'; } /** * Validate a CSRF token (uses provided token or POST body if omitted). */ function csrf_check(?string $token = null): bool { $sent = $token ?? (string)($_POST['csrf'] ?? ''); $stored = (string)($_SESSION['_csrf'] ?? ($_SESSION['csrf'] ?? '')); return ($sent !== '' && $stored !== '' && hash_equals($stored, $sent)); }