php url跨站,php 防跨站表單提交

1 crub.class.php

class Crumb {

CONST SALT = "your-secret-salt";

static $ttl = 1; //$ttl表示這個隨機串的有效時間(秒)

static public function challenge($data) {

return hash_hmac('md5', $data, self::SALT);

}

static public function issueCrumb($uid, $action = -1) {

$i = ceil(time() / self::$ttl);

return substr(self::challenge($i . $action . $uid), -12, 10);

}

static public function verifyCrumb($uid, $crumb, $action = -1) {

//var_Dump( $uid);

$i = ceil(time() / self::$ttl);

if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb ||

substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb)

return true;

return false;

}

}

應用示例

構造表單

在表單中插入一個隱藏的隨機串crumb

處理表單 demo.php

對crumb進行檢查

if(Crumb::verifyCrumb($uid, $_POST['crumb'])){

//按照正常流程處理表單

}else{

//crumb校驗失敗，錯誤提示流程

}

如果是ajax，也可以應用crumb，以jquery的ajax提交為例:

$.ajax({

type: "POST",

url: "some.php",

data: "name=blah&crumb=<?php echo Crumb::issueCrumb($uid)?>",

success: function(msg){

alert( "Data Saved: " + msg );

}

});

同理，crumb也可以在get方式的ajax請求中應用