PHP security: 'Nonce' or 'unique form key' problem

Time: 2010-07-06 01:48:50

Tags: php security forms

I use this class (taken from a blog tutorial) to generate a unique key for validating forms:

class formKey {
    //Here we store the generated form key
    private $formKey;

    //Here we store the old form key
    private $old_formKey;

    //The constructor stores the form key (if one exists) in our class variable
    function __construct() {
        //We need the previous key so we store it
        if(isset($_SESSION['form_key'])) {
            $this->old_formKey = $_SESSION['form_key'];
        }
    }

    //Function to generate the form key
    private function generateKey() {
        //Get the IP-address of the user
        $ip = $_SERVER['REMOTE_ADDR'];

        //We use mt_rand() instead of rand() because it is better for generating random numbers.
        //We use 'true' to get a longer string.
        $uniqid = uniqid(mt_rand(), true);

        //Return the hash
        return md5($ip . $uniqid);
    }

    //Function to output the form key
    public function outputKey() {
        //Generate the key and store it inside the class
        $this->formKey = $this->generateKey();
        //Store the form key in the session
        $_SESSION['form_key'] = $this->formKey;

        //Output the form key
        // echo "<input type='hidden' name='form_key' id='form_key' value='".$this->formKey."' />";
        return $this->formKey;
    }

    //Function that validates the form key POST data
    public function validate() {
        //We use the old formKey and not the new generated version.
        //isset() avoids a notice when no key was posted; === avoids PHP's loose string comparison.
        if(isset($_POST['form_key']) && $_POST['form_key'] === $this->old_formKey) {
            //The key is valid, return true.
            return true;
        }
        else {
            //The key is invalid, return false.
            return false;
        }
    }
}

Everything on my site goes through index.php first, so I put this in index.php: $formKey = new formKey();

Then, in every form, I write: <?php $formKey->outputKey(); ?>

This generates: <input type="hidden" name="form_key" id="form_key" value="7bd8496ea1518e1850c24cf2de8ded23" />

Then I can check: if(!isset($_POST['form_key']) || !$formKey->validate())

I have two problems. First: I can't use more than one form per page, because only the last generated key is valid.

Second: because everything goes through index.php first, if I use AJAX to validate the form, the first time it validates but the second time it doesn't, because index.php generates a new key but the page containing the form isn't refreshed, so the form key isn't updated.

I've tried several things but I can't get it to work. Maybe you could update/modify the code/class to make it work? Thanks!!!

2 answers:

Answer 0 (score: 4)

You could put it into a class, but that's unnecessary complexity. Simple security systems are best because they are easier to audit.

//Put this in a header file
session_start();
//empty() rather than a bare read, so a missing key does not raise a notice
if(empty($_SESSION['xsrf_token'])){
     //Not the best but this should be enough entropy
     $_SESSION['xsrf_token']=uniqid(mt_rand(),true);
}
//$_REQUEST is used because you might need it for a GET or POST request.
function validate_xsrf(){
   //Both values must exist; === avoids loose string comparison;
   //the final && $_SESSION['xsrf_token'] fails closed if the session token was never set
   return isset($_REQUEST['xsrf_token'], $_SESSION['xsrf_token'])
       && $_SESSION['xsrf_token']===$_REQUEST['xsrf_token'] && $_SESSION['xsrf_token'];
}
//End of header file.

The extra && $_SESSION['xsrf_token'] ensures this variable is populated. It makes sure the implementation fails securely (like if you forgot the header file, d'oh! ;)

The following html/php will keep XSRF out of any file you want to protect; make sure you include the code above in a header file.

if(validate_xsrf()){
   //do something with $_POST
}

That's all you need to print the form. Make sure you call session_start(); before doing anything; it doesn't matter if it's called more than once.

<input type="hidden" name="xsrf_token" id="form_key" value="<?=$_SESSION['xsrf_token']?>" />
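The single session-wide token above already sidesteps both of the asker's problems, because every form on a page and every AJAX call reuses the same value. The following is an added example, not the answer's code, showing that design in current PHP: the token comes from the CSPRNG instead of uniqid(), the comparison is constant-time, the hidden field is HTML-escaped, and AJAX callers may send the token in a request header instead of a form field. The function names, the csrf_token field name and the X-CSRF-Token header are my assumptions; it needs PHP 7.0 or later for random_bytes().

```php
<?php
// Added example (not from the answer above): a session-scoped CSRF token helper.
// One token per session is issued once and reused by every form on the page and
// by AJAX requests, so neither "last key wins" nor "page not refreshed" applies.
// Assumptions: PHP >= 7.0 (random_bytes); the hidden field is named csrf_token and
// AJAX callers send the same value in an X-CSRF-Token header. Names are mine.

function csrf_start(): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 128 bits from the CSPRNG; hex-encoded so it is safe in HTML attributes.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
    }
}

function csrf_token(): string {
    csrf_start();
    return $_SESSION['csrf_token'];
}

// Hidden field for a form; every form on the page may call this.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Accept the token from a POST field or, for AJAX, from the X-CSRF-Token header.
function csrf_submitted_token(): ?string {
    if (isset($_POST['csrf_token']) && is_string($_POST['csrf_token'])) {
        return $_POST['csrf_token'];
    }
    if (isset($_SERVER['HTTP_X_CSRF_TOKEN']) && is_string($_SERVER['HTTP_X_CSRF_TOKEN'])) {
        return $_SERVER['HTTP_X_CSRF_TOKEN'];
    }
    return null;
}

function csrf_validate(): bool {
    csrf_start();
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = csrf_submitted_token();
    if ($expected === '' || $given === null) {
        return false;  // fail closed when either side is missing
    }
    // hash_equals is constant-time and avoids the pitfalls of == on strings
    return hash_equals($expected, $given);
}

// Usage in a request handler:
// csrf_start();
// if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !csrf_validate()) {
//     http_response_code(403);
//     exit('invalid CSRF token');
// }
// Usage in a template: echo csrf_field();   (once inside each <form>)
```

Because the token lives for the whole session, call session_regenerate_id(true) and unset $_SESSION['csrf_token'] at login and logout so a token issued to an anonymous session is not carried into an authenticated one.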

Answer 1 (score: 2)

Untested, but it should work.

class formKey {
    //Here we store the generated form key
    private $formKey;

    //Here we store the old form key
    private $old_formKey;

    //The constructor stores the form key (if one exists) in our class variable
    //and issues a fresh key for this request
    function __construct() {
        //We need the previous key so we store it
        if(isset($_SESSION['form_key'])) {
            $this->old_formKey = $_SESSION['form_key'];
        }
        //Generate the new key unconditionally, otherwise the very first
        //request of a session would have no key to output
        $this->formKey = $this->generateKey();
        $_SESSION['form_key'] = $this->formKey;
    }

    //Function to generate the form key
    private function generateKey() {
        //Get the IP-address of the user
        $ip = $_SERVER['REMOTE_ADDR'];

        //We use mt_rand() instead of rand() because it is better for generating random numbers.
        //We use 'true' to get a longer string.
        $uniqid = uniqid(mt_rand(), true);

        //Return the hash
        return md5($ip . $uniqid);
    }

    //Function to output the form key
    public function outputKey() {
        return $this->formKey;
    }

    //Function that validates the form key POST data
    public function validate() {
        //We use the old formKey and not the new generated version.
        //isset() avoids a notice when no key was posted; === avoids loose string comparison.
        if(isset($_POST['form_key']) && $_POST['form_key'] === $this->old_formKey) {
            //The key is valid, return true.
            return true;
        }
        else {
            //The key is invalid, return false.
            return false;
        }
    }
}

EDIT: Changed back to a single key. Just call outputKey() when needed. Don't create multiple instances of this class.
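This answer keeps the asker's "one fresh key per request" design, which still fails the AJAX case: a page rendered with key K is never re-rendered, so K is overwritten by the key of the next request and the second submission is rejected. The block below is an added example, not the answer's code, that keeps per-request rotation but remembers a small pool of recent keys in the session, so a key stays valid until it has been pushed out by newer ones. The class name, the form_keys session key and the pool size of 5 are my own choices for illustration; it needs PHP 7.1 or later for class constants with visibility.

```php
<?php
// Added example (not the answer's code): per-request form keys with a bounded
// pool of recent keys, so a page that was rendered earlier and submits via AJAX
// more than once is still accepted. Assumptions: PHP >= 7.1; session key name,
// class name and POOL_SIZE are illustrative.

class FormKeyPool {
    private const POOL_SIZE = 5;          // how many recent keys stay valid
    private const SESSION_KEY = 'form_keys';

    public function __construct() {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
        if (!isset($_SESSION[self::SESSION_KEY]) || !is_array($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = [];
        }
    }

    // Issue a fresh key for this render and drop the oldest when the pool is full.
    public function issue(): string {
        $key = bin2hex(random_bytes(16));  // 128 bits from the CSPRNG, hex-encoded
        $_SESSION[self::SESSION_KEY][] = $key;
        while (count($_SESSION[self::SESSION_KEY]) > self::POOL_SIZE) {
            array_shift($_SESSION[self::SESSION_KEY]);
        }
        return $key;
    }

    // Hidden field for one form; each form on the page gets its own key.
    public function field(): string {
        return '<input type="hidden" name="form_key" value="'
            . htmlspecialchars($this->issue(), ENT_QUOTES, 'UTF-8') . '" />';
    }

    // True if the submitted key is any key still in the pool. Comparison is
    // constant-time; a missing or empty key fails closed.
    public function validate(?string $submitted): bool {
        if ($submitted === null || $submitted === '') {
            return false;
        }
        foreach ($_SESSION[self::SESSION_KEY] as $known) {
            if (hash_equals($known, $submitted)) {
                return true;
            }
        }
        return false;
    }
}

// Usage, assuming a request handler that includes this file:
// $pool = new FormKeyPool();
// echo $pool->field();                       // once inside each <form>
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && !$pool->validate($_POST['form_key'] ?? null)) {
//     http_response_code(403);
//     exit('invalid form key');
// }
```

The pool trades the strict "newest key only" rule for a validity window of POOL_SIZE renders; if you need each key to be single-use, unset the matching entry inside validate() and have AJAX responses return a fresh issue() value for the client to swap into the form.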