0
我使用此PHP class防止CSRF攻擊。php防止csrf攻擊多次提交
CODE:
$token = NoCSRF::generate('csrf_token');
<form name="csrf_form" action="#" method="post">
<input type="hidden" name="csrf_token" value="<?php echo $token; ?>">
...Other form inputs...
<input type="submit" value="Send form">
</form>
進行檢查CSRF:
try
{
// Run CSRF check, on POST data, in exception mode, with a validity of 10 minutes, in one-time mode.
NoCSRF::check('csrf_token', $_POST, true, 60*10, false);
// form parsing, DB inserts, etc.
}
catch (Exception $e)
{
// CSRF attack detected
}
這個工作對我來說,當我有一個在我的網頁但是,當我在我的網頁有兩種形式只有一種形式合作並以其他形式提交始終顯示CSRF attack detected。
PHP檢查FORM 1:
if($_POST['submit'] == "from") && !empty($_POST['username'])){
try
{
// Run CSRF check, on POST data, in exception mode, with a validity of 10 minutes, in one-time mode.
NoCSRF::check('csrf_token', $_POST, true, 60*10, false);
// form parsing, DB inserts, etc.
}
catch (Exception $e)
{
// CSRF attack detected
}
}
PHP檢查表格2:
if($_POST['submit'] == "from2") && !empty($_POST['username'])){
try
{
// Run CSRF check, on POST data, in exception mode, with a validity of 10 minutes, in one-time mode.
NoCSRF::check('csrf_token', $_POST, true, 60*10, false);
// form parsing, DB inserts, etc.
}
catch (Exception $e)
{
// CSRF attack detected
}
}
HTML表單:
<form name="csrf_form" action="#" method="post">
<?PHP $token = NoCSRF::generate('csrf_token');?>
<input type="hidden" name="csrf_token" value="<?php echo $token; ?>">
<input type="text" name="username">
<input type="submit" value="form">
</form>
<form name="csrf_form" action="#" method="post">
<?PHP $token = NoCSRF::generate('csrf_token');?>
<input type="hidden" name="csrf_token" value="<?php echo $token; ?>">
<input type="text" name="badname">
<input type="submit" value="form2">
</form>
如何解決這個問題或如何做的工作該類多個形成?!
類源here
爲什麼你檢查isset($ _ POST ['from2']),在你的html代碼中沒有這樣一個名字爲from2的輸入。 – daredesm 2014-10-04 23:39:00
http://stackoverflow.com/questions/20587746/one-token-vs-multiple-tokens-to-prevent-csrf-attacks – 2014-10-05 07:18:43