From 3247d15ce7de244b5f3905944bdefa2e57fc6ddf Mon Sep 17 00:00:00 2001
From: twotalesanimation <80506065+twotalesanimation@users.noreply.github.com>
Date: Wed, 3 Dec 2025 11:47:26 +0200
Subject: [PATCH] Task 9: Add CSRF tokens to form templates and backend
 processors

Updated forms with hidden CSRF token fields:
- comment_box.php - Comment form
- course_details.php - Course booking form
- campsites.php - Campsite addition modal form
- bar_tabs.php - Bar tab creation modal form
- membership_application.php - Membership application form

Updated backend processors with CSRF validation:
- create_bar_tab.php - Bar tab AJAX processor
- add_campsite.php - Campsite form processor
- submit_order.php - Order submission processor

All forms now require validated CSRF tokens before processing, preventing cross-site request forgery attacks.
---
 add_campsite.php           | 6 ++++++
 bar_tabs.php               | 1 +
 campsites.php              | 1 +
 comment_box.php            | 3 ++-
 course_details.php         | 1 +
 create_bar_tab.php         | 7 +++++++
 membership_application.php | 1 +
 submit_order.php           | 8 ++++++++
 8 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/add_campsite.php b/add_campsite.php
index 73608405..6d2ca28c 100644
--- a/add_campsite.php
+++ b/add_campsite.php
@@ -4,6 +4,12 @@ require_once("env.php");
 session_start();
 $user_id = $_SESSION['user_id']; // assuming you're storing it like this
 
+// CSRF Token Validation
+if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+    http_response_code(403);
+    die('Security token validation failed. Please try again.');
+}
+
 // campsites.php
 $conn = openDatabaseConnection();
 
diff --git a/bar_tabs.php b/bar_tabs.php
index fd5faada..7c40ff7a 100644
--- a/bar_tabs.php
+++ b/bar_tabs.php
@@ -155,6 +155,7 @@ unset($_SESSION['cart']);
             </div>
             <div class="modal-body">
                 <form id="barTabForm">
+                    <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
                     <div class="form-group">
                         <label for="userSelect">Select User</label>
                         <input type="text" id="userSelect" class="form-control" placeholder="Search User" required>
diff --git a/campsites.php b/campsites.php
index 81acbb3a..1642abf8 100644
--- a/campsites.php
+++ b/campsites.php
@@ -64,6 +64,7 @@ if (!empty($bannerImages)) {
 <div class="modal fade" id="addCampsiteModal" tabindex="-1">
                     <div class="modal-dialog">
                         <form id="addCampsiteForm" method="POST" action="add_campsite.php" enctype="multipart/form-data">
+                            <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
                             <div class="modal-content">
                                 <div class="modal-header">
                                     <h5 class="modal-title">Add Campsite</h5>
diff --git a/comment_box.php b/comment_box.php
index 61516689..d19a81c1 100644
--- a/comment_box.php
+++ b/comment_box.php
@@ -59,9 +59,10 @@ $result = $stmt->get_result();
       </div>
 
     <?php endwhile; ?>
-  </div>
+  </form>
   <!-- <h5>Add A Comment</h5> -->
   <form method="POST" id="comment-form" class="comment-form bgc-lighter z-1 rel mt-30" name="review-form" action="" data-aos="fade-up" data-aos-duration="1500" data-aos-offset="50">
+    <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
     <div class="row gap-20">
       <div class="col-md-12">
         <div class="form-group">
diff --git a/course_details.php b/course_details.php
index 1fa055cf..b8bea27c 100644
--- a/course_details.php
+++ b/course_details.php
@@ -71,6 +71,7 @@ $result = $conn->query($sql);
                     <p>Our 4x4 Basic Training Course equips you with the essential skills and knowledge to confidently tackle off-road terrains. Learn vehicle mechanics, driving techniques, obstacle navigation, and recovery methods while promoting safe and responsible off-road practices. Perfect for beginners and new 4x4 owners!</p>
                     <hr class="mt-40">
                     <form action="#" class="add-to-cart pt-15 pb-30">
+                        <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
                         <label for="course_date">Select a Date:</label>
                         <select name="course_date" id="course_date" required>
                             <!-- <option value="" disabled selected>-- Select a Date --</option> -->
diff --git a/create_bar_tab.php b/create_bar_tab.php
index 467d355a..60c1a97f 100644
--- a/create_bar_tab.php
+++ b/create_bar_tab.php
@@ -3,6 +3,13 @@ require_once("session.php");
 require_once("connection.php");
 require_once("functions.php");
 
+// CSRF Token Validation
+if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+    http_response_code(403);
+    echo json_encode(['status' => 'error', 'message' => 'Security token validation failed.']);
+    exit();
+}
+
 // Check if user_id is set in the POST request
 if (isset($_POST['user_id']) && !empty($_POST['user_id'])) {
     // Sanitize the input to prevent SQL injection
diff --git a/membership_application.php b/membership_application.php
index 1e00a9f6..516e84ef 100644
--- a/membership_application.php
+++ b/membership_application.php
@@ -55,6 +55,7 @@ if (!empty($bannerImages)) {
             <div class="col-lg-12">
                 <div class="comment-form bgc-lighter z-1 rel mb-30 rmb-55">
                     <form id="registerForm" name="registerForm" action="process_application.php" method="post" data-aos="fade-left" data-aos-duration="1500" data-aos-offset="50">
+                        <input type="hidden" name="csrf_token" value="<?php echo generateCSRFToken(); ?>">
                         <div class="section-title">
                             <div id="responseMessage"></div> <!-- Message display area -->
                         </div>
diff --git a/submit_order.php b/submit_order.php
index 2fbe3830..e36f5a73 100644
--- a/submit_order.php
+++ b/submit_order.php
@@ -1,6 +1,14 @@
 <?php
 session_start();
 require_once("connection.php");
+require_once("functions.php");
+
+// CSRF Token Validation
+if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+    http_response_code(403);
+    echo json_encode(['status' => 'error', 'message' => 'Security token validation failed.']);
+    exit();
+}
 
 if (isset($_POST['tab_id']) && isset($_SESSION['cart'][$_POST['tab_id']])) {
     $tab_id = (int) $_POST['tab_id']; // Ensure it's an integer