Cross-site request forgery (CSRF) $_GET
#1

[eluser]behnampmdg3[/eluser]
Hello;

How can I make it so only visitors from this website can call this function (and delete the photos)?

Thanks

Code:
public function delete($photo)
{
    // $photo comes straight from the URL segment, so strip any path
    // components before it is used to build a filesystem path.
    $photo = basename($photo);

    $this->load->model('load_photos_model');
    $delete = $this->load_photos_model->delete($photo);
    if ($delete)
    {
        $path = 'uploads/'.$photo.'.jpg';
        if (is_file($path))
        {
            unlink($path);
        }
    }
    // Both outcomes end up back on the gallery page; redirect() accepts
    // a site-relative URI, so site_url() does not need to be concatenated.
    redirect('gallery');
}
#2

[eluser]ojcarga[/eluser]
Maybe you can test using the User Agent Class; I am not sure if that is the best way, but I guess it would work:
http://ellislab.com/codeigniter/user-gui...agent.html

Also, you should not leave that method open for calling it, you should validate if the user has permissions to delete it.

Cheers!
#3

[eluser]solid9[/eluser]
Maybe he is trying to say members, not visitors.
If this is what you meant, then you should create a method.

Code:
$this->member_login($member);

then do the deletion.

Or if you really want to give visitors permission to delete as well,
then you can implement a captcha.



#4

[eluser]behnampmdg3[/eluser]
Guys, thanks for your reply, but not really.

I am fine if anyone deletes things :) That is not the issue here.

The issue is how can I make sure the link has been originated from my own website.

For example this link:

http://www.website.com/gallery/delete/22

I want this link to work only if clicked from my own site :)

Thanks
#5

[eluser]solid9[/eluser]
Well here is a hint,

Get the URL of the referrer and compare it to your base_url().
If it doesn't match, then don't call unlink();
else unlink().

Hope that helped you.
#6

[eluser]solid9[/eluser]
I think you need $_SERVER['HTTP_REFERER'].
Not sure of the equivalent command in CI.
If it doesn't have one, it will still work.
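The Referer comparison suggested in posts #5 and #6, written out next to the defence the thread title names (a CSRF token), as an added example that is not the original poster's code and not from anyone in the thread. It assumes CodeIgniter 3 (the $this->security CSRF getters and $this->input->server() also exist in 2.1+), that csrf_protection is enabled in application/config/config.php, that the url helper is loaded (the first post already uses redirect() and site_url()), and that the deletion moves from a GET link to a POST form. The Gallery controller file, the do_delete method and the gallery/confirm_delete view name are invented for the example; load_photos_model and the uploads/ path come from the first post.

```php
<?php
// application/config/config.php (assumption: CodeIgniter's built-in CSRF
// protection is switched on; note that it checks POST requests only, so a
// deletion that still happens on a GET link is not covered by it).
// $config['csrf_protection'] = TRUE;
// $config['csrf_token_name']  = 'csrf_token';
// $config['csrf_cookie_name'] = 'csrf_cookie';
// $config['csrf_expire']      = 7200;

// application/controllers/Gallery.php (file and do_delete() are assumptions)
class Gallery extends CI_Controller
{
    // GET /gallery/delete/22 no longer deletes anything. A state change on a
    // GET URL is exactly what a link or <img src="..."> on another site can
    // trigger; here the GET only renders a confirmation form that carries
    // the CSRF token.
    public function delete($photo)
    {
        $data = array(
            'photo'     => basename($photo),  // drop any path components
            'csrf_name' => $this->security->get_csrf_token_name(),
            'csrf_hash' => $this->security->get_csrf_hash(),
        );
        $this->load->view('gallery/confirm_delete', $data);  // view name assumed
    }

    // POST /gallery/do_delete. With csrf_protection enabled, CodeIgniter
    // compares the posted token with the csrf cookie before this method
    // runs and rejects the request on mismatch, so the Referer check from
    // the thread is kept only as a second layer.
    public function do_delete()
    {
        if ( ! $this->referer_is_local())
        {
            show_error('Request did not originate from this site.', 403);
        }

        // input->post() returns NULL (CI 3) or FALSE (CI 2) when absent;
        // the cast makes both cases an empty string that fails the regex.
        $photo = basename((string) $this->input->post('photo'));
        if ( ! preg_match('/^[A-Za-z0-9_-]+$/', $photo))
        {
            show_error('Invalid photo id.', 400);
        }

        $this->load->model('load_photos_model');
        if ($this->load_photos_model->delete($photo))
        {
            $path = 'uploads/'.$photo.'.jpg';
            if (is_file($path))
            {
                unlink($path);
            }
        }
        redirect('gallery');
    }

    // The Referer comparison from posts #5 and #6, done on the parsed host
    // rather than as a string prefix: a prefix test against
    // "http://www.website.com" would also accept
    // "http://www.website.com.attacker.example/". The header is optional
    // (privacy extensions and some proxies strip it), so a missing header is
    // treated as a failure here; that is why this cannot be the only check.
    private function referer_is_local()
    {
        $referer = $this->input->server('HTTP_REFERER');
        if (empty($referer))
        {
            return FALSE;
        }
        $ref_host  = parse_url($referer, PHP_URL_HOST);
        $site_host = parse_url(base_url(), PHP_URL_HOST);
        return ! empty($ref_host) && ! empty($site_host)
            && strcasecmp($ref_host, $site_host) === 0;
    }
}

// application/views/gallery/confirm_delete.php (assumed name). form_open()
// would insert the hidden token field by itself when csrf_protection is
// TRUE; it is written out here so the token round trip is visible.
?>
<form method="post" action="<?php echo site_url('gallery/do_delete'); ?>">
  <input type="hidden" name="photo" value="<?php echo html_escape($photo); ?>">
  <input type="hidden" name="<?php echo $csrf_name; ?>" value="<?php echo $csrf_hash; ?>">
  <button type="submit">Delete photo <?php echo html_escape($photo); ?></button>
</form>
```

The token is the part that actually answers the question in post #4: another site cannot read the csrf cookie or the hidden field, so it cannot forge a valid POST. The Referer test on its own forces a choice between failing open (a stripped header is accepted, and the check protects nothing) and failing closed (visitors whose browser or proxy strips Referer are locked out), which is why it is only a secondary layer here.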