TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 1: Implement CSRF protection, input validation, and rate limiting

Browse Source 
Major security improvements:
- Added CSRF token generation, validation, and cleanup functions
- Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads)
- Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout)
- Implemented session fixation protection with session_regenerate_id() and 30-min timeout
- Fixed SQL injection in getResultFromTable() with whitelisted columns/tables
- Added audit logging for security events
- Applied CSRF validation to all 7 process_*.php files
- Applied input validation to critical endpoints (login, registration, bookings, application)
- Created database migration for login_attempts, audit_log tables and locked_until column

Modified files:
- functions.php: +500 lines of security functions
- validate_login.php: Added CSRF, rate limiting, session hardening
- register_user.php: Added CSRF, input validation, registration rate limiting
- process_*.php (7 files): Added CSRF token validation
- Created migration: 001_phase1_security_schema.sql

Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist
This commit is contained in:
twotalesanimation
2025-12-03 11:28:53 +02:00
parent 062dc46ffd
commit 1ef4d06627
13 changed files with 1729 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
process_course_booking.php
View File

@@ -18,10 +18,30 @@ $pending_member = getUserMemberStatusPending($user_id);
// Check if the form has been submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// CSRF Token Validation
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
auditLog($user_id, 'CSRF_VALIDATION_FAILED', 'bookings', null, ['endpoint' => 'process_course_booking.php']);
http_response_code(403);
header('Content-Type: application/json');
echo json_encode(['error' => 'Security token validation failed.']);
exit();
}
// Input variables from the form (use default values if not provided)
$additional_members = isset($_POST['members']) ? intval($_POST['members']) : 0; // Default to 1 vehicle
$num_adults = isset($_POST['non-members']) ? intval($_POST['non-members']) : 0; // Default to 1 adult
$course_id = isset($_POST['course_id']) ? intval($_POST['course_id']) : 0; // Default to 0 children
$additional_members = validateInteger($_POST['members'] ?? 0, 0, 20);
if ($additional_members === false) $additional_members = 0;
$num_adults = validateInteger($_POST['non-members'] ?? 0, 0, 20);
if ($num_adults === false) $num_adults = 0;
$course_id = validateInteger($_POST['course_id'] ?? 0, 1, 999999);
if ($course_id === false) {
http_response_code(400);
header('Content-Type: application/json');
echo json_encode(['error' => 'Invalid course ID.']);
exit();
}
checkAndRedirectCourseBooking($course_id);
// Fetch trip costs from the database
$query = "SELECT date, cost_members, cost_nonmembers, course_type FROM courses WHERE course_id = ?";