Code is the best language.
The code is as follows |
Copy Code |
<?php #demo for Prevent CSRF /** * ENC */ function Encrypt ($token _time) { return MD5 ('!@##$@$$#%43′. $token _time); } $token _time = time (); $token = Encrypt ($token _time); $expire _time = 10; if ($_post) { $_token_time = $_post[' token_time ']; $_token = $_post[' token ']; if ((Time () –$_token_time) > $expire _time) { echo "Expired token"; echo "<br/>"; } Echo $_token; echo "<br/>"; $_token_real = Encrypt ($_token_time); Echo $_token_real; Compare $_token and $_token_real } ?> <! DOCTYPE html> <meta http-equiv= "Content-type" content= "text/html; Charset=utf-8″/> <title>test for Csrf</title> <meta http-equiv= "" content= ""/> <body> <form method= "POST" action= "" > <input type= "text" name= "text" id= "value=" Hello "/> <input type= "hidden" name= "token" id= "value=" <?php echo $token?> "/> <input type= "hidden" name= "Token_time" id= "value=" <?php echo $token _time?> "/>" <input type= "Submit" name= "Submit" id= "" value= "Submit"/> </form> </body>
|
By including the verification code in your form, you have actually eliminated the risk of a cross station request forgery attack. You can use this process in any form that needs to be done
Of course, it's better to store the token in session, and here's just a simple example
Simple analysis:
Token anti-attack also called (token), we visited the page when the user generated a random token save session and form, users submit if we get the token and session is not the same can be submitted to re-enter the submission of data