authorDries Buytaert <dries@buytaert.net>2005-09-18 11:50:22 +0000
committerDries Buytaert <dries@buytaert.net>2005-09-18 11:50:22 +0000
commit2ef6b52c8304aaa360e47402e6aa66c7db9fc149 (patch)
tree1eae264453ad2d6daffaa051272a36f058321cef /includes
parentfe5f70b61bc919b7962a62cdda6beac762132b6e (diff)
downloadbrdo-2ef6b52c8304aaa360e47402e6aa66c7db9fc149.tar.gz
brdo-2ef6b52c8304aaa360e47402e6aa66c7db9fc149.tar.bz2
- Patch #28420 by Jeremy: provide a more generic interface that can be used
to validate other form submissions, not just comments. Two new functions are introduced, form_token() and form_validate(). The first function uses a private key and a public key to set a token in a hidden field. The second function validates the token. The comment and contact modules are updated to use these functions.
Diffstat (limited to 'includes')
-rw-r--r--includes/common.inc47
1 files changed, 47 insertions, 0 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 28d975e61..f8922ab2d 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1040,6 +1040,53 @@ function form($form, $method = 'post', $action = NULL, $attributes = NULL) {
}
/**
+ * Set a hidden 'form_token' field to be included in a form, used to validate
+ * that the resulting submission was actually generated by a local form.
+ *
+ * @param $key
+ * A unique key to identify the form that is currently being displayed.
+ * This identical key is later used to validate that the resulting submission
+ * actually originated with this form.
+ * @result
+ * A themed HTML string representing the hidden token field.
+ */
+function form_token($key) {
+ // this private key should always be kept secret
+ if (!variable_get('drupal_private_key', '')) {
+ variable_set('drupal_private_key', mt_rand());
+ }
+
+ // the verification token is an md5 hash of the form key and our private key
+ return form_hidden('form_token', md5($key . variable_get('drupal_private_key', '')));
+}
+
+/**
+ * Verify that the hidden 'form_token' field was actually generated with our
+ * private key.
+ *
+ * @param $edit
+ * An array containing the form that needs to be validated.
+ * @param $key
+ * The same key that was used to generate the 'form_token'.
+ * @param $error_message
+ * An optional error message to display if the form does not validate.
+ * @result
+ * There is nothing returned from this function, but if the 'form_token' does
+ * not validate an error is generated, preventing the submission.
+ */
+function form_validate($edit, $key, $error_message = NULL) {
+ if ($error_message == NULL) {
+ // set a generic default error message
+ $error = t('Validation error, please try again. If this error persists, please contact the site administrator.');
+ }
+
+ if ($edit['form_token'] != md5($key . variable_get('drupal_private_key', ''))) {
+ // setting this error will cause the form to fail validation
+ form_set_error('form_token', $error);
+ }
+}
+
+/**
* File an error against the form element with the specified name.
*/
function form_set_error($name, $message) {
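Review bot: In form_validate, `$error` is only assigned inside the `$error_message == NULL` branch, so a caller that passes its own message reaches `form_set_error('form_token', $error)` with an undefined variable and the token failure is reported with an empty message; the four lines starting at `if ($error_message == NULL)` should collapse to `$error = $error_message ? $error_message : t('Validation error, please try again. If this error persists, please contact the site administrator.');`. The comparison that follows should also guard the missing key and compare strictly, `if (!isset($edit['form_token']) || $edit['form_token'] !== md5($key . variable_get('drupal_private_key', '')))`, because `!=` between two numeric-looking strings (md5 digests of the form `0e…` are one case) compares them as numbers rather than as the digests themselves. Separately, the token produced by form_token depends only on `$key` and the site-wide private key, so it is the same for every user and session: anyone who can render the form once holds a token that remains valid for every other user's submission, which limits its value as a cross-site request forgery check, and mixing a per-session value such as `session_id()` into the digest would tie the token to the submitter. The private key itself is seeded from a single `mt_rand()` call, which is not a cryptographic source and yields at most 31 bits of entropy, so a stronger random source should be preferred where the platform provides one.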