Use the Security class provided by CI to add the CSRF hidden field to a form without form_open()

Source: Internet
Author: User


First, look at the documentation: http://codeigniter.org.cn/user_guide/libraries/security.html
Its last few lines read as follows:
Cross-site request forgery (CSRF)

Open your application/config/config.php file and make the following setting to enable CSRF protection:

$config['csrf_protection'] = TRUE;



If you use the form helper, the form_open() function automatically inserts the hidden CSRF field into your form.

So the method the documentation describes is: you must use form_open() to generate the hidden field that protects the form against cross-site requests.

So I checked the source code of form_open ().

/**
 * Form Declaration
 *
 * Creates the opening portion of the form.
 *
 * @access    public
 * @param    string    the URI segments of the form destination
 * @param    array     a key/value pair of attributes
 * @param    array     a key/value pair hidden data
 * @return   string
 */
if ( ! function_exists('form_open'))
{
    function form_open($action = '', $attributes = '', $hidden = array())
    {
        $CI =& get_instance();

        if ($attributes == '')
        {
            $attributes = 'method="post"';
        }

        // If an action is not a full URL then turn it into one
        if ($action && strpos($action, '://') === FALSE)
        {
            $action = $CI->config->site_url($action);
        }

        // If no action is provided then set to the current url
        $action OR $action = $CI->config->site_url($CI->uri->uri_string());

        $form = '<form action="'.$action.'"';

        $form .= _attributes_to_string($attributes, TRUE);

        $form .= '>';

        // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites
        if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->base_url()) === FALSE OR strpos($form, 'method="get"')))
        {
            $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();
        }

        if (is_array($hidden) AND count($hidden) > 0)
        {
            $form .= sprintf("<div style=\"display:none\">%s</div>", form_hidden($hidden));
        }

        return $form;
    }
}


It turns out that the hidden CSRF field is generated by just these lines:

// Add CSRF field if enabled, but leave it out for GET requests and requests to external websites
if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->base_url()) === FALSE OR strpos($form, 'method="get"')))
{
    $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();
}


So it is not hard to see that we can emit the same field directly in the template, like this:

<?php if ($this->config->item('csrf_protection') === TRUE) { ?>
    <input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
<?php } ?>


Or build the hidden field as a string in the controller and then output it directly in the template.
Controller:

$data['token'] = '';
if ($this->config->item('csrf_protection') === TRUE) {
    $data['token'] = '<input type="hidden" name="' . $this->security->get_csrf_token_name() . '" value="' . $this->security->get_csrf_hash() . '" />';
}
$this->load->view('reg_index', $data);


The template then outputs the variable directly:

<?php echo $token; ?>


Note: this only applies to POST requests. CodeIgniter validates the CSRF token only when a request carries POST data, and looks for it only in the POST fields (form_open() likewise omits the field for method="get" forms), so a hand-written form that carries the token must use method="post", and any POST sent from JavaScript must include the same name/value pair in its body or it will be rejected.
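The two snippets above repeat the same config check and the same two Security calls in every view or controller. A small helper extension, added here as an example (it is not code from the original post or from CodeIgniter), packages that into one function for hand-written forms and a second one that exposes the token to scripts that POST without a form. It assumes a CodeIgniter 2.x or 3.x install with the Security class loaded (the default), the file placed at application/helpers/MY_form_helper.php so the loader picks it up together with the form helper, and the function names csrf_field() and csrf_meta() and the route reg/submit, which are my own.

```php
<?php
// application/helpers/MY_form_helper.php
//
// Added example, not code from the original post or from CodeIgniter.
// CodeIgniter's loader includes a MY_form_helper.php (the "MY_" prefix is
// $config['subclass_prefix']) whenever the form helper is loaded, e.g. via
// $this->load->helper('form') or application/config/autoload.php, so the
// two functions below become available in every view.
// Assumed: CodeIgniter 2.x/3.x, Security class loaded (it is by default),
// $config['csrf_protection'] set in application/config/config.php.
// The names csrf_field() and csrf_meta() are my own, not CI API.

if ( ! function_exists('csrf_field'))
{
    /**
     * Hidden CSRF input for a form written by hand in a view, i.e. the same
     * field form_open() adds. Returns '' when CSRF protection is off, so the
     * view needs no config check of its own.
     */
    function csrf_field()
    {
        $CI =& get_instance();

        if ($CI->config->item('csrf_protection') !== TRUE)
        {
            return '';
        }

        // The hash is read back from a cookie, so escape it like any other
        // external value before placing it in markup.
        $name = htmlspecialchars($CI->security->get_csrf_token_name(), ENT_QUOTES, 'UTF-8');
        $hash = htmlspecialchars($CI->security->get_csrf_hash(), ENT_QUOTES, 'UTF-8');

        return '<input type="hidden" name="'.$name.'" value="'.$hash.'" />';
    }
}

if ( ! function_exists('csrf_meta'))
{
    /**
     * Expose the token name and hash in the page <head> for scripts.
     * CodeIgniter checks the token only in POST data, so a JavaScript POST
     * must send it as a form field; these meta tags give the script a place
     * to read it from without parsing a form. Returns '' when off.
     */
    function csrf_meta()
    {
        $CI =& get_instance();

        if ($CI->config->item('csrf_protection') !== TRUE)
        {
            return '';
        }

        $name = htmlspecialchars($CI->security->get_csrf_token_name(), ENT_QUOTES, 'UTF-8');
        $hash = htmlspecialchars($CI->security->get_csrf_hash(), ENT_QUOTES, 'UTF-8');

        return '<meta name="csrf-token-name" content="'.$name.'" />'."\n"
             . '<meta name="csrf-token-hash" content="'.$hash.'" />'."\n";
    }
}

/* Usage in a view (e.g. reg_index.php), replacing the $data['token']
 * built in the controller; reg/submit is a hypothetical route:
 *
 *   <head><?php echo csrf_meta(); ?></head>
 *   ...
 *   <form action="/reg/submit" method="post">
 *       <?php echo csrf_field(); ?>
 *       <input type="text" name="username" />
 *       <input type="submit" value="Register" />
 *   </form>
 *
 * A script that POSTs with XMLHttpRequest or fetch() reads the two meta
 * tags and appends name=hash to its URL-encoded body; without that field
 * the Security class rejects the request.
 */
```

Because both functions return '' when csrf_protection is off, a view can call them unconditionally, which removes the easiest mistake with hand-written forms: forgetting the field on one of them. Escaping the values is cheap insurance even though the default token name is a fixed config string.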
