TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ef4d0662704c344e2b4fc0535b460722f64757a
4WDCSA.co.za/process_signature.php
twotalesanimation 1ef4d06627 Phase 1: Implement CSRF protection, input validation, and rate limiting 
Major security improvements:
- Added CSRF token generation, validation, and cleanup functions
- Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads)
- Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout)
- Implemented session fixation protection with session_regenerate_id() and 30-min timeout
- Fixed SQL injection in getResultFromTable() with whitelisted columns/tables
- Added audit logging for security events
- Applied CSRF validation to all 7 process_*.php files
- Applied input validation to critical endpoints (login, registration, bookings, application)
- Created database migration for login_attempts, audit_log tables and locked_until column

Modified files:
- functions.php: +500 lines of security functions
- validate_login.php: Added CSRF, rate limiting, session hardening
- register_user.php: Added CSRF, input validation, registration rate limiting
- process_*.php (7 files): Added CSRF token validation
- Created migration: 001_phase1_security_schema.sql

Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist
2025-12-03 11:28:53 +02:00

69 lines
2.6 KiB
PHP
Raw Blame History

<?php
require_once("env.php");
require_once("session.php");
require_once("connection.php");
require_once("functions.php");
if (!isset($_SESSION['user_id'])) {
die(json_encode(['status' => 'error', 'message' => 'User not logged in']));
}
if (isset($_POST['signature'])) {
// CSRF Token Validation
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
auditLog($_SESSION['user_id'], 'CSRF_VALIDATION_FAILED', 'membership_application', null, ['endpoint' => 'process_signature.php']);
die(json_encode(['status' => 'error', 'message' => 'Security token validation failed']));
}
$user_id = $_SESSION['user_id']; // Get the user ID from the session
$signature = $_POST['signature']; // Base64 image data
// Decode the base64 image
$signature = str_replace('data:image/png;base64,', '', $signature);
$signature = str_replace(' ', '+', $signature);
$signatureData = base64_decode($signature);
// Create a file path for the signature image
$fileName = 'signature_' . $user_id . '.png';
$filePath = 'uploads/signatures/' . $fileName;
// Ensure the directory exists
if (!is_dir('uploads/signatures')) {
mkdir('uploads/signatures', 0777, true);
}
// Save the image file
if (file_put_contents($filePath, $signatureData)) {
// Update the database
if ($conn->connect_error) {
die(json_encode(['status' => 'error', 'message' => 'Database connection failed']));
}
// Update the signature and indemnity acceptance in the membership application table
$stmt = $conn->prepare("UPDATE membership_application SET sig = ?, accept_indemnity = 1 WHERE user_id = ?");
$stmt->bind_param('si', $filePath, $user_id);
if ($stmt->execute()) {
// Check the payment status
$paymentStatus = checkMembershipPaymentStatus($user_id) ? 'PAID' : 'NOT_PAID';
// Respond with the appropriate redirect URL based on the payment status
echo json_encode([
'status' => 'success',
'message' => 'Signature saved successfully!',
'paymentStatus' => $paymentStatus // Send payment status
]);
} else {
echo json_encode(['status' => 'error', 'message' => 'Database update failed']);
}
$stmt->close();
$conn->close();
} else {
echo json_encode(['status' => 'error', 'message' => 'Failed to save signature']);
}
} else {
echo json_encode(['status' => 'error', 'message' => 'Signature not provided']);
}
Reference in New Issue View Git Blame Copy Permalink