twotalesanimation
7b1c20410c
updated CSRF tokens
2025-12-03 13:26:57 +02:00
twotalesanimation
3247d15ce7
Task 9: Add CSRF tokens to form templates and backend processors
...
Updated forms with hidden CSRF token fields:
- comment_box.php - Comment form
- course_details.php - Course booking form
- campsites.php - Campsite addition modal form
- bar_tabs.php - Bar tab creation modal form
- membership_application.php - Membership application form
Updated backend processors with CSRF validation:
- create_bar_tab.php - Bar tab AJAX processor
- add_campsite.php - Campsite form processor
- submit_order.php - Order submission processor
All forms now require validated CSRF tokens before processing, preventing cross-site request forgery attacks.
2025-12-03 11:47:26 +02:00
twotalesanimation
ce6c8e257a
Add Phase 1 progress documentation and Task 9 quick-start guide
...
- PHASE_1_PROGRESS.md: Comprehensive progress report (66% complete)
- Documents all 7 completed security tasks
- Lists remaining 4 tasks with estimates
- Security improvements summary
- Database changes required
- Files modified and testing verification
- TASK_9_ADD_CSRF_FORMS.md: Quick-start guide for adding CSRF tokens
- Step-by-step instructions for form modification
- List of ~40 forms that need tokens (prioritized)
- Common patterns and examples
- Validation reference
- Troubleshooting guide
- Testing checklist
Ready for Task 9 implementation (form template updates)
2025-12-03 11:31:09 +02:00
twotalesanimation
1ef4d06627
Phase 1: Implement CSRF protection, input validation, and rate limiting
...
Major security improvements:
- Added CSRF token generation, validation, and cleanup functions
- Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads)
- Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout)
- Implemented session fixation protection with session_regenerate_id() and 30-min timeout
- Fixed SQL injection in getResultFromTable() with whitelisted columns/tables
- Added audit logging for security events
- Applied CSRF validation to all 7 process_*.php files
- Applied input validation to critical endpoints (login, registration, bookings, application)
- Created database migration for login_attempts, audit_log tables and locked_until column
Modified files:
- functions.php: +500 lines of security functions
- validate_login.php: Added CSRF, rate limiting, session hardening
- register_user.php: Added CSRF, input validation, registration rate limiting
- process_*.php (7 files): Added CSRF token validation
- Created migration: 001_phase1_security_schema.sql
Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist
2025-12-03 11:28:53 +02:00
twotalesanimation
062dc46ffd
small updates
2025-12-02 18:17:20 +02:00
twotalesanimation
b69f8f5f1b
local changes.
2025-07-24 07:20:51 +02:00
twotalesanimation
53c29b62ca
Merge branch 'main' of http://192.168.0.107:30008/TwoTalesDev/4WDCSA.co.za
2025-06-13 10:45:41 +02:00
twotalesanimation
c8c8dfb9c7
Update .gitignore on live server
2025-06-13 10:40:46 +02:00
561592bc0d
Merge branch 'feature/pop_submit'
2025-06-13 10:30:27 +02:00
d1dc0b4ad0
Pop submit ready
2025-06-13 10:22:14 +02:00
twotalesanimation
4bdfbff0b6
Member info update
2025-06-08 16:29:50 +02:00
twotalesanimation
85ce1b29e7
Merge branch 'main' of http://192.168.0.107:30008/TwoTalesDev/4WDCSA.co.za
2025-05-23 14:35:32 +02:00
5e88b10221
dotenv implementation cont
2025-05-23 14:31:07 +02:00
twotalesanimation
07d75bc004
More ENV updates
2025-05-23 14:25:27 +02:00
488e3c156d
New POP Uploads
2025-05-23 14:19:25 +02:00
fb1407af3f
dotenv implementation cont
2025-05-23 13:11:51 +02:00
twotalesanimation
a103c5e272
dotenv implementation
2025-05-23 11:50:53 +02:00
twotalesanimation
ac357402ca
homepage update
2025-05-23 10:50:59 +02:00
Local Administrator
b83134aca3
Initial commit
2025-04-18 10:32:42 +02:00
