create Method and Automatic Token Verification Example Tutorial in ThinkPHP

  • 2021-07-13 04:57:24
  • OfStack

This article demonstrates, by example, the create method in ThinkPHP and how automatic token verification is implemented. The steps are as follows:

1. Data table structure

The user table is structured as follows:

id username password

2. view template section

The \aoli\Home\Tpl\default\User\create.html page reads as follows:


<form action="__URL__/addit" method="post">
 <input type="text" name="id" />
 <input type="text" name="username" />
 <input type="password" name="password" />
 <input type="submit" name="sub" value=" Submit " />
</form>

3. Action section

The \aoli\Home\Lib\Action.php page reads as follows:


<?php
 class UserAction extends Action {
   // Display the form template (create.html)
   function create(){
     $this->display();
   }

   function addit(){
     $user=M('user');
     // create() builds the data object from the submitted form and runs
     // the token check; it returns false when the check fails
     if(!$user->create()){
       dump('no');
     }else{
       // Token accepted: add the form content to the user table
       $user->add();
       dump('yes');
     }
   }
 }
?>

1. Before operating on the data submitted by the form, we often need to manually create the required data, such as the form data submitted above:


 // Instantiate the User model
  $user=M('user');
 
 // Build the data object from the form's POST data
  $data['username']=$_POST['username'];
  $data['password']=$_POST['password'];
 
 // Write to the database
  $user->data($data)->add();

Note: a data object created with the data method is not automatically validated or filtered; you have to handle that yourself. If you only need a simple data object and none of the additional functions, the data method is enough.

2. ThinkPHP can help us create data objects quickly. The most typical application is to automatically create data objects according to form data. The data objects created by the create method are stored in memory and are not actually written to the database.


   // Instantiate the user model
    $user=M('user');
  
   // Create the data object from the submitted POST data; it is held in memory and can be inspected with dump($user)
    $user->create();

   // Write the created data object to the database
    $user->add();

3. The create method can also build data objects from other sources, such as other data objects or arrays.


   $data['name']='ThinkPHP';
   $data['email']='ThinkPHP@gmail.com';
   $user->create($data);

It can even create a new data object from another object, for example a new member data object from a user data object:

   $user=M('user');
   $user->find(1);
   $member=M('member');
   $member->create($user);

4. While creating the data object, the create method also does some useful work, including token verification, automatic data validation, field type lookup and automatic data completion.

For this reason, the familiar token verification, automatic validation and automatic completion functions only take effect when the create method is used.

5. Token verification:

Purpose: it effectively prevents remote submission of forms, among other security protections.

Add the following configuration to config.php:


   'TOKEN_ON'    =>  true,     // Turn on token verification
   'TOKEN_NAME'  =>  'token',  // Name of the hidden form field used for token verification
   'TOKEN_TYPE'  =>  'md5',    // Hash rule used for the token

With automatic tokens, ThinkPHP puts an md5 hash string into the current session and inserts the same string into the form as a hidden field. The string therefore appears in two places: the session and the form. When the form is submitted, the first thing the server does is compare the submitted value with the session copy. If they match, the submission is allowed; otherwise it is rejected.

If you look at the source of create.html, you will see an additional auto-generated hidden field just before the closing tag of the form:


<input type="hidden" name="token" value="eef419c3d14c9c93caa7627eedaba4a5" />

(1) If you want to control where the hidden field is placed, add the {__TOKEN__} marker to the form page by hand; the system replaces it automatically when the template is output.

(2) If form token validation is turned on but an individual form does not need it, add {__NOTOKEN__} to the form page and token validation is ignored for that form.

(3) If there is more than one form on the page, it is recommended to add the {__TOKEN__} marker and to make sure that only one form requires token validation.

(4) If the create method is used to create the data object, the form validation will be automatically performed at the same time. If this method is not used, the autoCheckToken method of the model needs to be manually called for form validation.


if (!$User->autoCheckToken($_POST)){
//  Token validation error 
}
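
The session-and-hidden-field comparison described in section 5, as an added stand-alone example (not ThinkPHP's own code and not part of the original article). The function names are hypothetical, a plain array stands in for $_SESSION so the script runs from the command line, and random_bytes() is swapped in for the md5-based token value.

```php
<?php
// Added illustration, not ThinkPHP source; all function names are hypothetical.
// A plain array stands in for $_SESSION so the script runs from the CLI.

// Issue a token: keep one copy server-side, return the other as a hidden field.
function issue_form_token(array &$session, string $name = 'token'): string
{
    // Assumption: random_bytes() is used here in place of an md5-derived value.
    $session[$name] = bin2hex(random_bytes(16));
    return sprintf('<input type="hidden" name="%s" value="%s" />', $name, $session[$name]);
}

// Check a submission against the session copy. The token is destroyed after
// the comparison, so a given form can be submitted only once.
function check_form_token(array &$session, array $post, string $name = 'token'): bool
{
    if (!isset($session[$name], $post[$name]) || !is_string($post[$name])) {
        return false; // no token issued, none submitted, or token[]=... array input
    }
    $ok = hash_equals($session[$name], $post[$name]); // constant-time comparison
    unset($session[$name]);
    return $ok;
}

// Constructed walk-through: one session, one rendered form, four submissions.
$session = [];
preg_match('/value="([0-9a-f]{32})"/', issue_form_token($session), $m);
$form = ['username' => 'alice', 'password' => 'constructed-sample', 'token' => $m[1]];

$results = [];
$results['form submitted with its token']   = check_form_token($session, $form);
$results['same form submitted again']       = check_form_token($session, $form);

issue_form_token($session); // page reloaded: a fresh token is issued
$results['post without a token field']      = check_form_token($session, ['username' => 'bob']);
$results['post with a guessed token value'] = check_form_token($session, ['token' => str_repeat('0', 32)]);

foreach ($results as $case => $accepted) {
    echo str_pad($case, 34), $accepted ? 'accepted' : 'rejected', PHP_EOL;
}
```

Only the first submission is accepted; the replayed form, the post with no token field and the post with a guessed value are all rejected.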

I hope the examples shown in this paper are helpful to everyone's ThinkPHP programming.

