Yii Framework Forum: How to update my record and prevent csrf attacks?

How to update my record and prevent csrf attacks?

#1 Co-k-ine

Posted 28 July 2010 - 08:29 AM

Hello everybody!

I want to create a private messaging feature, but I have a problem!

My script is:


<?php

public function actionAdmin()
	{       //from punBB: reject requests whose Referer does not start with our own URL
		if (!preg_match('#^'.preg_quote(str_replace('www.', '', Yii::app()->params['mainUrl'].Yii::app()->request->baseUrl), '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
			exit('Une erreure est survenue');

		if (Yii::app()->request->isPostRequest)
		{
			 // mark mp as read
			 if( isset($_POST['action']) && $_POST['action'] == 'read' )
			 {
				 foreach ($_POST['selected_messages'] as $id)
				 {       //for update $read
					 $model = message::model()->findByPk( intval($id) );
					 if ($model === null) continue;   // unknown id: skip instead of calling save() on null
					 $model->read = true;
					 $model->save();
				}
			 }

			 //mark mp as unread
			 else if( isset($_POST['action']) && $_POST['action'] == 'unread' )
			 {
				 foreach ($_POST['selected_messages'] as $id)
				 {       //for update read
					 $model = message::model()->findByPk( intval($id) ) ;
					 if ($model === null) continue;   // unknown id: skip
					 $model->read = false;
					 $model->save() or die('Une erreur est apparue');
				}
				exit('condition ok');   // debug output left in: ends the request here
			 }

			 //delete mp
			 else if( isset($_POST['action']) && $_POST['action'] == 'delete' )
			 {
				 foreach ($_POST['selected_messages'] as $id)
				 {       // for delete
					 $model = message::model()->findByPk( intval($id) );
					 if ($model === null) continue;   // unknown id: skip
					 $model->delete();
				}
			 }
		}
	}




I am aware that there must be a more optimized way to execute this kind of operation, but I do not know it!

I think there must be another method to prevent CSRF attacks than this:
//issue from punBB
if (!preg_match('#^'.preg_quote(str_replace('www.', '', Yii::app()->params['mainUrl'].Yii::app()->request->baseUrl), '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
	exit('Une erreure est survenue');

but I do not know.

Can you help me ?

#2 frantic

Posted 28 July 2010 - 11:37 AM

http://www.yiiframew...topics.security

In your view, make the form via CHtml::form and enable CSRF validation in the config.
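An added example (not code from the original posts or from the Yii project) of what the reply above describes for a Yii 1.1 application: enable enableCsrfValidation in the config, build the form with CHtml::beginForm() so the token field is embedded automatically, and drop the Referer regex from the action because the token check now runs before it. The controller class name, the $messages variable and the recipient_id column are assumptions.

```php
<?php
// protected/config/main.php (fragment): switch on Yii's built-in CSRF check.
// CHttpRequest then compares the YII_CSRF_TOKEN POST field with the token
// cookie on every POST, before any action runs, and answers 400 on mismatch.
return array(
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
        ),
    ),
);

// protected/views/message/admin.php (fragment). CHtml::beginForm() emits the
// hidden YII_CSRF_TOKEN field itself when enableCsrfValidation is on, so the
// view needs no extra code; $messages is assumed to be passed by the action.
echo CHtml::beginForm(array('message/admin'), 'post');
foreach ($messages as $m) {
    echo CHtml::checkBox('selected_messages[]', false, array('value' => $m->id));
    echo CHtml::encode($m->subject), '<br />';
}
echo CHtml::dropDownList('action', 'read',
    array('read' => 'Mark read', 'unread' => 'Mark unread', 'delete' => 'Delete'));
echo CHtml::submitButton('Apply');
echo CHtml::endForm();

// protected/controllers/MessageController.php (fragment). The Referer regex is
// gone: a forged cross-site POST never carries a valid token, so it is rejected
// before this code runs. Class name and recipient_id column are assumptions.
class MessageController extends CController
{
    public function actionAdmin()
    {
        $request = Yii::app()->request;
        if (!$request->isPostRequest)
            throw new CHttpException(400, 'Invalid request.');

        $ids = array_map('intval', (array) $request->getPost('selected_messages', array()));
        // Only touch messages addressed to the logged-in user (assumed column).
        $own = 'recipient_id = :uid';
        $params = array(':uid' => Yii::app()->user->id);
        switch ($request->getPost('action')) {
            case 'read':   message::model()->updateByPk($ids, array('read' => 1), $own, $params); break;
            case 'unread': message::model()->updateByPk($ids, array('read' => 0), $own, $params); break;
            case 'delete': message::model()->deleteByPk($ids, $own, $params); break;
            default:       throw new CHttpException(400, 'Unknown action.');
        }
        $this->redirect(array('message/admin'));
    }
}
```

updateByPk() and deleteByPk() accept an array of primary keys, so the per-id findByPk()/save() loop from the first post collapses into one query per action.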

#3 Co-k-ine

Posted 28 July 2010 - 02:55 PM

Is there no cookbook available to use as an example?
