PHP prevents remote submission of form examples from outside the station

Example one, each time we open the Submit page to generate a token and then save in session, when the form is submitted we will determine whether the current token value and session is consistent, if it is a normal submission otherwise is invalid submission.

Code

The code is as follows

Copy Code

<?php Session_Start (); if ($_post[' submit '] = = "Go") { Check token if ($_post[' token '] = = $_session[' token ']) { Strip_tags $name = strip_tags ($_post[' name ')); $name = substr ($name, 0,40); Clean out any potential hexadecimal characters $name = Cleanhex ($name); Continue processing ..... }else{ Stop all processing! Remote form Posting attempt! } } $token = MD5 (Uniqid (rand (), true); $_session[' token ']= $token; function Cleanhex ($input) { $clean = Preg_replace ("![ \][XX] ([a-fa-f0-9]{1,3})! "," ", $input); return $clean; } ?> <form action= "<?php echo $_server[' php_self '";? > "method=" Post > <p><label for= "Name" >Name</label> <input type= "text" name= "name" id= "name" size= "Maxlength=" <input type= "hidden" name= token "value=" <?php echo $token;? > "/> <p><input type= "Submit" name= "submit" value= "Go"/></p> </form>

There is also a more obvious way is to use the verification code, this type of verification code is the same as the other way oh, let's look at a simple example

Add Verification Code

The form submission time increases the verification code, may effectively prevent the irrigation machine to submit the data. But as the graphic image recognition program becomes more powerful, the verification code recognition is also constantly improving his difficulty, some of the verification code even added to the recognition of the voice, some small sites can use such a way.

The code is as follows	Copy Code
if ($_post[' Vcode ']!= get_vcode ()) { Exit (' Verify code checksum fails, cannot be stored '); }

Concrete examples do not introduce many examples of validation on the Web.