Use POST when removing friends, validate input
parent
87c21a06eb
commit
e6d51a0afb
|
@ -1,11 +1,20 @@
|
||||||
<?php
|
<?php
|
||||||
if(@$_REQUEST['action'] == 'remove' && @$_REQUEST['uuid'] != '')
|
if($_SERVER['REQUEST_TYPE'] == 'POST')
|
||||||
{
|
{
|
||||||
$statementMembership = $RUNTIME['PDO']->prepare("DELETE FROM Friends WHERE Friend = ? AND PrincipalID = ?");
|
if(isset($_POST['remove'])) {
|
||||||
$statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
|
include '../app/FormValidator.php';
|
||||||
|
$validator = new FormValidator(array(
|
||||||
|
'uuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
|
||||||
|
));
|
||||||
|
|
||||||
$statementMembership = $RUNTIME['PDO']->prepare("DELETE FROM Friends WHERE PrincipalID = ? AND Friend = ?");
|
if($validator->isValid($_POST)) {
|
||||||
$statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
|
$statementMembership = $RUNTIME['PDO']->prepare("DELETE FROM Friends WHERE Friend = ? AND PrincipalID = ?");
|
||||||
|
$statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
|
||||||
|
|
||||||
|
$statementMembership = $RUNTIME['PDO']->prepare("DELETE FROM Friends WHERE PrincipalID = ? AND Friend = ?");
|
||||||
|
$statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
header('Location: index.php?page=friends');
|
header('Location: index.php?page=friends');
|
||||||
die();
|
die();
|
||||||
|
@ -35,7 +44,7 @@
|
||||||
$FriendData[1] = str_replace("http://", "", $FriendData[1]);
|
$FriendData[1] = str_replace("http://", "", $FriendData[1]);
|
||||||
$FriendData[1] = str_replace("https://", "", $FriendData[1]);
|
$FriendData[1] = str_replace("https://", "", $FriendData[1]);
|
||||||
$FriendData[1] = str_replace("/", "", $FriendData[1]);
|
$FriendData[1] = str_replace("/", "", $FriendData[1]);
|
||||||
$entry = '<tr><td>'.htmlspecialchars(trim($opensim->getUserName($Friend)).' @ '.strtolower($FriendData[1])).'</td><td><a href="index.php?page=friends&action=remove&uuid='.urlencode($row['Friend']).'">LÖSCHEN</a></td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars(trim($opensim->getUserName($Friend)).' @ '.strtolower($FriendData[1])).'</td><td><form action="index.php?page=friends" method="post">%%CSRF%%<input type="hidden" name="uuid" value="'.htmlspecialchars($row['Friend']).'"><button type="submit" name="remove" class="btn btn-danger btn-sm">LÖSCHEN</button></form></td></tr>';
|
||||||
}
|
}
|
||||||
|
|
||||||
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
||||||
|
|
Loading…
Reference in New Issue