Use the security class provided by CI to prevent cross-site requests from adding hidden fields to the form.

Use the security class provided by CI to prevent cross-site requests from adding hidden fields to the form.

First we see the document: http://codeigniter.org.cn/user_guide/libraries/security.html
The last few lines are described as follows:
Cross-site request forgery (Cross-site request forgery, CSRF)

Open your application/config. php file and perform the following settings to enable csrf protection:

PHP copy code $ config ['csrf _ protection '] = TRUE; copy code

If you use a form helper function, the form_open () function automatically inserts a hidden csrf field in your form.

This is the method described in this document:
You must use form_open () to generate form hidden fields to prevent cross-site requests.

So I checked the source code of form_open ().

 

/** * Form Declaration * * Creates the opening portion of the form. * * @access        public * @param        string        the URI segments of the form destination * @param        array        a key/value pair of attributes * @param        array        a key/value pair hidden data * @return        string */if ( ! function_exists('form_open')){        function form_open($action = '', $attributes = '', $hidden = array())        {                $CI =& get_instance();                 if ($attributes == '')                {                        $attributes = 'method="post"';                }                 // If an action is not a full URL then turn it into one                if ($action && strpos($action, '://') === FALSE)                {                        $action = $CI->config->site_url($action);                }                 // If no action is provided then set to the current url                $action OR $action = $CI->config->site_url($CI->uri->uri_string());                 $form = '<form action="'.$action.'"';                 $form .= _attributes_to_string($attributes, TRUE);                 $form .= '>';                 // Add CSRF field if enabled, but leave it out for GET requests and requests to external websites                        if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->base_url()) === FALSE OR strpos($form, 'method="get"')))                        {                        $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();                }                 if (is_array($hidden) AND count($hidden) > 0)                {                        $form .= sprintf("<div style=\"display:none\">%s</div>",form_hidden($hidden));                }                 return $form;        }}

It is found that the hidden fields of the generated form focus on these rows.

// Add CSRF field if enabled, but leave it out for GET requests and requests to external websites        if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->base_url())=== FALSE OR strpos($form, 'method="get"')))        {    $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();}

As a result, it is not difficult to find that we can use it directly in the template as follows:

<?php if ($this->config->item('csrf_protection') === TRUE) { ?>    <input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" /><?php } ?>

Or in the controller, convert the hidden domain into a hidden domain, and then directly output the hidden domain in the template.
Controller:

 

$data['token'] = '';if ($this->config->item('csrf_protection') === TRUE) {        $data['token'] = '<input type="hidden" name="' . $this->security->get_csrf_token_name() .'" value="' . $this->security->get_csrf_hash() . '" />';}$this->load->view('reg_index', $data);

The template directly outputs the variables:

<? Php echo $ token;?>

Note: it can only be applied to post requests.