TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
20 Commits 12 Branches 0 Tags
b120415d53286c5768c66cc3862c38bd23882f1b
Commit Graph

10 Commits

Author SHA1 Message Date
twotalesanimation
b120415d53 Task 10: Harden file upload validation 
Enhanced validateFileUpload() function in functions.php with comprehensive security:
- Hardcoded MIME type whitelist per file type (profile_picture, proof_of_payment, document)
- Strict file size limits per type (5MB images, 10MB documents)
- Extension validation against whitelist
- Double extension prevention (e.g., shell.php.jpg)
- MIME type verification using finfo
- Image validation with getimagesize()
- is_uploaded_file() verification
- Random filename generation to prevent path traversal

Updated file upload handlers:
- upload_profile_picture.php - Profile picture uploads (JPEG, PNG, GIF, WEBP, 5MB max)
- submit_pop.php - Proof of payment uploads (PDF only, 10MB max) + CSRF validation + audit logging
- add_campsite.php - Campsite thumbnail uploads + input validation + CSRF validation + audit logging

Security improvements:
- All uploads use random filenames to prevent directory traversal
- All uploads use secure file permissions (0644)
- File validation occurs before move_uploaded_file()
- Comprehensive error logging for failed uploads
- Audit logging for successful file operations
 2025-12-03 13:30:45 +02:00
twotalesanimation
1ef4d06627 Phase 1: Implement CSRF protection, input validation, and rate limiting 
Major security improvements:
- Added CSRF token generation, validation, and cleanup functions
- Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads)
- Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout)
- Implemented session fixation protection with session_regenerate_id() and 30-min timeout
- Fixed SQL injection in getResultFromTable() with whitelisted columns/tables
- Added audit logging for security events
- Applied CSRF validation to all 7 process_*.php files
- Applied input validation to critical endpoints (login, registration, bookings, application)
- Created database migration for login_attempts, audit_log tables and locked_until column

Modified files:
- functions.php: +500 lines of security functions
- validate_login.php: Added CSRF, rate limiting, session hardening
- register_user.php: Added CSRF, input validation, registration rate limiting
- process_*.php (7 files): Added CSRF token validation
- Created migration: 001_phase1_security_schema.sql

Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist
 2025-12-03 11:28:53 +02:00
twotalesanimation
062dc46ffd small updates 2025-12-02 18:17:20 +02:00
twotalesanimation
b69f8f5f1b local changes. 2025-07-24 07:20:51 +02:00
Chris Pinto
561592bc0d Merge branch 'feature/pop_submit' 2025-06-13 10:30:27 +02:00
Chris Pinto
d1dc0b4ad0 Pop submit ready 2025-06-13 10:22:14 +02:00
twotalesanimation
4bdfbff0b6 Member info update 2025-06-08 16:29:50 +02:00
twotalesanimation
07d75bc004 More ENV updates 2025-05-23 14:25:27 +02:00
twotalesanimation
a103c5e272 dotenv implementation 2025-05-23 11:50:53 +02:00
Local Administrator
b83134aca3 Initial commit 2025-04-18 10:32:42 +02:00