mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-15 17:16:08 +00:00
addTroops and addABTroops are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -53,6 +53,7 @@ if(isset($id)){
|
||||
|
||||
<div class="ab-wrap">
|
||||
<form action="../GameEngine/Admin/Mods/addABTroops.php" method="POST">
|
||||
<?php echo csrf_field(); ?>
|
||||
<input type="hidden" name="id" value="<?php echo $_GET['did']; ?>">
|
||||
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
|
||||
|
||||
|
||||
@@ -55,6 +55,7 @@ if(isset($id)){
|
||||
|
||||
<div class="addtroops-wrap">
|
||||
<form action="../GameEngine/Admin/Mods/addTroops.php" method="POST">
|
||||
<?php echo csrf_field(); ?>
|
||||
<input type="hidden" name="id" value="<?php echo $_GET['did']; ?>">
|
||||
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
|
||||
|
||||
|
||||
Reference in New Issue
Block a user