How To Prevent Cross Site Request Forgery Attacks in PHP


How To Prevent Cross Site Request Forgery Attacks in PHP

Post by jamied_uk on 1st December 2013, 19:07

Code:
Found at http://www.wikihow.com/Prevent-Cross-Site-Request-Forgery-%28CSRF%29-Attacks-in-PHP


Create csrf.class.php. Start by creating the file and saving it with the content below:

csrf.class.php


<?php
 
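/**
 * Session-backed CSRF token helper.
 *
 * All state lives in $_SESSION, so session_start() must have been called
 * before any method is used. The token id (the hidden field's name) and the
 * token value are generated once per session and reused until the session
 * is destroyed; callers that want a fresh token must unset
 * $_SESSION['token_id'] / $_SESSION['token_value'] themselves.
 *
 * Requires PHP >= 7.0 for random_bytes(), random_int() and hash_equals().
 */
class csrf {

    /**
     * Return the name of the hidden token field, creating it on first use.
     *
     * @return string 10 alphanumeric characters, stored in $_SESSION['token_id'].
     */
    public function get_token_id(): string {
        if (!isset($_SESSION['token_id'])) {
            $_SESSION['token_id'] = $this->random(10);
        }
        return $_SESSION['token_id'];
    }

    /**
     * Return the session's token value, creating it on first use.
     *
     * @return string 64 hex characters (256 bits from the CSPRNG), stored in
     *                $_SESSION['token_value'].
     */
    public function get_token(): string {
        if (!isset($_SESSION['token_value'])) {
            // Same shape as the former hash('sha256', ...) output, but drawn
            // directly from the CSPRNG instead of hashing a weaker source.
            $_SESSION['token_value'] = bin2hex(random_bytes(32));
        }
        return $_SESSION['token_value'];
    }

    /**
     * Check whether the request carries the session's token.
     *
     * @param string $method 'post' or 'get'; anything else fails closed.
     * @return bool true only if the request field named get_token_id() holds a
     *              string identical to get_token().
     */
    public function check_valid(string $method): bool {
        if ($method === 'post') {
            $request = $_POST;
        } elseif ($method === 'get') {
            $request = $_GET;
        } else {
            return false;
        }

        $token_id = $this->get_token_id();
        if (!isset($request[$token_id]) || !is_string($request[$token_id])) {
            // Missing field, or a field submitted as an array (name[]=...);
            // hash_equals() needs strings, so reject instead of throwing.
            return false;
        }

        // Constant-time comparison: the original == both compared loosely and
        // leaked the position of the first mismatching byte through timing.
        return hash_equals($this->get_token(), $request[$token_id]);
    }

    /**
     * Return per-session random names for form fields.
     *
     * The logical names are used directly as $_SESSION keys, so they must not
     * collide with 'token_id' / 'token_value'.
     *
     * @param string[] $names      Logical field names.
     * @param bool     $regenerate Discard any stored names and draw new ones.
     * @return array<string,string> Logical name => 10-character random field name.
     */
    public function form_names(array $names, bool $regenerate): array {
        $values = [];
        foreach ($names as $name) {
            if ($regenerate || !isset($_SESSION[$name])) {
                $_SESSION[$name] = $this->random(10);
            }
            $values[$name] = $_SESSION[$name];
        }
        return $values;
    }

    /**
     * Draw $len characters uniformly from [0-9A-Za-z] using the CSPRNG.
     *
     * Alphanumeric output keeps the values safe as HTML name attributes and
     * as $_SESSION keys.
     *
     * @param int $len Number of characters; 0 or negative yields ''.
     * @return string
     * @throws \Exception if no secure randomness source is available.
     */
    private function random(int $len): string {
        $alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
        $max = strlen($alphabet) - 1;
        $out = '';
        for ($i = 0; $i < $len; ++$i) {
            // random_int() is unbiased; the old "48 + byte % 64" mapping
            // over-weighted '4' and '5' and fell back to mt_rand() seeded
            // from the clock when /dev/urandom was unreadable.
            $out .= $alphabet[random_int(0, $max)];
        }
        return $out;
    }
}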


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Example
~~~~~~~~~~~~


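<?php
session_start();
include 'csrf.class.php';

$csrf = new csrf();

// The token id is the hidden field's name and the token value its contents.
// Both are created once per session by the csrf class and reused afterwards;
// get_token() takes no arguments (the original passed $token_id, which PHP
// silently ignored).
$token_id = $csrf->get_token_id();
$token_value = $csrf->get_token();

// Per-session random names for the form fields.
$form_names = $csrf->form_names(['user', 'password'], false);

if (isset($_POST[$form_names['user']], $_POST[$form_names['password']])) {
    // Only act on a submission that carries the session's token; a missing or
    // wrong token is ignored and the form is simply rendered again.
    if ($csrf->check_valid('post')) {
        $user = $_POST[$form_names['user']];
        $password = $_POST[$form_names['password']];

        // Form Function Goes Here
    }
    // Draw new field names so a replayed submission no longer matches.
    $form_names = $csrf->form_names(['user', 'password'], true);
}

// Escape every value emitted into attribute context, even though the class
// currently produces only alphanumeric and hex strings.
$h = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};
?>

<form action="index.php" method="post">
<input type="hidden" name="<?= $h($token_id); ?>" value="<?= $h($token_value); ?>" />
<input type="text" name="<?= $h($form_names['user']); ?>" /><br/>
<!-- type="password" so the credential is not echoed on screen -->
<input type="password" name="<?= $h($form_names['password']); ?>" />
<input type="submit" value="Login"/>
</form>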



