From 9d6404ad36375079e815979bd4bf476a5195df5e Mon Sep 17 00:00:00 2001 From: nikrou Date: Sun, 15 Jan 2006 12:52:55 +0000 Subject: Improve security of sessions: - use only cookies to store session id on client side - use default php session system with database handler to store sessions on server side git-svn-id: http://piwigo.org/svn/branches/branch-1_5@1003 68402e56-0260-453c-a942-63ccdbb3a9ee --- picture.php | 47 ++++++++++++++++++----------------------------- 1 file changed, 18 insertions(+), 29 deletions(-) (limited to 'picture.php') diff --git a/picture.php b/picture.php index b59cb1a87..5009e101a 100644 --- a/picture.php +++ b/picture.php @@ -82,7 +82,7 @@ while ($row = mysql_fetch_array($result)) if (!$belongs) { echo '
'.$lang['access_forbiden'].'
'; - echo ''; + echo ''; echo $lang['thumbnails'].'
'; exit(); } @@ -329,18 +329,17 @@ if ( isset( $_GET['add_fav'] ) ) { // there is no favorite picture anymore we redirect the user to the // category page - $url = add_session_id($url_up); - redirect($url); + redirect($url_up); } else if (!$has_prev) { $url = str_replace( '&', '&', $picture['next']['url'] ); - $url = add_session_id( $url, true); + redirect( $url ); } else { $url = str_replace('&', '&', $picture['prev']['url'] ); - $url = add_session_id( $url, true); + redirect( $url ); } redirect( $url ); } @@ -533,12 +532,12 @@ $template->assign_vars(array( 'L_UP_HINT' => $lang['home_hint'], 'L_UP_ALT' => $lang['home'], - 'U_HOME' => add_session_id(PHPWG_ROOT_PATH.'category.php'), - 'U_UP' => add_session_id($url_up), - 'U_METADATA' => add_session_id($url_metadata), - 'U_ADMIN' => add_session_id($url_admin), - 'U_SLIDESHOW'=> add_session_id($url_slide), - 'U_ADD_COMMENT' => add_session_id(str_replace( '&', '&', $_SERVER['REQUEST_URI'] )) + 'U_HOME' => (PHPWG_ROOT_PATH.'category.php'), + 'U_UP' => $url_up, + 'U_METADATA' => $url_metadata, + 'U_ADMIN' => $url_admin, + 'U_SLIDESHOW'=> $url_slide, + 'U_ADD_COMMENT' => str_replace( '&', '&', $_SERVER['REQUEST_URI'] ) ) ); @@ -595,10 +594,8 @@ if ('admin' == $user['status']) 'caddie', array( 'URL' => - add_session_id( PHPWG_ROOT_PATH.'picture.php' .get_query_string_diff(array('caddie')).'&caddie=1') - ) ); } @@ -656,7 +653,7 @@ if ($has_prev) array( 'TITLE_IMG' => $picture['prev']['name'], 'IMG' => $picture['prev']['thumbnail'], - 'U_IMG' => add_session_id($picture['prev']['url']) + 'U_IMG' => $picture['prev']['url'] )); } @@ -667,7 +664,7 @@ if ($has_next) array( 'TITLE_IMG' => $picture['next']['name'], 'IMG' => $picture['next']['thumbnail'], - 'U_IMG' => add_session_id($picture['next']['url']) + 'U_IMG' => $picture['next']['url'] )); } @@ -690,11 +687,9 @@ if (!empty($picture['current']['author'])) { $infos['INFO_AUTHOR'] = ''.$picture['current']['author'].''; + .'">'.$picture['current']['author'].''; } else { 
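Review bot: The `redirect( $url );` left after the if/else chain in the add_fav block is now either dead or wrong: each branch already calls `redirect()` itself, and in the first branch `$url` is never assigned any more because the `$url = add_session_id($url_up);` line was removed. If `redirect()` terminates the script (the per-branch rewrite suggests it does, but its body is not in the hunk) the trailing call is unreachable and should be deleted; if it does not, the first branch falls through to `redirect( $url )` with an undefined variable. The simplest fix is to drop the trailing `redirect( $url );` line and keep the per-branch calls. The enclosing `if ( isset( $_GET['add_fav'] ) )` block starts before the hunk.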
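Review bot: `U_ADD_COMMENT` in the template assignment is still built directly from `$_SERVER['REQUEST_URI']`, a client-controlled value, and nothing in this hunk HTML-escapes it before it reaches the template as an href; unless the template layer escapes variables itself (not visible here), the existing `str_replace(...)` expression should be wrapped in `htmlspecialchars()` at this point. As a point of style, the parentheses around `(PHPWG_ROOT_PATH.'category.php')` in `U_HOME` are a leftover of the removed `add_session_id(` call and can be dropped to match the other entries.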
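Review bot: With session ids no longer embedded in links, the admin `'URL' => PHPWG_ROOT_PATH.'picture.php'.get_query_string_diff(array('caddie')).'&caddie=1'` is a plain GET link that changes server-side state authenticated only by the session cookie; the session id that `add_session_id()` used to append was incidentally acting as a per-session secret, and this commit removes it without adding a replacement. The same applies to the `U_COMMENT_DELETE` link (`$url.'&del='.$row['id']`) in the hunk at @@ -1054 and, by inference, to the `add_fav` GET handling at @@ -329. A defensive follow-up is to append a token bound to the session to these links and verify it in the handlers before acting, or to move the destructive actions to POST forms. The handlers that consume `caddie` and `del` are outside these hunks, so whether they check anything beyond the session cookie cannot be confirmed here.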
@@ -706,11 +701,9 @@ if (!empty($picture['current']['date_creation'])) { $infos['INFO_CREATION_DATE'] = ''.format_date($picture['current']['date_creation']).''; + .'">'.format_date($picture['current']['date_creation']).''; } else { @@ -720,12 +713,10 @@ else // date of availability $infos['INFO_AVAILABILITY_DATE'] = ''. + .'">'. format_date($picture['current']['date_available'], 'mysql_datetime'). ''; @@ -774,10 +765,8 @@ if (!empty($picture['current']['keywords'])) preg_replace( '/([^,]+)/', '$1', + .'">$1', $picture['current']['keywords'] ); } @@ -901,7 +890,7 @@ if ( isset( $_GET['slideshow'] ) ) if ( !is_numeric( $_GET['slideshow'] ) ) $_GET['slideshow'] = $conf['slideshow_period']; $template->assign_block_vars('stop_slideshow', array( - 'U_SLIDESHOW'=>add_session_id( $picture['current']['url'] ) + 'U_SLIDESHOW'=>$picture['current']['url'] )); } @@ -1054,7 +1043,7 @@ if ($page['show_comments']) { $template->assign_block_vars( 'comments.comment.delete', - array('U_COMMENT_DELETE'=>add_session_id( $url.'&del='.$row['id']) + array('U_COMMENT_DELETE'=> $url.'&del='.$row['id'] )); } } -- cgit v1.2.3