duankousong9637 2014-03-12 22:04
19 views

Secure way of submitting a form [closed]

The answers will be sent to a mysql database.

Is there a better way of doing this, making it more secure?

<form action="insert.php" method="post">
    1. Artist Name: <input type="text" name="artist" />
    2. Song Name: <input type="text" name="song" />
    <input type="submit" />
</form>

1 answer

  • doukao5073 2014-03-12 22:27

    If you want to secure the form from external/3rd party site submissions then you add a CSRF token to the form, plus make the form keys unrelated to the content that's being posted.

    So for example, on your form:

    <?php 
    session_start();
    $_SESSION['csrf']        = uniqid(microtime(true));
    $_SESSION['artistParam'] = uniqid(microtime(true));
    $_SESSION['songParam']   = uniqid(microtime(true));
    ?>
    <form action="insert.php" method="post">
        <input type="hidden" name="csrf" value="<?php echo $_SESSION['csrf'];?>"/>
        1. Artist Name: <input type="text" name="<?php echo $_SESSION['artistParam'];?>" />
        2. Song Name: <input type="text" name="<?php echo $_SESSION['songParam'];?>" />
        <input type="submit" />
    </form> 
    

    Now on the receiver file insert.php, you would check that the required parameters are set and match the session vars, so for example:

    <?php 
    session_start();
    
    if(
        //Check is POST
        $_SERVER['REQUEST_METHOD'] == 'POST' &&
    
        //Check required variables are set
        isset($_SESSION['csrf']) &&
        isset($_SESSION['artistParam']) &&
        isset($_SESSION['songParam']) &&
        isset($_POST['csrf']) &&
        isset($_POST[$_SESSION['artistParam']]) &&
        isset($_POST[$_SESSION['songParam']]) &&
    
        //Check csrf key matches the session key (strict comparison, no type juggling)
        $_SESSION['csrf'] === $_POST['csrf']
    ){
        //do something with values
        $artist = $_POST[$_SESSION['artistParam']];
        $song   = $_POST[$_SESSION['songParam']];
    }
    
    //Unset to stop multiple attempts
    unset($_SESSION['csrf'], $_SESSION['artistParam'], $_SESSION['songParam']);
    ?>
    

    You could even go as far as encoding the form using javascript (a bit overkill).

    <?php 
    session_start();
    // Session tokens as generated in the first snippet; regenerated here so the
    // file runs on its own
    $_SESSION['csrf']        = uniqid(microtime(true));
    $_SESSION['artistParam'] = uniqid(microtime(true));
    $_SESSION['songParam']   = uniqid(microtime(true));
    
    $form = '<form action="insert.php" method="post">
        <input type="hidden" name="csrf" value="'.$_SESSION['csrf'].'"/>
        1. Artist Name: <input type="text" name="'.$_SESSION['artistParam'].'" />
        2. Song Name: <input type="text" name="'.$_SESSION['songParam'].'" />
        <input type="submit" />
    </form>';
    
    // Strip leading/trailing whitespace on each line and all line breaks
    $str = preg_replace('/^\s+|\r|\n|\s+$/m', '', $form);
    $enc = '';
    for ($i = 0; $i < strlen($str); $i++) {
        // dechex(ord()) is always 1 or 2 hex digits; pad to two and
        // percent-encode every byte so unescape() in the browser restores it
        $enc .= '%'.strtoupper(str_pad(dechex(ord($str[$i])), 2, '0', STR_PAD_LEFT));
    }
    $sec = substr(sha1(microtime(true)),0,10);
    echo '<script type="text/javascript">var x'.$sec.'x="'.$enc.'";document.write(unescape(x'.$sec.'x));</script>
        <noscript>
            <style>
                #noscript_notice {
                    text-align: center;
                    font-weight: bold;
                    color:#FF6962;
                    padding-top: 20px;
                }
            </style>
            <div id="noscript_notice">
                <p>Please enable JavaScript!</p>
            </div>
        </noscript>';
    ?>
    

    Is that what you meant?

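A hardened version of the same receiver, as an added example that is not the answerer's code: a cryptographically random one-time token compared with hash_equals(), input validation, and a prepared statement for the MySQL insert the question mentions. The `songs(artist, song)` table, the DSN and the credentials are placeholders assumed for the example.

```php
<?php
// Added example (not the answerer's code). Assumed: a MySQL table
// songs(artist, song) and the PDO DSN/credentials below (placeholders).
session_start();

function issue_csrf_token(): string {
    // Cryptographically random and bound to this session; uniqid() is guessable.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_token_is_valid(array $post, array $session): bool {
    // Reject missing or non-string input (e.g. csrf[]=x); hash_equals is constant-time.
    return isset($post['csrf'], $session['csrf']) && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

function clean_field(array $post, string $key, int $max = 200): ?string {
    // null when the field is absent, not a string, empty after trim, or too long
    $v = $post[$key] ?? null;
    if (!is_string($v)) { return null; }
    $v = trim($v);
    return ($v === '' || strlen($v) > $max) ? null : $v;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST, $_SESSION)) { http_response_code(403); exit('Invalid or missing CSRF token'); }
    unset($_SESSION['csrf']);   // one-time token: a captured value cannot be replayed
    $artist = clean_field($_POST, 'artist');
    $song   = clean_field($_POST, 'song');
    if ($artist === null || $song === null) { http_response_code(400); exit('Artist and song are required (max 200 bytes)'); }

    // Prepared statement: the values never become part of the SQL text, which is
    // what actually protects the MySQL insert from injection.
    $pdo = new PDO('mysql:host=localhost;dbname=music;charset=utf8mb4', 'dbuser', 'dbpass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $stmt = $pdo->prepare('INSERT INTO songs (artist, song) VALUES (:artist, :song)');
    $stmt->execute([':artist' => $artist, ':song' => $song]);
    exit('Saved');
}

$token = htmlspecialchars(issue_csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form action="insert.php" method="post">
    <input type="hidden" name="csrf" value="<?= $token ?>"/>
    1. Artist Name: <input type="text" name="artist" />
    2. Song Name: <input type="text" name="song" />
    <input type="submit" />
</form>
```

The randomised field names from the answer can be layered on top of this, but they add nothing once the token is unguessable and single-use.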
