PHP token (token) Design application

Source: Internet
Author: User

PHP token (token) design goal: avoid repeating data submissions. Check the routing, whether it is an external commit match to perform the action (if there are multiple logic in the same page implementation, such as new, delete, modify and put into a PHP file operation) Here the token is in the page display, write to the form of a hidden form item (Type=hidden). Token is not clear, if it is clear, it is too dangerous, so to use a certain encryption. Ciphertext to be reversible. I'm an idiot, so I used a ready-made method on the Web.

How to achieve the goal:

How do I avoid repeating submissions?
in the session, an array is stored with the token that was successfully submitted. In the background processing, the first to determine whether the token is in this array, if present, the description is repeated commit.
How do I check the route?
Optional, this token is added to the current session_id when it is generated. If someone copied your HTML (token a copy), in the case of the submission, the theoretical token contains the session_id is not equal to the current session_id,  You can tell that this commit is an external submission.
How do I match the action to be performed?
in token, the action name of this token is written into this token, so that, in the process of processing, the action is solved to compare on the line.
I used to write the Gtoken can not reach the above mentioned in the second, today modified a bit, the function 2 plus. Personal feeling is OK.
please look at the code, feel where there is unreasonable place, also please enlighten!

encryption I was looking for a method on the web, a little bit of modification.


<?php
Class Gencrypt extends Gsuperclass {
protected static function KeyED ($txt, $encrypt _key) {
$encrypt _key = MD5 ($encrypt _key);
$ctr = 0;
$tmp = "";
for ($i =0; $i <strlen ($txt); $i + +) {
if ($ctr ==strlen ($encrypt _key)) $ctr = 0;
$tmp. = substr ($txt, $i, 1) ^ substr ($encrypt _key, $ctr, 1);
$ctr + +;
}
return $tmp;
}

public static function Encrypt ($txt, $key) {
$encrypt _key = MD5 (rand (0,32000));
$encrypt _key = MD5 ((float) Date ("Ymdhis") + rand (10000000000000000,99999999999999999)). Rand (100000,999999));
$ctr = 0;
$tmp = "";
for ($i =0; $i <strlen ($txt); $i + +) {
if ($ctr ==strlen ($encrypt _key)) $ctr = 0;
$tmp. = substr ($encrypt _key, $ctr, 1). (Substr ($txt, $i, 1) ^ substr ($encrypt _key, $ctr, 1));
$ctr + +;
}
Return Base64_encode (self::keyed ($tmp, $key));
}

    public static function decrypt ($txt, $key) { 
         $txt = self::keyed (Base64_decode ($txt), $key);    
         $tmp = ""; 
        for ($i =0; $i <strlen ($txt); $i + +) {     
            $MD 5 = substr ($txt , $i, 1);    
            $i + +;     
            $tmp. = (substr ($ TXT, $i, 1) ^ $md 5);    
       } 
         return $tmp; 
   }     
}  
?>

GToken.inc.php
Method:

a,grantetoken parameter: FormName, which is the action name, key is the encryption/decryption key.
returns a string in the form: Encryption (FORMNAME:SESSION_ID)

B,istoken Parameters: Token is the result of Grantetoken, FormName, action name, fromcheck whether to check the origin, if true, but also to determine whether the session_id in token and the current session_ ID one to.

C,droptoken, when a successful action is executed, the function is called and the token is credited to the session,

Copy the Code code as follows:


<?php
/**
* Principle: When requesting token assignment, find a way to assign a unique token, base64 (time + rand + action)
* If submitted, this token record, stating that token is used, can be followed by it to avoid duplication of submissions.
*
*/
Class GToken {

/**
* Get all current tokens
*
* @return Array
*/
public static function Gettokens () {
$tokens = $_session[gconfig::session_key_token];
if (Empty ($tokens) &&!is_array ($tokens)) {
$tokens = Array ();
}
return $tokens;
}

/**
* Generate a new token
*
* @param string $formName
* @param encryption Key $key
* @return String
*/

public static function Grantetoken ($formName, $key = Gconfig::encrypt_key) {
$token = Gencrypt::encrypt ($formName. ":". session_id (), $key);
return $token;
}

/**
* Deleting tokens is actually adding an element to an array in the session stating that the token has been used to avoid repeated data submissions.
*
* @param string $token
*/
public static function Droptoken ($token) {
$tokens = Self::gettokens ();
$tokens [] = $token;
Gsession::set (Gconfig::session_key_token, $tokens);
}

/**
* Check if the token is specified
*
* @param string $token The token value to check
* @param string $formName
* @param boolean $fromCheck whether to check for routing, or true to determine if the session_id attached to token is the same as the current session_id.
* @param string $key encryption key
* @return Boolean
*/

public static function Istoken ($token, $formName, $fromCheck = False, $key = Gconfig::encrypt_key) {
$tokens = Self::gettokens ();

if (In_array ($token, $tokens))//If present, the description is used token
return false;

$source = Split (":", Gencrypt::d ecrypt ($token, $key));

if ($fromCheck)
return $source [1] = = session_id () && $source [0] = = $formName;
Else
return $source [0] = = $formName;
}
}
?>

Example:

first take the token from the $_post and judge it with Istoken.

It all looked as if there was no problem.
if you want to determine whether the execution of the matching action, you can change the Istoken in the FormName, run, very good, no match. Prove this success.

is it possible to avoid repeating commits, I have no validation, too simple logic.

the rest is to determine whether the route checks are working properly.
The HTML copy generated from the above example to a local Web page (for the purpose of different domains), run, check the origin of the unknown, no execution action (need to set the third parameter of Istoken to true).
set the third parameter of Istoken to False, commit, and execute the specified action!

PHP token (token) Design application

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.