@chesster
Created December 3, 2014 12:46
diff --git a/.gitignore b/.gitignore
index b8746ec..6dc9d1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
ses_tmp/*
+vendor/*
+config/bootstrap.local.php
diff --git a/config/SiteController.class.php b/config/SiteController.class.php
index 6e28759..a2a8a34 100644
--- a/config/SiteController.class.php
+++ b/config/SiteController.class.php
@@ -24,6 +24,7 @@ class SiteController extends Controller {
}
public function before() {
+ parent::before();
$short_class = strtolower(str_replace('Controller', '', get_class($this)));
if (!$this->Auth->isAuthMethod($short_class, $this->methodRequest)) {
Error::redirect(401);
diff --git a/config/bootstrap.local.example.php b/config/bootstrap.local.example.php
new file mode 100644
index 0000000..b24dc36
--- /dev/null
+++ b/config/bootstrap.local.example.php
@@ -0,0 +1,19 @@
+<?php
+/*
+ * Requires Runkit.
+ * Instalaction:
+ *
+ * cd /tmp
+ * git clone https://github.com/zenovich/runkit.git
+ * cd runkit
+ * pecl install package.xml
+ * echo "extension=runkit.so" >> /etc/php/apache2/php.ini
+ * service httpd restart
+ */
+runkit_constant_redefine('DOMAIN', 'personalbodyplan.dev');
+runkit_constant_redefine('ROOT_URL', 'http'.(IS_HTTPS == 'on' ? "s" : "").'://'.DOMAIN.PREFIX.'/');
+runkit_constant_redefine('HTTP_ROOT_URL', 'http://'.DOMAIN.PREFIX.'/');
+runkit_constant_redefine('HTTPS_ROOT_URL', 'https://'.DOMAIN.PREFIX.'/');
+runkit_constant_redefine('DEBUG', 1);
+runkit_constant_redefine('DEBUG_BACKTRACE', 1);
+?>
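Review bot: The header comment reads `Instalaction`; `Installation` is meant. The file ends with a closing `?>` plus a trailing newline, and for an include that only redefines constants that can emit output before headers are sent, so drop the closing tag. `IS_HTTPS == 'on'` on the ROOT_URL line only works through loose comparison against the boolean that bootstrap.php now defines; `IS_HTTPS ? 's' : ''` says what is meant.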
diff --git a/config/bootstrap.php b/config/bootstrap.php
index 09cca33..ad7f111 100644
--- a/config/bootstrap.php
+++ b/config/bootstrap.php
@@ -7,8 +7,8 @@
*/
// ROOT
-define('DOMAIN', 'personalbodyplan.dev');
-define('IS_HTTPS', false);
+define('DOMAIN', '10.10.129.166');
+define('IS_HTTPS', isset($_SERVER["HTTPS"]) && strtolower($_SERVER["HTTPS"]));
define('PREFIX', '');
define('ROOT_URL', 'http'.(IS_HTTPS == 'on' ? "s" : "").'://'.DOMAIN.PREFIX.'/');
define('HTTP_ROOT_URL', 'http://'.DOMAIN.PREFIX.'/');
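Review bot: `strtolower($_SERVER["HTTPS"])` is a non-empty string whenever the variable is set at all, so `IS_HTTPS` becomes `true` on servers that set `HTTPS=off` (IIS and some proxies do); use `define('IS_HTTPS', !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off');`. `IS_HTTPS` is now a boolean while the `ROOT_URL` line two lines down still compares it with `== 'on'`, which only passes through loose comparison; `IS_HTTPS ? 's' : ''` would make the intent explicit.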
@@ -113,4 +113,8 @@ define('ENORMAIL_API_KEY', 'c1f31c25912709abb16bdd84fd4c7ac0');
// Debug function
function localdebug() { global $DEBUG_IPS; if(in_array(trim(Net::getIP()), $DEBUG_IPS)) { debug(func_get_args()); } }
function debug() { ob_start(); $var = func_get_args(); call_user_func_array('var_dump', $var); echo '<pre>'.htmlentities(preg_replace(array("/ *=\>\n */"), array(" => "), ob_get_clean())).'</pre>';};
+
+if (file_exists(DOCUMENT_ROOT . '/config/bootstrap.local.php')) {
+ require_once DOCUMENT_ROOT . '/config/bootstrap.local.php';
+}
?>
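Review bot: The hunk header shows `ENORMAIL_API_KEY` defined with a literal value in the tracked bootstrap.php; now that bootstrap.local.php is gitignored and loaded here, credentials belong in that file with the tracked one holding only a placeholder. The new include builds the path as `DOCUMENT_ROOT . '/config/...'` while oauth.php and Model.class.php in this same commit use `DOCUMENT_ROOT . 'model/api.php'` and `DOCUMENT_ROOT . "lib/ai/..."`, which presumes `DOCUMENT_ROOT` both does and does not end in a slash; pick one convention so the override is not silently skipped on a platform where `//` does not collapse.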
diff --git a/controller/admin/forum.php b/controller/admin/forum.php
index 3510d5d..685136e 100644
--- a/controller/admin/forum.php
+++ b/controller/admin/forum.php
@@ -629,7 +629,7 @@ class ForumController extends SiteController {
'href' => 'forum/index_category/' . $category['id']);
}
$breadcrums[] = array(
- 'title' => 'Zoeken op: <em>' . $filter['word'] . '</em>');
+ 'title' => 'Zoeken op: ' . $filter['word']);
$this->set(compact('pagination', 'paginated', 'breadcrums', 'filter'));
$this->setLayoutVar('pageTitle', 'Forum');
@@ -700,7 +700,7 @@ class ForumController extends SiteController {
'href' => 'forum/index_thread/' . $thread['id']
),
array(
- 'title' => 'Zoeken op: <em>' . $filter['word'] . '</em>'
+ 'title' => 'Zoeken op: ' . $filter['word']
)
)
);
diff --git a/controller/api.php b/controller/api.php
index 2a0a71b..9606f35 100644
--- a/controller/api.php
+++ b/controller/api.php
@@ -6,6 +6,8 @@
* @package pbp
* @subpackage controller
*/
+error_reporting(0);
+
class ApiController extends SiteController {
public static $roles = array(
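Review bot: `error_reporting(0)` at file scope silences every notice and warning for the remainder of the request, for all code that runs after this controller is included, not only the API response; it hides problems rather than keeping them out of the output. Prefer `ini_set('display_errors', '0');` with `log_errors` left on, so errors still reach the log, and place it where the response is emitted or in the bootstrap rather than at include time.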
@@ -77,6 +79,8 @@ class ApiController extends SiteController {
$this->isAjaxCall();
}
+ public function before() {
+ }
/*
* *************************************************************************************************************************
* ********** PUBLIC FUNCTIONS (viewable) **********************************************************************************
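Review bot: The empty `before()` override skips `SiteController::before()`, which after this commit performs both `CSRFProtection::validateAndRedirectAllPOST()` and the `isAuthMethod` role check, so every ApiController action now runs without either. If the intent is only to exempt API clients from the session-bound CSRF token, keep the authorization step by calling it explicitly, or at least add `// intentionally skips SiteController::before(): API clients have no session-bound CSRF token` so the omission reads as deliberate. The OAuthController hunk in this commit adds an identical empty `before()` and has the same effect.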
diff --git a/controller/articles.php b/controller/articles.php
index a73bf99..4f1807f 100644
--- a/controller/articles.php
+++ b/controller/articles.php
@@ -105,7 +105,7 @@ class ArticlesController extends SiteController {
$related = $this->Articles->getRelated($article);
$this->setLayoutVar('pageTitle', $article['title']);
- $this->set(compact('article', 'related', 'thisURL', 'updateShareCount'));
+ $this->set(compact('article', 'related', 'thisURL', 'updateShareCount'), false);
}
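Review bot: Passing `false` to `set()` disables escaping for every variable in the `compact()` call, `thisURL` and `updateShareCount` as well as `related` and `article`, when presumably only the article body needs to reach the view as raw HTML; split it into `$this->set(compact('related', 'thisURL', 'updateShareCount'));` and `$this->set(compact('article'), false);` so the exemption is as narrow as possible. The same all-or-nothing pattern appears in the behavior.php, pages.php, results.php and training.php hunks of this commit.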
/*
diff --git a/controller/behavior.php b/controller/behavior.php
index cad1698..250bda1 100644
--- a/controller/behavior.php
+++ b/controller/behavior.php
@@ -134,7 +134,7 @@ class BehaviorController extends SiteController {
)
);
- $this->set(compact('habit', 'lessons', 'habits', 'breadcrums'));
+ $this->set(compact('habit', 'lessons', 'habits', 'breadcrums'), false);
}
public function lesson($habit_id, $lesson_num) {
@@ -208,7 +208,7 @@ class BehaviorController extends SiteController {
)
);
- $this->set(compact('optional_progress', 'lesson_num', 'lessons', 'breadcrums'));
+ $this->set(compact('optional_progress', 'lesson_num', 'lessons', 'breadcrums'), false);
}
/*
diff --git a/controller/error.php b/controller/error.php
index 39c80bc..bd55a22 100644
--- a/controller/error.php
+++ b/controller/error.php
@@ -34,6 +34,7 @@ class ErrorController extends SiteController {
$title = "403 | Forbidden";
break;
case 404:
+ header("HTTP/1.0 404 Not Found");
$title = "404 | Page not found";
break;
default:
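Review bot: `header("HTTP/1.0 404 Not Found")` hardcodes the protocol version; `http_response_code(404);` (or `header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');`) sends the version the client used. The 403 case two lines above still answers with 200, so after this change only 404 reaches the client with an error status; the `switch` starts outside the hunk.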
diff --git a/controller/forum.php b/controller/forum.php
index f0db9fd..09bbf81 100644
--- a/controller/forum.php
+++ b/controller/forum.php
@@ -83,7 +83,7 @@ class ForumController extends SiteController {
}
public function index_category($category_id) {
- $category_id = Filter::int($category_id);
+ $category_id = Filter::int($category_id, true, true);
$category = $this->Forum->getRowBy(array('id' => $category_id), NULL, 'community_forum_categories');
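Review bot: `Filter::int($category_id, true, true)` returns `false` for a non-positive or non-numeric id, but the next line still queries with `array('id' => false)` and nothing in the hunk handles a missing row; `products()` in nutrition.php in this same commit does `if (!$nutrient) { Error::redirect(404); }` after its lookup, and the same guard belongs here after the `getRowBy`. The rest of `index_category()` is outside the hunk.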
@@ -345,7 +345,7 @@ class ForumController extends SiteController {
$category = $this->Forum->getRowBy(array('id' => $filter['category_id']), NULL, 'community_forum_categories');
$breadcrums[] = array('title' => $category['title'], 'href' => 'forum/index_category/' . $category['id']);
}
- $breadcrums[] = array('title' => 'Zoeken op: <em>' . $filter['word'] . '</em>');
+ $breadcrums[] = array('title' => 'Zoeken op: ' . $filter['word']);
$this->set(compact('pagination', 'paginated', 'breadcrums', 'filter'));
$this->setLayoutVar('pageTitle', 'Forum');
@@ -367,9 +367,8 @@ class ForumController extends SiteController {
if (isset($this->data['search']) && trim($this->data['search'] != "")) {
$filter['word'] = trim($this->data['search']);
}
- if (isset($this->data['search_thread']) && trim($this->data['search_thread'] != "")) {
- $filter['thread_id'] = trim($this->data['search_thread']);
- }
+
+ $filter['thread_id'] = isset($this->data['search_thread']) ? Filter::int(trim($this->data['search_thread'])) : false;
if ($filter['thread_id'] == 0 || $filter['word'] == '') {
Net::redirect(ROOT_URL . 'forum', array(
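Review bot: The new `$filter['thread_id']` line is sound, but the context line above it, `trim($this->data['search'] != "")`, applies `trim` to the boolean result of `!=`, so the branch is taken for whitespace-only input and `$filter['word']` is set to `''`; the intended form is `trim($this->data['search']) != ""`. The commit rewrites the sibling `search_thread` check but leaves this one with the same misplaced parenthesis.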
@@ -401,7 +400,7 @@ class ForumController extends SiteController {
'href' => 'forum/index_thread/' . $thread['id']
),
array(
- 'title' => 'Zoeken op: <em>' . $filter['word'] . '</em>'
+ 'title' => 'Zoeken op: ' . $filter['word']
)
);
diff --git a/controller/nutrition.php b/controller/nutrition.php
index 2699dc7..2422e58 100644
--- a/controller/nutrition.php
+++ b/controller/nutrition.php
@@ -430,8 +430,12 @@ class NutritionController extends SiteController {
}
public function products($nutrient_id) {
- $nutrients = $this->Nutrition->getKeyPairedBy(NULL, array('fields' => array('id', 'name')), 'nutrition_nutrients');
+ $nutrient_id = Filter::int($nutrient_id, true);
$nutrient = $this->Nutrition->getRowBy(array('id' => $nutrient_id), NULL, 'nutrition_nutrients');
+ if (!$nutrient) {
+ Error::redirect(404);
+ }
+ $nutrients = $this->Nutrition->getKeyPairedBy(NULL, array('fields' => array('id', 'name')), 'nutrition_nutrients');
$sub_nutrients = $this->Nutrition->getAssocBy(array('nutrient_id' => $nutrient_id), array('fields' => array('id', 'name'), 'order' => array('n', 'id')), 'nutrition_nutrients_sub');
$products = $this->Nutrition->getProductsByNutrientForProgram($nutrient_id, $this->Auth->user['program']);
@@ -470,13 +474,14 @@ class NutritionController extends SiteController {
}
public function product($product_id) {
- $nutrients = $this->Nutrition->getKeyPairedBy(NULL, array('fields' => array('id', 'name')), 'nutrition_nutrients');
+ $product_id = Filter::int($product_id, true);
$product = $this->Nutrition->getProductWithNutrients($product_id, $this->Auth->user['program']);
-
if (!$product) {
Net::redirect(ROOT_URL . 'nutrition');
}
+ $nutrients = $this->Nutrition->getKeyPairedBy(NULL, array('fields' => array('id', 'name')), 'nutrition_nutrients');
+
$breadcrums = array(
array(
'title' => 'Voeding',
@@ -495,15 +500,19 @@ class NutritionController extends SiteController {
}
public function mealtype($mealtype_id) {
+ $mealtype_id = Filter::int($mealtype_id, true);
+ $mealtype = $this->Nutrition->getRowBy(array('id' => $mealtype_id), NULL, 'nutrition_mealtypes');
+ if (!$mealtype) {
+ Error::redirect(404);
+ }
+ $_SESSION['last_mealtype_id'] = $mealtype_id;
+
$this->attachModel(array('Users'));
$allergies = $this->Nutrition->getKeyPairedBy(NULL, array(
'fields' => array('id', 'name'),
'order' => array('name')
), 'allergies');
- $mealtype = $this->Nutrition->getRowBy(array('id' => $mealtype_id), NULL, 'nutrition_mealtypes');
- $_SESSION['last_mealtype_id'] = $mealtype_id;
-
if (isset($this->data)) {
$allergy_selection = array();
if (isset($this->data['allergies']) && is_array($this->data['allergies'])) {
diff --git a/controller/oauth.php b/controller/oauth.php
index 6e4a958..5d8be94 100644
--- a/controller/oauth.php
+++ b/controller/oauth.php
@@ -6,6 +6,8 @@
* @package pbp
* @subpackage controller
*/
+require_once(DOCUMENT_ROOT . 'model/api.php');
+
class OAuthController extends SiteController {
public static $roles = array(
@@ -22,6 +24,9 @@ class OAuthController extends SiteController {
$this->isAjaxCall();
}
+ public function before() {
+ }
+
/*
* *************************************************************************************************************************
* ********** PUBLIC FUNCTIONS (viewable) **********************************************************************************
@@ -50,6 +55,8 @@ class OAuthController extends SiteController {
}
}
$this->set(array('ajax' => $ajax));
+
+ Api::log();
}
/*
diff --git a/controller/pages.php b/controller/pages.php
index 9f96ea3..8b72941 100644
--- a/controller/pages.php
+++ b/controller/pages.php
@@ -154,7 +154,7 @@ class PagesController extends SiteController {
$team = $this->Team->getAllBy(NULL, array(
'order' => 'n'));
- $this->set(compact('team', 'group'));
+ $this->set(compact('team', 'group'), false);
}
public function webchat() {
@@ -181,7 +181,7 @@ class PagesController extends SiteController {
Net::redirect(ROOT_URL);
}
$this->setLayoutVar('pageTitle', $page['title']);
- $this->set(compact('page'));
+ $this->set(compact('page'), false);
}
public function hoe_werkt_het() {
diff --git a/controller/results.php b/controller/results.php
index 96482e7..59feb26 100644
--- a/controller/results.php
+++ b/controller/results.php
@@ -71,7 +71,7 @@ class ResultsController extends SiteController {
$ajax = false;
}
- $this->set(compact('ajax'));
+ $this->set(compact('ajax'), false);
}
public function ajax_get_result($id) {
@@ -80,7 +80,7 @@ class ResultsController extends SiteController {
if ($ajax) {
$ajax['created'] = date('d-m-Y', strtotime($ajax['created']));
}
- $this->set(compact('ajax'));
+ $this->set(compact('ajax'), false);
}
}
diff --git a/controller/subscriptions.php b/controller/subscriptions.php
index 82912a8..0bf53d9 100644
--- a/controller/subscriptions.php
+++ b/controller/subscriptions.php
@@ -696,10 +696,6 @@ class SubscriptionsController extends SiteController {
}
}
-
-
-
-
Net::redirect(ROOT_URL . $redirectURI, array(
'notify' => array(
'message' => $badges,
diff --git a/controller/training.php b/controller/training.php
index b7a6099..c0c7623 100644
--- a/controller/training.php
+++ b/controller/training.php
@@ -247,7 +247,7 @@ class TrainingController extends SiteController {
)
);
}
- $this->set(compact('exercise', 'breadcrums'));
+ $this->set(compact('exercise', 'breadcrums'), false);
}
/*
diff --git a/controller/users.php b/controller/users.php
index 3e8c53d..855c690 100644
--- a/controller/users.php
+++ b/controller/users.php
@@ -126,9 +126,9 @@ class UsersController extends SiteController {
}
$this->setLayoutVar('pageTitle', 'Aanmelden');
-
if ($via_code != "") {
$registered_via_id = $this->Coupons->codeToId($via_code);
+
if ($registered_via_id) {
$via_user = $this->Users->getRowBy(array('user_id' => $registered_via_id), NULL, 'users');
if ($via_user) {
@@ -136,6 +136,9 @@ class UsersController extends SiteController {
$this->set(compact('via_user'));
}
}
+ else {
+ $via_code = '';
+ }
}
$this->set(compact('group', 'via_code'));
@@ -144,7 +147,6 @@ class UsersController extends SiteController {
public function register_success() {
$this->layout = 'default_responsive';
}
-
// Verify email address
public function verify($verification_hash = NULL) {
$this->attachModel(array('Groups'));
@@ -156,9 +158,9 @@ class UsersController extends SiteController {
} else {
$status = 'activation_failed';
}
- }
$this->set(compact('status'));
}
+ }
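Review bot: Moving the closing brace puts `$this->set(compact('status'))` inside the enclosing `if`, so when that condition is false the view no longer receives `status`; if the view reads `$status` unconditionally it will now hit an undefined variable. The opening of that `if` and the rest of `verify()` are outside the hunk, so this is inferred from the indentation; if the change is deliberate, a comment such as `// status is only set when a verification hash was supplied` would make that clear.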
public function intake() {
$this->layout = 'intake';
@@ -187,7 +189,6 @@ class UsersController extends SiteController {
);
}
}
-
$extra_questions = $this->Users->intake_extra_questions();
$allergies = $this->Users->getKeyPairedBy(NULL, array('fields' => array('id', 'name')), 'allergies');
diff --git a/core/Controller.class.php b/core/Controller.class.php
index a48846b..92631d2 100644
--- a/core/Controller.class.php
+++ b/core/Controller.class.php
@@ -58,7 +58,7 @@ class Controller {
* @uses AuthController::getInstance()
*/
public function __construct() {
- if(isset($_REQUEST['data'])) $this->data = $_REQUEST['data'];
+ if(isset($_REQUEST['data'])) $this->data = Sanitization::MYSQLsanitizeArray($_REQUEST['data']);
$this->Auth = AuthController::getInstance();
$this->layout = (ADMINVIEW)? 'admin': 'default';
if(sizeof($this->uses) > 0) $this->attachModel($this->uses);
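Review bot: `Sanitization::MYSQLsanitizeArray` with no `$pdo` falls back to `addslashes`, so every value in `$this->data` now carries backslashes before any validation runs; a value that is later bound through `prepare`/`execute` (the pattern model/api.php uses) would presumably be stored with the literal backslashes, and `addslashes` is not charset-aware, so it does not replace escaping at the query boundary in any case. Keep `$this->data` raw here and escape in the model that builds the SQL, by binding parameters or calling `MYSQLsanitize($value, $this->pdo)` there; the `LIKE` built from `$filter['word']` in model/forum.php is the kind of call site that still needs that.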
@@ -69,6 +69,7 @@ class Controller {
* Is always ran before first function call
*/
public function before() {
+ CSRFProtection::validateAndRedirectAllPOST();
}
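Review bot: `validateAndRedirectAllPOST()` decides whether to validate by `count($_POST)`, so a POST whose body is only file uploads (`$_POST` empty, `$_FILES` populated) or a non-form body is never checked, although the request method is what matters; test `$_SERVER['REQUEST_METHOD'] === 'POST'` inside that helper instead. `CSRFProtection::getInstance()` throws `Exception('Could not find session id')` when no session is active, so a POST that reaches a controller before `session_start()` now fails with an uncaught exception rather than a 403; confirm every request path has a session by the time `before()` runs.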
/**
@@ -100,13 +101,13 @@ class Controller {
* @param array $vars array of key=>value
* @return bool
*/
- protected function set($vars){
+ protected function set($vars, $sanitize=true){
if(is_array($vars)){
foreach($vars as $k => $v) {
if(is_array($v) && isset($this->viewVars[$k])) {
$v = array_merge($this->viewVars[$k], $v);
}
- $this->viewVars[$k] = $v;
+ $this->viewVars[$k] = $sanitize ? Sanitization::HTMLsanitizeArray($v) : $v ;
}
return true;
}
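Review bot: The docblock above still lists only `$vars`; add `@param bool $sanitize run every value through Sanitization::HTMLsanitizeArray() (default); pass false only for values that are intentionally HTML`. Because that helper stringifies scalars, `false`, `null` and integers stored in `viewVars` change type when sanitized, which is presumably why results.php in this commit passes `false` for `$ajax`; callers cannot see that from the signature, so document it or skip non-string scalars in the helper. When `$k` already exists, the merged array is escaped again, which relies on `HTMLsanitize` being idempotent.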
@@ -136,10 +137,17 @@ class Controller {
* @return array pagination values
*/
protected function getPagination($defaults = array()) {
- $pagination['order'] = (isset($_GET['o']))? $_GET['o']:((isset($defaults['order']))?$defaults['order']:'DEFAULT');
- $pagination['page'] = (isset($_GET['p']) && is_int((int)$_GET['p']))? (int)$_GET['p'] : ((isset($defaults['page']))?$defaults['page']:1);
- $pagination['filter'] = (isset($_GET['filter']))? $_GET['filter'] : '';
- $pagination['direction'] = (isset($_GET['d']) && (strtoupper($_GET['d']) == 'DESC' || strtoupper($_GET['d']) == 'ASC'))? strtoupper($_GET['d']) : ((isset($defaults['direction']))? $defaults['direction'] : 'DESC');
+ $page = ArrayHelper::getKey($_GET, 'p');
+ $order = ArrayHelper::getKey($_GET, 'o');
+ $filter = ArrayHelper::getKey($_GET, 'filter');
+ $direction = ArrayHelper::getKey($_GET, 'd');
+ $default_direction = ArrayHelper::getKey($defaults, 'direction');
+ $pagination = array(
+ 'order' => $order ? $order : 'DEFAULT',
+ 'page' => ($page && Filter::int($page, true, true)) ? $page : 1,
+ 'filter' => $filter ? $filter : '',
+ 'direction' => ($direction && in_array(strtoupper($direction), array('ASC', 'DESC'))) ? $direction : ($default_direction ? $default_direction : 'DESC'),
+ );
$this->set(array('pagination' => $pagination));
return $pagination;
}
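Review bot: The rewritten `$pagination` array only consults `$defaults['direction']`; the removed lines also fell back to `$defaults['order']` and `$defaults['page']`, so callers that pass those defaults now silently get `'DEFAULT'` and `1`. Restore them with `'order' => $order ?: (ArrayHelper::getKey($defaults, 'order') ?: 'DEFAULT'),` and `'page' => ($page && Filter::int($page, true, true)) ? (int) $page : (ArrayHelper::getKey($defaults, 'page') ?: 1),`. The `direction` entry also returns `$direction` as received rather than the `strtoupper` form the old code returned, which matters if any caller compares it to `'DESC'`.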
diff --git a/core/Model.class.php b/core/Model.class.php
index 9944787..84d762b 100644
--- a/core/Model.class.php
+++ b/core/Model.class.php
@@ -1,5 +1,9 @@
<?php
+require_once(DOCUMENT_ROOT . "lib/ai/ArrayHelper.class.php");
+require_once(DOCUMENT_ROOT . "lib/ai/Sanitization.class.php");
+
+
/**
* Model - Model to extend, default DB methods
* @author Arjen Boutsema
@@ -519,17 +523,19 @@ class Model {
* @return string SQL query for order an limit
*/
protected function pagination($paginate, $perpage, $handles) {
+
$args = array();
if ($paginate['order'] != '' && $paginate['direction'] != '') {
$handle = (isset($handles[$paginate['order']])) ? $handles[$paginate['order']] : $handles['DEFAULT'];
$args['order'] = $handle . ' ' . $paginate['direction'];
}
- if ($paginate['page']) {
+
+ if (ArrayHelper::getKey($paginate, 'page')) {
$paginate['page'] = Filter::int($paginate['page'], true);
+ $paginate['page'] = ($paginate['page']) ? $paginate['page'] : 1 ;
$perpage = Filter::int($perpage, true);
$args['limit'] = (($paginate['page'] - 1) * $perpage) . ',' . $perpage;
}
-
return $args;
}
diff --git a/data/.gitkeep b/data/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/data/measurements/.gitkeep b/data/measurements/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/lib/ai/ArrayHelper.class.php b/lib/ai/ArrayHelper.class.php
new file mode 100644
index 0000000..fa18132
--- /dev/null
+++ b/lib/ai/ArrayHelper.class.php
@@ -0,0 +1,18 @@
+<?php
+/**
+* Crypt methods
+* @package core
+* @subpackage Libs
+*/
+class ArrayHelper
+{
+ public static function getKey($array, $key, $sanitize=true) {
+ if (array_key_exists($key, $array)) {
+ if ($sanitize) {
+ return Sanitization::stringSanitize($array[$key]);
+ }
+ return $array[$key];
+ }
+ return false;
+ }
+}
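Review bot: The class docblock says `Crypt methods`, copied from another file (Sanitization.class.php in this commit repeats it); replace it with `Array access helpers` and document the method: `@return mixed the value (null bytes stripped when $sanitize) or false when $key is absent`. Returning `false` for a missing key is indistinguishable from a stored `false` or `'0'` for callers that test truthiness, as `getPagination()` and `Model::pagination()` do; returning `null` and letting callers use `isset`/`??`-style checks would avoid that ambiguity.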
diff --git a/lib/ai/CSRFProtection.class.php b/lib/ai/CSRFProtection.class.php
new file mode 100644
index 0000000..c31816d
--- /dev/null
+++ b/lib/ai/CSRFProtection.class.php
@@ -0,0 +1,113 @@
+<?php
+
+class CSRFProtection {
+
+ protected $acceptGet = false;
+
+ protected $timeout = 300;
+
+ private static $instance = false;
+
+ public static function getInstance($timeout=300, $acceptGet=false)
+ {
+ if( self::$instance == false )
+ {
+ self::$instance = new CSRFProtection($timeout, $acceptGet);
+ }
+ return self::$instance;
+ }
+
+ private function __construct($timeout=300, $acceptGet=false){
+ $this->timeout = $timeout;
+ $this->inputToken = null;
+ if (session_id()) {
+ $this->acceptGet = (bool) $acceptGet;
+ } else {
+ throw new Exception('Could not find session id', 1);
+ }
+ }
+
+ public function randomString($len = 10) {
+ $rString = '';
+ $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
+ $charsTotal = strlen($chars);
+ for ($i = 0; $i < $len; $i++) {
+ $rInt = (integer) mt_rand(0, $charsTotal);
+ $rString .= substr($chars, $rInt, 1);
+ }
+ return $rString;
+ }
+
+ public function generateTokenAndStoreInSession() {
+ $hash = $this->generateToken();
+ if (!isset($_SESSION['csrf']) || !is_array($_SESSION['csrf'])) {
+ $_SESSION['csrf'] = array($hash);
+ }
+ else {
+ if (!in_array($hash, $_SESSION['csrf'])) {
+ $_SESSION['csrf'][] = $hash;
+ }
+ }
+ return $hash;
+ }
+
+ public function generateToken() {
+ return base64_encode(sha1(implode('',array(
+ 'time' => time(),
+ 'salt' => $this->randomString(32),
+ 'sessid' => session_id(),
+ 'ip' => $_SERVER['REMOTE_ADDR'],
+ ))));
+ }
+
+ public function generateHiddenField() {
+ if (!$this->inputToken) {
+ $this->inputToken = $this->generateTokenAndStoreInSession();
+ }
+ return '<input type="hidden" name="csrf" value="'.$this->inputToken.'" />';
+ }
+
+ protected function checkTimeout($timeout=NULL) {
+ if (!$timeout) {
+ $timeout = $this->timeout;
+ }
+ return ($_SERVER['REQUEST_TIME'] - $_SESSION['csrf']['time']) < $timeout;
+ }
+
+ public function checkToken($timeout=NULL) {
+ if (isset($_SESSION['csrf'])) {
+ if (!$this->checkTimeout($timeout)) {
+ //return false;
+ }
+ if (session_id()) {
+ if (($this->acceptGet and isset($_GET['csrf'])) or isset($_POST['csrf'])) {
+ return in_array($_REQUEST['csrf'], $_SESSION['csrf']);
+ }
+ }
+ }
+ return false;
+ }
+
+ public static function validateAndRedirectAllPOST($timeout=300) {
+ if (isset($_POST) && is_array($_POST) && count($_POST)) {
+ return self::validateAndRedirect($timeout);
+ }
+ }
+
+ public static function validateAndRedirect($timeout=300, $acceptGet=false) {
+ if (!self::validate($timeout, $acceptGet)) {
+ Error::redirect(403);
+ }
+ }
+
+ public static function validate($timeout=300, $acceptGet=false) {
+ $csrf = self::getInstance($timeout, $acceptGet);
+ return $csrf->checkToken();
+ }
+
+ public static function hiddenInput($timeout=300, $acceptGet=false) {
+ $csrf = self::getInstance($timeout, $acceptGet);
+ return $csrf->generateHiddenField();
+ }
+}
+
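Review bot: `randomString()` calls `mt_rand(0, $charsTotal)` where `$charsTotal` is one past the last index, so `substr` returns `''` for that draw and the salt is occasionally shorter than `$len`; use `mt_rand(0, $charsTotal - 1)`, and note that `mt_rand` is not a cryptographic source even though the value is only hashed. `checkTimeout()` reads `$_SESSION['csrf']['time']`, but `generateTokenAndStoreInSession()` only ever appends hashes to a list, so the timeout can never pass (hence the commented-out `return false`), and the list grows on every form render with no expiry or removal; store `hash => issued_at` pairs and prune expired entries. `checkToken()` tests `isset($_POST['csrf'])` but then compares `$_REQUEST['csrf']` with a loose `in_array`; read `$_POST['csrf']` and compare with `in_array($token, $_SESSION['csrf'], true)` (or `hash_equals` per entry). `$this->inputToken` is assigned in the constructor but never declared as a property.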
diff --git a/lib/ai/Filter.class.php b/lib/ai/Filter.class.php
index 5b9da91..28829f0 100644
--- a/lib/ai/Filter.class.php
+++ b/lib/ai/Filter.class.php
@@ -13,12 +13,16 @@ class Filter {
* @param string $strict flag,
* @return mixed integer on succes, false (strict) or rounded integer on error
*/
- public static function int($value, $strict = false) {
+ public static function int($value, $strict = false, $positive_only = false) {
+ if (preg_replace("/[^0-9]/", "", $value) != $value) {
+ return false;
+ }
if($strict) {
- return filter_var($value, FILTER_VALIDATE_INT, array('options' => array('default' => false)));
+ $int = filter_var($value, FILTER_VALIDATE_INT, array('options' => array('default' => false)));
} else {
- return filter_var($value, FILTER_VALIDATE_INT, array('options' => array('default' => round((int)$value))));
+ $int = filter_var($value, FILTER_VALIDATE_INT, array('options' => array('default' => round((int)$value))));
}
+ return ($positive_only && ($int <= 0)) ? false : $int;
}
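Review bot: The new pre-check `preg_replace("/[^0-9]/", "", $value) != $value` returns `false` for any input containing a non-digit, which rejects negative integers such as `-5` and makes the non-strict branch's `round((int)$value)` default unreachable, so `Filter::int('12abc')` now yields `false` where the docblock still promises a rounded integer. If negatives are valid, use `preg_match('/^-?[0-9]+$/', $value)` instead, and either way add `@param bool $positive_only return false unless the result is >= 1` to the docblock, which still documents only two parameters. The `float()` hunk below has the same shape: `[^0-9,.]` admits a comma that `FILTER_VALIDATE_FLOAT` then rejects, and a leading minus or exponent is refused before validation.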
/**
@@ -28,6 +32,9 @@ class Filter {
* @return mixed float on succes, false (strict) or rounded integer on error
*/
public static function float($value, $strict = false) {
+ if (preg_replace("/[^0-9,.]/", "", $value) != $value) {
+ return false;
+ }
if($strict) {
return filter_var($value, FILTER_VALIDATE_FLOAT, array('options' => array('default' => false)));
} else {
diff --git a/lib/ai/Sanitization.class.php b/lib/ai/Sanitization.class.php
new file mode 100644
index 0000000..843985f
--- /dev/null
+++ b/lib/ai/Sanitization.class.php
@@ -0,0 +1,54 @@
+<?php
+/**
+* Crypt methods
+* @package core
+* @subpackage Libs
+*/
+class Sanitization
+{
+
+ public static function MYSQLsanitize($string, $pdo=null) {
+ if ($pdo) {
+ return $pdo->quote($string);
+ }
+ $string = stripslashes($string);
+ return addslashes($string);
+ }
+
+ public static function MYSQLsanitizeArray($array, $pdo=null, $implode=false, $implode_delimiter=',') {
+ if (is_array($array)) {
+ foreach ($array as $key => $value) {
+ $array[$key] = self::MYSQLsanitizeArray($value, $pdo, $implode, $implode_delimiter);
+ }
+ return $implode ? implode($array, $implode_delimiter) : $array ;
+ }
+ else {
+ return self::MYSQLsanitize($array, $pdo);
+ }
+ }
+
+ public static function stringSanitize($string) {
+ return self::nullByteSanitize($string);
+ }
+
+ public static function nullByteSanitize($string) {
+ return str_replace(chr(0), '', $string);
+ }
+
+ public static function HTMLsanitize($string) {
+ $string = htmlspecialchars_decode($string);
+ return htmlspecialchars($string);
+ }
+
+ public static function HTMLsanitizeArray($array) {
+ if (is_array($array)) {
+ foreach ($array as $key => $value) {
+ $array[$key] = Sanitization::HTMLsanitizeArray($value);
+ }
+ return $array;
+ }
+ else {
+ return Sanitization::HTMLsanitize($array);
+ }
+ }
+}
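Review bot: `HTMLsanitize()` calls `htmlspecialchars()` with default flags, which leave single quotes unescaped, so a value placed in a single-quoted attribute is not neutralised; use `htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and pass the same flags to `htmlspecialchars_decode`. `MYSQLsanitizeArray()` calls `implode($array, $implode_delimiter)` with the arguments in the legacy reversed order, which is removed in PHP 8; write `implode($implode_delimiter, $array)`. Both `*sanitizeArray` helpers coerce scalars, so `false` and `null` become `''` and integers become strings, changing the type of every view variable that passes through `Controller::set()`; returning non-string scalars unchanged would avoid that. The class docblock says `Crypt methods`, which does not describe this file.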
diff --git a/migrations/.gitkeep b/migrations/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/migrations/001-api.sql b/migrations/001-api.sql
new file mode 100644
index 0000000..b6fb106
--- /dev/null
+++ b/migrations/001-api.sql
@@ -0,0 +1,12 @@
+use pbp;
+CREATE TABLE IF NOT EXISTS `api_usage` (
+ `api_version` varchar(8 NOT NULL DEFAULT '1.0.0',
+ `device_id` varchar(256) NOT NULL DEFAULT '1.0.0',
+ `ip` varchar(15) NOT NULL,
+ `usage_count` int(10) unsigned NOT NULL,
+ `user_id` int(10) unsigned NOT NULL,
+ `last_access` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+ PRIMARY KEY (`user_id`,`device_id`,`api_version`),
+ CONSTRAINT `api_usage_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `RABC_users` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+);
+
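Review bot: `api_version varchar(8 NOT NULL` is missing the closing parenthesis, so this CREATE TABLE does not parse; it should read `` `api_version` varchar(8) NOT NULL DEFAULT '1.0.0', ``. `device_id` also defaults to `'1.0.0'`, which looks copied from the line above and means every row inserted without a device id collides in the primary key. `ip varchar(15)` cannot hold an IPv6 address (up to 45 characters), so logging from such a client will fail or truncate.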
diff --git a/model/api.php b/model/api.php
new file mode 100644
index 0000000..872d373
--- /dev/null
+++ b/model/api.php
@@ -0,0 +1,99 @@
+<?php
+
+/**
+ * Api
+ * @package pbp
+ * @subpackage model
+ */
+class Api extends Model {
+
+ const DEVICE_ID_KEY = 'device_id';
+ const API_VERSION_KEY = 'api_version';
+
+ protected $name = 'api_usage';
+
+ public $fields = array(
+ 'user_id' => 'int',
+ 'device_id' => 'string',
+ 'api_version' => 'string',
+ 'ip' => 'string',
+ 'usage_count' => 'int',
+ 'last_access' => 'string'
+ );
+
+ public static function log($user_id=null) {
+ $user_id = (Filter::int($user_id, true)) ? $user_id : (isset($_SESSION['RABC_user']['user']['id'])) ? $_SESSION['RABC_user']['user']['id'] : null ;
+ if (!$user_id) {
+ return false;
+ }
+ $api = new self();
+ $api->log_user($user_id, $_REQUEST);
+ }
+
+ public static function ValidateDeviceID($device_id) {
+ # @TODO: Implementation
+ return true;
+ }
+
+ public static function ValidateAPIVersion($api_version) {
+ # @TODO: Implementation
+ return true;
+ }
+
+ public function log_user($user_id, $request) {
+
+ try {
+ if (!$user_id) return false;
+
+ # @TODO: Validators
+ $api_version = (isset($request[self::API_VERSION_KEY])) ? $request[self::API_VERSION_KEY] : '1.0.0' ;
+ if (!self::ValidateAPIVersion($api_version)) {
+ return false;
+ }
+
+ $device_id = (isset($request[self::DEVICE_ID_KEY])) ? $request[self::DEVICE_ID_KEY] : $_SERVER['HTTP_USER_AGENT'];
+ if (!self::ValidateDeviceID($device_id)) {
+ return false;
+ }
+
+ $pre = $this->pdo->prepare("SELECT usage_count FROM `api_usage` WHERE `api_version`=? AND `user_id`=? AND `device_id`=?");
+ $pre->execute(array($api_version, $user_id, $device_id));
+ $usage_count = $pre->fetch();
+ $usage_count = (($usage_count) ? (int) $usage_count['usage_count'] : 0 )+1;
+
+ if (1 == $usage_count) {
+ $this->insert(
+ array(
+ 'api_version' => $api_version,
+ 'device_id' => $device_id,
+ 'user_id' => $user_id,
+ 'ip' => Net::getIP(),
+ 'usage_count' => 1,
+ )
+ );
+ }
+ else {
+ $this->update(
+ array(
+ 'api_version' => $api_version,
+ 'device_id' => $device_id,
+ 'user_id' => $user_id,
+ 'ip' => Net::getIP(),
+ 'usage_count' => $usage_count,
+ ),
+ array(
+ 'api_version' => $api_version,
+ 'device_id' => $device_id,
+ 'user_id' => $user_id,
+ )
+ );
+ }
+
+ } catch (PDOException $e) {
+ Log::error($e->getMessage());
+ return false;
+ }
+ }
+}
+
+?>
\ No newline at end of file
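Review bot: `Api::log()` nests ternaries without parentheses, and PHP groups them left to right, so `(Filter::int($user_id, true)) ? $user_id : (isset(...)) ? $_SESSION[...] : null` evaluates to the session user id whenever either condition holds and the explicit `$user_id` argument is never returned. Replace it with `if (!Filter::int($user_id, true)) { $user_id = isset($_SESSION['RABC_user']['user']['id']) ? $_SESSION['RABC_user']['user']['id'] : null; }`. In `log_user()` the SELECT followed by INSERT or UPDATE is not atomic, so two concurrent requests can read the same count, and `$_SERVER['HTTP_USER_AGENT']` is read without `isset`; an `INSERT ... ON DUPLICATE KEY UPDATE usage_count = usage_count + 1` would do the work in one statement. `ValidateDeviceID` and `ValidateAPIVersion` return `true` unconditionally, so the request-supplied `device_id` is stored with nothing but the column's `varchar(256)` bounding it; a length check is the minimum until the TODOs are filled in.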
diff --git a/model/forum.php b/model/forum.php
index fa97179..b148958 100644
--- a/model/forum.php
+++ b/model/forum.php
@@ -335,7 +335,7 @@ class Forum extends Model {
}
try {
- $sth = $this->pdo->prepare("
+ $sql = "
SELECT
SQL_CALC_FOUND_ROWS cft.*, cfp.post, u.`first_name` as username, u.last_name, uc.level, cfp_last.last_post_created, cfp_last.last_post_user_id, u.client
FROM `community_forum_threads` cft
@@ -351,8 +351,9 @@ class Forum extends Model {
WHERE " . implode(' AND ', $where) . "
GROUP BY cft.id
ORDER BY cfp_last.last_post_created DESC, cft.`created` DESC
- LIMIT " . $pagination['limit'] . "
- ");
+ " . ((ArrayHelper::getKey($pagination, 'limit')) ? 'LIMIT ' . $pagination['limit'] : '') . "
+ ";
+ $sth = $this->pdo->prepare($sql);
$sth->execute($execute);
return array(
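Review bot: `$pagination['limit']` is still concatenated into the SQL rather than bound, and it is safe only as long as it comes from `Model::pagination()`, which builds it from `Filter::int()` results; nothing in this hunk enforces that. Add a comment above the `$sql` assignment: `// 'limit' must come from Model::pagination() (built from Filter::int values); never pass request data here`. The enclosing method starts before the hunk.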
@@ -406,7 +407,6 @@ class Forum extends Model {
$where[] = '(cfp.`post` LIKE \'%' . $filter['word'] . '%\')';
}
-
$posts = array(
'rows' => $this->getAllBy($where, array(
'order' => array('created ASC'),
diff --git a/model/nutrition.php b/model/nutrition.php
index b718c90..4295fd1 100644
--- a/model/nutrition.php
+++ b/model/nutrition.php
@@ -886,7 +886,7 @@ class Nutrition extends Model {
'nutrition_recipes_mealtypes_codes nrmc' => array('nr.id' => 'nrmc.recipe_id'),
);
if (isset($filter['allergies']) && count($filter['allergies']) > 0) {
- $joins['nutrition_recipes_allergies nra'] = array('nr.id' => 'nra.recipe_id', 'nra.`allergy_id` IN (' . implode(', ', $filter['allergies']) . ')');
+ $joins['nutrition_recipes_allergies nra'] = array('nr.id' => 'nra.recipe_id', 'nra.`allergy_id` IN (' . Sanitization::MYSQLsanitizeArray($filter['allergies'], $this->pdo, true) . ')');
$group_by = 'nr.id';
$where[] = '`allergy_id` IS NULL';
}
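Review bot: The allergy ids are now run through `MYSQLsanitizeArray($filter['allergies'], $this->pdo, true)`, which quotes each value with `$pdo->quote()` and joins them with the helper's reversed-argument `implode`, emitting a list of quoted strings into an `IN()` on what is presumably an integer column. Since the ids are integers, `implode(', ', array_map('intval', $filter['allergies']))` (or a placeholder list bound through `execute`) expresses the constraint directly and does not depend on that helper. The next three hunks in this file apply the same pattern, and only the third guards with `is_array($filter['allergies'])` before calling `count()`; the others should too.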
@@ -904,7 +904,7 @@ class Nutrition extends Model {
$joins = "";
if (isset($filter['allergies']) && count($filter['allergies']) > 0) {
- $joins = "LEFT JOIN `nutrition_recipes_allergies` nra ON nra.`recipe_id` = nr.`id` AND nra.`allergy_id` IN (" . implode(', ', $filter['allergies']) . ")";
+ $joins = "LEFT JOIN `nutrition_recipes_allergies` nra ON nra.`recipe_id` = nr.`id` AND nra.`allergy_id` IN (" . Sanitization::MYSQLsanitizeArray($filter['allergies'], $this->pdo, true) . ")";
$group_by = 'GROUP BY nr.`id`';
$where = 'AND `allergy_id` IS NULL';
}
@@ -954,7 +954,7 @@ class Nutrition extends Model {
);
// If allergies, JOIN all recipes that have the same allergy. Only return if no join could be made
if (isset($filter['allergies']) && is_array($filter['allergies']) && count($filter['allergies']) > 0) {
- $joins['nutrition_recipes_allergies nra'] = array('nra.recipe_id' => 'nrmc.recipe_id', 'nra.`allergy_id` IN (' . implode(', ', $filter['allergies']) . ')');
+ $joins['nutrition_recipes_allergies nra'] = array('nra.recipe_id' => 'nrmc.recipe_id', 'nra.`allergy_id` IN (' . Sanitization::MYSQLsanitizeArray($filter['allergies'], $this->pdo, true) . ')');
$group_by = 'nr.id, mealtype_id';
$where[] = '`allergy_id` IS NULL';
}
@@ -984,7 +984,7 @@ class Nutrition extends Model {
// If allergies, JOIN all recipes that have the same allergy. Only return if no join could be made
if (isset($filter['allergies']) && count($filter['allergies']) > 0) {
- $joins['nutrition_nutrients_products_allergies nnpa'] = array('nnpa.product_id' => 'nnpc.product_id', 'nnpa.`allergy_id` IN (' . implode(', ', $filter['allergies']) . ')');
+ $joins['nutrition_nutrients_products_allergies nnpa'] = array('nnpa.product_id' => 'nnpc.product_id', 'nnpa.`allergy_id` IN (' . Sanitization::MYSQLsanitizeArray($filter['allergies'], $this->pdo, true) . ')');
$group_by = 'nnp.id';
$where[] = '`allergy_id` IS NULL';
}
@@ -1038,7 +1038,7 @@ class Nutrition extends Model {
), 'nutrition_nutrients_products_codes nnpc');
if(
- !$fruit || count($fruit == 0) ||
+ !$fruits || count($fruits == 0) ||
!$recipes || count($recipes == 0) ||
!$supplements || count($supplements == 0)
) {
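Review bot: `count($fruits == 0)` counts the boolean result of the comparison rather than the array, and the two context lines below do the same for `$recipes` and `$supplements`; the intended test is `count($fruits) == 0`, and since `!$fruits` already covers an empty array, `!$fruits || !$recipes || !$supplements` is enough. The commit corrects the variable name but leaves the misplaced parenthesis on all three lines.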
diff --git a/view/articles/admin/edit.php b/view/articles/admin/edit.php
index 8794268..c094d21 100644
--- a/view/articles/admin/edit.php
+++ b/view/articles/admin/edit.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Type artikel</legend>
diff --git a/view/articles/admin/index.php b/view/articles/admin/index.php
index a410100..691cdeb 100644
--- a/view/articles/admin/index.php
+++ b/view/articles/admin/index.php
@@ -8,6 +8,7 @@
?><button type="button" style="float: right;" class="btn btn-large btn-success" onclick="window.location='<?= ROOT_URL ?>admin/articles/edit';"><i class="icon-plus icon-white"></i> Artikel toevoegen</button>
</div>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/behavior/admin/edit_habit.php b/view/behavior/admin/edit_habit.php
index 1d9b6e0..b09884d 100644
--- a/view/behavior/admin/edit_habit.php
+++ b/view/behavior/admin/edit_habit.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+<?=CSRFProtection::hiddenInput(); ?>
<div class="well filter">
<fieldset class="vertical">
<legend>Code</legend>
diff --git a/view/behavior/admin/edit_lesson.php b/view/behavior/admin/edit_lesson.php
index 26ec2f4..21ae142 100644
--- a/view/behavior/admin/edit_lesson.php
+++ b/view/behavior/admin/edit_lesson.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="well filter">
<fieldset class="vertical">
<legend>Code</legend>
diff --git a/view/behavior/admin/index.php b/view/behavior/admin/index.php
index 302aacc..78e440f 100644
--- a/view/behavior/admin/index.php
+++ b/view/behavior/admin/index.php
@@ -140,6 +140,7 @@ if($may_edit) {
}
if (isset($pagination)) { ?>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/behavior/lesson.php b/view/behavior/lesson.php
index 1be8d79..4c32927 100644
--- a/view/behavior/lesson.php
+++ b/view/behavior/lesson.php
@@ -33,6 +33,7 @@ echo preg_replace($pattern, $replacement, $lessons[$lesson_num]['descr']);
<h3>Jouw challenge</h3>
<p>Bevat deze les een challenge die je wilt delen met je coach?</p>
<form method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<textarea name="data[challenge]" style="width: 100%; height: 130px; padding: 5px;"><?= $optional_progress['challenge'] ?></textarea>
<button type="button" id="image_button" class="btn add_photo_button" style="margin-top: 5px;">Plaats er een foto bij &gt;</button>
<div id="image_uploader_container"></div>
diff --git a/view/elements/community_add_post.php b/view/elements/community_add_post.php
index 5b13a35..76ccb14 100644
--- a/view/elements/community_add_post.php
+++ b/view/elements/community_add_post.php
@@ -1,4 +1,5 @@
<form method="post" id="add-post-form" action="<?= ROOT_URL ?>forum/add_post/<?= $post['thread_id'] ?>" class="form-horizontal" role="form" enctype="multipart/form-data">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="block">
<div class="forum_add">
<fieldset>
diff --git a/view/elements/header.php b/view/elements/header.php
index c2fcec2..41568bd 100644
--- a/view/elements/header.php
+++ b/view/elements/header.php
@@ -75,7 +75,8 @@ if (!isset($extendable)) {
<a id="login-dropdown-toggle" class="dropdown-toggle">Inloggen</a>
<div id="login-dropdown" class="dropdown-menu" role="menu">
<form name="loginform" id="loginform" method="post" action="<?= ROOT_URL ?>login">
- <input placeholder="E-mailadres" type="text" value="" name="data[username]" />
+ <?=CSRFProtection::hiddenInput(); ?>
+ <input placeholder="E-mailadres" autocomplete="off" type="text" value="" name="data[username]" />
<input placeholder="Wachtwoord" type="password" value="" name="data[password]" />
<div class="clearfix">
<input id="cookie" type="checkbox" value="" name="data[remember_me]" /><label for="cookie">Onthoud mij</label>
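Review bot: `autocomplete="off"` on the username field is ignored for login fields by current browsers and in practice only interferes with password managers; the hint that actually helps is the semantic token, `<input placeholder="E-mailadres" autocomplete="username" type="text" value="" name="data[username]" />`, paired with `autocomplete="current-password"` on the password input on the next line. Whether `type="email"` is appropriate depends on whether non-email usernames exist, which the diff does not show. The CSRF hidden input itself is placed consistently with the other forms in this commit.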
diff --git a/view/elements/nutrition_input_calories.php b/view/elements/nutrition_input_calories.php
index aeeedf7..d25b2fc 100644
--- a/view/elements/nutrition_input_calories.php
+++ b/view/elements/nutrition_input_calories.php
@@ -1,6 +1,7 @@
<div class="block">
<h3>Gegeten product invoeren</h3>
<form method="post" id="find-products" action="<?= HTTPS_ROOT_URL ?>nutrition/search_nutrients" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="form-group">
<input class="form-control" type="text" placeholder="Product of PBP-recept" name="data[search]"/>
</div>
diff --git a/view/elements/nutrition_input_meals.php b/view/elements/nutrition_input_meals.php
index b8a2dfc..665602c 100644
--- a/view/elements/nutrition_input_meals.php
+++ b/view/elements/nutrition_input_meals.php
@@ -31,6 +31,7 @@
<div class="block">
<div><h3>Mijn dagmenu</h3></div>
<form id="meal_progress_form" method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<ul id="meal_progress_list"></ul>
<?php
if ($day['n'] == 0) {
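Review bot: Several of the forms receiving the hidden token look as if they are submitted by script rather than by a native form post — here `meal_progress_form` wraps only an empty `<ul>` that is evidently filled client-side, and the same applies to `nevo-form` in view/nevo/admin/nevo_import.php and view/nevo/admin/without_variants.php (the only visible trigger is an `<a id="nevo-save">`), to `message_form` in view/subscriptions/dashboard.php (its text input has no `name`), and to `new_mail` in view/subscriptions/admin/view.php. A hidden input only protects those endpoints if the JavaScript that builds the request serializes the form or copies the token field into its payload; that code is outside this diff, so each handler is worth confirming, as is whether the server side rejects a POST that lacks the token. A short comment beside the token, e.g. `<?php /* token must also be sent by the JS submit handler */ ?>`, would keep this from regressing silently.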
diff --git a/view/elements/nutrition_mealsuggestions.php b/view/elements/nutrition_mealsuggestions.php
index d33ac2c..f62ffe2 100644
--- a/view/elements/nutrition_mealsuggestions.php
+++ b/view/elements/nutrition_mealsuggestions.php
@@ -4,6 +4,7 @@
<?php
$n = 0;
$day = '';
+ if (is_array($suggestion_days)) {
foreach ($suggestion_days as $suggestion_day) {
if($day != $suggestion_day['day']) {
$day = $suggestion_day['day'];
@@ -11,9 +12,9 @@
$n = 0;
}
$n ++;
-
echo '<li><a href="' . ROOT_URL . 'nutrition/mealsuggestions/'.$suggestion_day['day_n'].'">' . ($suggestion_day['day'] == 'normal' ? 'Dag '.$n : 'Trainingsdag '.$n) . '</a><span class="info">' . $suggestion_day['meals'] . ' maaltijden</span></li>';
}
+ }
?>
</ul>
</div>
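Review bot: The new `is_array($suggestion_days)` guard still raises an undefined-variable notice when the view is rendered without the variable at all; the equivalent guard added to view/nutrition/my_recipe_view.php in this same commit uses `isset($rows) && is_array($rows)`, so this one should match: `if (isset($suggestion_days) && is_array($suggestion_days)) {`. The `foreach` body was not re-indented under the new block, which makes the extra nesting easy to miss when reading the template; the blank-line removal is fine.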
diff --git a/view/faq/admin/edit_category.php b/view/faq/admin/edit_category.php
index 0ba08bf..b8c5100 100644
--- a/view/faq/admin/edit_category.php
+++ b/view/faq/admin/edit_category.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Category</legend>
diff --git a/view/faq/admin/edit_question.php b/view/faq/admin/edit_question.php
index e99afc6..f6f7042 100644
--- a/view/faq/admin/edit_question.php
+++ b/view/faq/admin/edit_question.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>FAQ</legend>
diff --git a/view/faq/admin/index.php b/view/faq/admin/index.php
index a6fae4c..34742a2 100644
--- a/view/faq/admin/index.php
+++ b/view/faq/admin/index.php
@@ -3,6 +3,7 @@
<a href="<?= ROOT_URL ?>admin/faq/edit_category" class="btn btn-large">Nieuwe category</a>
</div>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/faq/admin/index_category.php b/view/faq/admin/index_category.php
index 9178e9f..7702f91 100644
--- a/view/faq/admin/index_category.php
+++ b/view/faq/admin/index_category.php
@@ -2,6 +2,7 @@
<a href="<?= ROOT_URL ?>admin/faq/edit_question" class="btn btn-large">Nieuwe vraag</a>
</div>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/forum/add_thread.php b/view/forum/add_thread.php
index 68bb331..981541e 100644
--- a/view/forum/add_thread.php
+++ b/view/forum/add_thread.php
@@ -6,6 +6,7 @@
<?php Loader::element('breadcrums', compact('breadcrums')); ?>
<div class="content_left">
<form method="post" id="edit_form" class="form-horizontal" role="form" enctype="multipart/form-data">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="block">
<div class="forum_add">
<fieldset>
diff --git a/view/forum/admin/edit_category.php b/view/forum/admin/edit_category.php
index 2410332..da80614 100644
--- a/view/forum/admin/edit_category.php
+++ b/view/forum/admin/edit_category.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Categorie</legend>
diff --git a/view/forum/admin/edit_post.php b/view/forum/admin/edit_post.php
index aed1e8c..8b62443 100644
--- a/view/forum/admin/edit_post.php
+++ b/view/forum/admin/edit_post.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Bericht</legend>
diff --git a/view/forum/admin/edit_thread.php b/view/forum/admin/edit_thread.php
index 2e9a11c..07ed852 100644
--- a/view/forum/admin/edit_thread.php
+++ b/view/forum/admin/edit_thread.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Onderwerp</legend>
diff --git a/view/forum/admin/index.php b/view/forum/admin/index.php
index 8ae526b..0d870c4 100644
--- a/view/forum/admin/index.php
+++ b/view/forum/admin/index.php
@@ -11,6 +11,7 @@
?>
<form class="form-horizontal" method="POST" enctype="multipart/form-data" id="search_form" action="<?= ROOT_URL ?>admin/forum/search_threads">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset>
<div class="control-group">
<div class="controls" style="margin-left: 0;">
@@ -21,6 +22,7 @@
</form>
</div>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/forum/admin/index_thread.php b/view/forum/admin/index_thread.php
index 841e4b0..49ff7d1 100644
--- a/view/forum/admin/index_thread.php
+++ b/view/forum/admin/index_thread.php
@@ -5,6 +5,7 @@ $show_delete_button = $Auth->isMemberOf(array('administrator'));
<div class="well clearfix">
<h2>Zoeken <span style="font-size: 12px; color: #aaa; font-style: italic;">(Binnen deze topic)</span></h2>
<form class="form-horizontal" method="POST" enctype="multipart/form-data" id="search_form" action="<?= ROOT_URL ?>admin/forum/search_posts">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" name="data[search_thread]" value="<?= $thread['id'] ?>" />
<fieldset>
<div class="control-group">
@@ -66,6 +67,7 @@ $show_delete_button = $Auth->isMemberOf(array('administrator'));
<?php Loader::element('admin/twitter_pagination', array('pagination' => $pagination)); ?>
<?php if ($thread['status']) { ?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form" action="<?=ROOT_URL?>admin/forum/edit_post/<?=$thread['id']?>/0">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Reageer</legend>
diff --git a/view/forum/admin/search_threads.php b/view/forum/admin/search_threads.php
index 96539f5..f331345 100644
--- a/view/forum/admin/search_threads.php
+++ b/view/forum/admin/search_threads.php
@@ -5,6 +5,7 @@ $show_delete_button = $Auth->isMemberOf(array('administrator'));
<div class="well clearfix">
<h2>Zoeken <span style="font-size: 12px; color: #aaa; font-style: italic;"><?= $filter['category_id'] ? '(Binnen deze categorie)' : '(In het gehele forum)' ?></span></h2>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="search_form" action="<?= ROOT_URL ?>admin/forum/search_threads">
+ <?=CSRFProtection::hiddenInput(); ?>
<?php
if ($filter['category_id'] != 0) {
echo '<input type="hidden" name="data[search_category]" value="' . $filter['category_id'] . '" />';
diff --git a/view/forum/index.php b/view/forum/index.php
index 584a4b8..01de9e5 100644
--- a/view/forum/index.php
+++ b/view/forum/index.php
@@ -10,6 +10,7 @@
<div class="block">
<h3><span class="forum_icon"></span>Zoeken (In hele forum)</h3>
<form id="search_forum" method="post" class="form-horizontal" role="form" enctype="multipart/form-data" action="<?= ROOT_URL ?>forum/search_threads">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="control-group">
<div class="controls row">
<div class="col-xs-9">
diff --git a/view/forum/index_category.php b/view/forum/index_category.php
index 6025bf6..6dcb710 100644
--- a/view/forum/index_category.php
+++ b/view/forum/index_category.php
@@ -7,6 +7,7 @@
<div class="block">
<h3><span class="forum_icon"></span>Zoeken in <?= $category['title'] ?></h3>
<form id="search_forum" method="post" class="form-horizontal" role="form" enctype="multipart/form-data" action="<?= ROOT_URL ?>forum/search_threads">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="control-group">
<div class="controls row">
<div class="col-xs-9">
diff --git a/view/forum/index_thread.php b/view/forum/index_thread.php
index 07fe711..58f5e12 100644
--- a/view/forum/index_thread.php
+++ b/view/forum/index_thread.php
@@ -8,6 +8,7 @@
<div class="block">
<h3><span class="forum_icon"></span>Zoeken in <?= $thread['title'] ?></h3>
<form id="search_forum" method="post" class="form-horizontal" role="form" enctype="multipart/form-data" action="<?= ROOT_URL ?>forum/search_posts">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="control-group">
<div class="controls row">
<div class="col-xs-9">
@@ -44,7 +45,7 @@
<td>
<p class="thread_info">' . (
$row['client'] ?
- 'Geplaatst door: <a href="'.ROOT_URL.'forum/view_profile/'.$row['user_id'].'">' . $row['username'] . ' (level ' . $row['level']['title'] . ')</a>' :
+ 'Geplaatst door: <a href="'.ROOT_URL.'forum/view_profile/'.$row['user_id'].'">' . $row['username'] . '</a>' :
'Geplaatst door: <span class="coach">' . $row['username'] . ' ' . $row['last_name'] . '</span>'
) .
' op
diff --git a/view/forum/search_posts.php b/view/forum/search_posts.php
index bfe3cec..9141d9d 100644
--- a/view/forum/search_posts.php
+++ b/view/forum/search_posts.php
@@ -7,6 +7,7 @@
<div class="block">
<h3><span class="forum_icon"></span>Zoeken in <?= $thread['title'] ?></h3>
<form id="search_forum" method="post" class="form-horizontal" role="form" enctype="multipart/form-data" action="<?= ROOT_URL ?>forum/search_posts">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="control-group">
<div class="controls row">
<div class="col-xs-9">
@@ -28,7 +29,7 @@
<table class="table_list forum_thread">
<tbody>
<?php
- if (sizeof($paginated['rows']) > 0) {
+ if (count($paginated['rows']) > 0) {
foreach ($paginated['rows'] as $row) {
$image_path = 'data/user_profile/'.$row['user_id'].'/50.jpg';
echo '
@@ -46,7 +47,7 @@
<td>
<p class="thread_info">' . (
$row['client'] ?
- 'Geplaatst door: <a href="'.ROOT_URL.'forum/view_profile/'.$row['user_id'].'">' . $row['username'] . ' (level ' . $row['level']['title'] . ')</a>' :
+ 'Geplaatst door: <a href="'.ROOT_URL.'forum/view_profile/'.$row['user_id'].'">' . $row['username'] . '</a>' :
'Geplaatst door: <span class="coach">' . $row['username'] . ' ' . $row['last_name'] . '</span>'
) .
' op
diff --git a/view/forum/search_threads.php b/view/forum/search_threads.php
index 7f2565d..f73cb92 100644
--- a/view/forum/search_threads.php
+++ b/view/forum/search_threads.php
@@ -8,6 +8,7 @@
<div class="block">
<h3><span class="forum_icon"></span>Zoeken in <?= $filter['category_id'] ? 'deze categorie' : 'het gehele forum' ?></h3>
<form id="search_forum" method="post" class="form-horizontal" role="form" enctype="multipart/form-data" action="<?= ROOT_URL ?>forum/search_threads">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="control-group">
<div class="controls row">
<div class="col-xs-9">
diff --git a/view/messages/admin/send.php b/view/messages/admin/send.php
index 32d1ed4..e2a64e2 100644
--- a/view/messages/admin/send.php
+++ b/view/messages/admin/send.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="well filter">
<fieldset>
<legend>Berichtopties</legend>
diff --git a/view/messages/admin/send_as_coach.php b/view/messages/admin/send_as_coach.php
index f82c646..6cd5a30 100644
--- a/view/messages/admin/send_as_coach.php
+++ b/view/messages/admin/send_as_coach.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="well filter">
<fieldset>
<legend>Berichtopties</legend>
diff --git a/view/messages/history.php b/view/messages/history.php
index 4977e8c..a350ce6 100644
--- a/view/messages/history.php
+++ b/view/messages/history.php
@@ -30,6 +30,7 @@
<hr />
<h2>Nieuw bericht</h2>
<form id="new_message" method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<textarea style="height: 120px; width: 100%;" name="message_text" id="message_text"></textarea>
<input type="submit" class="btn" value="Verstuur >" />
<br class="clear" />
diff --git a/view/nevo/admin/nevo_import.php b/view/nevo/admin/nevo_import.php
index 0916567..8642b2c 100644
--- a/view/nevo/admin/nevo_import.php
+++ b/view/nevo/admin/nevo_import.php
@@ -2,6 +2,7 @@
<?php if (isset($pagination)) { ?>
<div class="border_table">
<form id="nevo-form" method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<a style="float: right;" id="nevo-save" class="btn btn-large btn-success"><i class="icon-plus icon-white"></i> Koppelingen opslaan</a>
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/nevo/admin/without_variants.php b/view/nevo/admin/without_variants.php
index a845740..b35141b 100644
--- a/view/nevo/admin/without_variants.php
+++ b/view/nevo/admin/without_variants.php
@@ -1,6 +1,7 @@
<?php if (isset($pagination)) { ?>
<div class="border_table">
<form id="nevo-form" method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<a style="float: right;" id="nevo-save" class="btn btn-large btn-success"><i class="icon-plus icon-white"></i> Varianten opslaan</a>
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/nutrition/admin/edit_nutrient.php b/view/nutrition/admin/edit_nutrient.php
index 3e0fa1a..6ccd508 100644
--- a/view/nutrition/admin/edit_nutrient.php
+++ b/view/nutrition/admin/edit_nutrient.php
@@ -1,5 +1,6 @@
<?php Loader::element('admin/breadcrums', compact('breadcrums')); ?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Omschrijving</legend>
diff --git a/view/nutrition/admin/edit_product.php b/view/nutrition/admin/edit_product.php
index cee4928..9f571fc 100644
--- a/view/nutrition/admin/edit_product.php
+++ b/view/nutrition/admin/edit_product.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="well filter" id="code_selection">
<fieldset class="vertical">
<legend>Programma
diff --git a/view/nutrition/admin/edit_recipe.php b/view/nutrition/admin/edit_recipe.php
index a9da799..fbc6d77 100644
--- a/view/nutrition/admin/edit_recipe.php
+++ b/view/nutrition/admin/edit_recipe.php
@@ -15,6 +15,7 @@ if (!isset($recipe)) {
}
?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="well filter" id="code_selection">
<fieldset class="vertical">
<legend>Programma
@@ -185,6 +186,7 @@ if (!isset($recipe)) {
</div>
<div class="modal-body">
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="modal-form">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset>
<div class="control-group">
<label class="control-label">Zoek:</label>
diff --git a/view/nutrition/admin/edit_sub_nutrient.php b/view/nutrition/admin/edit_sub_nutrient.php
index 772f7fd..bc6a386 100644
--- a/view/nutrition/admin/edit_sub_nutrient.php
+++ b/view/nutrition/admin/edit_sub_nutrient.php
@@ -1,5 +1,6 @@
<?php Loader::element('admin/breadcrums', compact('breadcrums')); ?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<?php
diff --git a/view/nutrition/admin/index_nutrients.php b/view/nutrition/admin/index_nutrients.php
index fc92fd2..a08bba9 100644
--- a/view/nutrition/admin/index_nutrients.php
+++ b/view/nutrition/admin/index_nutrients.php
@@ -1,5 +1,6 @@
<?php Loader::element('admin/breadcrums', compact('breadcrums')); ?>
<form class="form-horizontal" method="post" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/nutrition/admin/index_products.php b/view/nutrition/admin/index_products.php
index 0bf3cbc..9cc9fd9 100644
--- a/view/nutrition/admin/index_products.php
+++ b/view/nutrition/admin/index_products.php
@@ -1,5 +1,6 @@
<div class="well filter">
<form class="form-horizontal" method="post" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset>
<legend>Filter nutrient</legend>
<div class="control-group">
diff --git a/view/nutrition/admin/index_sub_nutrients.php b/view/nutrition/admin/index_sub_nutrients.php
index 14fcf9d..38cf04c 100644
--- a/view/nutrition/admin/index_sub_nutrients.php
+++ b/view/nutrition/admin/index_sub_nutrients.php
@@ -3,6 +3,7 @@
<a style="position: absolute; right: 10px; top: 8px;" class="btn btn-large btn-success" href="<?= ROOT_URL ?>admin/nutrition/edit_sub_nutrient/<?= $nutrient['id'] ?>/0"><i class="icon-plus icon-white"></i> Sub-nutri&euml;nt toevoegen</a>
</div>
<form class="form-horizontal" method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/nutrition/admin/view_community_recipe.php b/view/nutrition/admin/view_community_recipe.php
index 87a89e7..fecdb2f 100644
--- a/view/nutrition/admin/view_community_recipe.php
+++ b/view/nutrition/admin/view_community_recipe.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
diff --git a/view/nutrition/mealsuggestions.php b/view/nutrition/mealsuggestions.php
index d780dc3..8533521 100644
--- a/view/nutrition/mealsuggestions.php
+++ b/view/nutrition/mealsuggestions.php
@@ -4,6 +4,7 @@
<div class="content_left">
<div class="block">
<form method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<h3>Maaltijd suggestie</h3>
<p>Op basis van <select name="data[meals_per_day]">
<?php
diff --git a/view/nutrition/mealtype.php b/view/nutrition/mealtype.php
index 35aca39..6440091 100644
--- a/view/nutrition/mealtype.php
+++ b/view/nutrition/mealtype.php
@@ -7,6 +7,7 @@
<div class="block">
<h3><span class="nutrition"></span><?= $mealtype['name'] ?> recepten zoeken</h3>
<form id="search_meals" method="post" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="control-group">
<div class="controls row">
<div class="col-xs-9">
diff --git a/view/nutrition/my_recipe_edit.php b/view/nutrition/my_recipe_edit.php
index 5fd0845..d90b38a 100644
--- a/view/nutrition/my_recipe_edit.php
+++ b/view/nutrition/my_recipe_edit.php
@@ -27,6 +27,7 @@ if (!isset($recipe)) {
<?php Loader::element('breadcrums', compact('breadcrums')); ?>
<div class="content_left" id="my_recipes_edit">
<form method="post" id="edit_form"class="form-horizontal" role="form" enctype="multipart/form-data">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="block">
<div class="edit_block">
<fieldset>
diff --git a/view/nutrition/my_recipe_view.php b/view/nutrition/my_recipe_view.php
index fd7b848..d3f1641 100644
--- a/view/nutrition/my_recipe_view.php
+++ b/view/nutrition/my_recipe_view.php
@@ -183,11 +183,10 @@
<br />
<script type="text/javascript" src="<?= ROOT_URL ?>assets/lib/flot/jquery.flot.js"></script>
<script type="text/javascript" src="<?= ROOT_URL ?>assets/lib/flot/jquery.flot.pie.js"></script>
+<?php if(isset($rows) && is_array($rows)): ?>
<script type="text/javascript">
-
$(document).ready(function () {
var data = [<?php echo implode(',', $rows); ?>];
-
$.plot($("#pie_chart"), data,
{
series: {
@@ -202,6 +201,5 @@
legend: { show: false }
});
});
-
</script>
-
+<?php endif; ?>
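Review bot: The guard is a good addition, but `implode(',', $rows)` still writes the values straight into a `<script>` block, so escaping depends entirely on how `$rows` is assembled outside this view. If the entries are plain numbers or labels, `var data = <?= json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP) ?>;` yields a valid JavaScript array with any recipe-derived text escaped; if they are pre-built JS object literals for flot, the escaping has to happen where those strings are built, and a comment here saying so would help the next reader. The `<?php if ... endif ?>` pair wraps only the inline script, so the two `<script src>` tags above it still load flot on pages that render no chart.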
diff --git a/view/nutrition/search.php b/view/nutrition/search.php
index a68bb2c..740c8d1 100644
--- a/view/nutrition/search.php
+++ b/view/nutrition/search.php
@@ -6,6 +6,7 @@
<div class="block">
<h3><span class="nutrition"></span>Recepten zoeken</h3>
<form id="search_meals" method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="text" name="data[search]" value="<?=$searched_for?>" />
<input type="submit" value="" />
<br class="clear" />
diff --git a/view/nutrition/search_nutrients.php b/view/nutrition/search_nutrients.php
index b4aae2a..b85d937 100644
--- a/view/nutrition/search_nutrients.php
+++ b/view/nutrition/search_nutrients.php
@@ -7,6 +7,7 @@
<div class="block">
<h3>Zoeken</h3>
<form method="post" id="find-products" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="form-group">
<div class="col-md-7">
<input class="form-control" type="text" placeholder="Product of PBP-recept" name="data[search]" value="<?= isset($search) ? $search : '' ?>" />
@@ -22,6 +23,7 @@
<div class="block">
<h3>Handmatig invoeren</h3>
<form method="post" id="add-nutrients" class="form-vertical" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="row">
<div class="form-group col-xs-4">
<label class="control-label">Calori&euml;n</label>
diff --git a/view/pages/admin/edit.php b/view/pages/admin/edit.php
index 8552871..125f502 100644
--- a/view/pages/admin/edit.php
+++ b/view/pages/admin/edit.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Pagina</legend>
diff --git a/view/pages/admin/index.php b/view/pages/admin/index.php
index cb34c21..812a8d1 100644
--- a/view/pages/admin/index.php
+++ b/view/pages/admin/index.php
@@ -1,4 +1,5 @@
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/pages/contact.php b/view/pages/contact.php
index 5fd16a3..e5fdf34 100644
--- a/view/pages/contact.php
+++ b/view/pages/contact.php
@@ -28,6 +28,7 @@
<h4>Contactformulier</h4>
<form method="post" id="contact_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="form-group">
<div class="col-md-6">
<input required="required" class="form-control" type="text" placeholder="Naam" name="data[name]" style="" />
diff --git a/view/payments/admin/payment_overview.php b/view/payments/admin/payment_overview.php
index ece9c42..96a0c97 100644
--- a/view/payments/admin/payment_overview.php
+++ b/view/payments/admin/payment_overview.php
@@ -80,6 +80,7 @@
if (isset($userlist)) {
?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="list_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<table id="list" class="payment_overview table table-striped table-bordered">
<thead>
<tr>
diff --git a/view/payments/admin/payments_per_month.php b/view/payments/admin/payments_per_month.php
index acc51a7..b62d60b 100644
--- a/view/payments/admin/payments_per_month.php
+++ b/view/payments/admin/payments_per_month.php
@@ -105,6 +105,7 @@ if (isset($results)) {
}
?></strong></h2>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="list_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<table id="list" class="payment_overview table table-striped table-bordered">
<thead>
<tr>
diff --git a/view/recovery/admin/edit.php b/view/recovery/admin/edit.php
index 755003d..4d994e3 100644
--- a/view/recovery/admin/edit.php
+++ b/view/recovery/admin/edit.php
@@ -9,6 +9,7 @@ if (!isset($supplement)) {
}
?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Supplementomschrijving</legend>
diff --git a/view/recovery/admin/edit_supplement_hormone.php b/view/recovery/admin/edit_supplement_hormone.php
index 70c74de..ea4baa1 100644
--- a/view/recovery/admin/edit_supplement_hormone.php
+++ b/view/recovery/admin/edit_supplement_hormone.php
@@ -13,6 +13,7 @@ if (!isset($supplement_hormone)) {
}
?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Supplement</legend>
diff --git a/view/recovery/admin/index_hormones.php b/view/recovery/admin/index_hormones.php
index 9cd838a..c11e7df 100644
--- a/view/recovery/admin/index_hormones.php
+++ b/view/recovery/admin/index_hormones.php
@@ -9,6 +9,7 @@ if (!isset($program)) {
?>
<div class="well filter">
<form class="form-horizontal" method="post" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset>
<legend>Selecteer programmatype</legend>
<div class="control-group">
diff --git a/view/results/admin/edit.php b/view/results/admin/edit.php
index 5b16afd..58d18e3 100644
--- a/view/results/admin/edit.php
+++ b/view/results/admin/edit.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Resultaat</legend>
diff --git a/view/results/admin/index.php b/view/results/admin/index.php
index 4375a51..98645b0 100644
--- a/view/results/admin/index.php
+++ b/view/results/admin/index.php
@@ -2,6 +2,7 @@
<button type="button" style="float: right;" class="btn btn-large btn-success" onclick="window.location='<?= ROOT_URL ?>admin/results/edit';"><i class="icon-plus icon-white"></i> Resultaat toevoegen</button>
</div>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/subscriptions/admin/change_code.php b/view/subscriptions/admin/change_code.php
index 2635666..f463b40 100644
--- a/view/subscriptions/admin/change_code.php
+++ b/view/subscriptions/admin/change_code.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Codeselectie</legend>
diff --git a/view/subscriptions/admin/view.php b/view/subscriptions/admin/view.php
index 270c743..f979d96 100644
--- a/view/subscriptions/admin/view.php
+++ b/view/subscriptions/admin/view.php
@@ -692,10 +692,12 @@
</div>
</h2>
<form id="new_message" method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<textarea style="width: 724px; height: 120px; margin-right: 15px;" name="message_text" id="message_text"></textarea><br />
<button class="btn btn-primary" id="send_text_as_message" type="submit" style="float:none" >Verzenden als bericht</button>
</form>
<form id="new_mail" method="post" style="display:none" data-from="<?= $Auth->user['email']; ?>" data-from-name="<?= $Auth->user['first_name']; ?> <?= $Auth->user['last_name']; ?>">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="text" style="width: 724px;" placeholder="Onderwerp" value="Nieuw bericht van uw Personal Body Plan" id="mail_subject" /><br />
<textarea style="width: 724px; height: 120px; margin-right: 15px;" name="mail_text" id="mail_text"></textarea><br />
<button class="btn btn-primary" id="send_text_as_mail" type="submit" style="float:none">Verzenden als e-mail (vanuit: <?= $Auth->user['email']; ?>)</button>
@@ -703,6 +705,7 @@
</div>
<div class="tab-pane tab-comments" id="comments">
<form class="form-horizontal" method="post" id="comments_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset>
<legend>Opmerkingen</legend>
<div class="control-group">
diff --git a/view/subscriptions/dashboard.php b/view/subscriptions/dashboard.php
index 12f1e39..0dea65b 100644
--- a/view/subscriptions/dashboard.php
+++ b/view/subscriptions/dashboard.php
@@ -309,6 +309,7 @@ if ($Auth->user['get_new_subscription']) {
</div>-->
</ul>
<form method="post" id="message_form" name="message_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="text" id="message_text" placeholder="Typ hier je bericht" />
<input type="submit" class="btn" value="Versturen >" />
</form>
diff --git a/view/subscriptions/do_payment.php b/view/subscriptions/do_payment.php
index d48923a..faa2999 100644
--- a/view/subscriptions/do_payment.php
+++ b/view/subscriptions/do_payment.php
@@ -10,6 +10,7 @@ if (isset($error)) {
<div class="content user">
<div class="block subscription_payment">
<form method="post" id="pay_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<h3>Overzicht van betalingen</h3>
<?php
$monthly = 0;
diff --git a/view/subscriptions/get_activity_level.php b/view/subscriptions/get_activity_level.php
index 5eefd5b..c5f7168 100644
--- a/view/subscriptions/get_activity_level.php
+++ b/view/subscriptions/get_activity_level.php
@@ -7,6 +7,7 @@
<p>Lorem ipsum dolor sit amet. Deze vragenlijst gebruiken we om te bepalen wat je activiteitsniveau is. Vul deze eerlijk om een goed voedingsadvies te krijgen.</p>
<p>Een aantal van deze vragen heb je in de intake al ingevuld, maar over tijd kunnen deze punten wijzigen. Na iedere meting gaan we deze lijst opnieuw invullen.</p>
<form method="post" name="pal_form" id="pal_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<?php
if ($birthdate == NULL) {
?>
diff --git a/view/subscriptions/get_measurements.php b/view/subscriptions/get_measurements.php
index c231753..afd1058 100644
--- a/view/subscriptions/get_measurements.php
+++ b/view/subscriptions/get_measurements.php
@@ -8,6 +8,7 @@
</p>
<?php } else { */ ?>
<form method="post" id="measure_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div id="measurement_photos" class="content_bg">
<div class="block">
<p>Meten is weten! Elke vier weken vragen we jou om je maten door te geven
diff --git a/view/subscriptions/get_subscription.php b/view/subscriptions/get_subscription.php
index 6444782..0d3016f 100644
--- a/view/subscriptions/get_subscription.php
+++ b/view/subscriptions/get_subscription.php
@@ -49,6 +49,7 @@ $total_discount_community = number_format($discount_community, 2, ',', '');
<div class="block">
<h3>Maak nu je keuze!</h3>
<form method="post" id="subscription_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<table class="subscription_payment get_subscription">
<thead>
<tr>
diff --git a/view/subscriptions/intake.php b/view/subscriptions/intake.php
index c6ea48e..a232e95 100644
--- a/view/subscriptions/intake.php
+++ b/view/subscriptions/intake.php
@@ -297,6 +297,7 @@
</form>
</div>
<form id="intake_submit" method="post" action="<?= ROOT_URL ?>subscriptions/intake">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" value="" name="data[choices]" />
</form>
<script type="text/javascript" src="<?= ROOT_URL ?>assets/js/ai/jquery.validate.js"></script>
diff --git a/view/subscriptions/week_plan.php b/view/subscriptions/week_plan.php
index 19f864f..b6bcb4c 100644
--- a/view/subscriptions/week_plan.php
+++ b/view/subscriptions/week_plan.php
@@ -12,6 +12,7 @@
<h2>Schema</h2>
<p>Planning is van essentieel belang binnen Personal Body Plan. Je kan hier je week inplannen. Zorg er voor dat er 1 dag tussen je trainingsdagen zit.</p>
<form method="post">
+ <?=CSRFProtection::hiddenInput(); ?>
<?php
function dayToLi($day, $type, $active = true) {
diff --git a/view/team/admin/edit.php b/view/team/admin/edit.php
index 19514a5..a8f1c1c 100644
--- a/view/team/admin/edit.php
+++ b/view/team/admin/edit.php
@@ -12,6 +12,7 @@ if (!isset($member)) {
}
?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Teamlid</legend>
diff --git a/view/team/admin/index.php b/view/team/admin/index.php
index 542eefe..d995f2a 100644
--- a/view/team/admin/index.php
+++ b/view/team/admin/index.php
@@ -1,5 +1,6 @@
<button type="button" style="float: right;" class="btn btn-large btn-success" onclick="window.location='<?= ROOT_URL ?>admin/team/edit';"><i class="icon-plus icon-white"></i> Teamlid toevoegen</button>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/training/admin/availability.php b/view/training/admin/availability.php
index 916aa20..7d1dd1b 100644
--- a/view/training/admin/availability.php
+++ b/view/training/admin/availability.php
@@ -1,5 +1,6 @@
<div class="well filter">
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="filter_code_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset class="vertical" id="filter_code">
<legend>Code </legend>
<div id="code_selected">
diff --git a/view/training/admin/edit_description.php b/view/training/admin/edit_description.php
index 62e2dbd..4ed9ed4 100644
--- a/view/training/admin/edit_description.php
+++ b/view/training/admin/edit_description.php
@@ -16,6 +16,7 @@ if (!isset($item)) {
}
?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend><?=$type_to_nice[$type]?></legend>
diff --git a/view/training/admin/edit_exercise.php b/view/training/admin/edit_exercise.php
index 84bdc3e..032b163 100644
--- a/view/training/admin/edit_exercise.php
+++ b/view/training/admin/edit_exercise.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Algemeen</legend>
diff --git a/view/training/admin/edit_schedule.php b/view/training/admin/edit_schedule.php
index 7b31025..5d594ac 100644
--- a/view/training/admin/edit_schedule.php
+++ b/view/training/admin/edit_schedule.php
@@ -7,6 +7,7 @@
}
</style>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" name="data[days]" value="" />
<input type="hidden" name="data[weeks]" value="" />
diff --git a/view/training/admin/index_descriptions.php b/view/training/admin/index_descriptions.php
index 3f48170..b9d87de 100644
--- a/view/training/admin/index_descriptions.php
+++ b/view/training/admin/index_descriptions.php
@@ -12,6 +12,7 @@
</div>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/training/admin/index_exercises.php b/view/training/admin/index_exercises.php
index 26481f1..8face0e 100644
--- a/view/training/admin/index_exercises.php
+++ b/view/training/admin/index_exercises.php
@@ -4,6 +4,7 @@
</div>
<form method="post" id="order_table">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="border_table">
<div class="clear"></div>
<table class="table table-striped table_hover">
diff --git a/view/users/_interested.php b/view/users/_interested.php
index 40d85ae..869c465 100644
--- a/view/users/_interested.php
+++ b/view/users/_interested.php
@@ -40,6 +40,7 @@
<span class="subtitle">Zet nu de eerste stap naar jouw gewenste eindresultaat!</span>
</div>
<form id="presale_form" method="POST">
+ <?=CSRFProtection::hiddenInput(); ?>
<p>Indien je geïnteresseerd bent in Personal Body Plan raden wij je ten zeerste aan om je nu alvast aan te melden. De voorgaande groepen waren namelijk binnen enkele uren uitverkocht. Lees hieronder hoe jij jezelf kan aanmelden.</p>
<h3>Optie 1: Ik meld me gratis aan voor de wachtlijst</h3>
<p>Je plaats op de wachtlijst geeft jou het recht om je 24 uur eerder in te schrijven dan het algemene publiek. Let op: de inschrijving gaat alleen open als de groep nog niet vol zit vanuit de deelnemers op de Pre-Sale list. Wil je verzekerd zijn van een plaats? Meld je dan aan voor optie 2.</p>
diff --git a/view/users/_interested_prepay.php b/view/users/_interested_prepay.php
index 5be3a39..c14f08f 100644
--- a/view/users/_interested_prepay.php
+++ b/view/users/_interested_prepay.php
@@ -6,6 +6,7 @@
<div class="block">
<div class="block subscription_payment">
<form method="post" id="pay_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<p>Je staat op de wachtlijst! Rond je voorinschrijving af met een aanbetaling van &euro;14,95.</p>
<br />
<div style="position: relative; width: 723px; margin-left: 66px;">
diff --git a/view/users/admin/edit_coach.php b/view/users/admin/edit_coach.php
index 976f5e2..3aecd1f 100644
--- a/view/users/admin/edit_coach.php
+++ b/view/users/admin/edit_coach.php
@@ -12,6 +12,7 @@ if (!isset($coach)) {
}
?>
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<legend>Accountgegevens</legend>
diff --git a/view/users/admin/enormail_export.php b/view/users/admin/enormail_export.php
index cd45a4e..892895a 100644
--- a/view/users/admin/enormail_export.php
+++ b/view/users/admin/enormail_export.php
@@ -1,5 +1,6 @@
<div class="well filter clearfix">
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset>
<legend>Selectie </legend>
<br class="clear" />
diff --git a/view/users/admin/login.php b/view/users/admin/login.php
index de8fc1c..b7c84d3 100644
--- a/view/users/admin/login.php
+++ b/view/users/admin/login.php
@@ -1,10 +1,11 @@
<div class="login">
<form class="form-horizontal" method="post" action="<?= HTTPS_ROOT_URL ?>admin/users/login">
+ <?=CSRFProtection::hiddenInput(); ?>
<fieldset>
<div class="control-group">
<label class="control-label" for="input01">Gebruikersnaam</label>
<div class="controls">
- <input required="required" type="text" name="data[username]" class="input-xlarge" id="input01">
+ <input required="required" autocomplete="off" type="text" name="data[username]" class="input-xlarge" id="input01">
</div>
</div>
<div class="control-group">
diff --git a/view/users/admin/set_coach.php b/view/users/admin/set_coach.php
index 73cc5fd..12b0d91 100644
--- a/view/users/admin/set_coach.php
+++ b/view/users/admin/set_coach.php
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" enctype="multipart/form-data" id="edit_form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="edit_block">
<fieldset>
<div class="control-group">
diff --git a/view/users/change_password.php b/view/users/change_password.php
index 69ea5a4..6de7f69 100644
--- a/view/users/change_password.php
+++ b/view/users/change_password.php
@@ -12,6 +12,7 @@
</div>
<div class="col-md-4 col-md-offset-4">
<form method="post" id="forgot_password" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="form-group">
<input required="required" class="form-control" type="text" placeholder="Code" name="data[Reset][code]" />
</div>
diff --git a/view/users/edit.php b/view/users/edit.php
index 97a7bdb..64a827b 100644
--- a/view/users/edit.php
+++ b/view/users/edit.php
@@ -25,6 +25,7 @@ if (isset($results)) {
<div class="block user_data">
<div class="row">
<form method="post" name="edit_user_form" id="edit_user_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" value="edit_user" name="data[form]" />
<legend>Gebruikersgegevens</legend>
<div class="form-group">
@@ -104,6 +105,7 @@ if (isset($results)) {
</div>
<div class="row">
<form method="post" name="edit_prefs_form" id="edit_prefs_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" value="edit_prefs" name="data[form]" />
<?php
if (!isset($user['instruction_gender'])) {
@@ -194,6 +196,7 @@ if (isset($results)) {
<div class="row">
<form method="post" name="edit_community_form" id="edit_community_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" value="edit_community" name="data[form]" />
<legend>Communityprofiel</legend>
<div class="form-group">
@@ -226,6 +229,7 @@ if (isset($results)) {
<div class="row">
<form method="post" name="edit_subscription_form" id="edit_subscription_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" value="edit_subscription" name="data[form]" />
<legend>Abonnementsgegevens</legend>
<div class="form-group">
diff --git a/view/users/first_subscription.php b/view/users/first_subscription.php
index 10c443e..a3169e1 100644
--- a/view/users/first_subscription.php
+++ b/view/users/first_subscription.php
@@ -13,6 +13,7 @@
</div>
<div class="col-md-8 col-md-offset-2">
<form method="post" id="subscription_form" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="form-group">
<label class="col-sm-4 control-label">Naam * </label>
diff --git a/view/users/forgot_password.php b/view/users/forgot_password.php
index ddc661e..b7090e4 100644
--- a/view/users/forgot_password.php
+++ b/view/users/forgot_password.php
@@ -8,9 +8,10 @@
</div>
<div class="container header-block">
<div class="col-md-4 col-md-offset-4">
+ <?=CSRFProtection::hiddenInput(); ?>
<form method="post" id="forgot_password" class="form-horizontal" role="form">
<div class="form-group">
- <input required="required" class="form-control" type="email" placeholder="E-mailadres" name="data[Forgot][email]" />
+ <input autocomplete="off" required="required" class="form-control" type="email" placeholder="E-mailadres" name="data[Forgot][email]" />
</div>
<div class="form-group">
<button type="submit" class="btn" style="float: right;">Verzenden</button>
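Review bot: The CSRF field is emitted outside the `<form>` element in this hunk — `<?=CSRFProtection::hiddenInput(); ?>` sits between the `col-md-4` div and `<form method="post" id="forgot_password" ...>` — so it is not part of the submitted form data and the forgot-password post will carry no token. Every other hunk in this change places the call as the first child of the form; move the line one position down so that it follows the `<form ...>` tag, as in `<form method="post" id="forgot_password" class="form-horizontal" role="form">` / `<?=CSRFProtection::hiddenInput(); ?>`. Whether the server enforces the token on this route is not visible here, but if it does, this form is broken as committed.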
diff --git a/view/users/intake.php b/view/users/intake.php
index 7fd7f07..39ad864 100644
--- a/view/users/intake.php
+++ b/view/users/intake.php
@@ -481,6 +481,7 @@
</form>
</div>
<form id="intake_submit" method="post" action="<?= ROOT_URL ?>users/submit_intake">
+ <?=CSRFProtection::hiddenInput(); ?>
<input type="hidden" value="" name="data[choices]" />
</form>
<script type="text/javascript" src="<?= ROOT_URL ?>assets/js/ai/jquery.validate.js"></script>
diff --git a/view/users/login.php b/view/users/login.php
index 054df81..e9746fc 100644
--- a/view/users/login.php
+++ b/view/users/login.php
@@ -12,8 +12,9 @@
</div>
<div class="col-md-4 col-md-offset-4">
<form method="post" id="forgot_password" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="form-group">
- <input required="required" type="email" class="form-control" placeholder="E-mailadres" name="data[username]" />
+ <input required="required" autocomplete="off" type="email" class="form-control" placeholder="E-mailadres" name="data[username]" />
</div>
<div class="form-group">
<input required="required" type="password" class="form-control" placeholder="Wachtwoord" name="data[password]" />
diff --git a/view/users/register.php b/view/users/register.php
index c5d0821..6cf4c58 100644
--- a/view/users/register.php
+++ b/view/users/register.php
@@ -21,6 +21,7 @@
</div>
<div class="col-md-6 col-md-offset-3">
<form method="post" id="register_form" action="<?= HTTPS_ROOT_URL ?>registreer" class="form-horizontal" role="form">
+ <?=CSRFProtection::hiddenInput(); ?>
<div class="form-group">
<div class="row">
<div class="col-md-6 first-name-col">
diff --git a/www/index.php b/www/index.php
index 2ec096a..56d94fe 100644
--- a/www/index.php
+++ b/www/index.php
@@ -9,7 +9,7 @@ if (DEBUG) {
error_reporting(E_ALL);
ini_set('display_errors', 'On');
} else {
- error_reporting(E_ALL);
+ error_reporting(0);
ini_set('display_errors', 'Off');
}
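Review bot: `error_reporting(0)` in the non-debug branch disables error reporting entirely, so errors are no longer written to the PHP error log either — the goal here is presumably only to stop them being displayed, which the next line `ini_set('display_errors', 'Off');` already achieves. Losing the log removes the main signal for diagnosing production faults and for spotting probing or exploitation attempts that surface as warnings and fatals. Keep reporting on and suppress display only: `error_reporting(E_ALL);` / `ini_set('display_errors', 'Off');` / `ini_set('log_errors', 'On');`.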
@@ -21,6 +21,7 @@ require_once(DOCUMENT_ROOT . 'core/Controller.class.php');
require_once(DOCUMENT_ROOT . 'core/Model.class.php');
require_once(DOCUMENT_ROOT . 'core/AuthController.class.php');
require_once(DOCUMENT_ROOT . 'config/SiteController.class.php');
+require_once(DOCUMENT_ROOT . 'lib/ai/CSRFProtection.class.php');
// session config
session_set_cookie_params(0);
@@ -109,13 +110,21 @@ if (!method_exists($controllerObj, $controllerAction))
$controllerObj->methodRequest = $controllerAction;
$controllerObj->before();
-// Call method in controller
+$r = new ReflectionMethod($controllerClass, $controllerAction);
+$req_params_number = $r->getNumberOfRequiredParameters();
+foreach ($route['args'] as $k => $value) {
+ if (!$value) {
+ unset($route['args'][$k]);
+ }
+}
+if ($req_params_number > count($route['args'])) {
+ Error::redirect(404);
+}
call_user_func_array(array($controllerObj, $controllerAction), $route['args']);
+
// Check if the call is an AJAX call
if ($controllerObj->isAjaxCall) {
- //Log::error(session_id().' :: AJAXCALL ', true, false);
- //if(!DEBUG && !(Net::isFlash() || Net::isAjax() || Net::isAPICall())) {
if (!DEBUG && !(Net::isFlash() || Net::isAjax() || Net::isAPICall())) {
die(json_encode(array('error' => 'forbidden', 'error_code' => '403')));
} else {
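Review bot: The argument-cleaning loop `if (!$value) { unset($route['args'][$k]); }` uses truthiness, so a legitimate route argument of `"0"` (an id, page or index of zero) is discarded along with empty segments, which silently shifts the remaining positional arguments and can trip the 404 check for a valid URL. Test for the empty cases explicitly: `if ($value === '' || $value === null) {`. The required-parameter check is a good addition, but it only guards the lower bound; extra segments are still passed through to the action, which PHP ignores for plain parameters, so that is acceptable. `$controllerClass` and `Error::redirect()` are defined outside this hunk; if `Error::redirect(404)` does not terminate the request, the `call_user_func_array` call below still runs with too few arguments, so that behaviour is worth confirming.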
diff --git a/www/tmp/.gitkeep b/www/tmp/.gitkeep
new file mode 100644
index 0000000..e69de29