PHP 7.2.0 Beta 3 Released

Voting

Please answer this simple SPAM challenge: min(four, four)?
(Example: nine)

The Note You're Voting On

Livingstone@stonyhills[dot]com
9 years ago
making sure your form is submitted from your page! Could also be adapted to url, by additing &token to the query string and checking this against session data(or what ever array you like) with $_GET, not that this string is randomly generated and stored. If you like you could build your own array to store the generated string if you dont want to use $_SESSION, say you could make yours like $tokens = array(), and in your easysecure class you store all the stuff in that array!

<?php

class easysecure {
   
    var
$curr_user;
    var
$curr_permission;
    var
$curr_task;
    var
$validpermission;
    var
$error;
   
   
    function &
setVar( $name, $value=null ) {
        if (!
is_null( $value )) {
           
$this->$name = $value;
        }
        return
$this->$name;
    }

    function
maketoken($formname, $id){
       
       
$token = md5(uniqid(rand(), true));
       
       
$_SESSION[$formname.$id] = $token;
       
        return
$token;
    }
   
    function
checktoken($token, $formname, $id){
       
//print_r($_SESSION);
        //echo ($token);
        //if we dont have a valid token, return invalid;
       
if(!$token){
           
$this->setVar('validpermission', 0);
           
$this->setVar('error', 'no token found, security bridgedetected');
            return
false;
        }
       
       
//if we have a valid token check that is is valid
       
$key = $_SESSION[$formname.$id];
        if(
$key !== $token ){
           
$this->setVar('validpermission', 0);
           
$this->setVar('error', 'invalid token');
            return
false;
        }
       
        if(
$this->validpermission !==1){
              echo
'invalid Permissions to run this script';
              return
false;   
        }else{
            return
true;
        }
    }
   
}

?>

<?php $userid = *** //make it what ever id you like ?>
<form name="newform" action="index.php" method="post">
<input type="text" name="potentialeveilfield" value="" size 30 />
<input type="hidden" name="token" value="<?php echo maketoken(newform, $userid); //$userid here could be user profile id ?>" />
<input type="submit" />
</form>

Now when processing the form... check the value of your token

<?php

//well you know the form name
if(!checktoken($_POST['token'], 'newform', $userid))
{
//failed
exit(); //or what ever termination and notification method best suits you.
//you could also design the class your way to get more accurate fail (error messages from the var)
}

//you can now continue with input data clean up (validation)

?>

<< Back to user notes page

To Top