To prevent CSRF, you need to verify a one-time token that is POSTed and tied to the current session. Something like the following...
On the page where the user requests deletion of the record:
/confirm/i.php
<?php
session_start();
$token = isset($_SESSION['delete_customer_token']) ? $_SESSION['delete_customer_token'] : "";
if (!$token) {
    // generate token and persist for later verification
    // - in practice use openssl_random_pseudo_bytes() or similar instead of uniqid()
    $token = md5(uniqid());
    $_SESSION['delete_customer_token'] = $token;
}
session_write_close();
?>
<html>
<body>
<form method="post" action="/confirm/i_save.php">
    <input type="hidden" name="token" value="<?php echo $token; ?>" />
    Do you really want to delete?
    <input type="submit" value=" Yes " />
    <input type="button" value=" No " onclick="history.go(-1);" />
</form>
</body>
</html>
Then, to actually delete the record:
/confirm/i_save.php
<?php
session_start();
// validate token
$token = isset($_SESSION['delete_customer_token']) ? $_SESSION['delete_customer_token'] : "";
// only accept a token that was actually posted as a string, and compare in constant time
if ($token && isset($_POST['token']) && is_string($_POST['token']) && hash_equals($token, $_POST['token'])) {
    // delete the record ...
    // remove token after successful delete
    unset($_SESSION['delete_customer_token']);
} else {
    // log potential CSRF attack.
}
session_write_close();
?>
The token should be hard to guess, unique for each delete request, only accepted via $_POST, and should expire after a few minutes (expiry is not shown in this example).
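The answer above leaves out expiry and per-request uniqueness. The helper below is an added example, not part of the original answer, that supplies both: a CSPRNG token stored in the session with its issue time, consumed on the first verification attempt and rejected after a TTL. The function names `csrf_issue` / `csrf_verify` and the `$_SESSION['csrf']` layout are my own choices.

```php
<?php
// Added example: single-use, expiring CSRF token bound to the PHP session.
// Requires PHP 7.1+ (random_bytes, hash_equals, nullable types).

const CSRF_TTL_SECONDS = 300; // tokens expire five minutes after issue

// Issue a fresh token for $action (e.g. 'delete_customer') and store it in the
// session together with its creation time. Call this when rendering the form.
function csrf_issue(string $action): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['csrf'][$action] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Verify the token submitted with the POST. Returns true only if a token for
// $action exists, has not expired and matches in constant time. The stored
// token is removed on every attempt, so each token can be used exactly once
// and a failed attempt cannot be retried against the same value.
function csrf_verify(string $action, ?string $submitted): bool {
    $stored = $_SESSION['csrf'][$action] ?? null;
    unset($_SESSION['csrf'][$action]);
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > CSRF_TTL_SECONDS) {
        return false;                            // expired
    }
    return hash_equals($stored['token'], $submitted);
}

// --- usage in the two pages from the answer ---
// /confirm/i.php (form page):
//   session_start();
//   $token = csrf_issue('delete_customer');
//   session_write_close();
//   echo '<input type="hidden" name="token" value="'
//      . htmlspecialchars($token, ENT_QUOTES) . '" />';
//
// /confirm/i_save.php (handler):
//   session_start();
//   $posted = (isset($_POST['token']) && is_string($_POST['token'])) ? $_POST['token'] : null;
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && csrf_verify('delete_customer', $posted)) {
//       // delete the record ...
//   } else {
//       // log potential CSRF attempt and respond with 403
//   }
//   session_write_close();
```

Because the token is deleted on every verification attempt, a user who submits an expired or reused form simply gets a fresh form with a new token, while a forged request never sees a valid one.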