首頁 探索 說明
登入
fusionpbx
/
fusionpbx-app-sql_query
镜像来自 https://github.com/fusionpbx/fusionpbx-app-sql_query.git
2
0
複刻 0
檔案 問題管理 0 Wiki
瀏覽代碼

Use token instead of captcha

FusionPBX 2 年之前
父節點
554c4dbba4
當前提交
0921717ead
共有 2 個文件被更改,包括 10 次插入25 次删除
統一視圖 顯示文件統計
  1. 4 17
      sql_query.php
  2. 6 8
      sql_query_result.php

+ 4 - 17
sql_query.php
查看文件 

@@ -53,14 +53,6 @@
 
 	$code = trim($_POST["code"] ?? '');
 
 	$code = trim($_POST["code"] ?? '');
 
 	$command = trim($_POST["command"] ?? '');
 
 	$command = trim($_POST["command"] ?? '');
 
 
 
-//check the captcha
 
-	$command_authorized = false;
 
-	if (strlen($code) > 0) {
 
-		if (strtolower($_SESSION['captcha']) == strtolower($code)) {
 
-			$command_authorized = true;
 
-		}
 
-	}
 
-
 
 //set editor moder
 
 //set editor moder
 
 	$mode = 'sql';
 
 	$mode = 'sql';
 
 
 
@@ -157,11 +149,9 @@
 
 
 
 <?php
 
 <?php
 
 
 
-//generate the captcha image
 
-	$_SESSION['captcha'] = generate_password(7, 2);
 
-	$captcha = new captcha;
 
-	$captcha->code = $_SESSION['captcha'];
 
-	$image_base64 = $captcha->image_base64();
 
+//create token
 
+	$object = new token;
 
+	$token = $object->create($_SERVER['PHP_SELF']);
 
 
 
 //show the header
 
 //show the header
 
 	echo "<form method='post' name='frm' id='frm' action='exec.php' style='margin: 0;' onsubmit='return submit_check();'>\n";
 
 	echo "<form method='post' name='frm' id='frm' action='exec.php' style='margin: 0;' onsubmit='return submit_check();'>\n";
 
@@ -172,10 +162,6 @@
 
 	echo "		</td>";
 
 	echo "		</td>";
 
 	echo "		<td valign='top' align='right' nowrap='nowrap'>";
 
 	echo "		<td valign='top' align='right' nowrap='nowrap'>";
 
 
 
-	//add the captcha
 
-	echo "				<img src=\"data:image/png;base64, ".$image_base64."\" /><input type='text' class='txt' style='width: 150px; margin-left: 15px;' name='code' id='code' value=''>\n";
 
-	echo "				&nbsp; &nbsp; &nbsp;\n";
 
-
 
 	//sql controls
 
 	//sql controls
 
 	echo "				<span class='sql_controls'>";
 
 	echo "				<span class='sql_controls'>";
 
 	//echo "					".$text['label-table']."<br />";
 
 	//echo "					".$text['label-table']."<br />";
 
@@ -221,6 +207,7 @@
 
 //html form
 
 //html form
 
 	echo "<input type='hidden' name='id' value='".escape($_REQUEST['id'] ?? '')."'>\n"; //sql db id
 
 	echo "<input type='hidden' name='id' value='".escape($_REQUEST['id'] ?? '')."'>\n"; //sql db id
 
 	echo "<textarea name='command' id='command' style='display: none;'></textarea>";
 
 	echo "<textarea name='command' id='command' style='display: none;'></textarea>";
 
+	echo "<input type='hidden' name='".$token['name']."' value='".$token['hash']."'>\n";
 
 	echo "<table cellpadding='0' cellspacing='0' border='0' style='width: 100%;'>\n";
 
 	echo "<table cellpadding='0' cellspacing='0' border='0' style='width: 100%;'>\n";
 
 	echo "	<tr>";
 
 	echo "	<tr>";
 
 	echo "		<td style='width: 280px;' valign='top' nowrap>";
 
 	echo "		<td style='width: 280px;' valign='top' nowrap>";

+ 6 - 8
sql_query_result.php
查看文件 

@@ -46,14 +46,10 @@
 
 		require_once "sql_query_pdo.php";
 
 		require_once "sql_query_pdo.php";
 
 	}
 
 	}
 
 
 
-//check the captcha
 
-	$code = trim($_REQUEST["code"]);
 
-	$command_authorized = false;
 
-	if (strtolower($_SESSION['captcha']) == strtolower($code)) {
 
-		$command_authorized = true;
 
-	}
 
-	if (!$command_authorized) {
 
-		//catpcha invalid
 
+//validate the token
 
+	$token = new token;
 
+	if (!$token->validate($_SERVER['PHP_SELF'])) {
 
+		message::add($text['message-invalid_token'],'negative');
 
 		exit;
 
 		exit;
 
 	}
 
 	}
 
 
 
@@ -74,6 +70,8 @@
 
 
 
 //show the content
 
 //show the content
 
 	if (is_array($_POST)) {
 
 	if (is_array($_POST)) {
 
+
 
+		//get the sql type, command and name
 
 		$sql_type = trim($_POST["sql_type"]);
 
 		$sql_type = trim($_POST["sql_type"]);
 
 		$sql_cmd = trim($_POST["command"]);
 
 		$sql_cmd = trim($_POST["command"]);
 
 		$table_name = trim($_POST["table_name"]);
 
 		$table_name = trim($_POST["table_name"]);