TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3247d15ce7de244b5f3905944bdefa2e57fc6ddf
4WDCSA.co.za/add_campsite.php
twotalesanimation 3247d15ce7 Task 9: Add CSRF tokens to form templates and backend processors 
Updated forms with hidden CSRF token fields:
- comment_box.php - Comment form
- course_details.php - Course booking form
- campsites.php - Campsite addition modal form
- bar_tabs.php - Bar tab creation modal form
- membership_application.php - Membership application form

Updated backend processors with CSRF validation:
- create_bar_tab.php - Bar tab AJAX processor
- add_campsite.php - Campsite form processor
- submit_order.php - Order submission processor

All forms now require validated CSRF tokens before processing, preventing cross-site request forgery attacks.
2025-12-03 11:47:26 +02:00

62 lines
2.1 KiB
PHP
Raw Blame History

<?php include_once('connection.php');
include_once('functions.php');
require_once("env.php");
session_start();
$user_id = $_SESSION['user_id']; // assuming you're storing it like this
// CSRF Token Validation
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
http_response_code(403);
die('Security token validation failed. Please try again.');
}
// campsites.php
$conn = openDatabaseConnection();
// Get text inputs
$name = $_POST['name'];
$desc = $_POST['description'];
$lat = $_POST['latitude'];
$lng = $_POST['longitude'];
$website = $_POST['website'];
$telephone = $_POST['telephone'];
// Handle file upload
$thumbnailPath = null;
if (isset($_FILES['thumbnail']) && $_FILES['thumbnail']['error'] == 0) {
$uploadDir = "assets/uploads/campsites/";
if (!is_dir($uploadDir)) {
mkdir($uploadDir, 0777, true);
}
$filename = time() . "_" . basename($_FILES["thumbnail"]["name"]);
$targetFile = $uploadDir . $filename;
if (move_uploaded_file($_FILES["thumbnail"]["tmp_name"], $targetFile)) {
$thumbnailPath = $targetFile;
}
}
$id = isset($_POST['id']) ? intval($_POST['id']) : 0;
if ($id > 0) {
// UPDATE
if ($thumbnailPath) {
$stmt = $conn->prepare("UPDATE campsites SET name=?, description=?, latitude=?, longitude=?, website=?, telephone=?, thumbnail=? WHERE id=?");
$stmt->bind_param("ssddsssi", $name, $desc, $lat, $lng, $website, $telephone, $thumbnailPath, $id);
} else {
$stmt = $conn->prepare("UPDATE campsites SET name=?, description=?, latitude=?, longitude=?, website=?, telephone=? WHERE id=?");
$stmt->bind_param("ssddssi", $name, $desc, $lat, $lng, $website, $telephone, $id);
}
} else {
// INSERT
$stmt = $conn->prepare("INSERT INTO campsites (name, description, latitude, longitude, website, telephone, thumbnail, user_id)
VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param("ssddsssi", $name, $desc, $lat, $lng, $website, $telephone, $thumbnailPath, $user_id);
}
$stmt->execute();
header("Location: campsites.php");
?>
Reference in New Issue View Git Blame Copy Permalink