diff options
-rw-r--r-- | includes/admin/views/_new_venue_form.php | 1 | ||||
-rw-r--r-- | includes/admin/views/giglog_admin_page.php | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/includes/admin/views/_new_venue_form.php b/includes/admin/views/_new_venue_form.php index d17f5e0..13d70f6 100644 --- a/includes/admin/views/_new_venue_form.php +++ b/includes/admin/views/_new_venue_form.php @@ -15,6 +15,7 @@ if ( !class_exists( "GiglogAdmin_NewVenueForm" ) ) . '<p><strong>VENUE DETAILS</strong></p>' . '<form method="POST" action="" class="venue">' . ' <fieldset>' + . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_new_venue_nonce' ) . ' <div class="field venue_name_field">' . ' <label for="venue">Venue Name:</label>' . ' <input type="text" id="venuename" name="venuename">' diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php index b7f6247..13c08b9 100644 --- a/includes/admin/views/giglog_admin_page.php +++ b/includes/admin/views/giglog_admin_page.php @@ -167,6 +167,13 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) { if(isset($_POST['newvenue'])) { + if (!isset($_POST['giglog_new_venue_nonce']) + || wp_verify_nonce($_POST['giglog_new_venue_nonce'], plugin_basename( __FILE__ ))) + { + header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden"); + wp_die('CSRF validation failed.', 403); + } + if (empty($_POST['venuename']) || empty($_POST['venuecity'])) { echo '<script language="javascript">alert("You are missing a value, venue was not created"); </script>'; } |