doudandui1592 2017-08-23 08:17
Views: 7
Accepted

How to prevent other websites from sending POST data to my website in PHP

What is the best method to stop other websites from sending data to my website in PHP?

I googled it and found I need to use a hash. But there are different hashes; which one should I use? Let's say I pick sha1.

Now, how exactly can I prevent other websites from sending POST data to my website with sha1?

I am a bit confused; can someone show me a little demo code?

This is the code I thought of, but it is not flawless.

Index.php page:

<?php $password = sha1("toby123"); ?>

<form method="post" action="insert.php">
<input type="text" name="username"/>
<input type="password" name="password"/>
<input type="hidden" name="hiddenpass" value="<?php echo $password; ?>"/>
</form>

Insert Into Database PHP Page:

<?php
$hiddenpass = "toby123";

if ($_POST["hiddenpass"] == sha1($hiddenpass)) {
    // INSERT THE DATA
}

But the problem here is that the hash in the form will be visible to everyone. What if someone cracks it?

I mean, by using a hit-and-trial method?

Is my method 100% safe?

Edit:

This is my new code after looking at one of the answers, but the if condition is always false.

Index.php Page

<?php
// Start the session
session_start();

$token = bin2hex(random_bytes(32));

if (!isset($_SESSION['token'])) {
    $_SESSION['token'] = $token;
}
?>

Insert.php Page:

<?php
session_start();

echo $_SESSION['token'];
echo '<br/>';
echo $_POST['token'];

if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
    // Insert Data
} else {
    echo "<br/>Something went wrong";
}

unset($_SESSION['token']);

Output:

055442be59701631db6ed88dc341027ebf2238507bb9a72f1caefd6d3b126a4b

055442be59701631db6ed88dc341027ebf2238507bb9a72f1caefd6d3b126a4b

Something went wrong


2 answers

  • dsgnze6572 2017-08-23 08:44

    You should be securing your forms by using CSRF tokens. The CSRF token should always be random. CSRF stands for Cross-Site Request Forgery.


    Here is a good and secure method:

    <?php
    
    function random_token()
    {
    
        $token = bin2hex(random_bytes(32));
    
        return $token;
    }
    
    
    function gentoken()
    {
        if (!isset($_SESSION['token'])) {
            $_SESSION['token'] = random_token();
        }
    }
    
    
    function checktoken($token)
    {
        if (isset($_SESSION['token']) && $token === $_SESSION['token']) {
            deletetoken();
            return true;
        }
        return false; // default
    }
    
    
    function deletetoken()
    {
        unset($_SESSION['token']);
    }
    
    ?>
    

    And here should be your form

    <form method="post" action="insert.php">
    <input type="text" name="username"/>
    <input type="password" name="password"/>
    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
    <input type="submit" name="submit" value="Insert"/>
    </form>
    

    When the page starts, write this (the session must be started before the token can be stored):

    session_start();
    gentoken();
    
    **And to check for the token do this**
    
    
    
    session_start(); // the token functions above must also be available on this page

    if (isset($_POST['submit'])) {

        $token = $_POST['token'];
        if (checktoken($token)) {
            // Token matched: safe to insert the data
        } else {
            echo "Something wrong happened"; // When the token is changed or doesn't match!
        }

    }
    

    Notes:

    random_bytes() generates cryptographically secure bytes and doesn't need to be hashed!

    I hope this helped. Good luck!

    This answer was accepted by the asker.
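The token flow the accepted answer describes, carried through end to end as an added example (this is not code from the question or the answer). It assumes the session key `csrf_token` and the form field name `token`, and it passes the session and the POST body in as plain arrays so it runs from the command line (`php csrf_demo.php`) without a web server; in a real page you would pass `$_SESSION` and `$_POST`. It also shows two things the answer's code leaves implicit: the comparison uses `hash_equals()` rather than `==`, and the token is consumed on every check, so neither a forged guess nor a replay of an already-used token is accepted.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or the answer's code. Session and POST
// data are passed in as arrays so the file runs from the CLI; the key
// 'csrf_token' and field name 'token' are assumed names.

/** Return the session's CSRF token, creating a fresh 256-bit one if absent. */
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        // random_bytes() is a CSPRNG: 32 bytes = 64 hex chars, not guessable by trial.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to drop into the form (escaped, even though hex is attribute-safe). */
function csrf_hidden_field(array &$session): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate the submitted token. True only for a string that exactly matches
 * the session token. The token is discarded either way, so one leaked token
 * cannot be replayed and a failed guess cannot be retried against the same value.
 */
function csrf_check(array &$session, array $post): bool
{
    $expected = $session['csrf_token'] ?? null;
    $given    = $post['token'] ?? null;
    unset($session['csrf_token']); // single use: rotate on every check

    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    // hash_equals(): strict, constant-time comparison. Do not use == here:
    // loose comparison treats numeric-looking strings like "0e123" and "0e456" as equal.
    return hash_equals($expected, $given);
}

// ---- Simulation with constructed input (not captured traffic) ----
$session = [];

// 1. Rendering index.php puts the token in the form and in the session.
$field = csrf_hidden_field($session);
printf("form field: %s\n", $field);

// 2. The user's browser submits the form; the token round-trips unchanged.
$legit = ['username' => 'alice', 'password' => 'hunter2', 'token' => $session['csrf_token']];
printf("legitimate submit accepted: %s\n", csrf_check($session, $legit) ? 'yes' : 'no');

// 3. A page on another site can make the victim's browser POST to insert.php
//    (the session cookie goes along), but it never saw this session's token,
//    so the best it can do is guess.
csrf_token($session); // index.php rendered again for the victim
$forged = ['username' => 'alice', 'password' => 'pwned', 'token' => str_repeat('0', 64)];
printf("forged submit accepted: %s\n", csrf_check($session, $forged) ? 'yes' : 'no');

// 4. Replay: re-sending the legitimate token after it was consumed also fails.
csrf_token($session);
printf("replayed submit accepted: %s\n", csrf_check($session, $legit) ? 'yes' : 'no');
```

The static `sha1("toby123")` from the question fails exactly where step 3 succeeds: a constant in the page source is the same for every visitor, so another site can simply copy it into its own form. A per-session random token is different for each victim and is never readable from a cross-origin page, which is the property that actually blocks the forged POST.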
