-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check token correctly #78
Conversation
If we use `$this->getField('form_token')->getValue();` it will use the field that is automagically added, instead of the real submitted value.
spoon/form/form.php
Outdated
if ($this->getMethod() === 'get' && !isset($_GET['form_token']) | ||
|| $this->getMethod() === 'post' && !isset($_POST['form_token'])) { | ||
$submittedToken = ''; | ||
if ($this->getMethod() === 'get' && !isset($_GET['form_token']) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think there is still something wrong here. You are checking if the method is get and if there isn't a form token in $_GET. If that is the case you try to get the not existing token out of $_GET.
The same happens with $_POST
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You also forgot to close a ) here and with the post one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 68eb811
spoon/form/form.php
Outdated
if ($this->getMethod() === 'get' && !isset($_GET['form_token']) | ||
|| $this->getMethod() === 'post' && !isset($_POST['form_token'])) { | ||
$submittedToken = ''; | ||
if ($this->getMethod() === 'get' && !isset($_GET['form_token']) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You also forgot to close a ) here and with the post one
The previous fix only fixed checking if the token was submitted.
Further on in the code the submitted value was not used, instead the value of the automagically added field was used. Which made the check useless as it will alway be the same...