解决csrf安全问题
Cherry-toto committed Aug 1, 2022
1 parent e9a2c27 commit 24893d9
Showing 2 changed files with 9 additions and 1 deletion.
9 changes: 8 additions & 1 deletion app/home/c/UserController.php
Expand Up @@ -62,6 +62,12 @@ function userinfo(){
$this->checklogin();
if($_POST){
$w = $this->frparam();
if(!isset($w['csrfkey']) || $w['csrfkey']!=$_SESSION['csrfkey']){
if($this->frparam('ajax')){
JsonReturn(['code'=>1,'msg'=>JZLANG('非法操作!')]);
}
Error(JZLANG('非法操作!'));
}
$w = get_fields_data($w,'member',0);
unset($w['jifen']);
unset($w['money']);
Expand Down Expand Up @@ -167,7 +173,8 @@ function userinfo(){
Error(JZLANG('修改成功!'));

}

$_SESSION['csrfkey'] = getRandChar(32);
$this->csrfkey = $_SESSION['csrfkey'];
$this->display($this->template.'/user/userinfo');

}
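Review bot: The token check `if(!isset($w['csrfkey']) || $w['csrfkey']!=$_SESSION['csrfkey'])` in the first hunk uses loose `!=` and never confirms that `$_SESSION['csrfkey']` exists, so a POST that arrives before the form has been rendered compares the submitted value against null, and since `'' == null` is true in PHP an empty token passes the check. A strict, constant-time comparison that also guards the session side and rejects non-string input closes this: `if (!isset($w['csrfkey'], $_SESSION['csrfkey']) || !is_string($w['csrfkey']) || !hash_equals($_SESSION['csrfkey'], $w['csrfkey'])) {`. In the second hunk the token is regenerated on every render via `$_SESSION['csrfkey'] = getRandChar(32);`, which means a second open tab invalidates the first tab's form; generating it only when the session has none is the alternative if that trade-off is unwanted. The enclosing `userinfo()` begins before the first hunk, so where the POST branch exits is not visible here.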
1 change: 1 addition & 0 deletions static/cms/user/userinfo.html
Expand Up @@ -19,6 +19,7 @@
<div class="user-content">
<h2>资料与账号</h2>
<form action="" method="POST" onsubmit="return checkform()" id="jizhiform" class="user-form">
<input type="hidden" name="csrfkey" value="{$csrfkey}">
<span id="fields_ext"></span>
<div class="form-control">
<label for="password">新密码:</label>
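Review bot: The new hidden field carries no explanation for the next template editor; a comment directly above it, `<!-- CSRF token; must match $_SESSION['csrfkey'] checked in UserController::userinfo() -->`, ties it to the server-side check. The form's `checkform()` handler and any AJAX submission path are outside this hunk, so whether they forward this field cannot be verified here.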
