infacq · January 13, 2014 04:01
diff --git a/form.php b/form.php
 <?php

 require dirname(__FILE__) . '/functions.php';

 $module   = md5('MODULE_NAME');
 $page_url = sanitize($_SERVER['PHP_SELF']);

 if (isset($_POST['firstname']))
    require dirname(__FILE__) . '/save.php';

 if (isset( $_SESSION[$module]['firstname']))
    extract($_SESSION[$module]);

 $csrf_salt = base64_encode(openssl_random_pseudo_bytes(16));
 $_SESSION[$module]['csrf_salt'] = $csrf_salt;
 ?>

 <form class="signup" action="<?php echo $page_url ?>" method="post">
    <input type="hidden" name="csrf_salt" id="csrf_salt" value="<?php echo $csrf_salt ?>"/>
    <table>
        <tr>
            <td><label for="email">E-mail <span class="asterix">*</span></label></td>
            <td><input type="text" name="email" id="email" maxlength="255" value="<?php if (isset($email)) echo $email ?>"/></td>
        </tr>
        <tr>
            <td><label for="password">Password <span class="asterix">*</span></label></td>
            <td><input type="password" name="password" id="password" maxlength="20" /></td>
        </tr>
        <tr>
            <td><label for="password2">Confirm password <span class="asterix">*</span></label></td>
            <td><input type="password" name="password2" id="password2" maxlength="20" /></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><button type="submit">Submit</button></td>
        </tr>
    </table>
 </form>
diff --git a/functions.php b/functions.php
 <?php

 function sanitize($input, $strip = true, $charset = 'UTF-8')
 {
    if (is_array($input)) {
        $output = array();
        foreach ( $input as $key => $data ) {
            $output[$key] = sanitize($data, $strip, $charset);
        }
        return $output;
    }
    else {
        // Strip HTML tags if set
        if ($strip) $input = strip_tags($input);

        // Encode special chars
        $input = htmlspecialchars($input, ENT_QUOTES, $charset);

        if (get_magic_quotes_gpc())
            return mysql_real_escape_string(stripslashes($input));
        else
            return mysql_real_escape_string($input);
    }
 }
diff --git a/save.php b/save.php
 <?php

 $secured = array();
 $secured = sanitize($_POST);
 extract($secured);

 foreach ($secured as $key => $value) {
    $_SESSION[$module][$key] = $value;
 }

 // idea from http://stackoverflow.com/a/10469574/289404
 if ($csrf_salt !== $_SESSION[$module]['csrf_salt']) {
    echo '<br class="clr"><p class="notice">Bad request token. Please try again.</p>';
    return false;
 }

 // Check required
 $required = array(
    'firstname' => 'First name',
    'surname'   => 'Last name',
    'zip'       => 'ZIP',
    'email'     => 'E-mail',
    'password'  => 'Password',
    'password2' => 'Confirm password',
    'agree'     => 'Agreement',
 );

 foreach ($required as $key => $value) {
    if (empty(${$key})) {
        echo '<br class="clr"><p class="notice">Please enter: '.$value.'.</p>';
        return false;
    }
 }

 if ($password != $password2) {
    echo '<br class="clr"><p class="notice">Passwords missmatch.</p>';
    return false;
 }

 if (!valid_email($email)) {
    echo '<br class="clr"><p class="notice">Bad e-mail.</p>';
    return false;
 }

 unset($_SESSION[$module]);
	<?php

	require dirname(__FILE__) . '/functions.php';

	$module = md5('MODULE_NAME');
	$page_url = sanitize($_SERVER['PHP_SELF']);

	if (isset($_POST['firstname']))
	require dirname(__FILE__) . '/save.php';

	if (isset( $_SESSION[$module]['firstname']))
	extract($_SESSION[$module]);

	$csrf_salt = base64_encode(openssl_random_pseudo_bytes(16));
	$_SESSION[$module]['csrf_salt'] = $csrf_salt;
	?>

	<form class="signup" action="<?php echo $page_url ?>" method="post">
	<input type="hidden" name="csrf_salt" id="csrf_salt" value="<?php echo $csrf_salt ?>"/>
	<table>
	<tr>
	<td><label for="email">E-mail <span class="asterix">*</span></label></td>
	<td><input type="text" name="email" id="email" maxlength="255" value="<?php if (isset($email)) echo $email ?>"/></td>
	</tr>
	<tr>
	<td><label for="password">Password <span class="asterix">*</span></label></td>
	<td><input type="password" name="password" id="password" maxlength="20" /></td>
	</tr>
	<tr>
	<td><label for="password2">Confirm password <span class="asterix">*</span></label></td>
	<td><input type="password" name="password2" id="password2" maxlength="20" /></td>
	</tr>
	<tr>
	<td> </td>
	<td><button type="submit">Submit</button></td>
	</tr>
	</table>
	</form>
	<?php

	function sanitize($input, $strip = true, $charset = 'UTF-8')
	{
	if (is_array($input)) {
	$output = array();
	foreach ( $input as $key => $data ) {
	$output[$key] = sanitize($data, $strip, $charset);
	}
	return $output;
	}
	else {
	// Strip HTML tags if set
	if ($strip) $input = strip_tags($input);

	// Encode special chars
	$input = htmlspecialchars($input, ENT_QUOTES, $charset);

	if (get_magic_quotes_gpc())
	return mysql_real_escape_string(stripslashes($input));
	else
	return mysql_real_escape_string($input);
	}
	}
	<?php

	$secured = array();
	$secured = sanitize($_POST);
	extract($secured);

	foreach ($secured as $key => $value) {
	$_SESSION[$module][$key] = $value;
	}

	// idea from http://stackoverflow.com/a/10469574/289404
	if ($csrf_salt !== $_SESSION[$module]['csrf_salt']) {
	echo '<br class="clr"><p class="notice">Bad request token. Please try again.</p>';
	return false;
	}

	// Check required
	$required = array(
	'firstname' => 'First name',
	'surname' => 'Last name',
	'zip' => 'ZIP',
	'email' => 'E-mail',
	'password' => 'Password',
	'password2' => 'Confirm password',
	'agree' => 'Agreement',
	);

	foreach ($required as $key => $value) {
	if (empty(${$key})) {
	echo '<br class="clr"><p class="notice">Please enter: '.$value.'.</p>';
	return false;
	}
	}

	if ($password != $password2) {
	echo '<br class="clr"><p class="notice">Passwords missmatch.</p>';
	return false;
	}

	if (!valid_email($email)) {
	echo '<br class="clr"><p class="notice">Bad e-mail.</p>';
	return false;
	}

	unset($_SESSION[$module]);