Hello everybody!
I want to create a private messaging system, but I have a problem!
My script is:
<?php
public function actionAdmin()
{
    // Referer check taken from punBB: reject the request unless the Referer
    // header starts with this site's URL (with any "www." removed from both).
    $site    = str_replace('www.', '', Yii::app()->params['mainUrl'].Yii::app()->request->baseUrl);
    $referer = str_replace('www.', '', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
    if (!preg_match('#^'.preg_quote($site, '#').'#i', $referer))
        exit('An error has occurred');

    if (Yii::app()->request->isPostRequest)
    {
        // read the action and the list of ids once; both may be absent from the POST body
        $action = isset($_POST['action']) ? $_POST['action'] : '';
        $ids    = isset($_POST['selected_messages']) ? (array) $_POST['selected_messages'] : array();

        // mark messages as read
        if ($action == 'read')
        {
            foreach ($ids as $id)
            {
                $model = message::model()->findByPk(intval($id));
                if ($model === null)
                    continue; // unknown id: skip it instead of calling save() on null
                $model->read = true;
                $model->save();
            }
        }
        // mark messages as unread
        else if ($action == 'unread')
        {
            foreach ($ids as $id)
            {
                $model = message::model()->findByPk(intval($id));
                if ($model === null)
                    continue;
                $model->read = false;
                $model->save() or die('An error has occurred');
            }
            exit('condition ok');
        }
        // delete messages
        else if ($action == 'delete')
        {
            foreach ($ids as $id)
            {
                $model = message::model()->findByPk(intval($id));
                if ($model === null)
                    continue;
                $model->delete();
            }
        }
    }
}
I am aware that there must be a more optimized way to execute this kind of operation, but I do not know it!
I think there must be another method to prevent CSRF attacks than this one:
// from punBB
if (!preg_match('#^'.preg_quote(str_replace('www.', '', Yii::app()->params['mainUrl'].Yii::app()->request->baseUrl), '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
exit('An error has occurred');
but I do not know it.
Can you help me?
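The usual replacement for the Referer check is the synchronizer-token pattern: a random secret stored in the session and echoed back as a hidden form field, which a page on another origin cannot read. The Referer check in the post has two practical weaknesses: privacy tools and some proxies strip the header, so legitimate users are rejected, and the pattern is only anchored at the start, so any Referer that merely begins with the site URL is accepted. The script below is an added example, not code from the post or from Yii; it reimplements the pattern in plain PHP with a constructed in-memory session, message table and request arrays so it runs from the command line. The `owner` column and the `apply_action` helper are assumptions added to show that a valid token proves the request came from our own form, not that the user is allowed to touch the selected ids, so an ownership check is still needed.

```php
<?php
// Added example (not from the original post): synchronizer-token CSRF protection.
// $session, $messages and the two request arrays are constructed stand-ins for
// $_SESSION, the database table and $_POST so the script runs without a web server.

// Return the session's CSRF token, generating it on first use.
function csrf_token(array &$session)
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes -> 64 hex characters; an attacker's page cannot guess or read it.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing request only if it is a POST carrying a token that
// matches the session copy (constant-time comparison).
function csrf_validate(array $session, array $request)
{
    if (($request['method'] ?? '') !== 'POST') {
        return false;
    }
    $sent   = $request['post']['csrf_token'] ?? '';
    $stored = $session['csrf_token'] ?? '';
    if ($sent === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $sent);
}

// Apply one of the post's three bulk actions to $messages (constructed table keyed by id).
// The 'owner' check is a hypothetical addition: the token says nothing about authorization.
function apply_action(array &$messages, array $post, $currentUser)
{
    $action  = $post['action'] ?? '';
    $ids     = array_map('intval', (array) ($post['selected_messages'] ?? []));
    $changed = 0;
    foreach ($ids as $id) {
        if (!isset($messages[$id]) || $messages[$id]['owner'] !== $currentUser) {
            continue; // unknown id or someone else's message: ignore it
        }
        switch ($action) {
            case 'read':   $messages[$id]['read'] = true;  $changed++; break;
            case 'unread': $messages[$id]['read'] = false; $changed++; break;
            case 'delete': unset($messages[$id]);          $changed++; break;
        }
    }
    return $changed;
}

// ---- demo ---------------------------------------------------------------
$session  = [];                                   // constructed: Alice's session
$messages = [                                     // constructed: message table
    1 => ['owner' => 'alice', 'read' => false],
    2 => ['owner' => 'alice', 'read' => false],
    3 => ['owner' => 'bob',   'read' => false],
];

// The form rendered for Alice embeds the token as a hidden field.
$token = csrf_token($session);

// 1. Legitimate submit from our own form: token present and matching.
$good = ['method' => 'POST',
         'post'   => ['csrf_token' => $token, 'action' => 'read', 'selected_messages' => [1, 3]]];
if (csrf_validate($session, $good)) {
    $n = apply_action($messages, $good['post'], 'alice');
    echo "legit request: $n message(s) updated\n";   // 1, because id 3 belongs to Bob
}

// 2. Forged submit from an attacker's page. The browser attaches Alice's cookies, so the
//    session is hers, and the attacker controls the rest of the request, but the token
//    never left our page and the Referer is not consulted at all.
$forged = ['method'  => 'POST',
           'post'    => ['action' => 'delete', 'selected_messages' => [1, 2]],
           'referer' => 'http://www.example.org/messages'];
echo 'forged request accepted? ' . (csrf_validate($session, $forged) ? 'yes' : 'no') . "\n"; // no
echo 'messages left: ' . count($messages) . "\n";                                            // 3
```

Yii 1.1 ships this exact mechanism: set `'enableCsrfValidation' => true` on the `request` component in the application config, build the form with `CHtml::beginForm()` so the hidden `YII_CSRF_TOKEN` field is added, and `CHttpRequest` rejects any POST whose token does not match the cookie copy before the action runs, so the punBB Referer block can be removed. For the loops, `message::model()->updateByPk($ids, array('read' => true))` and `message::model()->deleteByPk($ids)` accept an array of primary keys, which turns each foreach into one query; add a condition on the owner column there too, since neither the token nor `intval()` stops a logged-in user from submitting someone else's ids.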