php 防跨站表单提交
1 crub.class.php
<?php class Crumb { CONST SALT = "your-secret-salt"; static $ttl = 1; //$ttl表示这个随机串的有效时间(秒) static public function challenge($data) { return hash_hmac('md5', $data, self::SALT); } static public function issueCrumb($uid, $action = -1) { $i = ceil(time() / self::$ttl); return substr(self::challenge($i . $action . $uid), -12, 10); } static public function verifyCrumb($uid, $crumb, $action = -1) { //var_Dump( $uid); $i = ceil(time() / self::$ttl); if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb || substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb) return true; return false; } }
应用示例 构造表单 在表单中插入一个隐藏的随机串crumb <formmethod="post"action="demo.php"> <input type="hidden" name="crumb" value="<?php echo Crumb::issueCrumb($uid)?>"> <inputtype="text"name="content"><inputtype="submit"></form> 处理表单 demo.php 对crumb进行检查 <?php if(Crumb::verifyCrumb($uid, $_POST['crumb'])){ //按照正常流程处理表单 }else{ //crumb校验失败,错误提示流程 } 如果是ajax,也可以应用crumb,以jquery的ajax提交为例: $.ajax({ type: "POST", url: "some.php", data: "name=blah&crumb=<?php echo Crumb::issueCrumb($uid)?>", success: function(msg){ alert( "Data Saved: " + msg ); } }); 同理,crumb也可以在get方式的ajax请求中应用
转自:http://www.ooso.net/archives/581/comment-page-1#comment-34128