Cross-site request forgery (CSRF) $_GET
Posted: 12 November 2012 12:44 AM
Joined: 2012-10-29
123 posts

Hello,

How can I make it so only visitors from this website can call this function (and delete the photos)?

Thanks

public function delete($photo)
{
    $this->load->model('load_photos_model');

    // The posted code was missing the "=" on this line.
    $delete = $this->load_photos_model->delete($photo);

    if ($delete) {
        // Database row is gone, now remove the file from disk.
        unlink('uploads/' . $photo . '.jpg');
        redirect(site_url() . "gallery");
    } else {
        // Nothing was deleted; still send the user back to the gallery.
        redirect(site_url() . "gallery");
    }
}

Posted: 12 November 2012 02:23 AM   [ # 1 ]   [ Rating: 0 ]
Joined: 2012-04-02
85 posts

Maybe you can test using the User Agent Class. I am not sure if that is the best way, but I guess it would work:
http://ellislab.com/codeigniter/user-guide/libraries/user_agent.html

Also, you should not leave that method open for calling it, you should validate if the user has permissions to delete it.

Cheers!

Posted: 12 November 2012 02:28 AM   [ # 2 ]   [ Rating: 0 ]
Joined: 2011-08-08
524 posts

Maybe he is trying to say members, not visitors.
If this is what you meant, then you should create a method:

$this->member_login($member);

then do the deletion.

Or, if you really want to give visitors permission to delete as well,
then you can implement a captcha.


Signature: Stick with it, practice it and have fun with it.

Posted: 12 November 2012 02:31 AM   [ # 3 ]   [ Rating: 0 ]
Joined: 2012-10-29
123 posts

Guys, thanks for your reply, but not really.

I am fine if anyone deletes things; that is not the issue here.

The issue is how I can make sure the link originated from my own website.

For example, this link:

http://www.website.com/gallery/delete/22

I want this link to work only if clicked from my own site.

Thanks

Posted: 12 November 2012 02:46 AM   [ # 4 ]   [ Rating: 0 ]
Joined: 2011-08-08
524 posts

Well, here is a hint:

Get the URL of the referrer and compare it to your base_url().
If it does not match, then don't call unlink();
else unlink().

Hope that helped you.


Posted: 12 November 2012 03:14 AM   [ # 5 ]   [ Rating: 0 ]
Joined: 2011-08-08
524 posts

I think you need $_SERVER['HTTP_REFERER'].
Not sure of the equivalent command in CI.
If it doesn't have one, it will still work.

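The referer comparison suggested in the last two replies is fragile: the header is optional, browsers and proxies often strip it, and it is supplied by the client. As an added example (not code from this thread or from CodeIgniter), here is a framework-agnostic PHP synchronizer token for the same delete link; `csrf_token`, `delete_link`, `csrf_valid`, `delete_photo` and the `csrf` query parameter are hypothetical names chosen for the example.

```php
<?php
// Added example: per-session CSRF token for a gallery delete action.
// Assumes PHP sessions are available and that the delete link is rendered
// by this same application (so only our own pages know the token).
session_start();

// Issue one unpredictable token per session and reuse it for every
// state-changing link or form in that session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render the delete link with the token attached; a link built elsewhere
// cannot carry a token that matches this session.
function delete_link(string $base_url, int $photo_id): string {
    return $base_url . 'gallery/delete/' . $photo_id . '?csrf=' . csrf_token();
}

// Constant-time comparison against the session token. A missing or wrong
// token is treated as a forged request. HTTP_REFERER is deliberately not
// consulted: it is optional and attacker-influenced.
function csrf_valid(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Controller-style handler mirroring the delete() method in the first post.
// The id is typed as int so the path stays under uploads/.
function delete_photo(int $photo_id, ?string $submitted_token): bool {
    if (!csrf_valid($submitted_token)) {
        http_response_code(403);   // reject the request, do not touch the file
        return false;
    }
    $path = 'uploads/' . $photo_id . '.jpg';
    return is_file($path) && unlink($path);
}

// Usage: $link = delete_link('http://www.website.com/', 22);
//        delete_photo(22, $_GET['csrf'] ?? null);
```

A token in a GET link still ends up in browser history and server logs, so the cleaner fix is a POST form for the delete action; CodeIgniter 2.x can then apply its own token check via `$config['csrf_protection'] = TRUE;` in application/config/config.php for forms built with form_open().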