I am building the simple voting system from the dotinstall lesson.
http://dotinstall.com/lessons/poll_php_v2/9710
Perhaps because the if statement below does not work correctly, even when I vote normally, "Unauthorized operation!" always appears.
Which part is wrong?
I will also post the source.
<?php
require_once('config.php');
require_once('functions.php');
session_start();

if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    // Before posting
    // CSRF countermeasure: issue a per-session token
    if (!isset($_SESSION['token'])) {
        $_SESSION['token'] = sha1(uniqid(mt_rand(), true));
    }
} else {
    // After posting: the submitted token must match the one in the session
    if (empty($_POST['token']) || $_POST['token'] != $_SESSION['token']) {
        echo "Unauthorized operation!";
        exit;
    }
    // Error checking
    if (!in_array($_POST['answer'], array(1, 2, 3, 4))) {
        $err = "Please select a photo!";
    }
    if (empty($err)) {
        $dbh = connectDb();
        $sql = "insert into answers
                (answer, remote_addr, user_agent, answer_date, created, modified)
                values
                (:answer, :remote_addr, :user_agent, :answer_date, now(), now())";
        $stmt = $dbh->prepare($sql);
        $params = array(
            ":answer"      => $_POST['answer'],
            ":remote_addr" => $_SERVER['REMOTE_ADDR'],
            ":user_agent"  => $_SERVER['HTTP_USER_AGENT'],
            ":answer_date" => date("Y-m-d")
        );
        // A unique key on the answers table is expected to reject a second vote per day
        if ($stmt->execute($params)) {
            $msg = "Thank you for your vote!";
        } else {
            $err = "Vote only once a day!";
        }
    }
}
?>
<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="UTF-8">
<title>Voting System</title>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js"></script>
<style>
.selected {
    border: 4px solid red;
}
</style>
</head>
<body>
<?php if (!empty($msg)): ?>
<p style="color:green"><?php echo h($msg); ?></p>
<?php endif; ?>
<?php if (!empty($err)): ?>
<p style="color:red"><?php echo h($err); ?></p>
<?php endif; ?>
<h1>Cooking Contest</h1>
<form action="" method="POST">
<img src="photo1.jpg" class="candidate" data-id="1">
<img src="photo2.jpg" class="candidate" data-id="2">
<img src="photo3.jpg" class="candidate" data-id="3">
<img src="photo4.jpg" class="candidate" data-id="4">
<p><input type="submit" value="Vote!"></p>
<input type="hidden" id="answer" name="answer" value="">
<input type="hidden" name="token" value="<?php echo h($_SESSION['token']); ?>">
</form>
<script>
$(function() {
    // Clicking a photo marks it and copies its id into the hidden answer field
    $('.candidate').click(function() {
        $('.candidate').removeClass('selected');
        $(this).addClass('selected');
        $('#answer').val($(this).data('id'));
    });
});
</script>
</body>
</html>
<?php
// config.php
define('DSN', 'mysql:host=localhost;dbname=dotinstall_poll_php');
define('DB_USER', 'dbuser');
define('DB_PASSWORD', 'dayama0328');
define('SITE_URL', 'http://localhost/dotinstall/poll_php/');
error_reporting(E_ALL & ~E_NOTICE);
// Session cookie is only sent back for URLs under this path
session_set_cookie_params(0, '/poll_php/');
?>
<?php
// functions.php
function connectDb() {
    try {
        return new PDO(DSN, DB_USER, DB_PASSWORD);
    } catch (PDOException $e) {
        echo $e->getMessage();
        exit;
    }
}
// Escape output for HTML
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
?>
In config.php, session_set_cookie_params specifies /poll_php/ as the path of the session cookie.

This makes /poll_php/ the path for which the session cookie is enabled, but judging from the other settings, isn't the path you are actually testing /dotinstall/poll_php/?

Therefore, because the actual environment is /dotinstall/poll_php/ and not /poll_php/, the session cookie is not enabled, the session is not maintained, $_SESSION['token'] is empty, and the conditional expression in the if statement is false.
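The following is an added example, not the question's code or the dotinstall lesson's code. It shows the mechanism behind the answer: a browser only returns a cookie whose Path attribute path-matches the request URL, so a session cookie scoped to /poll_php/ is never sent for a page under /dotinstall/poll_php/, the session is empty on the POST, and the token check fails. It also derives the cookie path from the script's own directory instead of hard-coding it, and compares tokens with hash_equals. The function names cookiePathMatches, csrfTokenIsValid and sessionCookiePathFor are my own; the array form of session_set_cookie_params requires PHP 7.3 or later.

```php
<?php
// Added example (not the question's or dotinstall's code).

// Path-match rule from RFC 6265, section 5.1.4: the cookie path is sent when it
// equals the request path, is a prefix ending in '/', or is a prefix followed by '/'.
function cookiePathMatches(string $cookiePath, string $requestPath): bool
{
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;                                   // not a prefix at all
    }
    if (substr($cookiePath, -1) === '/') {
        return true;                                    // prefix ending in '/'
    }
    return $requestPath[strlen($cookiePath)] === '/';   // prefix followed by '/'
}

// Token check: a missing session token is a failure in its own right (so the
// check never passes because both sides are empty), and the comparison is
// constant-time instead of a loose != .
function csrfTokenIsValid(array $post, array $session): bool
{
    if (empty($session['token']) || empty($post['token'])) {
        return false;
    }
    return hash_equals((string) $session['token'], (string) $post['token']);
}

// Cookie path taken from the directory the script runs in, so the setting
// stays correct whether the app lives at /poll_php/ or /dotinstall/poll_php/.
function sessionCookiePathFor(string $scriptName): string
{
    return rtrim(dirname($scriptName), '/') . '/';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs mirroring the question: config says /poll_php/,
    // while the page under test is /dotinstall/poll_php/index.php.
    $request = '/dotinstall/poll_php/index.php';
    var_dump(cookiePathMatches('/poll_php/', $request));
    var_dump(cookiePathMatches('/dotinstall/poll_php/', $request));
    var_dump(sessionCookiePathFor($request));

    $token = sha1(random_bytes(32));
    var_dump(csrfTokenIsValid(['token' => $token], ['token' => $token]));
    var_dump(csrfTokenIsValid(['token' => $token], []));   // no session token
} else {
    // Web request: scope the cookie to the app directory and start the session.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => sessionCookiePathFor($_SERVER['SCRIPT_NAME']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}
```

Run it from the command line to see the first path check fail and the second succeed; in a web request it replaces the hard-coded session_set_cookie_params call from config.php. If the session cookie still does not come back, compare the Path attribute in the Set-Cookie response header against the request URL with the same rule.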
© 2024 OneMinuteCode. All rights reserved.