Changeset 14949


Timestamp:
2007/06/28 11:15:24 (13 years ago)
Author:
adati
Message:

CSRF対策:マイページで退会手続きが実行されないように修正

Location:
branches/rel/html
Files:
3 edited

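--- a/branches/rel/html/install/user_data/templates/default1/templates/mypage/refusal_confirm.tpl
+++ b/branches/rel/html/install/user_data/templates/default1/templates/mypage/refusal_confirm.tpl
@@ -8,4 +8,5 @@
 <form name="form1" method="post" action="<!--{$smarty.server.PHP_SELF|escape}-->">
 <input type="hidden" name="mode" value="complete">
+<input type="hidden" name="uniqid" value="<!--{$tpl_uniqid}-->">
     <tr>
         <td align="center" bgcolor="#ffffff">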
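Review bot: The new hidden `uniqid` input is written into the attribute without `|escape`, while the `action` attribute two lines above escapes `PHP_SELF`; even though the token is session-generated, the template should apply the same output escaping so the attribute can never be broken by the value: `<input type="hidden" name="uniqid" value="<!--{$tpl_uniqid|escape}-->">`. The same line appears in the identical hunk of branches/rel/html/install/user_data/templates/mypage/refusal_confirm.tpl and should be changed there too.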
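--- a/branches/rel/html/install/user_data/templates/mypage/refusal_confirm.tpl
+++ b/branches/rel/html/install/user_data/templates/mypage/refusal_confirm.tpl
@@ -8,4 +8,5 @@
 <form name="form1" method="post" action="<!--{$smarty.server.PHP_SELF|escape}-->">
 <input type="hidden" name="mode" value="complete">
+<input type="hidden" name="uniqid" value="<!--{$tpl_uniqid}-->">
     <tr>
         <td align="center" bgcolor="#ffffff">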
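--- a/branches/rel/html/mypage/refusal.php
+++ b/branches/rel/html/mypage/refusal.php
@@ -22,4 +22,5 @@
 $objCustomer = new SC_Customer();
 $objQuery = new SC_Query();
+$objSiteSess = new SC_SiteSession();
 
 //¥í¥°¥¤¥óȽÄê
@@ -39,10 +40,19 @@
 switch ($_POST['mode']){
     case 'confirm':
+
     $objPage->tpl_mainpage = USER_PATH . 'templates/mypage/refusal_confirm.tpl';
     $objPage->tpl_title = "MY¥Ú¡¼¥¸/Âà²ñ¼ê³¤­(³Îǧ¥Ú¡¼¥¸)";
-
+
+    // ³Îǧ¥Ú¡¼¥¸¤ò·Ðͳ¤·¤¿¤³¤È¤òÅÐÏ¿
+    $objSiteSess->setRegistFlag();
+    // hidden¤Ëuniqid¤òËä¤á¹þ¤à
+    $objPage->tpl_uniqid = $objSiteSess->getUniqId();
+
     break;
 
     case 'complete':
+    // Àµ¤·¤¤Á«°Ü¤«¤É¤¦¤«¤ò¥Á¥§¥Ã¥¯
+    lfIsValidMovement($objSiteSess);
+
     //²ñ°÷ºï½ü
     $objQuery->exec("UPDATE dtb_customer SET del_flg=1, update_date=now() WHERE customer_id=?", array($objCustomer->getValue('customer_id')));
@@ -57,3 +67,16 @@
 $objView->display(SITE_FRAME);
 
+// Àµ¤·¤¤Á«°Ü¤«¤É¤¦¤«¤ò¥Á¥§¥Ã¥¯
+function lfIsValidMovement($objSiteSess) {
+    // ³Îǧ¥Ú¡¼¥¸¤«¤é¤ÎÁ«°Ü¤«¤É¤¦¤«¤ò¥Á¥§¥Ã¥¯
+    sfIsPrePage($objSiteSess);
+
+    // uniqid ¤¬POST¤µ¤ì¤Æ¤¤¤ë¤«¤ò¥Á¥§¥Ã¥¯
+    $uniqid = $objSiteSess->getUniqId();
+    if ( !empty($_POST['uniqid']) && ($_POST['uniqid'] === $uniqid) ) {
+        return;
+    } else {
+        sfDispSiteError(PAGE_ERROR, $objSiteSess);
+    }
+}
 ?>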
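Review bot: In the `case 'complete':` branch the `UPDATE dtb_customer SET del_flg=1` runs unconditionally after `lfIsValidMovement($objSiteSess)`, so the CSRF guard only holds if `sfDispSiteError()` (and `sfIsPrePage()`) never return on failure, which nothing in this hunk establishes. Making the decision explicit at the call site removes that hidden dependence: have `lfIsValidMovement` return `true` on the matching token and `false` in the `else` branch (instead of calling `sfDispSiteError` there), and guard the deletion with `if (!lfIsValidMovement($objSiteSess)) { sfDispSiteError(PAGE_ERROR, $objSiteSess); exit; }`. With a boolean return the `else` after `return` in the new function can be dropped as well. The `switch` that this branch belongs to continues past the hunk.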