PHP form token usage and handling

by

this is to prevent CSRF attacks

http://en.wikipedia.org/wiki/Cross-site_request_forgery

a malicious site could theoretically display a form that posts to your application. the form might contain instructions that cause a data breach or some unwanted action. the user might be deceived into submitting the form which the app would accept because the user is already logged in. a form token ensures the form was created by your site and not some other site.

checking the HTTP_REFERER is often good enough, but not as complete a solution (https for instance won’t send the referrer string).

if you really want to secure all forms with a token, you can create some convenience functions like emitToken() and checkToken() that will make it work site-wide.

some examples:

http://phpsec.org/projects/guide/2.html

http://www.rodsdot.com/php/CSRF_Form_Protection.php

More Related Contents:

  1. Logging In To Joomla 1.5 Using External Form (not within joomla folder, but on same server)
  2. Form submit file attach
  3. w3 schools form tutorial doesnt send email
  4. Notice: undifined index, but why?
  5. Understanding the “post/redirect/get” pattern
  6. HTTP authentication logout via PHP
  7. Using a string path to set nested array data [duplicate]
  8. How to set HTML value attribute (with spaces)
  9. PHP login system: Remember Me (persistent cookie) [duplicate]
  10. Send value of submit button when form gets posted
  11. Can you get a Windows (AD) username in PHP?
  12. Cannot connect to MySQL 4.1+ using old authentication
  13. Redirecting to previous page after login? PHP
  14. Form input field names containing square brackets like field[index]
  15. PHP form send email to multiple recipients
  16. How to add a delete button to a PHP form that will delete a row from a MySQL table
  17. getting a checkbox array value from POST
  18. How to redirect back to form with input – Laravel 5
  19. How to set a class attribute to a Symfony2 form input
  20. Laravel form html with PUT method for PUT routes
  21. Auth::user() returns null
  22. Laravel 5.2 Auth not Working
  23. PHP File Upload
  24. Authenticating in PHP using LDAP through Active Directory
  25. Print $_POST variable name along with value
  26. Using windows authentication with php?
  27. PHP ZIP files on the fly
  28. Laravel Auth:attempt() will not persist login
  29. POST arrays not showing unchecked Checkboxes
  30. Limiting user login attempts in PHP [duplicate]

Leave a Comment