i'm generate a token for my form like this:
/*** set a form token ***/
$token = md5( uniqid(rand(), true) );
/*** set the session form token ***/
$_SESSION['form_token'] = $token;
and put hidden input in my form like this:
<input type="hidden" name="token" value="<?php echo $token; ?>" />
but when i submit the pages and compare the token it give me a different token id. can anyone tell me am i doing something wrong?
分享 Make sure you only (re)generate a token if the form is not submitted yet.
<?php
// Process request OR show form..
if($_SERVER['REQUEST_METHOD'] === 'POST')
{
// check if we receive a token
if(isset($_POST['form_token']))
{
// compare the token
if($_POST['form_token'] === $_SESSION['form_token'])
{
// do the magic here...
unset($_SESSION['form_token']);
} else {
die('No token match');
}
} else {
die('No token found');
}
} else {
$token = md5( uniqid(rand(), true));
$_SESSION['form_token'] = $token;
// print form with hidden token..
}
