<?php
# Basic protection against XSRF attacks
# (C)opyleft 2005 by Frank Denis <j@pureftpd.org> - Public domain.
# Just include this file in the first lines of form-handling scripts, before any
# $_POST / $_REQUEST value is read.
# Yes, checking referers is a weak control (a POST that carries no Referer header
# at all is let through unchecked, see below), but in real life it works pretty
# well as defence in depth next to a per-session token.

# List of authorized domains, '|'-separated, for instance : 'localhost|example.com|c9x.org'
# A Referer coming from one of these hosts, or from a sub-domain of one of them,
# is trusted. The Host header of the current request is always trusted as well.
define('AUTHORIZED_XSRF_DOMAINS', 'localhost');

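# Drop the POST payload of a request whose Referer is not from a trusted host.
#
# Trusted hosts are the Host header of the current request plus every entry of
# AUTHORIZED_XSRF_DOMAINS; a sub-domain of a trusted host is trusted too.
# On a foreign Referer every POST key is removed from $_REQUEST and $_POST is
# emptied, so the including script sees the request as if no form had been sent.
# Returns nothing; all effects are on the superglobals.
function _anti_xsrf() {
    # Keep PHP from appending the session id to rewritten URLs/forms: such links
    # would leak the session id through the Referer of outbound requests.
    @ini_set('url_rewriter.tags', '');

    # Nothing to protect: only POST submissions are considered state-changing.
    if (empty($_POST)) {
        return;
    }

    # NOTE(review): a request without any Referer is accepted as-is. That keeps
    # users behind referer-stripping proxies working, but an attacker who can
    # suppress the header (Referrer-Policy / <meta name="referrer">, https->http
    # navigation, some redirects) bypasses this check. Treat this file as defence
    # in depth, not as a replacement for a per-session token or an Origin check.
    if (empty($_SERVER['HTTP_REFERER'])) {
        return;
    }

    # Trusted hosts: the request's Host header first, then the configured list.
    # Each one is regex-escaped (with the '#' delimiter used below) so that a '.'
    # in a domain only matches a literal dot and a '#' in the Host header cannot
    # break the pattern. Empty entries are skipped: an empty alternative would
    # match almost any Referer.
    $hosts = explode('|', AUTHORIZED_XSRF_DOMAINS);
    if (!empty($_SERVER['HTTP_HOST'])) {
        array_unshift($hosts, $_SERVER['HTTP_HOST']);
    }
    $alternatives = array();
    foreach ($hosts as $host) {
        if ($host !== '') {
            $alternatives[] = preg_quote($host, '#');
        }
    }

    # "([^/]+[.])?" accepts a sub-domain of a trusted host; "($|/)" pins the
    # host name so that "localhost.evil.example" is not accepted as "localhost".
    # A failed preg_match() returns false, which is not > 0, so it fails closed.
    if (!empty($alternatives) &&
        preg_match('#^http(s)?://([^/]+[.])?(' . implode('|', $alternatives) .
                   ')($|/)#i', $_SERVER['HTTP_REFERER']) > 0) {
        return;
    }

    # Foreign Referer (or no usable trusted host): neutralise the submission.
    foreach (array_keys($_POST) as $key) {
        unset($_REQUEST[$key]);
    }
    $_POST = array();
}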

# Runs at include time: a POST whose Referer is not from a trusted host reaches
# the including script with $_POST emptied and its keys removed from $_REQUEST.
_anti_xsrf();

?>
