How secured actions work

Using secured actions is a 2-step process. You must first generate a link with the security key, and then later verify that key when the user clicks on the action that will execute a file function in the action/ directory.

The securiser_action() function

This securiser_action function, stored in the ecrire/inc/securiser_action.php file, creates or verifies an action. During creation, depending on the $mode argument, it will create a URL, a form or simply return an array with the requested parameters and the generated key. During verification, it compares the elements submitted with a GET (URL) or POST (form) and kills the script with an error message and exits if the key does not match the current author.

Generating a key

To generate a key, you need to call the function with the right parameters:

$securiser_action = charger_fonction('securiser_action','inc');
$securiser_action($action, $arg, $redirect, $mode);

These four parameters are the main ones used:

  • $action is the name of the action file and the corresponding action(action/name.php and the associated function action_name_dist())
  • $arg is a passed argument, for example supprimer/article/3 which will be used, among other things, to generate the security key.
  • $redirect is a URL for redirection after the action has been performed.
  • $mode indicates what should be returned:
    • false: a URL
    • -1: an array of parameters
    • a content text: a form to be submitted (the content is then added into the form)

Inside an action, verifying and retrieving the argument

Within an action function (action_name_dist()), we verify the security key by calling the function without an argument. It returns the argument (otherwise displays an error and kills the script):

$securiser_action = charger_fonction('securiser_action','inc');
$arg = $securiser_action();
// from here on, we know that the author is the right person!

Author Mark Baber Published : Updated : 12/05/17

Translations : English, français