PHP Token is meant to avoid repeated data submission, to detect submissions that come from outside, and to check that a submission matches the action to be executed (if several operations, such as add, delete and modify, are implemented on the same page, put them in one PHP file). The token discussed here is a hidden form item (type=hidden) written into the FORM when the page is displayed. The token cannot be plain text; plain text is too dangerous, so some encryption method has to be used, and the ciphertext must be reversible. I'm no good at algorithms, so I adopted a ready-made method from the Internet. How to achieve these goals:
How to avoid repeated submission?
Store an array in the SESSION that holds the tokens of submissions that have already succeeded. When processing in the background, first check whether the submitted token is in this array. If it is, the submission is a repeat.
How to check where the submission came from?
Optional. The current session_id is built into the token when it is generated. If someone else copies your HTML (token copied along with it), the session_id contained in the token will, in theory, not equal the current session_id when the form is submitted, so you can tell that this is an external submission.
How to match the action to be executed?
When generating the token, write the action name (formName) into it. Then, during processing, parse the action name back out of the token and compare it with the action about to run.
The GToken I wrote earlier could not do the second item above. I modified it today and added function 2; I personally feel it is okay.
Have a look at the code and tell me what is unreasonable! Thanks.
I found an encryption method on the Internet and made a slight modification to it.
GEncrypt.inc.php:
GToken.inc.php:
Methods:
A. granteToken. Parameters: formName, that is, the action name; key, the encryption/decryption key.
Returns a string of the form encrypt("formName:session_id").
B. isToken. Parameters: token, the value generated by granteToken; formName, the action name; fromCheck, which when true makes the function also check that the session_id inside the token equals the current session_id.
C. dropToken. After an action has executed successfully, call this function to record the token in the session.
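To make the three checks above concrete, here is an added example in the spirit of the post's granteToken / isToken / dropToken trio. It is not the author's GEncrypt or GToken code, which is not reproduced on the page; the names gen_token, is_token, drop_token, self_check and the session key used_tokens are assumptions. It keeps the post's design (a reversible encryption of "formName:session_id" in a hidden field, a session array of used tokens) and swaps the home-grown cipher for openssl AES-256-CBC with an HMAC, so a token that has been edited or forged is rejected before its contents are parsed.

```php
<?php
// Added example, not the post's GEncrypt/GToken code. Assumed names: gen_token,
// is_token, drop_token, self_check, session key 'used_tokens'.
declare(strict_types=1);

const TOKEN_KEY = 'replace-with-a-server-side-secret'; // placeholder secret, keep out of HTML
const USED_TOKENS_KEY = 'used_tokens';                 // $_SESSION array of already-used tokens

// Reversible encryption with integrity: AES-256-CBC, then HMAC-SHA256 over iv||ciphertext.
// The post only asks for a reversible cipher; the MAC is an addition so a tampered token fails.
function token_encrypt(string $plain, string $key): string {
    $k  = hash('sha256', $key, true);
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $k, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $k, true);
    return base64_encode($iv . $ct . $mac);
}

function token_decrypt(string $token, string $key): ?string {
    $k   = hash('sha256', $key, true);
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) return null; // iv + one block + mac
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $k, true), $mac)) return null;
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $k, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Like granteToken: "formName:session_id", plus a random nonce so two forms for the
// same action in one session do not share a token.
function gen_token(string $formName, string $key): string {
    return token_encrypt($formName . ':' . session_id() . ':' . bin2hex(random_bytes(8)), $key);
}

// Like isToken: valid only if it decrypts, names the expected action, has not been
// used before, and (when $fromCheck) was issued to the current session.
function is_token(string $token, string $formName, bool $fromCheck, string $key): bool {
    $plain = token_decrypt($token, $key);
    if ($plain === null) return false;
    $parts = explode(':', $plain, 3);
    if (count($parts) !== 3) return false;
    [$action, $sid] = $parts;
    if (!hash_equals($formName, $action)) return false;
    if ($fromCheck && !hash_equals(session_id(), $sid)) return false;
    return !in_array($token, $_SESSION[USED_TOKENS_KEY] ?? [], true);
}

// Like dropToken: call after the action succeeded so a resubmission is refused.
function drop_token(string $token): void {
    $_SESSION[USED_TOKENS_KEY][] = $token;
}

// Exercises the same cases the post tests by hand; returns one boolean per case.
function self_check(): array {
    $_SESSION[USED_TOKENS_KEY] = [];
    $t = gen_token('delete', TOKEN_KEY);
    $r = [];
    $r['fresh_token_right_action']   = is_token($t, 'delete', true, TOKEN_KEY);
    $r['same_token_other_action']    = is_token($t, 'update', true, TOKEN_KEY);
    $r['tampered_token']             = is_token(substr($t, 0, -4) . 'AAAA', 'delete', true, TOKEN_KEY);
    // Token copied from another session's HTML (constructed): caught only with fromCheck=true.
    $foreign = token_encrypt('delete:othersessionid:00', TOKEN_KEY);
    $r['foreign_token_fromcheck_on']  = is_token($foreign, 'delete', true, TOKEN_KEY);
    $r['foreign_token_fromcheck_off'] = is_token($foreign, 'delete', false, TOKEN_KEY);
    drop_token($t);
    $r['token_submitted_again']      = is_token($t, 'delete', true, TOKEN_KEY);
    return $r;
}

if (PHP_SAPI === 'cli') {
    session_start();
    print_r(self_check());
}
```

In a page, emit the token with `<input type="hidden" name="token" value="<?= htmlspecialchars(gen_token('delete', TOKEN_KEY)) ?>">`, call is_token($_POST['token'], 'delete', true, TOKEN_KEY) before running the action, and drop_token only after the action actually succeeded, otherwise a failed attempt burns the user's token. Note that the used-token array lives in the session, so the repeat check only covers one session; that matches the post's design and is not a cross-session replay defence.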
To test whether the action matching works, change the formName passed to isToken and run it: it reports a mismatch, which proves it works.
Does it avoid repeated submission? I didn't verify it; the logic is too simple.
What remains is to check that the origin check works properly.
Copy the HTML generated above into a local web page (so that it sits on a different domain), submit it, and check that with the third parameter of isToken set to true the submission is rejected as coming from an unknown origin and no action is executed.
Set the third parameter of isToken to false, submit, and the specified action is executed!
Okay, that's it for now. I don't know where the bugs are yet, so I'll have to debug and modify it for a long while!