
Preventing Form Spoofing

• October 2, 2017 • Read: 154 • PHP

Solution:
Add a hidden form field containing a one-time token, and store that same token in the user's session.

<?php
// session_start() must run before any output (including the <html> tag below),
// otherwise the session cookie cannot be sent ("headers already sent").
session_start();
// Token generated as in the original post. On PHP 7+, bin2hex(random_bytes(32))
// gives an unpredictable token and is preferable to md5(uniqid()).
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
?>
<html>
<body>
<form action="b.php" method="POST">
<!-- the token travels with the form and is compared against the session on submit -->
<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
<p>名称:<input type="text" name="name"></p>
<p>数量:<input type="password" name="password"></p>
<p><input type="submit" value="提交"></p>
</form>
</body>
</html>


When a request representing a form submission is received, check the token and make sure the two values match:

<?php
session_start();
// Both the session token and the submitted token must exist; hash_equals()
// replaces the loose != comparison so type juggling and timing differences
// cannot affect the result.
if (!isset($_SESSION['token'], $_POST['token'])
    || !is_string($_POST['token'])
    || !hash_equals($_SESSION['token'], $_POST['token'])) {
    // prompt for the password again
} else {
    // continue
}
?>
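The check above leaves the token in the session after a successful submission, so the same submission could be replayed. As an added example (not code from the original post), the following PHP helper wraps issue, render and verify steps, consumes the token on every verification attempt so it is truly one-time, and runs from the command line with simulated session and POST arrays; the function names and the constructed inputs are assumptions for illustration.

```php
<?php
// Added example: one-time form token helpers, runnable from the CLI.
// $_SESSION and $_POST are simulated with plain arrays (constructed input).

// Issue a fresh token and store it in the session (call once per form render).
function issue_token(array &$session): string {
    $session['token'] = bin2hex(random_bytes(32)); // CSPRNG, 64 hex characters
    return $session['token'];
}

// Render the hidden field; htmlspecialchars() keeps the value inert in HTML.
function token_field(string $token): string {
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token and consume it, so a replay of the same
// submission fails. hash_equals() avoids loose (==) comparison and timing leaks.
function verify_token(array &$session, array $post): bool {
    if (!isset($session['token'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    $ok = hash_equals($session['token'], $post['token']);
    unset($session['token']); // spent on any attempt, valid or not
    return $ok;
}

// Constructed walk-through.
$session = [];
$token = issue_token($session);
echo token_field($token), "\n";

// A forged submission carrying a guessed token is rejected.
$forged = ['name' => 'alice', 'password' => 'x', 'token' => 'guess'];
echo 'forged:  ', var_export(verify_token($session, $forged), true), "\n";

// The failed attempt spent the token, so the form must be re-rendered
// (re-issued) before a genuine submission can succeed.
$token = issue_token($session);
$good = ['name' => 'alice', 'password' => 'x', 'token' => $token];
echo 'genuine: ', var_export(verify_token($session, $good), true), "\n";

// Submitting the identical form a second time is a replay and is rejected.
echo 'replay:  ', var_export(verify_token($session, $good), true), "\n";
```

In a real application the session must be started with session_start() before any output, exactly as in the form page above.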

