ThinkPHP form token verification example

Source: Internet
Author: User

ThinkPHP has a built-in form token verification function, which is an effective protection against remote submission of forms (cross-site request forgery) and similar abuse.
The configuration parameters related to form token verification are:

```php
'TOKEN_ON'   => true,       // whether to enable TOKEN verification
'TOKEN_NAME' => '__hash__', // name of the hidden TOKEN field in the form
'TOKEN_TYPE' => 'md5',      // hash algorithm for the TOKEN value, md5 by default
```

When form token verification is enabled, the system automatically generates, in every template file that contains a form, a hidden field whose name is the value of TOKEN_NAME. Its value is a hash string produced with the TOKEN_TYPE algorithm, and it is used to verify the form token automatically when the form is submitted.

The automatically generated hidden field is placed just before the closing </form> tag. If you want to control the position of the hidden field yourself, put the {__TOKEN__} placeholder inside the form in the template; the system replaces it with the hidden field when the template is output. If some forms should not use token verification while it is enabled globally, add the {__NOTOKEN__} placeholder to that template page; the system then inserts no token field into it and performs no token verification for that form.

If there are several forms on one page, we recommend adding the {__TOKEN__} placeholder yourself and making sure that only one form carries it, so that exactly one form is token-verified.
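To make this recommendation concrete, here is an added example (not ThinkPHP's own code) that models the token branch of View::templateContentReplace(), quoted later on this page, and runs it over a constructed template containing two forms. It assumes the default TOKEN_NAME '__hash__' and uses a random value for the token instead of the framework's hash; buildFormToken() and insertToken() here are stand-ins written for the example.

```php
<?php
// Added example, not ThinkPHP source: a stand-alone model of the token branch
// of View::templateContentReplace(), applied to a constructed two-form page.

const TOKEN_NAME = '__hash__';   // assumption: ThinkPHP's default TOKEN_NAME

// Stand-in for the framework's buildFormToken(): emit the hidden field and
// remember the value in the (array) session. A random value is used here;
// the framework derives it with the TOKEN_TYPE hash instead.
function buildFormToken(array &$session): string {
    $value = bin2hex(random_bytes(16));
    $session[TOKEN_NAME] = $value;
    return '<input type="hidden" name="' . TOKEN_NAME . '" value="' . $value . '" />';
}

// The three branches of the framework code: an explicit {__TOKEN__}, an
// explicit {__NOTOKEN__}, otherwise insert before the first matched </form>.
// Note: the framework tests the bare strpos() result, so a placeholder at
// offset 0 would be missed there; this model uses !== false.
function insertToken(string $content, array &$session): string {
    $replace = array();
    if (strpos($content, '{__TOKEN__}') !== false) {
        $replace['{__TOKEN__}'] = buildFormToken($session);
    } elseif (strpos($content, '{__NOTOKEN__}') !== false) {
        $replace['{__NOTOKEN__}'] = '';
    } elseif (preg_match('/<\/form(\s*)>/is', $content, $match)) {
        // str_replace() rewrites EVERY occurrence of the matched closing tag,
        // so every form with an identical </form> receives the same field.
        $replace[$match[0]] = buildFormToken($session) . $match[0];
    }
    return str_replace(array_keys($replace), array_values($replace), $content);
}

// Constructed template: a search form and a login form on the same page.
$twoForms = <<<HTML
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="/login"><input name="user"><input name="pass"></form>
HTML;

// Automatic mode: both forms get the hidden field, although the session holds
// a single token that autoCheckToken() destroys on first use.
$session = array();
$auto = insertToken($twoForms, $session);
echo substr_count($auto, 'name="' . TOKEN_NAME . '"'), " hidden token field(s) in automatic mode\n";

// Explicit mode: only the login form carries {__TOKEN__}, so only it gets the field.
$explicit = str_replace('<input name="pass">', '<input name="pass">{__TOKEN__}', $twoForms);
$session = array();
$manual = insertToken($explicit, $session);
echo substr_count($manual, 'name="' . TOKEN_NAME . '"'), " hidden token field(s) with {__TOKEN__}\n";
```

Running the script prints 2 for the automatic case and 1 for the explicit case: without the placeholder the GET search form also carries a token field, and whichever form is submitted first consumes the single session token.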

The model class performs form token verification automatically when it creates a data object with create(). If you do not use the create method to build the data object, call the model's autoCheckToken method yourself to verify the form token; it returns false when verification fails. For example:

```php
$User = M('User');                    // instantiate the User model
// verify the token manually
if (!$User->autoCheckToken($_POST)) {
    // token verification failed
}
```

The general template string replacement function is defined in View.class.php of the ThinkPHP framework:

```php
protected function templateContentReplace($content) {
    // special string replacements
    $replace = array(
        '../Public'  => APP_PUBLIC_PATH,      // project PUBLIC directory
        '__PUBLIC__' => WEB_PUBLIC_PATH,      // site PUBLIC directory
        '__TMPL__'   => APP_TMPL_PATH,        // project template directory
        '__ROOT__'   => __ROOT__,             // current site address
        '__APP__'    => __APP__,              // current project address
        '__UPLOAD__' => __ROOT__ . '/uploads',
        '__ACTION__' => __ACTION__,           // current action address
        '__SELF__'   => __SELF__,             // current page address
        '__URL__'    => __URL__,
        '__INFO__'   => __INFO__,
    );
    if (defined('GROUP_NAME')) {
        $replace['__GROUP__'] = __GROUP__;    // current group address
    }
    if (C('TOKEN_ON')) {
        if (strpos($content, '{__TOKEN__}')) {
            // the template specifies where the TOKEN hidden field goes
            $replace['{__TOKEN__}'] = $this->buildFormToken();
        } elseif (strpos($content, '{__NOTOKEN__}')) {
            // the template declares that no token verification is needed
            $replace['{__NOTOKEN__}'] = '';
        } elseif (preg_match('/<\/form(\s*)>/is', $content, $match)) {
            // otherwise insert the TOKEN hidden field before </form>
            $replace[$match[0]] = $this->buildFormToken() . $match[0];
        }
    }
    // allow user-defined template string replacements
    if (is_array(C('TMPL_PARSE_STRING'))) {
        $replace = array_merge($replace, C('TMPL_PARSE_STRING'));
    }
    $content = str_replace(array_keys($replace), array_values($replace), $content);
    return $content;
}
```

The test if (C('TOKEN_ON')) above checks whether TOKEN verification is enabled. If it is, buildFormToken() is called; inside it, $_SESSION[$tokenName] = $tokenValue; stores the generated value in the session, which with the default configuration means assigning $_SESSION['__hash__']. If you do not want token verification for a page, add {__NOTOKEN__} to its template (for example just before </form>); the function replaces it with an empty string and inserts no token field.

The token verification itself is defined in Model.class.php of ThinkPHP:

```php
// form TOKEN verification (excerpt from create())
if (C('TOKEN_ON') && !$this->autoCheckToken($data)) {
    $this->error = L('_TOKEN_ERROR_');
    return false;
}

// automatic form TOKEN verification
public function autoCheckToken($data) {
    $name = C('TOKEN_NAME');
    if (isset($_SESSION[$name])) {
        // token verification
        if (empty($data[$name]) || $_SESSION[$name] != $data[$name]) {
            // illegal submission
            return false;
        }
        // verification passed: destroy the token in the SESSION
        unset($_SESSION[$name]);
    }
    return true;
}
```
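The following stand-alone script is an added example, not ThinkPHP source. It re-implements the autoCheckToken() logic quoted above against a plain array in place of $_SESSION and compares it, on constructed inputs, with a fail-closed variant that uses a strict, constant-time comparison. TOKEN_NAME is assumed to be the default '__hash__'; the token values are made up, and the two "0e..." digests are well-known md5 outputs whose digits make them numeric strings. It shows three things a practitioner would want to check in the shipped code: verification passes when the session holds no token at all, the loose != comparison treats two numeric-looking strings as equal, and once the single-use token has been consumed a repeated submission is accepted.

```php
<?php
// Added example, not ThinkPHP source: the page's autoCheckToken() logic beside
// a hardened variant, driven through a constructed session array and
// constructed POST bodies so the difference in behaviour is visible.

const TOKEN_NAME = '__hash__';   // assumption: ThinkPHP's default TOKEN_NAME

// Same logic as the framework method above, with $_SESSION replaced by an
// array reference so the script runs from the CLI without a real session.
function autoCheckTokenAsShipped(array &$session, array $data): bool {
    $name = TOKEN_NAME;
    if (isset($session[$name])) {
        if (empty($data[$name]) || $session[$name] != $data[$name]) {
            return false;
        }
        unset($session[$name]);   // single use
    }
    return true;                  // also true when the session holds no token
}

// Hardened variant: a token must exist in the session, the submitted value must
// be a string, and the comparison is strict and constant-time (hash_equals).
// The session token is consumed whether or not the check succeeds, so a wrong
// guess cannot be retried against the same token. This fails closed: a form
// that was never rendered with a token field cannot pass.
function autoCheckTokenStrict(array &$session, array $data): bool {
    $name = TOKEN_NAME;
    if (!isset($session[$name]) || !is_string($session[$name])) {
        return false;
    }
    $expected = $session[$name];
    unset($session[$name]);
    if (!isset($data[$name]) || !is_string($data[$name])) {
        return false;
    }
    return hash_equals($expected, $data[$name]);
}

// Run one scenario against both checkers with fresh sessions; return both verdicts.
function compare(?string $sessionToken, array $post): array {
    $s1 = $s2 = array();
    if ($sessionToken !== null) {
        $s1[TOKEN_NAME] = $s2[TOKEN_NAME] = $sessionToken;
    }
    return array(
        'shipped' => autoCheckTokenAsShipped($s1, $post),
        'strict'  => autoCheckTokenStrict($s2, $post),
    );
}

// Constructed scenarios; $good is a made-up 32-hex-digit token value.
$good = 'e2c569be17396eca2a2e3c11578123ed';
$scenarios = array(
    'valid token'             => compare($good, array(TOKEN_NAME => $good)),
    'wrong token'             => compare($good, array(TOKEN_NAME => str_repeat('0', 32))),
    'field missing'           => compare($good, array('user' => 'alice')),
    'no token in session'     => compare(null, array('user' => 'alice')),
    // Loose comparison of two numeric strings compares them as numbers, so two
    // different "0e<digits>" md5 digests are equal (0 == 0) under != .
    'numeric-string juggling' => compare('0e462097431906509019562988736854',
                                         array(TOKEN_NAME => '0e830400451993494058024219903391')),
);

// Replay: the same POST twice against one session. After the first success the
// token is gone; the shipped version then accepts the second submission (empty
// session means "nothing to check"), the strict version rejects it.
$s1 = $s2 = array(TOKEN_NAME => $good);
$post = array(TOKEN_NAME => $good);
$scenarios['replay (2nd submit)'] = array(
    'shipped' => autoCheckTokenAsShipped($s1, $post) && autoCheckTokenAsShipped($s1, $post),
    'strict'  => autoCheckTokenStrict($s2, $post)   && autoCheckTokenStrict($s2, $post),
);

foreach ($scenarios as $label => $verdict) {
    printf("%-26s shipped=%-4s strict=%s\n", $label,
        $verdict['shipped'] ? 'pass' : 'fail', $verdict['strict'] ? 'pass' : 'fail');
}
```

Only the "valid token" scenario passes both checkers. The shipped logic also reports "pass" for the empty-session, numeric-string and replay cases; if you rely on create() for CSRF protection, make sure every protected form is rendered through the template engine so a token is actually in the session, and consider replacing the != with hash_equals() on string values as in the strict variant.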
