1
我正在尋找一種方法來確保我的Quickform2
中的CSRF-Protection
。PEAR QuickForm2 CSRF保護
我發現這個link但它是QuickForm1
。
任何想法,我可以適應QF2
?
感謝,
羅恩
我正在尋找一種方法來確保我的Quickform2
中的CSRF-Protection
。PEAR QuickForm2 CSRF保護
我發現這個link但它是QuickForm1
。
任何想法,我可以適應QF2
?
感謝,
羅恩
經過一番擺弄周圍,我想出了這個解決方案。
也許它可以幫助其他人,以及:
<?php
/**
* @uses HTML_QuickForm
* @desc Add automatic CSRF mitigation to all forms by incorporating a token that must be matched in the session and forcing the use of POST method
* Based on: http://www.zapoyok.info/2010/07/17/csrf-et-quickform-de-pear/
*/
require_once "QuickForm2.php";
class HTML_QuickForm2s extends HTML_QuickForm2
{
/**
* @property string $_sessionTokenKey The name of the session variable containing the token
*/
private $_sessionTokenKey;
/**
* @method __construct
* @desc Override the method to always use post and pass it on to the parent constructor. Create a session key for the token based on the form name.
* @param $id
* @param string $method
* @param mixed $attributes
* @param boolean $trackSubmit
*/
public function __construct($id, $method = 'post', $attributes = null, $trackSubmit = true)
{
$this->_sessionTokenKey = "QuickForm2s_" . md5($id);
parent::__construct($id, $method, $attributes, $trackSubmit);
//A token hasn't been created so do so
if (!isset($_SESSION[$this->_sessionTokenKey])) {
$_SESSION[$this->_sessionTokenKey] = md5(uniqid(rand(), true) . session_id()); //requires the session id to be known in order to add extra difficulty to compromising
}
//Hide the token at the end of the form
$this->addElement("hidden", "qfS_csrf");
$qfsCsrf= $this->getElementsByName('qfS_csrf');
$qfsCsrf[0]->setValue($_SESSION[$this->_sessionTokenKey]);
}
/**
* @method validate
* @desc Check if the passed token matches the session before allowing validation
* @return boolean
*/
public function validate()
{
$submitValues = $this->getValue();
//The token was not passed or does not match
if (!isset($submitValues['qfS_csrf']) || $submitValues['qfS_csrf'] != $_SESSION[$this->_sessionTokenKey]) {
$this->setError("Anti-CSRF token does not match");
}
return parent::validate();
}
}