OK, thanks, so I think it should be something like this:
<?php echo link_to('delete', '/profil/friends', array(
  'onclick' => 'acceptDeleteFriend('.$z->getId().');',
  'method'  => 'post',
)) ?>
and in actions.class.php: $request->checkCSRFProtection()
:)
On 12 Apr, 00:01, Alexandru-Emil Lupu <[email protected]> wrote:
> if you check just friendship id ... then no.
> you should also check that the one who wants to cancel the friendship is the right
> user.
> For instance, I had a system like this:
> table friendships: id, user_id, friend_id, created_at
> Id is unique.
> When I add / accept friends, I insert 2 records in the DB:
>
> 1, me, you, now
>
> when you accept
>
> 2, you, me, now
>
> After that, I just check by selecting from table friendships where "id=1 and
> user_id = me". If this returns an instance of the friendship object then I
> just delete it. And of course the whole algorithm is checked via POST.
> If you inserted the link "/profil/users/notaccept/2", then if I opened that
> page, I would not be able to reset your friendship request ...
>
> If you inserted the link "/profil/users/notaccept/1", the POST check
> would do the job.
> Alecs
>
> On Sat, Apr 11, 2009 at 4:18 PM, dziobacz <[email protected]> wrote:
>
> > OK, so I turned on the escaping strategy and, in the function that shows users'
> > comments, used htmlspecialchars_decode() to show their links.
> > I also used JavaScript: the user must confirm the delete action, so now <IMG
> > src="/profil/users/notaccept/22"> doesn't work. But is it a good
> > solution against CSRF attacks?
>
> > On 11 Apr, 10:50, Alexandru-Emil Lupu <[email protected]> wrote:
> > > Hi!
> > > You might want to implement a liking system for "unaccepting" friends,
> > > like:
> > > <a href="/profil/users/notaccept/22"><IMG src="/profil/users/*images*
> > > /notaccept/22"></a>
> > > and also a JavaScript confirmation ...
> > > Also, it would be a good idea for that system to use unique friend ids
> > ...
> > > And also, unaccepting a friend may be done via AJAX using POST.
> > > And also, try disabling htmlentities and using BBCode or wiki syntax ...
> > > would be better, and painless against user input ...
> > > Alecs
>
> > > On Sat, Apr 11, 2009 at 10:47 AM, dziobacz <[email protected]>
> > wrote:
>
> > > > But I would like to let users add links, so in settings.yml I
> > > > have set escaping_strategy: false.
> > > > User with id=1 adds comment:
> > > > <IMG src="/profil/users/notaccept/22">
> > > > User with id=5 goes to page with <IMG src="/profil/users/notaccept/
> > > > 22"> and it deletes from database his friend with id=22 :(
> > > > My application isn't safe :( !! What can I do ? :((((
>
> > > > On 11 Apr, 08:38, "[email protected]"
> > > > <[email protected]> wrote:
> > > > > I think you misunderstood the concept behind it.
> > > > > CSRFProtection is used in forms, not in simple links.
>
> > > > > Michael
>
> > > > > On 10 Apr., 15:40, dziobacz <[email protected]> wrote:
>
> > > > > > I have read about csrf protection but I still don't understand
> > > > > > everything.
>
> > > > > > I have in settings.yml:
> > > > > > csrf_secret: secret12
>
> > > > > > I have something like that in template:
> > > > > > User A adds user B to friends. User B can accept it, then I have this
> > > > > > link:
> > > > > > <a href="/profile/users/accept/<?php echo $z->getId() ?>">accept</a>
> > > > > > or not accept it, then this link:
> > > > > > <a href="/profile/users/notaccept/<?php echo $z->getId() ?>">not accept</a>
>
> > > > > > Then, in actions.class.php, I take the id like this:
> > > > > > $id = (int)$request->getParameter('accept');
> > > > > > $id = (int)$request->getParameter('notaccept');
>
> > > > > > and add or delete a row to/from the database. Should I write
> > > > > > $request->checkCSRFProtection() in both cases?
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en
-~----------~----~----~----~------~----~------~--~---
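The three checks the thread converges on (reject anything that is not a POST, verify a session-bound CSRF token, and scope the delete to the logged-in user), as an added example that is not part of the thread and not symfony's own code. It is plain PHP over PDO/SQLite so it runs stand-alone (assumes PHP 7+ with the pdo_sqlite extension); the table layout and the two rows follow Alecs' description, while the user ids 1 ("me") and 2 ("you"), the `_csrf_token` field name, the status codes and every function name are assumptions made for the example.

```php
<?php
// Added example (not from the thread, not symfony code): the three checks the
// thread discusses, in plain PHP + PDO/SQLite so it runs stand-alone.
// Assumptions: the friendships table Alecs describes (id, user_id, friend_id,
// created_at) with user ids 1 ("me") and 2 ("you"); the token lives in the
// session array; field, function and status-code choices are hypothetical.
declare(strict_types=1);

const CSRF_FIELD = '_csrf_token';

// Issue one random token per session and reuse it for every form/link.
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

// Constant-time comparison of the submitted token against the session's copy.
function csrfValid(array $session, array $post): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    $sent     = $post[CSRF_FIELD] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Handler for "not accept" / "delete friend". Returns an HTTP status code.
//   405  not a POST: an <IMG src="..."> injected into a comment can only issue GETs
//   403  missing or wrong CSRF token: a cross-site auto-submitting form has no token
//   404  no row with that id belonging to the current user (the ownership check)
//   200  the caller's own row was deleted
function notAccept(PDO $db, string $method, array $session, array $post, int $currentUserId): int
{
    if (strtoupper($method) !== 'POST') {
        return 405;
    }
    if (!csrfValid($session, $post)) {
        return 403;
    }
    $id = (int) ($post['id'] ?? 0);
    // Scope the delete to the caller: "WHERE id = :id" alone would let any
    // logged-in user delete any friendship whose id they can guess.
    $stmt = $db->prepare('DELETE FROM friendships WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $currentUserId]);
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// Constructed sample data: the two rows from the thread (1: me->you, 2: you->me).
function seedDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE friendships (id INTEGER PRIMARY KEY, user_id INTEGER, friend_id INTEGER, created_at TEXT)');
    $db->exec("INSERT INTO friendships VALUES (1, 1, 2, datetime('now')), (2, 2, 1, datetime('now'))");
    return $db;
}

// Fails loudly instead of relying on assert(), which may be disabled by php.ini.
function expect(string $label, int $got, int $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got $got, expected $want");
    }
    echo "$label: $got\n";
}

$db      = seedDb();
$session = [];
$token   = csrfToken($session);

// The attack from the thread: <IMG src="/profil/users/notaccept/1"> viewed by user 1.
expect('GET via <img>, no token',        notAccept($db, 'GET',  $session, ['id' => 1], 1), 405);
// A cross-site form can POST without any click, but it cannot read the victim's token.
expect('cross-site POST, no token',      notAccept($db, 'POST', $session, ['id' => 1], 1), 403);
// Valid token, but user 2 names a row that belongs to user 1.
expect('own token, someone else\'s row', notAccept($db, 'POST', $session, ['id' => 1, CSRF_FIELD => $token], 2), 404);
// Valid token, own row: the only case that deletes anything.
expect('own token, own row',             notAccept($db, 'POST', $session, ['id' => 1, CSRF_FIELD => $token], 1), 200);
```

Run it with `php csrf_friends.php`; each line prints the status the handler returned, and a mismatch throws. The first two checks are what the thread's `link_to(..., array('method' => 'post'))` and `$request->checkCSRFProtection()` give you in symfony 1.2 once `csrf_secret` is set, because the generated POST form carries the token and the request check verifies it. The third, `AND user_id = :uid`, is the ownership check Alecs describes and is application logic the framework cannot supply; note also that a client-side confirm() changes nothing here, since an injected image request never runs the page's JavaScript.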