firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

게시글 댓글 삭제 때 토큰 체크 추가

Browse Source
This commit is contained in:
chicpro
2016-06-24 17:17:02 +09:00
parent e724ef7291
commit 2a9e72da41
5 changed files with 20 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
bbs/delete.php
View File

@ -1,11 +1,11 @@
<?php <?php
include_once('./_common.php'); include_once('./_common.php');
if ($is_admin) $delete_token = get_session('ss_delete_token');
{ set_session('ss_delete_token', '');
if (!($token && get_session('ss_delete_token') == $token))
alert('토큰 에러로 삭제 불가합니다.'); if (!($token && $delete_token == $token))
} alert('토큰 에러로 삭제 불가합니다.');
//$wr = sql_fetch(" select * from $write_table where wr_id = '$wr_id' "); //$wr = sql_fetch(" select * from $write_table where wr_id = '$wr_id' ");

10
bbs/delete_comment.php
View File

@ -2,11 +2,11 @@
// 코멘트 삭제 // 코멘트 삭제
include_once('./_common.php'); include_once('./_common.php');
if ($is_admin) $delete_comment_token = get_session('ss_delete_comment_token');
{ set_session('ss_delete_comment_token', '');
if (!($token && get_session("ss_delete_token") == $token))
alert('토큰 에러로 삭제 불가합니다.'); if (!($token && $delete_comment_token == $token))
} alert('토큰 에러로 삭제 불가합니다.');
// 4.1 // 4.1
@include_once($board_skin_path.'/delete_comment.head.skin.php'); @include_once($board_skin_path.'/delete_comment.head.skin.php');

6
bbs/password.php
View File

@ -9,11 +9,13 @@ switch ($w) {
$return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id; $return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id;
break; break;
case 'd' : case 'd' :
$action = './delete.php'; set_session('ss_delete_token', $token = uniqid(time()));
$action = './delete.php?token='.$token;
$return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id; $return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id;
break; break;
case 'x' : case 'x' :
$action = './delete_comment.php'; set_session('ss_delete_comment_token', $token = uniqid(time()));
$action = './delete_comment.php?token='.$token;
$row = sql_fetch(" select wr_parent from $write_table where wr_id = '$comment_id' "); $row = sql_fetch(" select wr_parent from $write_table where wr_id = '$comment_id' ");
$return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$row['wr_parent']; $return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$row['wr_parent'];
break; break;

8
bbs/view.php
View File

@ -72,12 +72,8 @@ $update_href = $delete_href = '';
// 로그인중이고 자신의 글이라면 또는 관리자라면 비밀번호를 묻지 않고 바로 수정, 삭제 가능 // 로그인중이고 자신의 글이라면 또는 관리자라면 비밀번호를 묻지 않고 바로 수정, 삭제 가능
if (($member['mb_id'] && ($member['mb_id'] == $write['mb_id'])) || $is_admin) { if (($member['mb_id'] && ($member['mb_id'] == $write['mb_id'])) || $is_admin) {
$update_href = './write.php?w=u&amp;bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.$qstr; $update_href = './write.php?w=u&amp;bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.$qstr;
$delete_href = './delete.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.urldecode($qstr); set_session('ss_delete_token', $token = uniqid(time()));
if ($is_admin) $delete_href ='./delete.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;token='.$token.'&amp;page='.$page.urldecode($qstr);
{
set_session("ss_delete_token", $token = uniqid(time()));
$delete_href ='./delete.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;token='.$token.'&amp;page='.$page.urldecode($qstr);
}
} }
else if (!$write['mb_id']) { // 회원이 쓴 글이 아니라면 else if (!$write['mb_id']) { // 회원이 쓴 글이 아니라면
$update_href = './password.php?w=u&amp;bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.$qstr; $update_href = './password.php?w=u&amp;bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.$qstr;

10
bbs/view_comment.php
View File

@ -9,11 +9,6 @@ if ($is_guest && $board['bo_comment_level'] < 2) {
@include_once($board_skin_path.'/view_comment.head.skin.php'); @include_once($board_skin_path.'/view_comment.head.skin.php');
// 코멘트를 새창으로 여는 경우 세션값이 없으므로 생성한다.
if ($is_admin && !$token) {
set_session("ss_delete_token", $token = uniqid(time()));
}
$list = array(); $list = array();
$is_comment_write = false; $is_comment_write = false;
@ -72,10 +67,13 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
$list[$i]['is_del'] = false; $list[$i]['is_del'] = false;
if ($is_comment_write || $is_admin) if ($is_comment_write || $is_admin)
{ {
$token = '';
if ($member['mb_id']) if ($member['mb_id'])
{ {
if ($row['mb_id'] == $member['mb_id'] || $is_admin) if ($row['mb_id'] == $member['mb_id'] || $is_admin)
{ {
set_session('ss_delete_comment_token', $token = uniqid(time()));
$list[$i]['del_link'] = './delete_comment.php?bo_table='.$bo_table.'&amp;comment_id='.$row['wr_id'].'&amp;token='.$token.'&amp;page='.$page.$qstr; $list[$i]['del_link'] = './delete_comment.php?bo_table='.$bo_table.'&amp;comment_id='.$row['wr_id'].'&amp;token='.$token.'&amp;page='.$page.$qstr;
$list[$i]['is_edit'] = true; $list[$i]['is_edit'] = true;
$list[$i]['is_del'] = true; $list[$i]['is_del'] = true;
@ -84,7 +82,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
else else
{ {
if (!$row['mb_id']) { if (!$row['mb_id']) {
$list[$i]['del_link'] = './password.php?w=x&amp;bo_table='.$bo_table.'&amp;comment_id='.$row['wr_id'].'&amp;page='.$page.$qstr; $list[$i]['del_link'] = './password.php?w=x&amp;bo_table='.$bo_table.'&amp;comment_id='.$row['wr_id'].'&amp;token='.$token.'&amp;page='.$page.$qstr;
$list[$i]['is_del'] = true; $list[$i]['is_del'] = true;
} }
} }