diff options
| author | nikrou <nikrou@piwigo.org> | 2006-01-15 12:52:55 +0000 |
|---|---|---|
| committer | nikrou <nikrou@piwigo.org> | 2006-01-15 12:52:55 +0000 |
| commit | 9d6404ad36375079e815979bd4bf476a5195df5e (patch) | |
| tree | 4e4724a9f86cdc91d31419ac5b2a2489b858a70b /picture.php | |
| parent | 6d45ca83efc0f28bb00ecab1a9b4964279cc26b5 (diff) | |
Improve security of sessions:
- use only cookies to store session id on client side
- use default php session system with database handler to store sessions on server side
git-svn-id: http://piwigo.org/svn/branches/branch-1_5@1003 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
| -rw-r--r-- | picture.php | 47 |
1 files changed, 18 insertions, 29 deletions
diff --git a/picture.php b/picture.php index b59cb1a87..5009e101a 100644 --- a/picture.php +++ b/picture.php @@ -82,7 +82,7 @@ while ($row = mysql_fetch_array($result)) if (!$belongs) { echo '<div style="text-align:center;">'.$lang['access_forbiden'].'<br />'; - echo '<a href="'.add_session_id( PHPWG_ROOT_PATH.'category.php' ).'">'; + echo '<a href="'.PHPWG_ROOT_PATH.'category.php'.'">'; echo $lang['thumbnails'].'</a></div>'; exit(); } @@ -329,18 +329,17 @@ if ( isset( $_GET['add_fav'] ) ) { // there is no favorite picture anymore we redirect the user to the // category page - $url = add_session_id($url_up); - redirect($url); + redirect($url_up); } else if (!$has_prev) { $url = str_replace( '&', '&', $picture['next']['url'] ); - $url = add_session_id( $url, true); + redirect( $url ); } else { $url = str_replace('&', '&', $picture['prev']['url'] ); - $url = add_session_id( $url, true); + redirect( $url ); } redirect( $url ); } @@ -533,12 +532,12 @@ $template->assign_vars(array( 'L_UP_HINT' => $lang['home_hint'], 'L_UP_ALT' => $lang['home'], - 'U_HOME' => add_session_id(PHPWG_ROOT_PATH.'category.php'), - 'U_UP' => add_session_id($url_up), - 'U_METADATA' => add_session_id($url_metadata), - 'U_ADMIN' => add_session_id($url_admin), - 'U_SLIDESHOW'=> add_session_id($url_slide), - 'U_ADD_COMMENT' => add_session_id(str_replace( '&', '&', $_SERVER['REQUEST_URI'] )) + 'U_HOME' => (PHPWG_ROOT_PATH.'category.php'), + 'U_UP' => $url_up, + 'U_METADATA' => $url_metadata, + 'U_ADMIN' => $url_admin, + 'U_SLIDESHOW'=> $url_slide, + 'U_ADD_COMMENT' => str_replace( '&', '&', $_SERVER['REQUEST_URI'] ) ) ); @@ -595,10 +594,8 @@ if ('admin' == $user['status']) 'caddie', array( 'URL' => - add_session_id( PHPWG_ROOT_PATH.'picture.php' .get_query_string_diff(array('caddie')).'&caddie=1') - ) ); } @@ -656,7 +653,7 @@ if ($has_prev) array( 'TITLE_IMG' => $picture['prev']['name'], 'IMG' => $picture['prev']['thumbnail'], - 'U_IMG' => add_session_id($picture['prev']['url']) + 'U_IMG' => $picture['prev']['url'] )); } @@ -667,7 +664,7 @@ if ($has_next) array( 'TITLE_IMG' => $picture['next']['name'], 'IMG' => $picture['next']['thumbnail'], - 'U_IMG' => add_session_id($picture['next']['url']) + 'U_IMG' => $picture['next']['url'] )); } @@ -690,11 +687,9 @@ if (!empty($picture['current']['author'])) { $infos['INFO_AUTHOR'] = '<a href="'. - add_session_id( PHPWG_ROOT_PATH.'category.php?cat=search'. '&search=author:'.$picture['current']['author'] - ). - '">'.$picture['current']['author'].'</a>'; + .'">'.$picture['current']['author'].'</a>'; } else { @@ -706,11 +701,9 @@ if (!empty($picture['current']['date_creation'])) { $infos['INFO_CREATION_DATE'] = '<a href="'. - add_session_id( PHPWG_ROOT_PATH.'category.php?cat=search'. '&search=date_creation:'.$picture['current']['date_creation'] - ). - '">'.format_date($picture['current']['date_creation']).'</a>'; + .'">'.format_date($picture['current']['date_creation']).'</a>'; } else { @@ -720,12 +713,10 @@ else // date of availability $infos['INFO_AVAILABILITY_DATE'] = '<a href="'. - add_session_id( PHPWG_ROOT_PATH.'category.php?cat=search'. '&search=date_available:'. substr($picture['current']['date_available'], 0, 10) - ). - '">'. + .'">'. format_date($picture['current']['date_available'], 'mysql_datetime'). '</a>'; @@ -774,10 +765,8 @@ if (!empty($picture['current']['keywords'])) preg_replace( '/([^,]+)/', '<a href="'. - add_session_id( PHPWG_ROOT_PATH.'category.php?cat=search&search=keywords:$1' - ). - '">$1</a>', + .'">$1</a>', $picture['current']['keywords'] ); } @@ -901,7 +890,7 @@ if ( isset( $_GET['slideshow'] ) ) if ( !is_numeric( $_GET['slideshow'] ) ) $_GET['slideshow'] = $conf['slideshow_period']; $template->assign_block_vars('stop_slideshow', array( - 'U_SLIDESHOW'=>add_session_id( $picture['current']['url'] ) + 'U_SLIDESHOW'=>$picture['current']['url'] )); } @@ -1054,7 +1043,7 @@ if ($page['show_comments']) { $template->assign_block_vars( 'comments.comment.delete', - array('U_COMMENT_DELETE'=>add_session_id( $url.'&del='.$row['id']) + array('U_COMMENT_DELETE'=> $url.'&del='.$row['id'] )); } } |