Hello friends, today we are going to learn Cross-Site Request Forgery (CSRF) prevention in PHP using a secret token that must accompany each state-changing request. In a CSRF attack the victim's browser is tricked into sending a request the victim never intended; because the browser attaches the victim's cookies automatically, that request rides on their logged-in session and can change server-side state or manipulate the user's account. To prevent it, the server generates a unique, secret, unpredictable CSRF token and embeds it in the page (here as a hidden form field) so that it is sent back with the subsequent request. A page on another origin cannot read that value, so any request arriving without the correct token is treated as illegitimate and the action is not performed. Here is the example code:
config.php
<?php
// config.php: derive a per-session CSRF token from the form name, the session ID
// and a server-side secret. The token is unpredictable to a third-party site
// (it knows neither the secret nor the session ID) but stays constant for the
// lifetime of the session; it is not a fresh random value for every request.

function generateCsrfToken(string $formName): string
{
    // In production keep this out of the code base (environment variable or config file).
    $secretKey = 'hsfps154ae5gz2#';

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $sessionId = session_id();

    // An HMAC binds the token to form + session without exposing the secret.
    return hash_hmac('sha256', $formName . '|' . $sessionId, $secretKey);
}

function isCsrfTokenValid(string $token, string $formName): bool
{
    // hash_equals() compares in constant time, so timing does not leak the expected value.
    return hash_equals(generateCsrfToken($formName), $token);
}
index.php
<?php
include_once 'config.php';

// Start the session before any output so the session cookie can still be sent;
// otherwise generateCsrfToken() would start it mid-page, after headers have gone out.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

$msg = "";
if (isset($_POST['submit'])) {
    if (!isset($_POST['token']) || !is_string($_POST['token'])) {
        $msg = '<div class="alert alert-danger">Security Token Not Provided</div>';
    } elseif (!isCsrfTokenValid($_POST['token'], 'myform')) {
        $msg = '<div class="alert alert-danger">Security Token Invalid</div>';
    } else {
        $name  = trim((string) ($_POST['name'] ?? ''));
        $email = filter_var(trim((string) ($_POST['email'] ?? '')), FILTER_SANITIZE_EMAIL);
        $phone = trim((string) ($_POST['phone'] ?? ''));

        // SQL query goes here if the data needs to be stored (use prepared statements).

        // Escape on output: FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and was never
        // an HTML encoder, so echoing the raw values back would be reflected XSS.
        $msg = '<div class="alert alert-success">Submitted Successfully<br/>'
             . '[Name: '    . htmlspecialchars($name,  ENT_QUOTES, 'UTF-8')
             . ' | Email: ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8')
             . ' | Phone: ' . htmlspecialchars($phone, ENT_QUOTES, 'UTF-8')
             . ']</div>';
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>CSRF Prevention</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
</head>
<body>
<div class="container" style="padding: 25px;">
    <h2 class="text-center">Contact Form</h2>
    <?= $msg ?>
    <div class="row">
        <div class="col-md-6">
            <div class="card">
                <div class="card-header">
                    With CSRF Token
                </div>
                <div class="card-body">
                    <form name="myform" method="post" action="">
                        <div class="form-group">
                            <label>Name</label>
                            <input type="text" name="name" class="form-control"/>
                        </div>
                        <div class="form-group">
                            <label>Email</label>
                            <input type="email" name="email" class="form-control"/>
                        </div>
                        <div class="form-group">
                            <label>Phone</label>
                            <input type="text" name="phone" class="form-control"/>
                        </div>
                        <!-- The token is tied to this session; a page on another origin cannot read it. -->
                        <input type="hidden" name="token" value="<?= generateCsrfToken('myform') ?>"/>
                        <input type="submit" name="submit" value="Submit" class="btn btn-success"/>
                    </form>
                </div>
            </div>
        </div>
        <div class="col-md-6">
            <div class="card">
                <div class="card-header">
                    Without CSRF Token
                </div>
                <div class="card-body">
                    <!-- Same fields, no token: this submission is rejected, which is exactly
                         what a forged request from another origin looks like to the server. -->
                    <form name="myform" method="post" action="">
                        <div class="form-group">
                            <label>Name</label>
                            <input type="text" name="name" class="form-control"/>
                        </div>
                        <div class="form-group">
                            <label>Email</label>
                            <input type="email" name="email" class="form-control"/>
                        </div>
                        <div class="form-group">
                            <label>Phone</label>
                            <input type="text" name="phone" class="form-control"/>
                        </div>
                        <input type="submit" name="submit" value="Submit" class="btn btn-success"/>
                    </form>
                </div>
            </div>
        </div>
    </div>
</div>
<script src="https://code.jquery.com/jquery-3.4.1.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>
</body>
</html>
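The config.php above derives one token per session, so the same value is re-sent with every form for the lifetime of the session. Where a fresh random token per rendered form is wanted (the synchronizer-token pattern), the token can instead be drawn from random_bytes() and kept server-side. The following is an added example written for this page, not the tutorial's own code: the function names csrf_issue, csrf_verify, csrf_field and csrf_selftest and the one-hour lifetime are choices made here, and the store is passed in explicitly so the same functions work against $_SESSION in a web request and against a plain array in the command-line self-test.

```php
<?php
declare(strict_types=1);

// Added example (not the tutorial's config.php): random, single-use CSRF tokens kept
// server-side, one per form name. In a web request pass $_SESSION as $store (call
// session_start() first); the self-test below uses a constructed in-memory array.
// Function names and the 3600-second lifetime are assumptions made for this example.

const CSRF_LIFETIME = 3600;

/** Issue a fresh 256-bit token for $formName and remember it in $store. */
function csrf_issue(array &$store, string $formName): string
{
    $token = bin2hex(random_bytes(32));                 // CSPRNG, 64 hex characters
    $store['csrf'][$formName] = ['token' => $token, 'exp' => time() + CSRF_LIFETIME];
    return $token;
}

/**
 * Verify the submitted value against the stored token for $formName.
 * The stored token is removed on every attempt, so it can be used (or guessed at)
 * exactly once. Returns true only for a fresh, unexpired, exact match.
 */
function csrf_verify(array &$store, mixed $submitted, string $formName): bool
{
    $stored = $store['csrf'][$formName] ?? null;
    unset($store['csrf'][$formName]);

    if ($stored === null || !is_string($submitted)) {   // nothing issued, or field missing/array
        return false;
    }
    if ($stored['exp'] < time()) {                      // stale token from an old page
        return false;
    }
    return hash_equals($stored['token'], $submitted);   // constant-time comparison
}

/** Hidden field to print inside the form, in place of the tutorial's generateCsrfToken() call. */
function csrf_field(array &$store, string $formName): string
{
    $token = htmlspecialchars(csrf_issue($store, $formName), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '"/>';
}

/** Walk the main scenarios over a constructed store; true when every one behaves as intended. */
function csrf_selftest(): bool
{
    $session = [];                                               // stands in for $_SESSION

    $t1 = csrf_issue($session, 'myform');
    $ok = csrf_verify($session, $t1, 'myform');                  // genuine submission succeeds
    $ok = $ok && !csrf_verify($session, $t1, 'myform');          // replaying the consumed token fails

    $t2 = csrf_issue($session, 'myform');
    $ok = $ok && !csrf_verify($session, null, 'myform');         // forged form carries no token
    $ok = $ok && !csrf_verify($session, $t2, 'myform');          // and that attempt burned the real one

    $t3 = csrf_issue($session, 'myform');
    $ok = $ok && !csrf_verify($session, $t3, 'other');           // token is bound to its form name
    $ok = $ok && csrf_verify($session, $t3, 'myform');           // the 'other' lookup left 'myform' intact

    $t4 = csrf_issue($session, 'myform');
    $session['csrf']['myform']['exp'] = time() - 1;              // simulate an expired token
    $ok = $ok && !csrf_verify($session, $t4, 'myform');

    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo csrf_selftest() ? "self-test passed\n" : "self-test FAILED\n";
}
```

Single-use tokens have a usability cost: a user who opens the same form in two tabs will have the first tab's token overwritten by the second, so one of the submissions is rejected. The per-session token in config.php avoids that at the price of reusing one value for the whole session; either way, set the session cookie's SameSite attribute as well, since that blocks most cross-site form posts before the token check is even reached.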
Output
Thank you for stopping by. Please don't forget to share if you liked it.