($source, $smarty) { return csrfguard_replace_forms($source); } /** * Validates the CSRF tokens found in $_POST variable. Raoses user * errors if the token is not found or invalid. * * @return true if validated correctly, otherwise false */ function csrfguard_start() { if (count($_POST)) { if (!isset($_POST['CSRFName'])) { //trigger_error("No CSRFName found, probable invalid request.",E_USER_ERROR); //return false; redirect($_SESSION['basehref'] . 'error.php?message=No CSRFName found, probable invalid request.'); exit(); } // 20151107 $name = trim($_POST['CSRFName']); $token = trim($_POST['CSRFToken']); $good = (strlen($name) > 0 && strlen($token) > 0); if (!$good || !csrfguard_validate_token($name, $token)) { //trigger_error("Invalid CSRF token.",E_USER_ERROR); //return false; redirect($_SESSION['basehref'] . 'error.php?message=Invalid CSRF token.'); exit(); } } } // this way is runned always // Need to understand if this is needed // doSessionStart(false); // csrfguard_start();