PHP - CSRF token class
Can someone explain to me how to protect the profile page from the wrong user editing the URL to see other users' profile pages? I am using a token class that generates a random number to protect against cross-site request forgery. For some reason it doesn't work. Any suggestion or another way?

I also get the following error: Undefined index: token in phpproject22_csrf\profile.php on line 12
Page with the order form:

```php
<?php
session_start();
require_once 'classes/token.php';

$tk = new token();

// Handle the submitted form: all three fields must be present
if (isset($_POST['username'], $_POST['product'], $_POST['token'])) {
    $username = $_POST['username'];
    $product  = $_POST['product'];
    if (!empty($product) && !empty($username)) {
        if (token::check($_POST['token'])) {
            echo $_POST['token'] . '<br>';
            $tk->get('username');
            $_SESSION['user'] = $tk->name();
            echo 'Process order';
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>CSRF protection</title>
</head>
<body>
<form action="" method="post">
    <div class="product">
        <strong>Profile</strong>
        <div class='field'>
            Username: <input type='text' name='username'>
        </div>
        <input type='submit' value='Order'>
        <input type='hidden' name='product' value='1'>
        <!-- a fresh token is generated and stored in the session on every page load -->
        <input type='hidden' name='token' value='<?php echo token::generate(); ?>'>
    </div>
</form>
<?php if (isset($_POST['username'])) { ?>
    <p>Hello <a href='profile.php?user=<?php echo $tk->name(); ?>'><?php echo $tk->name(); ?></a>!</p>
<?php } ?>
</body>
</html>
```

classes/token.php:

```php
<?php
class token {
    private $_data;

    // Create a random token, store it in the session and return it
    public static function generate() {
        return $_SESSION['token'] = base64_encode(openssl_random_pseudo_bytes(32));
    }

    // Compare the submitted token with the session copy; the token is single-use
    public static function check($token) {
        if (isset($_SESSION['token']) && $token === $_SESSION['token']) {
            unset($_SESSION['token']);
            return true;
        }
        return false;
    }

    public function get($item) {
        if (isset($_POST[$item])) {
            $this->_data = $_POST[$item];
        }
    }

    public function name() {
        return $this->_data;
    }
}
?>
```

profile.php:

```php
<?php
require_once 'classes/token.php';
session_start();
?>
<form action="" method="post">
    <input type='hidden' name='token' value='<?php echo token::generate(); ?>'>
</form>
<?php
echo 'Hello ' . $_SESSION['user'] . '!<br>';
if (isset($_GET['user'])) {
    // This page is reached by a GET link, so $_POST['token'] is never set here
    // and this line raises "Undefined index: token"
    if (token::check($_POST['token'])) {
        echo $_GET['user'];
    }
}
?>
```
When checking the POST you need the following:

```php
if ($_POST) {
    if (isset($_POST['token']) && token::check($_POST['token'])) {
        // code
    } else {
        // error
    }
}
```

If the POST is spoofed and doesn't include the token, you're going to get an undefined index error, because $_POST['token'] doesn't exist and you're referencing it.
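As an added example (not the asker's or the answerer's code), the pattern the answer describes in a single page: a small token helper, the token read with a null check so a missing field never triggers the notice, and the check run only on POST requests, since the GET that loads the page carries no token. It assumes PHP 7 or later (random_bytes, hash_equals); the class and method names CsrfToken, get, check and field are assumptions, and the question's classes/token.php is not used. It also goes one step beyond the answer: the profile greeting reads the user from $_SESSION rather than from a user parameter in the URL, which is what addresses the URL-editing concern in the question. A CSRF token proves the request came from your own form; it does not decide whose data may be shown.

```php
<?php
// Added example, not the original page's code. Names are assumptions.
declare(strict_types=1);

session_start();

final class CsrfToken
{
    private const KEY = 'csrf_token';

    // One token per session, created lazily and reused, so a second tab or a
    // page with several forms does not invalidate the first form's token.
    public static function get(): string
    {
        if (empty($_SESSION[self::KEY])) {
            $_SESSION[self::KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::KEY];
    }

    // Accepts whatever came out of $_POST (string, array or null) and only
    // compares strings, in constant time; a plain === leaks timing.
    public static function check($token): bool
    {
        if (!is_string($token) || empty($_SESSION[self::KEY])) {
            return false;
        }
        return hash_equals($_SESSION[self::KEY], $token);
    }

    // Hidden field for inclusion in any state-changing form.
    public static function field(): string
    {
        return '<input type="hidden" name="token" value="'
            . htmlspecialchars(self::get(), ENT_QUOTES, 'UTF-8') . '">';
    }
}

// Run the CSRF check only on POST; a plain GET of the page has no token and
// must not be treated as an error.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Null-coalescing read: no "Undefined index" notice when the field is absent.
    if (!CsrfToken::check($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $username = trim((string)($_POST['username'] ?? ''));
    if ($username !== '') {
        // Demo only: in a real application the session user is set at login.
        $_SESSION['user'] = $username;
        echo 'Process order<br>';
    }
}

// Profile greeting: the identity comes from the server-side session, never
// from a ?user= parameter, so editing the URL shows nothing of another user.
if (isset($_SESSION['user'])) {
    echo 'Hello ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') . '!<br>';
}
?>
<form action="" method="post">
    Username: <input type="text" name="username">
    <input type="hidden" name="product" value="1">
    <?= CsrfToken::field() ?>
    <input type="submit" value="Order">
</form>
```

Loading the page with GET renders the form and the greeting without any token check; submitting it without the hidden field, or with a wrong value, returns 403 before any of the order handling runs.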