
Use unique identifier to authenticate profile changes

git-svn-id: https://ai-contest.googlecode.com/svn/trunk@612 9d0e4ec5-6d14-e29b-3149-cabf4038ef1e
Janzert committed Nov 27, 2010
1 parent 15e5f5d commit 816b26f700988b3f641162657c9910354a6fe192
Showing with 30 additions and 5 deletions.
  1. +12 −5 planet_wars/www/profile.php
  2. +18 −0 planet_wars/www/save_profile.php
@@ -43,7 +43,9 @@
o.org_id,
o.name as org_name,
c.country_id,
- c.name as country_name
+ c.name as country_name,
+ u.email,
+ u.activation_code
from
users u
left outer join organizations o on o.org_id = u.org_id
@@ -74,13 +76,18 @@
}
if (logged_in_with_valid_credentials() && current_user_id() == $user_id) {
$logged_in = true;
+ $chk = mt_rand();
+ $update_key = sha1(
+ $chk . $userdata["activation_code"] . $userdata["email"]);
} else {
$logged_in = false;
}
if (!$userresult) {
echo "<p>Invalid User ID</p>";
} else {
-echo <<<EOT
+echo " <h2>Profile for $username</h2>";
+if ($logged_in) {
+echo <<< EOT
<script>
function toggle_change_org() {
if (document.getElementById('orgchange').style.display == 'none') {
@@ -101,10 +108,10 @@ function toggle_change_country() {
}
}
</script>
- <h2>Profile for $username</h2>
+ <form method="post" action="save_profile.php">
+ <input type="hidden" name="chk" value="$chk" />
+ <input type="hidden" name="update_key" value="$update_key" />
EOT;
-if ($logged_in) {
- echo ' <form method="post" action="save_profile.php">';
}
echo <<<EOT
<p><strong>Country:</strong>&nbsp;
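Review bot: The `$update_key` built in the `@@ -74,13 +76,18 @@` hunk is a hash over a client-visible nonce and two per-user database columns, so it only protects the save step if `u.activation_code` is secret and non-empty for every user; if that column is cleared or predictable once an account is activated, the key degenerates to `sha1($chk . $email)`, which anyone who knows the address can compute. Nothing binds the pair to the session or marks it single-use, so a captured `chk`/`update_key` pair stays valid indefinitely; if the site already keeps a PHP session, storing the key with `$_SESSION['update_key'] = $update_key;` and comparing against that in save_profile.php would give the same protection without depending on the activation code. `mt_rand()` is acceptable here only because `$chk` carries no secrecy, which is worth stating in a comment such as `// $chk is a public nonce; the secret ingredient is activation_code` so a later reader does not treat it as a token. Separately, the moved `<h2>Profile for $username</h2>` line still writes `$username` into HTML without `htmlspecialchars()`; whether attacker-chosen data can reach it depends on where `$username` is set, outside this hunk.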
@@ -27,8 +27,26 @@ function check_valid_country($id) {
if (!logged_in_with_valid_credentials())
die ("Nice try.. but the bad robot WILL get you");
+if (!array_key_exists('chk', $_POST)
+ || !array_key_exists('update_key', $_POST)) {
+ die("Check keys not found.");
+}
+
$user_id = current_user_id();
+$query = "SELECT email, activation_code FROM users WHERE user_id=".$user_id;
+$result = mysql_query($query);
+if ($row = mysql_fetch_assoc($result)) {
+ $chk = $_POST['chk'];
+ $update_key = $_POST['update_key'];
+ $local_key = sha1($chk . $row['activation_code'] . $row['email']);
+ if ($local_key != $update_key) {
+ die("Bad update key found.");
+ }
+} else {
+ die("User data query failed.");
+}
+
if (array_key_exists('user_country', $_POST)) {
$country_id = $_POST['user_country'];
if (!check_valid_country($country_id))
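Review bot: The key check at `if ($local_key != $update_key)` uses loose comparison on two strings, which PHP evaluates numerically when both operands are numeric strings, and it is not constant-time; prefer `if (!is_string($update_key) || !hash_equals($local_key, $update_key))` (PHP 5.6+) or at minimum `!==`. The query a few lines above concatenates `$user_id` into SQL; `current_user_id()` presumably returns a session value rather than request input, but since the `mysql_*` API offers no parameter binding, `"SELECT email, activation_code FROM users WHERE user_id=" . (int)$user_id` is a cheap guard against the value ever carrying a string. `mysql_fetch_assoc($result)` is reached even when `mysql_query()` returned `false`, which emits a warning before the `die("User data query failed.")` branch runs; testing `$result === false` first keeps that failure path quiet and explicit. The script continues past the hunk.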
