18 01 2018
php表单加入Token方法
简单的用php实现的代码如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
<?php/** PHP简单利用token防止表单重复提交* 此处理方法纯粹是为了给初学者参考*/session_start();function set_token() {??$_SESSION['token'] = md5(microtime(true));}function valid_token() {??$return = $_REQUEST['token'] === $_SESSION['token'] ? true : false;??set_token();??return $return;}//如果token为空则生成一个tokenif(!isset($_SESSION['token']) || $_SESSION['token']=='') {??set_token();}if(isset($_POST['test'])){??if(!valid_token()){????echo "token error";??}else{????echo '成功提交,Value:'.$_POST['test'];??}}?><form method="post" action="">??<input type="hidden" name="token" value="<?php echo $_SESSION['token']?>">??<input type="text" name="test" value="Default">??<input type="submit" value="提交" /></form> |
下面的代码更加安全一点。
Token.php
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
<?php/*?* Created on 2013-3-25?*?* To change the template for this generated file go to?* Window - Preferences - PHPeclipse - PHP - Code Templates?*/function getToken($len = 32, $md5 = true) {??# Seed random number generator??# Only needed for PHP versions prior to 4.2??mt_srand((double) microtime() * 1000000);??# Array of characters, adjust as desired??$chars = array (????'Q',????'@',????'8',????'y',????'%',????'^',????'5',????'Z',????'(',????'G',????'_',????'O',????'`',????'S',????'-',????'N',????'<',????'D',????'{',????'}',????'[',????']',????'h',????';',????'W',????'.',????'/',????'|',????':',????'1',????'E',????'L',????'4',????'&',????'6',????'7',????'#',????'9',????'a',????'A',????'b',????'B',????'~',????'C',????'d',????'>',????'e',????'2',????'f',????'P',????'g',????')',????'?',????'H',????'i',????'X',????'U',????'J',????'k',????'r',????'l',????'3',????'t',????'M',????'n',????'=',????'o',????'+',????'p',????'F',????'q',????'!',????'K',????'R',????'s',????'c',????'m',????'T',????'v',????'j',????'u',????'V',????'w',????',',????'x',????'I',????'$',????'Y',????'z',????'*'??);??# Array indice friendly number of chars;??$numChars = count($chars) - 1;??$token = '';??# Create random token at the specified length??for ($i = 0; $i < $len; $i++)????$token .= $chars[mt_rand(0, $numChars)];??# Should token be run through md5???if ($md5) {????# Number of 32 char chunks????$chunks = ceil(strlen($token) / 32);????$md5token = '';????# Run each chunk through md5????for ($i = 1; $i <= $chunks; $i++)??????$md5token .= md5(substr($token, $i * 32 - 32, 32));????# Trim the token????$token = substr($md5token, 0, $len);??}??return $token;}?> |
form.php
|
1
2
3
4
5
6
7
8
9
10
|
<?phpinclude_once("token.php");$token = getToken();session_start();$_SESSION['token'] = $token;?><form action="action.php" method="post"<input type="hidden" name="token" value="<?=$token?>" /><!-- 其他input submit之类的 --></form> |
action.php
|
1
2
3
4
5
6
7
8
9
|
<?phpsession_start();if($_POST['token'] == $_SESSION['token']){??unset($_SESSION['token']);??echo "这是一个正常的提交请求";}else{??echo "这是一个非法的提交请求";}?> |
PHP $_SERVER[’PHP_SELF’]漏洞 详解Windows Hash与破解