Phase 2: Add CSRF token protection to all forms and processors - Created CsrfMiddleware class with 8 helper methods - Added CSRF tokens to 9 POST forms across trip/course/camping/membership - Added CSRF validation to all 10 POST processors - CsrfMiddleware.requireToken() validates and dies on invalid tokens - 100% POST endpoint coverage with CSRF protection

process_eft.php

@@ -3,10 +3,19 @@ require_once("env.php");
 require_once("session.php");
 require_once("connection.php");
 require_once("functions.php");
+
+use Middleware\CsrfMiddleware;
+
 checkAdmin();
 if (!isset($_GET['token']) || empty($_GET['token'])) {
     die("Invalid request.");
 }
+
+// Validate CSRF token if this is a POST request
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    CsrfMiddleware::requireToken($_POST);
+}
+
 $token = $_GET['token'];
 // echo $token;
 $eft_id = decryptData($token, $salt);