Case Analysis of php Cross site Attack

  • 2021-07-24 10:17:29
  • OfStack

This article explains the principle behind PHP cross-site request forgery (CSRF) attacks and how to prevent them, using a worked example. It is shared for your reference; the specific approach is analysed as follows:

Cross-site attacks exploit a detail of how the program behaves, or an outright bug, so how can we prevent them? The following is an example of defending against cross-site request forgery, which we hope will help you.

<?php
# demo for preventing CSRF
/**
 * Derive a token from a timestamp and a server-side secret
 */
function encrypt($token_time) {
    return md5('!@##$@$$#%43' . $token_time);
}
$token_time = time();
$token = encrypt($token_time);
$expire_time = 10; // token lifetime in seconds
if ($_POST) {
    $_token_time = (int) ($_POST['token_time'] ?? 0);
    $_token = (string) ($_POST['token'] ?? '');
    if ((time() - $_token_time) > $expire_time) {
        echo "expired token";
        echo "<br />";
    }
    echo $_token;
    echo "<br />";
    // recompute the token from the submitted timestamp
    $_token_real = encrypt($_token_time);
    echo $_token_real;
    echo "<br />";
    // compare $_token and $_token_real in constant time
    if (hash_equals($_token_real, $_token)) {
        echo "token ok";
    } else {
        echo "invalid token";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>test for csrf</title>
</head>
<body>
<form method="post" action="">
<input type="text" name="text" value="hello" />
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="hidden" name="token_time" value="<?php echo $token_time; ?>" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>


By including a verification token in your form, you greatly reduce the risk of cross-site request forgery attacks. You can apply this process to any form that performs an action.
Of course, it is better to store the token in the session; the code above is only a simple example.

Simple analysis:

Token-based protection is also simply called a "token". When the user visits the page, we generate a random token and store it both in the session and in the form. If the token we receive with the submission does not match the one in the session, the submission is rejected and the form data must be entered and submitted again.
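The session-bound variant the article recommends, as an added example that is not part of the original post: the token comes from the CSPRNG rather than from a secret and a timestamp, it is stored in $_SESSION so a token from one session is worthless in another, it is compared with hash_equals(), and it is rotated after each successful check. The CSRF_TTL value and the helper names csrf_token() and csrf_check() are assumptions made for this example; it assumes PHP 7 or later with sessions enabled.

```php
<?php
// Added example of a session-bound CSRF token (not the article's code).
// Assumes PHP >= 7.0 (random_bytes, hash_equals, ??) and working sessions.
session_start();

const CSRF_TTL = 600; // token lifetime in seconds (assumed value)

/**
 * Return the current session's CSRF token, creating a fresh one if none
 * exists or the stored one has expired. The token is unguessable because
 * it comes from the CSPRNG, and it is only meaningful for this session.
 */
function csrf_token(): string {
    $entry = $_SESSION['csrf'] ?? null;
    if ($entry === null || (time() - $entry['time']) > CSRF_TTL) {
        $entry = ['value' => bin2hex(random_bytes(32)), 'time' => time()];
        $_SESSION['csrf'] = $entry;
    }
    return $entry['value'];
}

/**
 * Validate a submitted token against the session copy.
 * hash_equals() avoids timing side channels; the token is discarded after
 * a successful check so the same value cannot be replayed.
 */
function csrf_check($submitted): bool {
    $entry = $_SESSION['csrf'] ?? null;
    if ($entry === null || !is_string($submitted)) {
        return false;
    }
    if ((time() - $entry['time']) > CSRF_TTL) {
        unset($_SESSION['csrf']);   // expired: the form must be reloaded
        return false;
    }
    $ok = hash_equals($entry['value'], $submitted);
    if ($ok) {
        unset($_SESSION['csrf']);   // single use
    }
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['token'] ?? null)) {
        http_response_code(403);
        echo "invalid or expired token, please submit the form again<br />";
    } else {
        $text = htmlspecialchars($_POST['text'] ?? '', ENT_QUOTES, 'UTF-8');
        echo "token ok, processing: " . $text . "<br />";
    }
}
$token = csrf_token(); // issue a (possibly new) token for the rendered form
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>session-bound csrf token</title>
</head>
<body>
<form method="post" action="">
<input type="text" name="text" value="hello" />
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
```

The difference from the timestamp scheme above is what the server checks against: there, any client that knows the hashing secret and the current time can produce an acceptable token, and a token is not tied to any particular user; here, the only valid token is the random value held in this user's own session, which a cross-site page cannot read. Discarding the token after use means a form opened in two tabs will fail in the second tab; if that matters for your application, keep the token for the session lifetime instead and only rotate it on login.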

I hope this article is helpful to everyone's PHP programming.

