Question
What is the message in my PHP account code that can help me cross-script the code?
<?php
// initialize global variables, authentication and database connections
include('includes/common.php');

// if the user is NOT logged in, redirect him to login page
if (!$auth->user_id()) {
    header('location: /');
}

// initiate csrf prevention
if (!isset($_SESSION['csrf_token'])) $_SESSION['csrf_token'] = mt_rand();

// handle the form submission
$action = @$_POST['action'];
if ($action == 'save' && $_POST['RWFzdGVyRWdnU3ByaW5nMjAyM0ZvclRhcmdldDFOb09uZVdpbGxLbm93PT0'] == 'RWFzdGVyRWdnU3ByaW5nMjAyM0ZvclRhcmdldDFOb09uZVdpbGxLbm93PT0') {
    if ($_POST["varId"] != "42") {
        notify("Missing the answer to life the universe and everything");
    } else {
        // verify CSRF protection
        $expected = 1;
        $teststr = $_POST['account'].$_POST['challenge'].$_POST['routing'];
        for ($i = 0; $i < strlen($teststr); $i++) {
            $expected = (13337 * $expected + ord($teststr[$i])) % 100000;
        }
        if ($_POST['response'] != $expected) {
            notify('CSRF attempt prevented!'.$teststr.'--'.$_POST['response'].' != '.$expected, -1);
        } else {
            $accounting = ($_POST['account']).':'.($_POST['routing']);
            $db->query("UPDATE users SET accounting='$accounting' WHERE user_id='".$auth->user_id()."'");
            notify('Changes saved');
        }
    }
}

$eid = @$_GET['eid'];
if ($eid) {
    $name = $db->query("SELECT name FROM users WHERE eid='$eid'")->next();
}

// grab form values from database if available
$accounting = $db->query("SELECT accounting FROM users WHERE user_id='".$auth->user_id()."'")->next();
$values = explode(':', $accounting['accounting']);
$account = @$values[0];
$routing = @$values[1];

include('includes/header.php');
?>

Payment information
Your paycheck will be deposited in the following bank account on the 35th of each month.

<script>
// fairly trivial string hashing function
String.prototype.hashCode = function() {
    var hash = 1;
    for (var i = 0; i < this.length; i++) {
        hash = (13337 * hash + this.charCodeAt(i)) % 100000;
    }
    return hash;
};

var a = document.getElementById('account');
var r = document.getElementById('route');

function change() {
    var challenge = document.getElementById('csrfc').value;
    document.getElementById('csrfr').value = (a.value + challenge + r.value).hashCode();
}

a.onkeyup = change;
r.onkeyup = change;
change();
</script>

Look up name
You may use this form to look up a user's name using their account ID

eval(document.getElementById('result-data').getAttribute('data-result'));
document.getElementById('eid-entry').innerHTML = "
This account ID is not registered.

<?php
include('includes/footer.php');
?>
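The posted code sets `$_SESSION['csrf_token']` but never compares it to anything; the "verify CSRF protection" branch instead recomputes a value from `account`, `challenge` and `routing`, all of which arrive in the same POST body, so the check can never tell a cross-site submission from a legitimate one. The same handler also splices `$_POST['account']`, `$_POST['routing']` and `$_GET['eid']` straight into SQL text. The block below is an added example, not part of the posted code: it reproduces the posted arithmetic in one function so the dependence on request data is explicit, and beside it shows a session-bound token compared with `hash_equals()` plus the two queries as prepared statements. The function names, the in-memory SQLite table and the digit-only format rule for the account and routing fields are assumptions for illustration.

```php
<?php
// Added example, not the posted page's code. Function names, the PDO handle,
// the table layout and the input format rule are assumptions for illustration.

// 1. The posted check, unchanged in arithmetic: every input comes from the
//    POST body, so the "expected" value is a pure function of the request
//    and says nothing about which site the request came from.
function posted_check_expected(string $account, string $challenge, string $routing): int {
    $expected = 1;
    $teststr = $account . $challenge . $routing;
    for ($i = 0; $i < strlen($teststr); $i++) {
        $expected = (13337 * $expected + ord($teststr[$i])) % 100000;
    }
    return $expected;
}

// 2. A session-bound token: generated once per session from a CSPRNG, stored
//    server-side, rendered into the form, and compared in constant time on
//    submission. Only a request carrying this session's token is accepted.
function csrf_token_issue(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, ?string $submitted): bool {
    if (empty($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// 3. The UPDATE and SELECT as prepared statements: the values travel as bound
//    parameters rather than being concatenated into the SQL string.
function save_accounting(PDO $db, int $userId, string $account, string $routing): void {
    // Assumed format for the example: digits only, bounded length.
    if (!preg_match('/^\d{1,20}$/', $account) || !preg_match('/^\d{9}$/', $routing)) {
        throw new InvalidArgumentException('account or routing number has an unexpected format');
    }
    $stmt = $db->prepare('UPDATE users SET accounting = :acct WHERE user_id = :uid');
    $stmt->execute([':acct' => $account . ':' . $routing, ':uid' => $userId]);
}

function lookup_name(PDO $db, string $eid): ?string {
    $stmt = $db->prepare('SELECT name FROM users WHERE eid = :eid');
    $stmt->execute([':eid' => $eid]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Usage sketch against an in-memory SQLite database (constructed sample data)
// so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, eid TEXT, name TEXT, accounting TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'E100', 'Ada', '')");

$session = [];
$token = csrf_token_issue($session);   // this value would be rendered into the form

// A request carrying the issued token and well-formed values is saved.
$post = ['csrf_token' => $token, 'account' => '12345678', 'routing' => '123456789'];
if (csrf_token_valid($session, $post['csrf_token'] ?? null)) {
    save_accounting($db, 1, $post['account'], $post['routing']);
}
var_dump($db->query('SELECT accounting FROM users WHERE user_id = 1')->fetchColumn());

// A request with a stale or made-up token is refused before any query runs.
var_dump(csrf_token_valid($session, 'not-the-issued-token'));

// The posted check, by contrast, can be satisfied by anyone who chose the
// three field values, because the expected response is derived from them.
var_dump(posted_check_expected('12345678', '777', '123456789'));

// Lookup by eid with the value bound: a quote in the input is just data.
var_dump(lookup_name($db, 'E100'));
var_dump(lookup_name($db, "E100'"));
```

The design point is the direction of trust: a CSRF token is meaningful only when the server compares the submitted value against something the client could not have supplied itself, which is why the comparison must be against session state rather than against a function of the form fields. The prepared statements remove the need for any escaping of `account`, `routing` or `eid`, and the format check on the two numbers is a separate, application-level rule.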