From c3397a2c73273ba5414d976ab7f45ae5e71a8a33 Mon Sep 17 00:00:00 2001 From: nikrou Date: Sun, 15 Jan 2006 13:45:42 +0000 Subject: Improve security of sessions: - use only cookies to store session id on client side - use default php session system with database handler to store sessions on server side git-svn-id: http://piwigo.org/svn/trunk@1004 68402e56-0260-453c-a942-63ccdbb3a9ee --- picture.php | 47 ++++++++++++++++++----------------------------- 1 file changed, 18 insertions(+), 29 deletions(-) (limited to 'picture.php') diff --git a/picture.php b/picture.php index 69c8e9b8e..f34c6b3c3 100644 --- a/picture.php +++ b/picture.php @@ -76,7 +76,7 @@ while ($row = mysql_fetch_array($result)) if (!$belongs) { echo '
'.$lang['access_forbiden'].'
'; - echo ''; + echo ''; echo $lang['thumbnails'].'
'; exit(); } @@ -323,18 +323,17 @@ if ( isset( $_GET['add_fav'] ) ) { // there is no favorite picture anymore we redirect the user to the // category page - $url = add_session_id($url_up); - redirect($url); + redirect($url_up); } else if (!$has_prev) { $url = str_replace( '&', '&', $picture['next']['url'] ); - $url = add_session_id( $url, true); + redirect( $url ); } else { $url = str_replace('&', '&', $picture['prev']['url'] ); - $url = add_session_id( $url, true); + redirect( $url ); } redirect( $url ); } @@ -522,12 +521,12 @@ $template->assign_vars(array( 'L_UP_HINT' => $lang['home_hint'], 'L_UP_ALT' => $lang['home'], - 'U_HOME' => add_session_id(PHPWG_ROOT_PATH.'category.php'), - 'U_UP' => add_session_id($url_up), - 'U_METADATA' => add_session_id($url_metadata), - 'U_ADMIN' => add_session_id($url_admin), - 'U_SLIDESHOW'=> add_session_id($url_slide), - 'U_ADD_COMMENT' => add_session_id(str_replace( '&', '&', $_SERVER['REQUEST_URI'] )) + 'U_HOME' => (PHPWG_ROOT_PATH.'category.php'), + 'U_UP' => $url_up, + 'U_METADATA' => $url_metadata, + 'U_ADMIN' => $url_admin, + 'U_SLIDESHOW'=> $url_slide, + 'U_ADD_COMMENT' => str_replace( '&', '&', $_SERVER['REQUEST_URI'] ) ) ); @@ -584,10 +583,8 @@ if ('admin' == $user['status']) 'caddie', array( 'URL' => - add_session_id( PHPWG_ROOT_PATH.'picture.php' .get_query_string_diff(array('caddie')).'&caddie=1') - ) ); } @@ -645,7 +642,7 @@ if ($has_prev) array( 'TITLE_IMG' => $picture['prev']['name'], 'IMG' => $picture['prev']['thumbnail'], - 'U_IMG' => add_session_id($picture['prev']['url']) + 'U_IMG' => $picture['prev']['url'] )); } @@ -656,7 +653,7 @@ if ($has_next) array( 'TITLE_IMG' => $picture['next']['name'], 'IMG' => $picture['next']['thumbnail'], - 'U_IMG' => add_session_id($picture['next']['url']) + 'U_IMG' => $picture['next']['url'] )); } @@ -679,11 +676,9 @@ if (!empty($picture['current']['author'])) { $infos['INFO_AUTHOR'] = ''.$picture['current']['author'].''; + .'">'.$picture['current']['author'].''; } else { 
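Review bot: The trailing `redirect( $url );` left after the if/else chain at -323 is now reachable only from the first branch, and that branch never assigns `$url` inside the hunk, while the other two branches already call `redirect( $url );` themselves. If redirect() terminates the script the trailing call is dead code for those branches; if it does not, the first branch falls through to a second redirect with whatever `$url` held earlier in the function (not visible here, possibly unset). Either drop the trailing call, or keep a single exit point by assigning `$url = $url_up;` in the first branch and removing the two per-branch `redirect( $url );` lines. The enclosing `if ( isset( $_GET['add_fav'] ) )` block starts before the hunk.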
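Review bot: `'U_ADD_COMMENT' => str_replace( '&', '&', $_SERVER['REQUEST_URI'] )` at -522 now hands the raw request URI to the template; REQUEST_URI is attacker-controlled, so if the template writes this value into an href without escaping, a crafted request URL is reflected into the page. Whether add_session_id() previously escaped it, or the template escapes it on output, cannot be seen from this hunk, so confirm that, and otherwise escape at the assignment: `'U_ADD_COMMENT' => htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES)`. As rendered here the str_replace is a no-op (`'&'` to `'&'`), which is presumably `'&amp;'` lost to entity decoding in this view. Style: the parentheses in `'U_HOME' => (PHPWG_ROOT_PATH.'category.php'),` are a leftover from the removed call and can go.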
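Review bot: The caddie URL built at -584, `PHPWG_ROOT_PATH.'picture.php'.get_query_string_diff(array('caddie')).'&caddie=1'`, triggers a state-changing action from a plain GET link that is now authenticated by the session cookie alone. Before this commit the session id embedded by add_session_id() incidentally made such links unguessable to a third party; with cookie-only sessions an action URL carrying nothing but `&caddie=1` is forgeable by any page the user visits. The same applies to the new `$url.'&del='.$row['id']` at -1043 and to the `add_fav` handling at -323. Appending a per-session token to these URLs and checking it in the handling code (not in this diff) would restore that protection; if get_query_string_diff() already carries one, disregard this.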
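Review bot: `.'">'.$picture['current']['author'].''` at -679 concatenates the stored author value straight into markup with no htmlspecialchars(); the rewritten lines at -695 and -709 follow the same pattern (format_date output, lower risk), and at -763 preg_replace inserts the raw keyword `$1` into both the link target and the link text. The href portion of these lines is not visible in this view, so whether the value is also embedded unescaped in a URL cannot be confirmed from here. Since the commit already rewrites these lines, wrapping the interpolated value is cheap: `.'">'.htmlspecialchars($picture['current']['author']).''`, and for the keyword case escaping the keywords string before preg_replace, or using preg_replace_callback with urlencode() for the target and htmlspecialchars() for the text.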
@@ -695,11 +690,9 @@ if (!empty($picture['current']['date_creation'])) { $infos['INFO_CREATION_DATE'] = ''.format_date($picture['current']['date_creation']).''; + .'">'.format_date($picture['current']['date_creation']).''; } else { @@ -709,12 +702,10 @@ else // date of availability $infos['INFO_AVAILABILITY_DATE'] = ''. + .'">'. format_date($picture['current']['date_available'], 'mysql_datetime'). ''; @@ -763,10 +754,8 @@ if (!empty($picture['current']['keywords'])) preg_replace( '/([^,]+)/', '$1', + .'">$1', $picture['current']['keywords'] ); } @@ -890,7 +879,7 @@ if ( isset( $_GET['slideshow'] ) ) if ( !is_numeric( $_GET['slideshow'] ) ) $_GET['slideshow'] = $conf['slideshow_period']; $template->assign_block_vars('stop_slideshow', array( - 'U_SLIDESHOW'=>add_session_id( $picture['current']['url'] ) + 'U_SLIDESHOW'=>$picture['current']['url'] )); } @@ -1043,7 +1032,7 @@ if ($page['show_comments']) { $template->assign_block_vars( 'comments.comment.delete', - array('U_COMMENT_DELETE'=>add_session_id( $url.'&del='.$row['id']) + array('U_COMMENT_DELETE'=> $url.'&del='.$row['id'] )); } } -- cgit v1.2.3