Use the Security class provided by CI (CodeIgniter) to protect against cross-site request forgery by adding a hidden field to the form.
First, look at the documentation: http://codeigniter.org.cn/user_guide/libraries/security.html
Its last few lines read as follows:
Cross-site request forgery (CSRF)
Open your application/config/config.php file and make the following setting to enable CSRF protection:

    $config['csrf_protection'] = TRUE;

If you use the form helper, the form_open() function automatically inserts a hidden CSRF field in your forms.
That is the method the documentation describes:
you must use form_open() to generate the hidden form field that protects against cross-site requests.
So I checked the source code of form_open().

    /**
     * Form Declaration
     *
     * Creates the opening portion of the form.
     *
     * @access public
     * @param string the URI segments of the form destination
     * @param array a key/value pair of attributes
     * @param array a key/value pair hidden data
     * @return string
     */
    if ( ! function_exists('form_open'))
    {
        function form_open($action = '', $attributes = '', $hidden = array())
        {
            $CI =& get_instance();

            if ($attributes == '')
            {
                $attributes = 'method="post"';
            }

            // If an action is not a full URL then turn it into one
            if ($action && strpos($action, '://') === FALSE)
            {
                $action = $CI->config->site_url($action);
            }

            // If no action is provided then set to the current url
            $action OR $action = $CI->config->site_url($CI->uri->uri_string());

            $form = '<form action="'.$action.'"';
            $form .= _attributes_to_string($attributes, TRUE);
            $form .= '>';

            // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites
            if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->base_url()) === FALSE OR strpos($form, 'method="get"')))
            {
                $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();
            }

            if (is_array($hidden) AND count($hidden) > 0)
            {
                $form .= sprintf("<div style=\"display:none\">%s</div>", form_hidden($hidden));
            }

            return $form;
        }
    }

The hidden CSRF field of the generated form comes from these lines:

    // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites
    if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->base_url()) === FALSE OR strpos($form, 'method="get"')))
    {
        $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();
    }

From this it is easy to see that we can do the same thing directly in the template:

    <?php if ($this->config->item('csrf_protection') === TRUE) { ?>
    <input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
    <?php } ?>

Or build the hidden field in the controller and then output it directly in the template.
Controller:

    $data['token'] = '';
    if ($this->config->item('csrf_protection') === TRUE)
    {
        $data['token'] = '<input type="hidden" name="' . $this->security->get_csrf_token_name() . '" value="' . $this->security->get_csrf_hash() . '" />';
    }
    $this->load->view('reg_index', $data);

The template outputs the variable directly:

    <?php echo $token; ?>

Note: this only applies to POST requests.
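
The hand-written field above drops the two checks form_open() makes before adding the token (no token for GET forms, none for forms that post to an external site). The following is an added example, not CodeIgniter's or the author's code: csrf_field() is a hypothetical helper that keeps both checks and HTML-escapes its output. It assumes the base URL ends with a slash, and all sample values are constructed.

```php
<?php
// Added example: csrf_field() is a hypothetical helper, not part of CodeIgniter.
// In a CI controller the last four arguments would come from
// $this->config->base_url(), $this->security->get_csrf_token_name(),
// $this->security->get_csrf_hash() and $this->config->item('csrf_protection').
function csrf_field($action, $method, $base_url, $token_name, $token_hash, $enabled = TRUE)
{
    // No token when protection is off, or for GET forms (it would end up in the URL).
    if ($enabled !== TRUE || strtolower($method) !== 'post') {
        return '';
    }

    // Relative actions stay on this site. Absolute or protocol-relative actions
    // must START with the base URL; form_open() only checks that the base URL
    // occurs somewhere in the action, which is a looser test.
    $is_absolute = strpos($action, '://') !== FALSE || strpos($action, '//') === 0;
    if ($is_absolute && strpos($action, $base_url) !== 0) {
        return '';
    }

    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars($token_name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($token_hash, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample values, for illustration only.
$base = 'http://example.com/';
$name = 'csrf_test_name';
$hash = '0123456789abcdef0123456789abcdef';

$cases = array(
    array('user/register', 'post'),                                    // relative, same site
    array('http://example.com/user/register', 'post'),                 // absolute, same site
    array('http://example.com/search', 'get'),                         // GET form
    array('http://other.example/pay?ref=http://example.com/', 'post'), // external site
    array('//other.example/pay', 'post'),                              // protocol-relative, external
);

foreach ($cases as $c) {
    $field = csrf_field($c[0], $c[1], $base, $name, $hash);
    printf("%-52s %-4s %s\n", $c[0], $c[1], $field === '' ? 'no token' : 'token added');
}
```

Only the first two cases print "token added"; the GET form and both external actions get no token, so the value is never sent to another site or placed in a query string.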