Hash error

Started by release, May 01, 2021, 03:38:55 PM

release

Hello!

There is a small error, for example in news.php:

    $hash = h_store($newsid);
    $sure = '';
    $sure = (isset($_GET['sure']) ? (int)$_GET['sure'] : '');
    if (!$sure) {
        stderr($lang['news_del_confirm'],
            $lang['news_del_click']."<a href='staffpanel.php?tool=news&amp;mode=delete&amp;sure=1&amp;h=$hash&amp;newsid=$newsid'>{$lang['news_del_here']}</a> {$lang['news_del_if']}",
            false);
    }
    if ($_GET['h'] != $hash) {
        stderr($lang['news_error'], $lang['news_del_what']);
    }

This check does not work:

    if ($_GET['h'] != $hash) {
        stderr($lang['news_error'], $lang['news_del_what']);
    }

Solution:

    $hash = h_store($newsid);
    $sure = '';
    $sure = (isset($_GET['sure']) ? (int)$_GET['sure'] : '');

    // Check the hash first, before the confirmation prompt is shown.
    if ($_GET['h'] != $hash) {
        stderr($lang['news_error'], $lang['news_del_what']);
    }

    // Only then ask for confirmation; the link carries the same hash.
    if (!$sure) {
        stderr($lang['news_del_confirm'],
            $lang['news_del_click']."<a href='staffpanel.php?tool=news&amp;mode=delete&amp;sure=1&amp;h=$hash&amp;newsid=$newsid'>{$lang['news_del_here']}</a> {$lang['news_del_if']}",
            false);
    }

That's how it works. :-)
Wherever this is the case, this check should be placed above.
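
An added example, not part of the original post or the project's code: the hash-before-confirmation order from the solution above, written as a pure function so the outcome for each kind of request is visible. `demo_token()` and `news_delete_step()` are hypothetical names, and `demo_token()` is only a stand-in for `h_store()`, whose implementation the post does not show; the comparison uses PHP's `hash_equals()` instead of `!=`.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the project's h_store(); the real one is not shown
// in the post. Assumption: a keyed hash over the news id with a server-side key.
function demo_token(int $newsid, string $key): string
{
    return hash_hmac('sha256', (string)$newsid, $key);
}

// Decide what a delete request may do: 'error', 'confirm' or 'delete'.
// The hash is verified before either branch, as in the reordered code above.
function news_delete_step(array $get, string $expected): string
{
    $given = $get['h'] ?? null;
    // A missing or array-valued h (?h[]=x) is rejected without notices or
    // type errors; hash_equals() compares strictly and in constant time.
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return 'error';
    }
    $sure = isset($get['sure']) ? (int)$get['sure'] : 0;
    return $sure ? 'delete' : 'confirm';
}

// Constructed sample requests (values are illustrative only).
$key      = 'constructed-demo-key';
$newsid   = 42;
$expected = demo_token($newsid, $key);

$requests = [
    'valid hash, not confirmed' => ['newsid' => '42', 'h' => $expected],
    'valid hash, confirmed'     => ['newsid' => '42', 'h' => $expected, 'sure' => '1'],
    'no hash, sure=1'           => ['newsid' => '42', 'sure' => '1'],
    'wrong hash, sure=1'        => ['newsid' => '42', 'h' => 'abc', 'sure' => '1'],
    'array hash, sure=1'        => ['newsid' => '42', 'h' => ['x'], 'sure' => '1'],
];

foreach ($requests as $label => $get) {
    printf("%-26s => %s\n", $label, news_delete_step($get, $expected));
}
```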