Token method: a hidden form field carries a token that makes an attack harder. Every submission must be checked against the server; if the check fails, the submission is treated as external. (The same check can also be done with a session plus a hidden field.)
Code:
form.php
<!DOCTYPE html>
<meta charset="UTF-8">
<title>Document</title>
<body>
<?php
define('SECRET', "67%$ #ap28");

// Token layout: 4-digit random number, then the first 10 hex characters of
// md5(number . SECRET), then hex of (request time - number).
function m_token() {
    $str = mt_rand(1000, 9999);
    $str2 = dechex($_SERVER['REQUEST_TIME'] - $str);
    return $str . substr(md5($str . SECRET), 0, 10) . $str2;
}
?>
<form action="dopost.php" method="POST">
Name: <input type="text" name="name" id="">
<input type="hidden" name="token" value="<?php echo m_token(); ?>">
<input type="submit" value="Submission">
</form>
</body>

dopost.php
<?php
define('SECRET', "67%$ #ap28");

// Recompute the keyed hash from the random part, then check the token's age.
function v_token($str, $delay = 2) {
    $str = (string) $str;
    $rs = substr($str, 0, 4);        // random number
    $middle = substr($str, 0, 14);   // random number + hash prefix
    $rs2 = substr($str, 14, 8);      // hex of (request time - random number)
    // hash_equals() instead of ==, so numeric-looking strings are not compared as numbers
    return hash_equals($rs . substr(md5($rs . SECRET), 0, 10), $middle)
        && ($_SERVER['REQUEST_TIME'] - hexdec($rs2) - (int) $rs <= $delay);
}

var_dump(v_token($_POST['token'] ?? ''));
Here $delay is the allowed time delay in seconds between generating the token and submitting the form; adjust it in each program according to the business requirements.
Output:
bool(true)
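
The session plus hidden field variant mentioned at the top, as an added example that is not code from the original page: the server stores a random token in the session when it renders the form and accepts it once on submit. The names issue_token and check_token, the session key form_token and the TOKEN_TTL value are assumptions made for this example.

```php
<?php
// Added example: session + hidden field token in a single file.
// GET renders the form, POST verifies the token. All names are assumptions.
session_start();

const TOKEN_TTL = 600; // seconds a rendered form stays valid (assumed value)

// Create a random token and remember it, with its issue time, in the session.
function issue_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Accept a submitted token once, only if it matches and has not expired.
function check_token($submitted): bool {
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);            // single use: a replay fails
    if (!is_array($stored) || !is_string($submitted)) {
        return false;                          // no form was issued, or bad input
    }
    if (time() - $stored['issued'] > TOKEN_TTL) {
        return false;                          // form was rendered too long ago
    }
    return hash_equals($stored['value'], $submitted); // constant-time compare
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!check_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired token');
    }
    exit('Hello, ' . htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8'));
}
?>
<!DOCTYPE html>
<meta charset="UTF-8">
<title>Document</title>
<form action="" method="POST">
Name: <input type="text" name="name">
<input type="hidden" name="token" value="<?php echo issue_token(); ?>">
<input type="submit" value="Submission">
</form>
```

Because the token lives in the visitor's own session, a form posted from another site or a token copied from another visitor's page does not verify.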
PHP forms: add hidden tokens to block external submissions