summaryrefslogtreecommitdiff
path: root/includes/pages/user_questions.php
diff options
context:
space:
mode:
authorIgor Scheller <igor.scheller@igorshp.de>2018-11-20 16:02:03 +0100
committermsquare <msquare@notrademark.de>2018-11-21 19:24:36 +0100
commit944c29b96429ec95ac1371cb33cc43704a60c7b1 (patch)
tree7be99e68d8c15fc7e210a4b3ccc44861a8d1de64 /includes/pages/user_questions.php
parentfd37c9d60ea818dc9a562fa88ff5f9a50132506f (diff)
Require POST for sending forms
* Ensure that the form is submitted with a post request * Replaced several links with forms Closes #494 (Security Vulnerability)
Diffstat (limited to 'includes/pages/user_questions.php')
-rw-r--r--includes/pages/user_questions.php8
1 files changed, 6 insertions, 2 deletions
diff --git a/includes/pages/user_questions.php b/includes/pages/user_questions.php
index 9027ada7..19999577 100644
--- a/includes/pages/user_questions.php
+++ b/includes/pages/user_questions.php
@@ -43,7 +43,7 @@ function user_questions()
switch ($request->input('action')) {
case 'ask':
$question = strip_request_item_nl('question');
- if ($question != '') {
+ if ($question != '' && $request->hasPostData('submit')) {
DB::insert('
INSERT INTO `Questions` (`UID`, `Question`)
VALUES (?, ?)
@@ -60,7 +60,11 @@ function user_questions()
}
break;
case 'delete':
- if ($request->has('id') && preg_match('/^\d{1,11}$/', $request->input('id'))) {
+ if (
+ $request->has('id')
+ && preg_match('/^\d{1,11}$/', $request->input('id'))
+ && $request->hasPostData('submit')
+ ) {
$question_id = $request->input('id');
} else {
return error(__('Incomplete call, missing Question ID.'), true);