为了防止CSRF,您需要验证一次令牌,该令牌已过POST,并与当前会话相关联。类似以下内容。。。
在用户请求删除记录的页面上:
/confirm/i.php
<?php session_start(); $token = isset($_SESSION['delete_customer_token']) ? $_SESSION['delete_customer_token'] : ""; if (!$token) { // generate token and persist for later verification // - in practice use openssl_random_pseudo_bytes() or similar instead of uniqid() $token = md5(uniqid()); $_SESSION['delete_customer_token']= $token; } session_write_close();?><html><body><form method="post" action="/confirm/i_save.php"> <input type="hidden" name="token" value="<?php echo $token; ?>" />Do you really want to delete?<input type="submit" value=" Yes " /><input type="button" value=" No " onclick="history.go(-1);" /></form></body></html>然后,要真正删除记录:
/confirm/i_save.php
<?php session_start(); // validate token $token = isset($_SESSION['delete_customer_token']) ? $_SESSION['delete_customer_token'] : ""; if ($token && $_POST['token'] === $token) { // delete the record ... // remove token after successful delete unset($_SESSION['delete_customer_token']); } else { // log potential CSRF attack. } session_write_close();?>令牌应该很难猜测,对于每个删除请求都是唯一的,只能通过$ _POST接受,并且在几分钟后过期(此示例中未显示过期)。
