dsljpwi494719
2010-09-18 10:14
Views: 20
Accepted

Zend form_element_hash

When generating a hash for a form token, I've seen a few different versions:

$hash = new Zend_Form_Element_Hash('hihacker', array('salt' => 'exitsalt'));

and 

$hash = new Zend_Form_Element_Hash('hash', 'no_csrf_foo', array('salt' => 'unique'));

First of all, does the salt have to be unique for each form render? The second one suggests so, but I'm not sure.

Also which is the better way of doing it?


1 answer

  • dsarttv037029 2010-09-18 15:14
    Accepted

    A unique salt would be better, as it would change each time, making it nearly impossible for any would-be spammers to auto-submit your form.

    Even with a constant salt, any would-be hacker would be unlikely to be able to break this.

    I would suggest creating the element this way

     $hash = new Zend_Form_Element_Hash('hash', 'no_csrf_foo', array('salt' => 'unique'));
    

    This way you know that the name of the element is no_csrf_foo, so you can easily get it back later if need be by doing

    $form->getElement("no_csrf_foo");
    

    Is there some specific scenario you are afraid of that would make this method of stopping auto form submission insufficient?

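Worked example, added here and not part of the question or the answer above: a Zend Framework 1 form that registers the hash element through `Zend_Form::addElement($type, $name, $options)`, which is the call the three-argument form in the question corresponds to (the `Zend_Form_Element_Hash` constructor itself takes a name or spec plus an options array), so that `$form->getElement('no_csrf_foo')` returns it. The form class, field names, action URL and the salt string are placeholders. The element generates a fresh random token every time the form is rendered, stores it in the session under a key built from the element name and salt, and fails validation when the submitted token is missing, different or older than the timeout; the per-render randomness comes from that generation step, so the token differs on each render even with a fixed salt.

```php
<?php
// Added example (not from the original question or answer): a minimal
// Zend Framework 1 form that carries a CSRF token via Zend_Form_Element_Hash.
// Assumes the ZF1 library is on the include path; the form name, action URL
// and salt value are placeholders.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

class CommentForm extends Zend_Form
{
    public function init()
    {
        $this->setName('comment_form')
             ->setMethod('post')
             ->setAction('/comment/submit');

        $this->addElement('text', 'body', array(
            'label'    => 'Comment',
            'required' => true,
        ));

        // Zend_Form::addElement($type, $name, $options): the element is
        // registered under the explicit name "no_csrf_foo", so it can be
        // fetched back later with $form->getElement('no_csrf_foo').
        $this->addElement('hash', 'no_csrf_foo', array(
            'salt'    => 'unique',  // placeholder salt string
            'timeout' => 300,       // seconds the token stays valid in the session
        ));

        $this->addElement('submit', 'send', array('label' => 'Send'));
    }
}

// Rendering the form generates a new token and stores it in the session;
// a later POST is validated against that stored copy.
$form = new CommentForm();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if ($form->isValid($_POST)) {
        // Token matched the session copy and the other fields validated.
        // The hash element is marked "ignore", so it is absent from getValues().
        $values = $form->getValues();
        // ... persist $values['body'] ...
    } else {
        // A missing, stale or tampered token ends up here together with any
        // other validation failures; messages are keyed by element name.
        $errors = $form->getMessages();
        // $errors['no_csrf_foo'] holds the hash element's failure message
    }
}

echo $form->render();
```

Because the token lives in the session, the check only works when the user's session cookie is present on the POST; a form rendered in one session and submitted from another (or after the timeout) is rejected, which is the behaviour that stops scripted submissions.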
