Newer versions of ThinkPHP ship a built-in form token verification feature that protects forms against remote submission (cross-site request forgery, CSRF): a one-time token is stored in the session and written into the form as a hidden field, and a submission that does not carry the matching token is rejected. This article introduces how ThinkPHP token verification is configured, how the template engine injects the token, and how the model verifies it.
The configuration parameters related to form token verification are:
```php
'TOKEN_ON'   => true,       // whether to enable TOKEN verification
'TOKEN_NAME' => '__hash__', // name of the hidden field that carries the TOKEN in the form
'TOKEN_TYPE' => 'md5',      // hash function used to build the TOKEN value, md5 by default
```
When form token verification is enabled, the system automatically adds a hidden field named after TOKEN_NAME to every template that contains a form. Its value is a hash string generated with the function named by TOKEN_TYPE, and it is used for automatic verification of the submitted form.
The automatically generated hidden field is inserted immediately before the form's closing `</form>` tag. If you want to control where the hidden field is placed, add the `{__TOKEN__}` marker to the form in the template; the system replaces it with the hidden field when the template is output. If token verification is enabled but some form should not be verified, add `{__NOTOKEN__}` to the page; the system then ignores token verification for that form.
If several forms exist on one page, add the `{__TOKEN__}` marker explicitly and make sure that only one form requires TOKEN verification: each page render stores a single token in the session, and that token is destroyed as soon as one submission has been verified, so a second form carrying the same token can no longer pass.
The model class performs form token verification automatically when it creates a data object. If you do not use the `create` method to create the data object, you need to call the model's `autoCheckToken` method yourself to verify the form token; a return value of `false` means the token check failed. For example:
```php
$User = M("User"); // instantiate the User model
// verify the token manually
if (!$User->autoCheckToken($_POST)) {
    // token verification error
}
```
A general template replacement function is defined in View.class.php of the ThinkPHP framework.
```php
protected function templateContentReplace($content) {
    // system default special-variable replacements
    $replace = array(
        '../Public'  => APP_PUBLIC_PATH,    // project public directory
        '__PUBLIC__' => WEB_PUBLIC_PATH,    // site public directory
        '__TMPL__'   => APP_TMPL_PATH,      // project template directory
        '__ROOT__'   => __ROOT__,           // current website address
        '__APP__'    => __APP__,            // current project address
        '__UPLOAD__' => __ROOT__.'/Uploads',
        '__ACTION__' => __ACTION__,         // current action address
        '__SELF__'   => __SELF__,           // current page address
        '__URL__'    => __URL__,
        '__INFO__'   => __INFO__,
    );
    if (defined('GROUP_NAME')) {
        $replace['__GROUP__'] = __GROUP__;  // current group address
    }
    if (C('TOKEN_ON')) {
        if (strpos($content, '{__TOKEN__}')) {
            // the template specifies where the form token hidden field goes
            $replace['{__TOKEN__}'] = $this->buildFormToken();
        } elseif (strpos($content, '{__NOTOKEN__}')) {
            // the form is marked as not requiring token verification
            $replace['{__NOTOKEN__}'] = '';
        } elseif (preg_match('/<\/form(\s*)>/is', $content, $match)) {
            // automatically generate the form token hidden field before </form>
            $replace[$match[0]] = $this->buildFormToken().$match[0];
        }
    }
    // allow user-defined template string replacements
    if (is_array(C('TMPL_PARSE_STRING')))
        $replace = array_merge($replace, C('TMPL_PARSE_STRING'));
    $content = str_replace(array_keys($replace), array_values($replace), $content);
    return $content;
}
```
The `if (C('TOKEN_ON'))` above checks whether TOKEN verification is enabled. If it is, the `buildFormToken()` method is called; it executes `$_SESSION[$tokenName] = $tokenValue;`, which with the default configuration simply assigns the token to `$_SESSION['__hash__']`, and returns the hidden `<input>` field carrying the same value. Note that `buildFormToken()` is called once per render, so in automatic mode every `</form>` on the page receives the same token value. If you do not want token verification for a page, just add `{__NOTOKEN__}`; the function replaces it with an empty string and inserts no hidden field.
The token verification function is defined in the Model.class.php class of ThinkPHP.
```php
// form TOKEN verification (called while creating the data object)
if (C('TOKEN_ON') && !$this->autoCheckToken($data)) {
    $this->error = L('_TOKEN_ERROR_');
    return false;
}

// automatic form TOKEN verification
public function autoCheckToken($data) {
    $name = C('TOKEN_NAME');
    if (isset($_SESSION[$name])) {
        // token verification
        if (empty($data[$name]) || $_SESSION[$name] != $data[$name]) {
            // illegal submission
            return false;
        }
        // destroy the session token once it has been verified
        unset($_SESSION[$name]);
    }
    return true;
}
```
Two details of this check are worth noticing. The whole comparison sits inside `isset($_SESSION[$name])`, so a request arriving in a session that has never rendered a token-bearing form is accepted without any token at all; the check only protects sessions in which a form has already been output. The comparison itself uses the loose `!=` operator rather than a constant-time string comparison.
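The following PHP script is an added example, not ThinkPHP's own code. It mirrors the flow of `buildFormToken()` and `autoCheckToken()` shown above (issue a token into the session, inject it before `</form>`, consume it on verification) but closes the two gaps visible in the framework code: the token comes from `random_bytes()` instead of a hash of the current time, verification fails closed when the session holds no token, and the comparison is done with `hash_equals()` instead of `!=`. The `$session` array is an assumption standing in for `$_SESSION` so the script runs from the CLI without a session handler; the form HTML is constructed for the demo.

```php
<?php
// Added example, not ThinkPHP's own code. $session is an assumed plain array
// standing in for $_SESSION so this runs from the CLI without a session handler.

const TOKEN_NAME = '__hash__';           // same hidden-field name as TOKEN_NAME

// Issue a fresh token, store it in the session and return the hidden field.
function buildFormToken(array &$session): string
{
    $value = bin2hex(random_bytes(16));  // 128 bits from the CSPRNG
    $session[TOKEN_NAME] = $value;
    return '<input type="hidden" name="' . TOKEN_NAME . '" value="' . $value . '" />';
}

// Inject the hidden field before every </form>, as the automatic mode of
// templateContentReplace() does: one token value is shared by all forms.
function injectToken(string $html, array &$session): string
{
    $field = buildFormToken($session);
    return preg_replace('/<\/form(\s*)>/i', $field . '$0', $html);
}

// Fail-closed verification: a session without a token, a missing field and a
// mismatch are all rejected. The token is single-use and is removed after a
// successful check, like the unset() in autoCheckToken().
function checkToken(array $post, array &$session): bool
{
    $expected = $session[TOKEN_NAME] ?? null;
    $given    = $post[TOKEN_NAME] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        // autoCheckToken() returns true when the session holds no token;
        // here the request is rejected instead.
        return false;
    }
    $ok = hash_equals($expected, $given);  // constant-time comparison
    unset($session[TOKEN_NAME]);           // one token, one submission
    return $ok;
}

// Constructed demo: render a page with two forms, then submit one of them.
$session = [];
$page = injectToken(
    '<form method="post" action="/User/add"></form>'
    . '<form method="post" action="/User/del"></form>',
    $session
);
echo $page, PHP_EOL;

// 1. legitimate submission carrying the freshly issued token
$post = [TOKEN_NAME => $session[TOKEN_NAME], 'name' => 'alice'];
var_dump(checkToken($post, $session));

// 2. replay of the same token after it has been consumed
var_dump(checkToken($post, $session));

// 3. cross-site request in a session that never rendered a form
$freshSession = [];
var_dump(checkToken(['name' => 'mallory'], $freshSession));
```

Run from the command line, the rendered page shows the same hidden field inserted before both `</form>` tags; the first submission is accepted, the replay is rejected because the token was consumed, and the request in the fresh session is rejected because there is no token to compare against, which is the case the framework's `isset()` guard lets through.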