mirror of
https://github.com/Piwigo/Piwigo.git
synced 2026-07-07 02:11:26 +02:00
details about CSRF
+32
-3
@@ -39,7 +39,17 @@ If the user input variable doesn't exist or matches the expected pattern, nothin
|
||||
|
||||
When to use `check_input_parameter`? On absolutely **every user input when the expected pattern is known**.
|
||||
|
||||
What if we don't have a pattern to check? For example, if you update the title of a photo, you don't have any pattern de match. This time the solution is to "escape" the variable before using it, with the `pwg_db_real_escape_string` function.
|
||||
What if we don't have a pattern to check? For example, see this example:
|
||||
|
||||
```php
|
||||
$query = '
|
||||
DELETE FROM '.OLD_PERMALINKS_TABLE.'
|
||||
WHERE permalink=\''.$_GET['delete_permanent'].'\'
|
||||
LIMIT 1
|
||||
;';
|
||||
```
|
||||
|
||||
Here you have no pattern to match, you don't know what's coming in `$_GET['delete_permanent']`. The problem is that it could countain something like `whatever'; DELETE FROM users WHERE username != '`; This time the solution is to "escape" the variable before using it, with the `pwg_db_real_escape_string` function.
|
||||
|
||||
```php
|
||||
$query = '
|
||||
@@ -55,5 +65,24 @@ TODO explain what it is, when it's a problem and when it's not a problem but a f
|
||||
|
||||
## CSRF
|
||||
|
||||
TODO explain what a CSRF is
|
||||
TODO explain how `pwg_token` protects from CSRF attacks
|
||||
Read a full explanation on [CSRF on Wikipedia](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Also an explanation, but in pictures on [CSRF on PortSwigger](https://portswigger.net/web-security/csrf)
|
||||
|
||||
So in Piwigo we have implemented the `pwg_token` solution. Here is how it works. First in the form:
|
||||
|
||||
```
|
||||
<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
|
||||
```
|
||||
|
||||
In the PHP, you send the template variable like this:
|
||||
|
||||
```
|
||||
$template->assign('PWG_TOKEN', get_pwg_token());
|
||||
```
|
||||
|
||||
And this is how you check the token is valid when submitting the form:
|
||||
|
||||
```
|
||||
check_pwg_token();
|
||||
```
|
||||
|
||||
You will find many use case in Piwigo code. Now you know how to use the `pwg_token`, you need to know "when" to use it: everywhere you delete data or edit data. If you want to make things even more secure you can use `pwg_token` on data creation too.
|
||||
Reference in New Issue
Block a user