Phase 2: Add CSRF token protection to all forms and processors - Created CsrfMiddleware class with 8 helper methods - Added CSRF tokens to 9 POST forms across trip/course/camping/membership - Added CSRF validation to all 10 POST processors - CsrfMiddleware.requireToken() validates and dies on invalid tokens - 100% POST endpoint coverage with CSRF protection

twotalesanimation
2025-12-02 21:08:56 +02:00
parent 5985506001
commit a311e81a12
19 changed files with 190 additions and 0 deletions


@@ -4,12 +4,16 @@ require_once("session.php");
require_once("connection.php");
require_once("functions.php");
use Middleware\CsrfMiddleware;
$user_id = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
$eft_id = strtoupper($user_id." SUBS ".date("Y")." ".getInitialSurname($user_id));
$status = 'AWAITING PAYMENT';
$description = 'Membership Fees '.date("Y")." ".getInitialSurname($user_id);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// Validate CSRF token
CsrfMiddleware::requireToken($_POST);
// Get all the form fields
$first_name = $_POST['first_name'];