csrf防御 · AAPHP開發手冊

### csrf防御驗證器 ~~~ <?php namespace application\example\validate; use aaphp\Validate; /** * csrf 表單token驗證 * Class CsrfValidate * @package application\example\validate */ class CsrfValidate extends Validate { protected $rule = [ '_token_' => [ 'token', ], ]; } ~~~ 控制器 ~~~ /** * csrf 跨域表單驗證 * @return string */ public function csrf() { $request = Request::instance(); if (!$request->isPost()) { return $this->fetch(); } $data = [ 'usernamea' => $request->post('usernamea'), 'password' => $request->post('password'), // 隱藏的token值 '_token_' => $request->post('_token_'), ]; $validate = new CsrfValidate(); if ($validate->check($data)) { echo '驗證通過<br/>'; } else { echo '驗證未通過，錯誤信息：<br/>'; var_dump($validate->getError()); } } ~~~ 視圖 ~~~ <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>csrf</title> </head> <body> <form action="" method="POST" style="border: 2px solid #00ffff;width: 500px"> <p>我有隱藏input，name="_token_" ，能通過token驗證" </p> <input type="hidden" name="_token_" value="{:aaphp\Validate::token()}"/> <input type="text" name="username" value="aaphp"/> <br/> <br/> <input type="text" name="password" value="123456"/> <br/> <br/> <input type="submit" value="提交"> </form> <hr> <form action="" method="POST" style="border: 2px solid #ff0000;width: 500px"> <p>我沒有隱藏input，不能通過token驗證" </p> <input type="text" name="username" value="aaphp"/> <br/> <br/> <input type="text" name="password" value="123456"/> <br/> <br/> <input type="submit" value="提交"> </form> </body> </html> ~~~