Quick Tip 1 - Secure your forms against CSRF attacks

2 replies to this topic

#1 While1
Posted 07 July 2010 - 09:50 AM

Read more about this type of attack on Wikipedia.

In short, we want to ensure that the form data is coming from our website.

We start by generating a token for the hidden field of the HTML form. Then we will validate the submitted form token against the token that we've set in the session.



<?php
session_start();
session_regenerate_id(true);

if (isset($_POST['submit'])) {

    // Validate with hash_equals(): a strict, byte-for-byte, constant-time
    // comparison instead of PHP's loose "==" (which type-juggles strings).
    if (isset($_SESSION['token'], $_POST['token'])
        && is_string($_POST['token'])
        && hash_equals($_SESSION['token'], $_POST['token'])) {
        // token is ok, process data
    }

}

// Generate a fresh token for the next render of the form and keep a copy
// in the session (on PHP 7+, bin2hex(random_bytes(32)) is the stronger choice).
$token = hash('sha256', uniqid(mt_rand(), true));
$_SESSION['token'] = $token;

?>

<form method="POST" action="page.php">
<input type="hidden" name="token" value="<?php echo $token; ?>">
username: <input type="text" name="username">
password: <input type="password" name="password">
<input type="submit" name="submit">
</form>

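The same generate-and-validate check packaged as small functions, as an added example that is not code from While1's post. It assumes PHP 7+ (random_bytes, hash_equals) and uses an in-memory array named $session in place of $_SESSION so it can be run from the command line.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+
// (random_bytes, hash_equals); $session stands in for $_SESSION.
declare(strict_types=1);

function csrf_token(array &$session): string
{
    // One token per session, so several open tabs all stay valid.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_validate(array $session, $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // Constant-time, byte-for-byte comparison; no loose "==" juggling.
    return hash_equals($session['csrf_token'], $submitted);
}

function csrf_field(array &$session): string
{
    $value = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $value . '">';
}

// Demonstration with a constructed in-memory session.
$session = [];
$good = csrf_token($session);

assert(csrf_validate($session, $good) === true);
assert(csrf_validate($session, 'forged-token') === false);
assert(csrf_validate($session, null) === false);
assert(csrf_validate([], $good) === false);   // no token issued yet

// Loose comparison treats distinct numeric-looking strings as equal;
// hash_equals() does not, which is why it replaces "==" above.
assert(('0e1234' == '0e5678') === true);
assert(hash_equals('0e1234', '0e5678') === false);

echo csrf_field($session), "\n";
echo "all checks passed\n";
```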

#2 sarkons
Posted 22 February 2013 - 04:17 PM

Sweet, thank you for this post While1!


#3 Kwaliyo
Posted 30 March 2013 - 02:54 AM

nice 1