This article describes the PHP cross-station attack principle and prevention techniques. Share to everyone for your reference. The specific methods are analyzed as follows:
When a cross-site attack is made using some details or bugs in the program, how can we prevent a cross station attack? Here is an example to prevent a cross-station attack to illustrate, I hope to help you.
Copy Code code as follows:
<?php
#demo for Prevent CSRF
/**
* ENC
*/
function Encrypt ($token _time) {
return MD5 ('!@##$@$$#%43 '. $token _time);
}
$token _time = time ();
$token = Encrypt ($token _time);
$expire _time = 10;
if ($_post) {
$_token_time = $_post[' token_time '];
$_token = $_post[' token '];
if ((Time () –$_token_time) > $expire _time) {
echo "Expired token";
echo "<br/>";
}
Echo $_token;
echo "<br/>";
$_token_real = Encrypt ($_token_time);
Echo $_token_real;
Compare $_token and $_token_real
}
?>
<! DOCTYPE html>
<meta http-equiv= "Content-type" content= "text/html; Charset=utf-8″/>
<title>test for Csrf</title>
<meta http-equiv= "" content= ""/>
<body>
<form method= "POST" action= "" >
<input type= "text" name= "text" id= "value=" Hello "/>
<input type= "hidden" name= "token" id= "value=" <?php echo $token?> "/>
<input type= "hidden" name= "Token_time" id= "value=" <?php echo $token _time?> "/>"
<input type= "Submit" name= "Submit" id= "" value= "Submit"/>
</form>
</body>
By including the verification code in your form, you have actually eliminated the risk of a cross station request forgery attack. You can use this process in any form that needs to be done
Of course, it's better to store the token to the session, which is just a simple example
Simple analysis:
Token attack also called as token, we visit the page when the user generated a random token save session and form, users submit if we get the token and session is not the same can be submitted to re-enter the submission of data
I hope this article will help you with your PHP program design.