infacq · January 13, 2014 04:01 · May 30, 2013 · May 29, 2013 · May 29, 2013 · May 29, 2013
diff --git a/form.php b/form.php
@@ -2,21 +2,21 @@
 
 require dirname(__FILE__) . '/functions.php';
 
-$module   = md5( 'module' );
-$page_url = sanitize( $_SERVER['PHP_SELF'] );
+$module   = md5('MODULE_NAME');
+$page_url = sanitize($_SERVER['PHP_SELF']);
 
-if ( isset($_POST['firstname']) )
-    require dirname(__FILE__).'/save.php';
+if (isset($_POST['firstname']))
+    require dirname(__FILE__) . '/save.php';
 
-if ( isset( $_SESSION[$module]['firstname'] ) )
-    extract( $_SESSION[$module] );
+if (isset( $_SESSION[$module]['firstname']))
+    extract($_SESSION[$module]);
 
-$csrf = md5( uniqid(rand(), true) );
-$_SESSION[$module]['csrf'] = $csrf;
+$csrf_salt = base64_encode(openssl_random_pseudo_bytes(16));
+$_SESSION[$module]['csrf_salt'] = $csrf_salt;
 ?>
 
 <form class="signup" action="<?php echo $page_url ?>" method="post">
-    <input type="hidden" name="csrf" id="csrf" value="<?php echo $csrf ?>"/>
+    <input type="hidden" name="csrf_salt" id="csrf_salt" value="<?php echo $csrf_salt ?>"/>
     <table>
         <tr>
             <td><label for="email">E-mail <span class="asterix">*</span></label></td>

diff --git a/functions.php b/functions.php
@@ -1,8 +1,8 @@
 <?php
 
-function sanitize( $input, $strip = 1, $charset = 'UTF-8' )
+function sanitize($input, $strip = true, $charset = 'UTF-8')
 {
-    if ( is_array($input) ) {
+    if (is_array($input)) {
         $output = array();
         foreach ( $input as $key => $data ) {
             $output[$key] = sanitize($data, $strip, $charset);
@@ -11,13 +11,12 @@ function sanitize( $input, $strip = 1, $charset = 'UTF-8' )
     }
     else {
         // Strip HTML tags if set
-        if ($strip > 0)
-            $input = strip_tags($input);
+        if ($strip) $input = strip_tags($input);
 
         // Encode special chars
         $input = htmlspecialchars($input, ENT_QUOTES, $charset);
 
-        if ( get_magic_quotes_gpc() )
+        if (get_magic_quotes_gpc())
             return mysql_real_escape_string(stripslashes($input));
         else
             return mysql_real_escape_string($input);

diff --git a/save.php b/save.php
@@ -2,44 +2,44 @@
 
 $secured = array();
 $secured = sanitize($_POST);
-extract( $secured );
+extract($secured);
 
-foreach ( $secured as $key => $value ) {
+foreach ($secured as $key => $value) {
     $_SESSION[$module][$key] = $value;
 }
 
 // idea from http://stackoverflow.com/a/10469574/289404
-if ( $csrf !== $_SESSION[$module]['csrf'] ) {
+if ($csrf_salt !== $_SESSION[$module]['csrf_salt']) {
     echo '<br class="clr"><p class="notice">Bad request token. Please try again.</p>';
     return false;
 }
 
 // Check required
 $required = array(
     'firstname' => 'First name',
-    'surname' => 'Last name',
-    'zip' => 'ZIP',
-    'email' => 'E-mail',
-    'password' => 'Password',
+    'surname'   => 'Last name',
+    'zip'       => 'ZIP',
+    'email'     => 'E-mail',
+    'password'  => 'Password',
     'password2' => 'Confirm password',
-    'agree' => 'Agreement',
+    'agree'     => 'Agreement',
 );
 
-foreach ( $required as $key => $value ) {
-    if ( empty(${$key}) ) {
+foreach ($required as $key => $value) {
+    if (empty(${$key})) {
         echo '<br class="clr"><p class="notice">Please enter: '.$value.'.</p>';
         return false;
     }
 }
 
-if ( $password != $password2 ) {
+if ($password != $password2) {
     echo '<br class="clr"><p class="notice">Passwords missmatch.</p>';
     return false;
 }
 
-if ( !valid_email($email) ) {
+if (!valid_email($email)) {
     echo '<br class="clr"><p class="notice">Bad e-mail.</p>';
     return false;
 }
 
-unset( $_SESSION[$module] );
+unset($_SESSION[$module]);
diff --git a/save.php b/save.php
@@ -40,4 +40,6 @@
 if ( !valid_email($email) ) {
     echo '<br class="clr"><p class="notice">Bad e-mail.</p>';
     return false;
-}
+}
+
+unset( $_SESSION[$module] );
diff --git a/save.php b/save.php
@@ -32,7 +32,12 @@
     }
 }
 
-if ($password != $password2) {
+if ( $password != $password2 ) {
     echo '<br class="clr"><p class="notice">Passwords missmatch.</p>';
     return false;
 }
+
+if ( !valid_email($email) ) {
+    echo '<br class="clr"><p class="notice">Bad e-mail.</p>';
+    return false;
+}
diff --git a/form.php b/form.php
@@ -17,8 +17,6 @@
 
 <form class="signup" action="<?php echo $page_url ?>" method="post">
     <input type="hidden" name="csrf" id="csrf" value="<?php echo $csrf ?>"/>
-    <h2><?php echo PAGE_TITLE ?></h2>
-    <button type="submit">Submit</button>
     <table>
         <tr>
             <td><label for="email">E-mail <span class="asterix">*</span></label></td>
@@ -32,5 +30,9 @@
             <td><label for="password2">Confirm password <span class="asterix">*</span></label></td>
             <td><input type="password" name="password2" id="password2" maxlength="20" /></td>
         </tr>
+        <tr>
+            <td>&nbsp;</td>
+            <td><button type="submit">Submit</button></td>
+        </tr>
     </table>
 </form>
diff --git a/form.php b/form.php
@@ -0,0 +1,36 @@
+<?php
+
+require dirname(__FILE__) . '/functions.php';
+
+$module   = md5( 'module' );
+$page_url = sanitize( $_SERVER['PHP_SELF'] );
+
+if ( isset($_POST['firstname']) )
+    require dirname(__FILE__).'/save.php';
+
+if ( isset( $_SESSION[$module]['firstname'] ) )
+    extract( $_SESSION[$module] );
+
+$csrf = md5( uniqid(rand(), true) );
+$_SESSION[$module]['csrf'] = $csrf;
+?>
+
+<form class="signup" action="<?php echo $page_url ?>" method="post">
+    <input type="hidden" name="csrf" id="csrf" value="<?php echo $csrf ?>"/>
+    <h2><?php echo PAGE_TITLE ?></h2>
+    <button type="submit">Submit</button>
+    <table>
+        <tr>
+            <td><label for="email">E-mail <span class="asterix">*</span></label></td>
+            <td><input type="text" name="email" id="email" maxlength="255" value="<?php if (isset($email)) echo $email ?>"/></td>
+        </tr>
+        <tr>
+            <td><label for="password">Password <span class="asterix">*</span></label></td>
+            <td><input type="password" name="password" id="password" maxlength="20" /></td>
+        </tr>
+        <tr>
+            <td><label for="password2">Confirm password <span class="asterix">*</span></label></td>
+            <td><input type="password" name="password2" id="password2" maxlength="20" /></td>
+        </tr>
+    </table>
+</form>
diff --git a/functions.php b/functions.php
@@ -0,0 +1,25 @@
+<?php
+
+function sanitize( $input, $strip = 1, $charset = 'UTF-8' )
+{
+    if ( is_array($input) ) {
+        $output = array();
+        foreach ( $input as $key => $data ) {
+            $output[$key] = sanitize($data, $strip, $charset);
+        }
+        return $output;
+    }
+    else {
+        // Strip HTML tags if set
+        if ($strip > 0)
+            $input = strip_tags($input);
+
+        // Encode special chars
+        $input = htmlspecialchars($input, ENT_QUOTES, $charset);
+
+        if ( get_magic_quotes_gpc() )
+            return mysql_real_escape_string(stripslashes($input));
+        else
+            return mysql_real_escape_string($input);
+    }
+}
diff --git a/save-form.php → save.php b/save-form.php → save.php
@@ -1,3 +1,5 @@
+<?php
+
 $secured = array();
 $secured = sanitize($_POST);
 extract( $secured );
@@ -6,6 +8,12 @@
     $_SESSION[$module][$key] = $value;
 }
 
+// idea from http://stackoverflow.com/a/10469574/289404
+if ( $csrf !== $_SESSION[$module]['csrf'] ) {
+    echo '<br class="clr"><p class="notice">Bad request token. Please try again.</p>';
+    return false;
+}
+
 // Check required
 $required = array(
     'firstname' => 'First name',
@@ -28,27 +36,3 @@
     echo '<br class="clr"><p class="notice">Passwords missmatch.</p>';
     return false;
 }
-
-function sanitize( $input, $strip = 1, $charset = 'UTF-8' )
-{
-    if ( is_array($input) ) {
-        $output = array();
-        foreach ( $input as $key => $data ) {
-            $output[$key] = sanitize($data, $strip, $charset);
-        }
-        return $output;
-    }
-    else {
-        // Strip HTML tags if set
-        if ($strip > 0)
-            $input = strip_tags($input);
-
-        // Encode special chars
-        $input = htmlspecialchars($input, ENT_QUOTES, $charset);
-
-        if ( get_magic_quotes_gpc() )
-            return mysql_real_escape_string(stripslashes($input));
-        else
-            return mysql_real_escape_string($input);
-    }
-}
diff --git a/save-form.php b/save-form.php
@@ -0,0 +1,54 @@
+$secured = array();
+$secured = sanitize($_POST);
+extract( $secured );
+
+foreach ( $secured as $key => $value ) {
+    $_SESSION[$module][$key] = $value;
+}
+
+// Check required
+$required = array(
+    'firstname' => 'First name',
+    'surname' => 'Last name',
+    'zip' => 'ZIP',
+    'email' => 'E-mail',
+    'password' => 'Password',
+    'password2' => 'Confirm password',
+    'agree' => 'Agreement',
+);
+
+foreach ( $required as $key => $value ) {
+    if ( empty(${$key}) ) {
+        echo '<br class="clr"><p class="notice">Please enter: '.$value.'.</p>';
+        return false;
+    }
+}
+
+if ($password != $password2) {
+    echo '<br class="clr"><p class="notice">Passwords missmatch.</p>';
+    return false;
+}
+
+function sanitize( $input, $strip = 1, $charset = 'UTF-8' )
+{
+    if ( is_array($input) ) {
+        $output = array();
+        foreach ( $input as $key => $data ) {
+            $output[$key] = sanitize($data, $strip, $charset);
+        }
+        return $output;
+    }
+    else {
+        // Strip HTML tags if set
+        if ($strip > 0)
+            $input = strip_tags($input);
+
+        // Encode special chars
+        $input = htmlspecialchars($input, ENT_QUOTES, $charset);
+
+        if ( get_magic_quotes_gpc() )
+            return mysql_real_escape_string(stripslashes($input));
+        else
+            return mysql_real_escape_string($input);
+    }
+}