Cross-site request forgery (CSRF) $_GET - CodeIgniter Forums (https://forum.codeigniter.com), Archived Discussions > Archived Development & Programming, thread: https://forum.codeigniter.com/showthread.php?tid=55828
Cross-site request forgery (CSRF) $_GET - El Forum - 11-11-2012
[eluser]behnampmdg3[/eluser]
Hello; how can I make it so only visitors from this website can call this function (and delete the photos)? Thanks

Code:
public function delete($photo)

Cross-site request forgery (CSRF) $_GET - El Forum - 11-11-2012
[eluser]ojcarga[/eluser]
Maybe you can test using the User Agent Class; I am not sure if that is the best way, but I guess it would work: http://ellislab.com/codeigniter/user-guide/libraries/user_agent.html

Also, you should not leave that method open to being called; you should validate whether the user has permission to delete it.

Cheers!

Cross-site request forgery (CSRF) $_GET - El Forum - 11-11-2012
[eluser]solid9[/eluser]
Maybe he is trying to say members, not visitors. If this is what you meant, then you should create a method.

Code:
$this->member_login($member);

Then do the deletion. Or, if you really want to give visitors permission to delete as well, then you can implement a captcha.

Cross-site request forgery (CSRF) $_GET - El Forum - 11-11-2012
[eluser]behnampmdg3[/eluser]
Guys, thanks for your replies, but not really. I am fine if anyone deletes things; that is not the issue here. The issue is how I can make sure the link originated from my own website. For example, this link: http://www.website.com/gallery/delete/22

I want this link to work only if clicked from my own site. Thanks

Cross-site request forgery (CSRF) $_GET - El Forum - 11-11-2012
[eluser]solid9[/eluser]
Well, here is a hint: get the URL of the referrer and compare it to your base_url(). If it does not match, then don't call unlink(); else unlink(). Hope that helped you.

Cross-site request forgery (CSRF) $_GET - El Forum - 11-12-2012
[eluser]solid9[/eluser]
I think you need $_SERVER['HTTP_REFERER']. Not sure of the equivalent command in CI. If it doesn't have one, it will still work.
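The thread ends with the suggestion to compare the Referer header against base_url(). The example below is an added illustration, written for this page in plain PHP; it is not code from the thread or from CodeIgniter. It shows that Referer check done carefully (exact scheme and host comparison, explicit handling of a missing header) next to the approach that actually binds a delete link to the visitor's own session: a secret per-session token carried in the link and compared server-side in constant time. The names BASE_URL, refererMatches, issueCsrfToken, deleteLink, tokenValid and deletePhoto are invented for the example, the requests at the bottom are constructed, and $deleter stands in for the unlink() call so that the demo touches no files.

```php
<?php
// Added example, not from the thread or CodeIgniter. Plain PHP 7+, no framework.
// Two ways to decide whether a request for /gallery/delete/22 came from our own site:
//   1. the Referer comparison suggested in the thread (a client-sent, optional header);
//   2. a per-session secret token carried in the link and checked server-side.

const BASE_URL = 'http://www.website.com/';   // assumed value of base_url()

// (1) Referer check: accept only when scheme, host and port match BASE_URL exactly.
// A plain prefix/substring test would also accept http://www.website.com.evil.net/.
function refererMatches(array $server, string $baseUrl = BASE_URL): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return false;   // header absent or stripped by the client: refuse (fail closed)
    }
    $want = parse_url($baseUrl);
    $got  = parse_url($ref);
    return isset($got['scheme'], $got['host'])
        && strcasecmp($got['scheme'], $want['scheme']) === 0
        && strcasecmp($got['host'], $want['host']) === 0
        && ($got['port'] ?? null) === ($want['port'] ?? null);
}

// (2) Token: one random secret per session, embedded in every delete link we render.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The link our own gallery page renders; a link built anywhere else lacks the token.
function deleteLink(int $photoId, array &$session): string
{
    $token = issueCsrfToken($session);
    return BASE_URL . 'gallery/delete/' . $photoId . '?token=' . urlencode($token);
}

function tokenValid(array $session, array $query): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $query['token'] ?? '';
    return $expected !== '' && is_string($given)
        && hash_equals($expected, $given);   // constant-time comparison
}

// The controller action, written as a function with explicit inputs so it can run
// outside a framework. Only the token decides; the Referer is at most a secondary signal.
function deletePhoto(int $photoId, array $query, array $session, callable $deleter): string
{
    if (!tokenValid($session, $query)) {
        return "refused: missing or wrong token for photo $photoId";
    }
    $deleter($photoId);
    return "deleted photo $photoId";
}

// Demo with constructed requests.
$session = [];
$link = deleteLink(22, $session);   // what our own gallery page renders
parse_str((string) parse_url($link, PHP_URL_QUERY), $ownQuery);

$fromOurSite  = ['HTTP_REFERER' => BASE_URL . 'gallery'];
$fromLookalike = ['HTTP_REFERER' => 'http://www.website.com.evil.net/'];
$noReferer    = [];

var_dump(refererMatches($fromOurSite));
var_dump(refererMatches($fromLookalike));
var_dump(refererMatches($noReferer));   // a privacy-configured browser on our own site lands here too

$deleted = [];
$deleter = function (int $id) use (&$deleted) { $deleted[] = $id; };
echo deletePhoto(22, $ownQuery, $session, $deleter), "\n";            // our own link
echo deletePhoto(22, ['token' => 'guess'], $session, $deleter), "\n";  // forged link with a guessed token
echo deletePhoto(22, [], $session, $deleter), "\n";                    // forged link without a token
```

Two practical notes. The Referer header is optional and under the client's control, so a check on it has to choose what to do when it is missing; failing closed, as above, also refuses legitimate visitors whose browser or proxy strips it, which is why the token is the primary control here. In CodeIgniter 2.x the header is available as $this->input->server('HTTP_REFERER'), and the framework's own CSRF protection (csrf_protection in config.php) only verifies POST requests, so a GET link like /gallery/delete/22 needs either a token check of this kind or a change of the delete action to a POST form.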