php 防跨站表单提交
1 crub.class.php
<?php
class Crumb {
CONST SALT = "your-secret-salt";
static $ttl = 1; //$ttl表示这个随机串的有效时间(秒)
static public function challenge($data) {
return hash_hmac('md5', $data, self::SALT);
}
static public function issueCrumb($uid, $action = -1) {
$i = ceil(time() / self::$ttl);
return substr(self::challenge($i . $action . $uid), -12, 10);
}
static public function verifyCrumb($uid, $crumb, $action = -1) {
//var_Dump( $uid);
$i = ceil(time() / self::$ttl);
if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb ||
substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb)
return true;
return false;
}
}
应用示例
构造表单
在表单中插入一个隐藏的随机串crumb
<formmethod="post"action="demo.php">
<input type="hidden" name="crumb" value="<?php echo Crumb::issueCrumb($uid)?>">
<inputtype="text"name="content"><inputtype="submit"></form>
处理表单 demo.php
对crumb进行检查
<?php
if(Crumb::verifyCrumb($uid, $_POST['crumb'])){
//按照正常流程处理表单
}else{
//crumb校验失败,错误提示流程
}
如果是ajax,也可以应用crumb,以jquery的ajax提交为例:
$.ajax({
type: "POST",
url: "some.php",
data: "name=blah&crumb=<?php echo Crumb::issueCrumb($uid)?>",
success: function(msg){
alert( "Data Saved: " + msg );
}
});
同理,crumb也可以在get方式的ajax请求中应用
转自:http://www.ooso.net/archives/581/comment-page-1#comment-34128
