
Z-BlogPHP 1.5.2 developer migration guide

In this version, the security-related functions have been strengthened. The changes that affect developers are described below.

Login related

The password cookie is no longer used in this version, so the user's password is no longer exposed directly. A token cookie is added instead, and it is forced into HttpOnly mode (so it cannot be read by front-end JavaScript). Therefore:

1. It is no longer allowed to set the login cookie from the front end, nor to read password-related information in the front end.

2. The logout link in front-end templates needs to be updated.

For developers who used setcookie() to simulate a login, please use the SetLoginCookie($user, $cookie_time) function instead, passing in the user object that needs to be logged in. If your application needs to stay compatible with older versions, guard the call with function_exists().
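The login path described above, as an added example that is not code from the Z-BlogPHP project or from this guide. It assumes SetLoginCookie($user, $cookie_time) is the 1.5.2 core function named here (the unit of $cookie_time is not documented on this page, so 86400 is only a placeholder), that $zbp->GetUserByName() is the core's user lookup, and that plugin_example_legacy_login() is a hypothetical stand-in for whatever setcookie() code the plugin used before 1.5.2:

```php
<?php
// Added example for this migration guide, not Z-BlogPHP project code.
// Logs a user in from plugin/theme code on both 1.5.2 and older cores.
// Assumptions: SetLoginCookie($user, $cookie_time) is the 1.5.2 core function
// the guide names; $zbp->GetUserByName() is the core lookup (assumed API);
// plugin_example_legacy_login() is a hypothetical placeholder for the plugin's
// own pre-1.5.2 cookie code.

function plugin_example_login($username, $cookie_time = 86400)
{
    global $zbp;

    $user = $zbp->GetUserByName($username); // assumed core API
    if (!$user || $user->ID == 0) {
        // Unknown user: never fall through to writing any cookie.
        return false;
    }

    if (function_exists('SetLoginCookie')) {
        // 1.5.2 and later: the core issues the HttpOnly token cookie itself.
        // Plugin code only hands over the user object; it never touches or
        // stores the password, which is what the guide requires.
        SetLoginCookie($user, $cookie_time);
        return true;
    }

    // Older core: keep whatever the plugin did before (hypothetical function).
    return plugin_example_legacy_login($user, $cookie_time);
}

// Placeholder for the pre-1.5.2 path; replace with the plugin's existing code.
// On a core without SetLoginCookie() this example refuses rather than guessing
// at the old cookie format.
function plugin_example_legacy_login($user, $cookie_time)
{
    return false;
}
```

The function_exists() guard is the whole compatibility story: on 1.5.2 the branch that sets cookies by hand is never reached, so the password cookie removal cannot be undone by plugin code.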

CSRF related

In this version, links that cause side effects (logout, publishing articles, etc.) are handled through cmd.php. Therefore, if your application jumps to these links or submits data to them, it must submit a token parameter at the same time. In addition, if your application has side-effecting actions of its own, it must also add a CSRF token to them.

For reference: https://github.com/zblogcn/zblogphp/commit/e84c581bb0d6f4fd9026d7fc319d4a80eeaab2eb

For submissions via the GET method, if your target address is cmd.php, you can use the following function:

 <?php echo BuildSafeCmdURL('act=TagPst'); ?>

If the target is not cmd.php, you can use

 <?php echo BuildSafeURL('main.php'); ?>

For submissions via the POST method, add the following hidden field to the form:

 echo '<input type="hidden" name="csrfToken" value="' . $zbp->GetCSRFToken() . '">';

If you need to stay compatible with older versions of Z-BlogPHP, you can use

 <?php if (function_exists('CheckIsRefererValid')) { echo '<input type="hidden" name="csrfToken" value="' . $zbp->GetCSRFToken() . '">'; } ?>

If you want to integrate CSRF token checking into your application (this will become a mandatory requirement for listing in the App Center in the future), together with referer checking in enhanced security mode, you can call the following function directly:

 CheckIsRefererValid();

If you need to stay compatible with older versions of Z-BlogPHP, you can use

 if (function_exists('CheckIsRefererValid')) CheckIsRefererValid();

For reference: https://github.com/zblogcn/zblogphp/commit/acd2d343f857192403c82d4cfd76806eef2dd660

Of course, if you have more specific requirements for error reporting, $zbp->VerifyCSRFToken() may suit you better than CheckIsRefererValid().
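The whole CSRF procedure above (token on the GET link, token in the POST form, verification before the side effect, and the two error-handling styles), as one added example that is not code from the Z-BlogPHP project or from this guide. It assumes $zbp, GetCSRFToken(), VerifyCSRFToken(), BuildSafeCmdURL(), BuildSafeURL() and CheckIsRefererValid() are the 1.5.2 core functions this guide names; that VerifyCSRFToken($token) returns false for an invalid token is an assumption (check the core source for its exact contract); plugin_example.php and the plugin_example_* function names are hypothetical:

```php
<?php
// Added example for this migration guide, not Z-BlogPHP project code.
// One plugin action with a side effect: the rendering side attaches a token to
// both a GET link and a POST form; the handling side verifies before acting.
// Assumptions: the core functions named in the guide exist as used here;
// VerifyCSRFToken($token) returning false on a bad token is assumed;
// plugin_example.php and plugin_example_* names are hypothetical.

function plugin_example_token_field()
{
    global $zbp;
    // Only cores with the CSRF helpers can issue a token; older ones get no field.
    if (!function_exists('CheckIsRefererValid')) {
        return '';
    }
    return '<input type="hidden" name="csrfToken" value="'
        . htmlspecialchars($zbp->GetCSRFToken(), ENT_QUOTES) . '">';
}

function plugin_example_render()
{
    // GET link to cmd.php: BuildSafeCmdURL() appends the token for you.
    $cmdLink = BuildSafeCmdURL('act=TagPst');
    echo '<a href="' . htmlspecialchars($cmdLink, ENT_QUOTES) . '">rebuild tags</a>';

    // GET link to the plugin's own page: BuildSafeURL() does the same.
    $ownLink = BuildSafeURL('plugin_example.php');
    echo '<a href="' . htmlspecialchars($ownLink, ENT_QUOTES) . '">plugin page</a>';

    // POST form to the plugin's own page: the token travels as a hidden field.
    echo '<form method="post" action="plugin_example.php">';
    echo plugin_example_token_field();
    echo '<input type="hidden" name="act" value="delete">';
    echo '<button type="submit">delete</button>';
    echo '</form>';
}

// Handler, variant 1: let the core do token + referer checking and report the
// error its own way. It must run before anything with a side effect.
function plugin_example_handle()
{
    if (function_exists('CheckIsRefererValid')) {
        CheckIsRefererValid();
    }
    plugin_example_do_delete();
}

// Handler, variant 2: verify the token yourself to control the error path.
// On a core without VerifyCSRFToken() the check is skipped for compatibility.
function plugin_example_handle_custom_error()
{
    global $zbp;
    $token = isset($_POST['csrfToken']) ? (string) $_POST['csrfToken'] : '';
    if (method_exists($zbp, 'VerifyCSRFToken') && !$zbp->VerifyCSRFToken($token)) {
        http_response_code(403);
        echo 'invalid or missing csrfToken';
        return;
    }
    plugin_example_do_delete();
}

function plugin_example_do_delete()
{
    // The side-effecting work goes here (hypothetical).
}
```

The important ordering is in the handlers: the check comes first and the side effect only after it, so a request that arrives without a valid token never reaches plugin_example_do_delete().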
