PHP WebShell
Current directory: /var/www/bitcardoApp/backyard/user/transactions
Viewing file: approve.php
<?php
// backyard/user/transactions/approve.php
// ACTION HANDLER: must not output anything before the redirect, or header() fails.
// 1) Start the session (only; no HTML).
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// Authorization is required here, not optional: as written, any client holding a
// session in which some page of the app has set csrf_token can approve a transaction.
// Call the admin auth check this app uses before anything else runs, e.g.:
// require_once '../common/auth.php';
// admin_require_login();
// 2) DB + models only (NO header include; any output would break the redirect).
require_once '../../config/db_config.php';       // provides $conn
require_once '../../models/dashboard/index.php'; // provides dash_approve_transaction()

function redirect_back(int $trans_id): void {
    header("Location: view.php?trans_id=" . urlencode((string)$trans_id));
    exit;
}

// Read the target id from the POST body; missing or non-numeric input becomes 0.
$trans_id = isset($_POST['trans_id']) ? (int)$_POST['trans_id'] : 0;

// State-changing action: reject anything but POST (a GET handler could be triggered by a plain link).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    $_SESSION['flash_error'] = 'Invalid request method.';
    redirect_back($trans_id);
}
if ($trans_id <= 0) {
    $_SESSION['flash_error'] = 'Invalid transaction.';
    redirect_back($trans_id);
}

// CSRF check: constant-time comparison against the per-session token.
// A submitted csrf_token[]=... arrives as an array and hash_equals() throws a TypeError
// on it (PHP 8), so only a string is accepted.
$csrf = $_POST['csrf_token'] ?? '';
if (!is_string($csrf) || empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $csrf)) {
    $_SESSION['flash_error'] = 'Security check failed. Please refresh and try again.';
    redirect_back($trans_id);
}

// Execute approval; the model returns an array with 'ok' (bool) and 'msg' (string) keys.
$result = dash_approve_transaction($conn, $trans_id);
if (!empty($result['ok'])) {
    $_SESSION['flash_success'] = $result['msg'] ?? 'Transaction approved.';
} else {
    $_SESSION['flash_error'] = $result['msg'] ?? 'Approval failed.';
}
redirect_back($trans_id);
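The handler above only verifies a token; the page that renders the approve form has to issue it. The following is an added example of the issuing side and a verification helper that pairs with the check in approve.php. It is not code from the bitcardoApp project: the function names csrf_token(), csrf_field() and csrf_verify() are assumptions for illustration, and it assumes PHP 8.0 or later (for the mixed parameter type and for the TypeError behaviour of hash_equals()).

```php
<?php
// Added example: CSRF token issuance and verification for a per-session token.
// Helper names (csrf_token, csrf_field, csrf_verify) are assumed, not the app's own.
declare(strict_types=1);

function csrf_token(): string {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    // Issue one token per session from a CSPRNG: 32 random bytes -> 64 hex characters.
    // Reissue if the stored value is missing or not a string (e.g. tampered session data).
    if (!isset($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token']) || $_SESSION['csrf_token'] === '') {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    // Hidden input for the form that POSTs to approve.php, escaped for the HTML attribute context.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_verify(mixed $submitted): bool {
    // csrf_token[]=x makes $_POST['csrf_token'] an array; hash_equals() would throw on it,
    // turning a bad request into a 500. Reject anything that is not a non-empty string.
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    $known = $_SESSION['csrf_token'] ?? null;
    if (!is_string($known) || $known === '') {
        return false;
    }
    // Constant-time comparison; the known value goes first, the user-supplied one second.
    return hash_equals($known, $submitted);
}

// Self-check when run from the command line (sessions work in CLI, backed by a temp file).
if (PHP_SAPI === 'cli') {
    $token = csrf_token();
    assert(strlen($token) === 64);
    assert(csrf_verify($token) === true);            // the issued token is accepted
    assert(csrf_verify(strrev($token)) === false);   // a wrong token is rejected
    assert(csrf_verify('') === false);               // empty input is rejected
    assert(csrf_verify(['x']) === false);            // array input is rejected, not a TypeError
    assert(csrf_token() === $token);                 // token is stable for the session
    echo "csrf helpers ok\n";
}
```

The form page calls csrf_field() inside its form, and approve.php can replace its inline check with `if (!csrf_verify($_POST['csrf_token'] ?? null))`. Note that the token is session-bound, not action-bound: it stops a cross-site page from forging the POST, but it does nothing about which logged-in user is allowed to approve; that is what the admin authorization check at the top of the handler is for.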
For local development only. Do not expose on the Internet!