ThinkPHP has a built-in form token verification feature that effectively protects forms against remote submission and similar attacks.
The configuration parameters associated with form token validation are:
    'TOKEN_ON'   => true,       // whether to enable token verification
    'TOKEN_NAME' => '__hash__', // name of the hidden form field that carries the token
If the form token verification feature is turned on, the system automatically generates a hidden field named TOKEN_NAME in every template file that contains a form; its value is a hash string generated according to TOKEN_TYPE, and this is what implements automatic form token verification.
The hidden field is generated automatically just before the form's closing tag. If you want to control where the hidden field is placed, add the {__TOKEN__} marker manually to the form page and the system replaces it when the template is output. If token verification is enabled but an individual form does not need it, add {__NOTOKEN__} to that form page and the system skips token verification for that form.
If several forms exist on one page, it is recommended that you place {__TOKEN__} markers explicitly and make sure that only one form requires token verification.
Model classes perform form token verification automatically while creating a data object. If you do not create the data object with the create method, you need to call the model's autoCheckToken method manually to verify the form token; a return value of false indicates a form token verification error. For example:
    $User = M('User'); // instantiate the User model
    // manual token verification
    if (!$User->autoCheckToken($_POST)) {
        // token verification error
    }
The common template replacement function is defined in View.class.php of the ThinkPHP framework:
    protected function templateContentReplace($content) {
        // system default special variable substitution
        $replace = array(
            '../Public'  => APP_PUBLIC_PATH,       // project public directory
            '__PUBLIC__' => WEB_PUBLIC_PATH,       // site public directory
            '__TMPL__'   => APP_TMPL_PATH,         // project template directory
            '__ROOT__'   => __ROOT__,              // current website address
            '__APP__'    => __APP__,               // current project address
            '__UPLOAD__' => __ROOT__ . '/Uploads',
            '__ACTION__' => __ACTION__,            // current action address
            '__SELF__'   => __SELF__,              // current page address
            '__URL__'    => __URL__,
            '__INFO__'   => __INFO__,
        );
        if (defined('GROUP_NAME')) {
            $replace['__GROUP__'] = __GROUP__;     // current group address
        }
        if (C('TOKEN_ON')) {
            if (strpos($content, '{__TOKEN__}')) {
                // the page specifies where the form token hidden field goes
                $replace['{__TOKEN__}'] = $this->buildFormToken();
            } elseif (strpos($content, '{__NOTOKEN__}')) {
                // the form is marked as not requiring token verification
                $replace['{__NOTOKEN__}'] = '';
            } elseif (preg_match('/<\/form(\s*)>/is', $content, $match)) {
                // otherwise generate the form token hidden field before </form>
                $replace[$match[0]] = $this->buildFormToken() . $match[0];
            }
        }
        // allow the user to customize the template's string replacement
        if (is_array(C('TMPL_PARSE_STRING'))) {
            $replace = array_merge($replace, C('TMPL_PARSE_STRING'));
        }
        $content = str_replace(array_keys($replace), array_values($replace), $content);
        return $content;
    }
The if (C('TOKEN_ON')) above checks whether token verification is enabled. If it is, the buildFormToken() method is invoked; its statement $_SESSION[$tokenName] = $tokenValue; actually assigns the token value to $_SESSION['__hash__']. If you do not want token verification for a form, just add {__NOTOKEN__} to the page before </form>, and the function replaces it with an empty string.
The token verification itself is defined in ThinkPHP's Model.class.php. The create method calls it like this:
    // form token verification
    if (C('TOKEN_ON') && !$this->autoCheckToken($data)) {
        $this->error = L('_TOKEN_ERROR_');
        return false;
    }
    // automatic form token verification
    public function autoCheckToken($data) {
        $name = C('TOKEN_NAME');
        if (isset($_SESSION[$name])) {
            // the current request requires token verification
            if (empty($data[$name]) || $_SESSION[$name] != $data[$name]) {
                // illegal submission
                return false;
            }
            // verification complete, destroy the session token
            unset($_SESSION[$name]);
        }
        return true;
    }
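To see the whole round trip in one place, here is an added, self-contained PHP model of the mechanism described above; it is not ThinkPHP's own code. It reproduces the {__TOKEN__} / {__NOTOKEN__} / </form> replacement rules and the autoCheckToken logic, then exercises them against constructed submissions (token omitted, wrong token, genuine token, replay after the token was consumed). A plain array stands in for $_SESSION, the comparison uses hash_equals() instead of !=, and the function names buildFormToken, injectToken and checkToken are my own.

```php
<?php
// Added example, not ThinkPHP code. $session stands in for $_SESSION and the
// field name is fixed to ThinkPHP's default TOKEN_NAME value.
const TOKEN_NAME = '__hash__';

// Like buildFormToken(): store a fresh random token in the session and return
// the hidden field that carries it to the browser.
function buildFormToken(array &$session) {
    $token = bin2hex(random_bytes(16));
    $session[TOKEN_NAME] = $token;
    return '<input type="hidden" name="' . TOKEN_NAME . '" value="' . $token . '" />';
}

// The token branch of templateContentReplace(), with TOKEN_ON assumed true.
function injectToken($content, array &$session) {
    if (strpos($content, '{__TOKEN__}') !== false) {
        return str_replace('{__TOKEN__}', buildFormToken($session), $content);
    }
    if (strpos($content, '{__NOTOKEN__}') !== false) {
        return str_replace('{__NOTOKEN__}', '', $content);
    }
    if (preg_match('/<\/form(\s*)>/is', $content, $match)) {
        return str_replace($match[0], buildFormToken($session) . $match[0], $content);
    }
    return $content;
}

// Like autoCheckToken(), but with a constant-time comparison instead of !=.
function checkToken(array $data, array &$session) {
    if (!isset($session[TOKEN_NAME])) {
        return true; // no token issued in this session, so nothing is checked
    }
    if (empty($data[TOKEN_NAME]) || !is_string($data[TOKEN_NAME])
        || !hash_equals($session[TOKEN_NAME], $data[TOKEN_NAME])) {
        return false; // missing, malformed or mismatched token
    }
    unset($session[TOKEN_NAME]); // one-time use: consumed on success
    return true;
}

// Constructed walk-through: render a form, then submit it in several ways.
$session = array();
$page = injectToken('<form method="post"><input name="q"></form>', $session);
$issued = $session[TOKEN_NAME];
assert(strpos($page, 'value="' . $issued . '"') !== false);                       // injected before </form>
assert(checkToken(array('q' => 'x'), $session) === false);                        // token omitted
assert(checkToken(array('q' => 'x', '__hash__' => 'guess'), $session) === false); // wrong token
assert(checkToken(array('q' => 'x', '__hash__' => $issued), $session) === true);  // genuine submission
assert(checkToken(array('q' => 'x', '__hash__' => $issued), $session) === true);  // replay: token gone, not checked
assert(injectToken('<form>{__NOTOKEN__}</form>', $session) === '<form></form>');  // explicit opt-out
```

Because the check is gated on a token being present in the session, the replay assertion passes: once a token has been consumed, or if the form page was never rendered in this session, a submission goes through unverified, which is worth keeping in mind when relying on this feature alone.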