PHP CSRF form token + validation advice

I've got a submission form with 9 fields, 6 of which require validation, including an upload field with file size and file type validation.

Generating a random token to prevent CSRF is working, but what is the correct way to validate when using a token?

If I do the validation within the same file, the token is regenerated with the validation reload. (Can this be prevented? I've tried isset() but it still regenerates.) However, using the same file prevents the user's Name and Email from being stored in a session.

Is it best to do the validation within a separate file, which then redirects back to the form with basic variables in the URL for each error, i.e. http://www.example.com/form?n=1

Using a separate file would also mean storing the form data within the session, so the form can be repopulated if errors exist on the redirect.

Any help gratefully received.

From experience, CodeIgniter does a great CSRF implementation, among other security measures. I would suggest that you go over their code to gain a good understanding of the whole process. Also see this.
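As an added illustration of the single-file approach the question asks about (this is example code, not from the question, the answer or CodeIgniter): the token is created only when the session has none, so a validation reload keeps it; it is compared with hash_equals; and it is rotated only after a successful submission. The field names `name` and `email` and the redirect target `/form?ok=1` are hypothetical.

```php
<?php
// Added example, not from the question, the answer or CodeIgniter. Single-file
// form handler: one CSRF token per session, checked on every POST, rotated only
// after a successful submission. Field names and redirect target are hypothetical.
declare(strict_types=1);
session_start();

// Create the token only when the session has none. A reload or a failed
// validation must keep it, or the token in the form the user already holds
// stops matching (this is the "isset() but still regenerates" trap).
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_token_valid($submitted): bool
{
    // hash_equals compares in constant time; is_string rejects arrays and nulls.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);          // reject before reading any other field
        exit('Invalid form submission.');
    }
    $name  = trim($_POST['name'] ?? '');
    $email = trim($_POST['email'] ?? '');
    if ($name === '') {
        $errors['name'] = 'Name is required.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid e-mail address.';
    }
    if (!$errors) {
        // Success: keep the user in the session, rotate the token so this
        // submission cannot be replayed, then redirect so a refresh does not repost.
        $_SESSION['user'] = ['name' => $name, 'email' => $email];
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        header('Location: /form?ok=1');
        exit;
    }
    // Validation errors: fall through and re-render with the SAME token.
}
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= $h($_SESSION['csrf_token']) ?>">
  <input name="name" value="<?= $h($_POST['name'] ?? '') ?>"> <?= $h($errors['name'] ?? '') ?>
  <input name="email" value="<?= $h($_POST['email'] ?? '') ?>"> <?= $h($errors['email'] ?? '') ?>
  <button type="submit">Send</button>
</form>
```

Because the token survives a failed validation, the name and e-mail can be re-rendered from $_POST directly, so no session storage or URL error codes are needed for the "same file" variant.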
