Create method and automatic token verification in ThinkPHP

Source: Internet
Author: User

User table structure

Id Username Password

\Aoli\home\TPL\Default\User\create.html

<form action="__URL__/addit" method="post">
    <input type="text" name="id"/>
    <input type="text" name="username"/>
    <input type="password" name="password"/>
    <input type="submit" name="sub" value="Submit"/>
</form>

\Aoli\home\Lib\action

<?php
class UserAction extends Action {
    function create() {
        // Render the form template
        $this->display();
    }

    function addit() {
        // Add the form content to the user table.
        // create() builds the data object from $_POST and returns false
        // when token verification fails.
        $user = M('user');
        $user->create();
        $user->add();
        // Determine whether token verification passes
        if (!$user->autoCheckToken($_POST)) {
            dump('no');
        } else {
            dump('yes');
        }
    }
}
?>

1. Before operating on the data submitted by a form, we often need to build the required data manually, for example from the form data submitted above:

    // Instantiate the user model
    $user = M('user');

    // Obtain the form's POST data
    $data['username'] = $_POST['username'];
    $data['password'] = $_POST['password'];

    // Write data to the database
    $user->data($data)->add();

Note: Data objects created with the data method are not automatically verified or filtered; you must do that processing yourself. If you only want to create a data object and do not need any of the additional functions, you can use the data method.

2. ThinkPHP can help us create data objects quickly. The most typical use is to create a data object automatically from form data. A data object created by the create method is held in memory and is not actually written to the database.

    // Instantiate the user model
    $user = M('user');

    // Create a data object from the POST data submitted by the form and keep it in memory. You can inspect it with dump($user).
    $user->create();

    // Write the created data object to the database
    $user->add();

3. The create method can also create data objects from other sources, such as other data objects or arrays.

    $data['name'] = 'thinkphp';
    $data['email'] = 'thinkphp@gmail.com';
    $user->create($data);

    You can even create new data objects from objects, such as creating a new member data object from a user data object.

    $user = M('user');
    $user->find(1);
    $member = M('member');
    $member->create($user);

4. The create method also does some useful work while creating the data object, including token verification, automatic data verification, field type search, and automatic data completion.

  This is why the familiar token verification, automatic verification and automatic completion functions only take effect when the create method is used.

5. Token verification:

  Function: effectively prevents forms from being submitted remotely.

  Add the following configuration to config.php:

    'TOKEN_ON'   => true,    // whether to enable token verification
    'TOKEN_NAME' => 'Token', // name of the hidden field in the form for token verification
    'TOKEN_TYPE' => 'md5',   // hash rule for token verification

The automatic token places an MD5 hash string in the current session and inserts the same string into the form as a hidden field. The string therefore appears in two places: once in the session and once in the form. When the form is submitted, the first thing the server does is compare the submitted value with the session information. If they match, the submission is allowed; otherwise it is rejected.

In the page source, an automatically generated hidden field is added before the form's closing tag:

    <input type="hidden" name="Token" value="eef419c3d14c9c93caa7627eedaba4a5"/>

(1) If you want to control the location of the hidden field yourself, you can manually add the {__TOKEN__} identifier on the form page. The system will replace it automatically when it outputs the template.

(2) If form token verification is enabled but some forms do not need it, you can add {__NOTOKEN__} on the form page, and the system will ignore token verification for that form.

(3) If the page contains multiple forms, we recommend adding the {__TOKEN__} identifier and ensuring that only one form requires token verification.

(4) If you use the create method to create a data object, form token verification is performed automatically at the same time. If you do not use it, you need to call the model's autoCheckToken method manually to verify the form.

    if (!$user->autoCheckToken($_POST)) {
        // Token verification error
    }
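The session-and-hidden-field comparison described in section 5, as an added stand-alone example (not ThinkPHP's code and not from the original post). The function names and the `$session` array standing in for `$_SESSION` are assumptions, and a random token is used in place of the MD5 string.

```php
<?php
// Added illustration, not ThinkPHP source. $session stands in for $_SESSION
// so the script runs from the CLI; 'Token' matches TOKEN_NAME on this page.
const TOKEN_NAME = 'Token';

// Issue a token, keep a copy server-side, return the hidden field markup.
function issueTokenField(array &$session): string {
    // Assumption: a CSPRNG value is used here instead of an MD5 string.
    $session[TOKEN_NAME] = bin2hex(random_bytes(16));
    return sprintf('<input type="hidden" name="%s" value="%s"/>',
        TOKEN_NAME, $session[TOKEN_NAME]);
}

// Compare the posted token with the session copy.
function checkToken(array &$session, array $post): bool {
    $expected = $session[TOKEN_NAME] ?? null;
    $given    = $post[TOKEN_NAME] ?? null;
    if (!is_string($expected) || !is_string($given)
        || !hash_equals($expected, $given)) {   // constant-time comparison
        return false;   // nothing issued, nothing posted, or a mismatch
    }
    unset($session[TOKEN_NAME]);   // single use: a replay finds no token
    return true;
}

// Constructed requests exercising the check.
$session = [];
$field = issueTokenField($session);
preg_match('/value="([0-9a-f]+)"/', $field, $m);
$legit = ['username' => 'alice', 'password' => 'x', TOKEN_NAME => $m[1]];

$cases = [
    // A post built off-site carries no token or a wrong one.
    'remote post, no token'    => ['username' => 'mallory'],
    'remote post, wrong token' => [TOKEN_NAME => str_repeat('0', 32)],
    // The real form echoes the session token back exactly once.
    'form post with token'     => $legit,
    'same post replayed'       => $legit,
];
foreach ($cases as $name => $post) {
    printf("%-26s %s\n", $name,
        checkToken($session, $post) ? 'accepted' : 'rejected');
}
```

Only the post that carries the token issued with the form is accepted, and only once; resubmitting the same request is rejected because the session copy has been consumed.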

 
