-rw-r--r-- | includes/common.inc | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 28d975e61..f8922ab2d 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1040,6 +1040,53 @@ function form($form, $method = 'post', $action = NULL, $attributes = NULL) {
 }
 
 /**
+ * Set a hidden 'form_token' field to be included in a form, used to validate
+ * that the resulting submission was actually generated by a local form.
+ *
+ * @param $key
+ * A unique key to identify the form that is currently being displayed.
+ * This identical key is later used to validate that the resulting submission
+ * actually originated with this form.
+ * @result
+ * A themed HTML string representing the hidden token field.
+ */
+function form_token($key) {
+ // this private key should always be kept secret
+ if (!variable_get('drupal_private_key', '')) {
+ variable_set('drupal_private_key', mt_rand());
+ }
+
+ // the verification token is an md5 hash of the form key and our private key
+ return form_hidden('form_token', md5($key . variable_get('drupal_private_key', '')));
+}
+
+/**
+ * Verify that the hidden 'form_token' field was actually generated with our
+ * private key.
+ *
+ * @param $edit
+ * An array containing the form that needs to be validated.
+ * @param $key
+ * The same key that was used to generate the 'form_token'.
+ * @param $error_message
+ * An optional error message to display if the form does not validate.
+ * @result
+ * There is nothing returned from this function, but if the 'form_token' does
+ * not validate an error is generated, preventing the submission.
+ */
+function form_validate($edit, $key, $error_message = NULL) {
+ if ($error_message == NULL) {
+ // set a generic default error message
+ $error = t('Validation error, please try again. If this error persists, please contact the site administrator.');
+ }
+
+ if ($edit['form_token'] != md5($key . variable_get('drupal_private_key', ''))) {
+ // setting this error will cause the form to fail validation
+ form_set_error('form_token', $error);
+ }
+}
+
+/**
  * File an error against the form element with the specified name.
  */
 function form_set_error($name, $message) { |
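Review bot: In `form_validate`, the `$error_message` parameter is never used: the default text is written to a separate `$error` variable, so a caller-supplied message is dropped and `$error` is undefined whenever one is passed, leaving `form_set_error('form_token', $error)` with a null message. Assign the default to the parameter itself, `if ($error_message === NULL) { $error_message = t('Validation error, please try again. If this error persists, please contact the site administrator.'); }`, and pass `$error_message` to `form_set_error`; the `===` also avoids treating an empty or `'0'` message as absent. The token built in `form_token` is `md5($key . private_key)` with no per-session or per-user component, so the same value validates for every visitor and never expires; folding a session-bound value such as `session_id()` into the hashed input would tie each token to the submitting session. `mt_rand()` stores a single non-cryptographic integer as the site's long-term private key, far less entropy than the comment 'this private key should always be kept secret' suggests; a cryptographically strong random value of at least 128 bits is the usual choice. The comparison in `form_validate` should be strict (`!==`), and `$edit['form_token']` should be checked with `isset()` first so a submission that omits the field fails cleanly instead of raising an undefined-index notice.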