LoginSignup

エンジニアとしての市場価値を測りませんか?PR

企業からあなたに合ったオリジナルのスカウトを受け取って、市場価値を測りましょう

無料でForkwellに登録する
44
47

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

@yoh-nak(中野 洋介)

PHPでクロスサイトリクエストフォージェリ(CSRF)対策するときのメモ

Last updated at Posted at 2014-07-10
<?php
session_start();

//トークンをセッションにセット
function setToken(){
    $token = sha1(uniqid(mt_rand(), true));
    $_SESSION['token'] = $token;
}

//トークンをセッションから取得
function checkToken(){
    //セッションが空か生成したトークンと異なるトークンでPOSTされたときは不正アクセス
    if(empty($_SESSIOIN['token']) || ($_SESSION['token'] != $_POST['token'])){
        echo '不正なPOSTが行われました', PHP_EOL;
        exit;
    }
}

//エスケープ
function h($s){
    return htmlspecialchars($s, ENT_QUOTES, "UTF-8");
}

//GETでアクセスされたとき
if($_SERVER['REQUEST_METHOD'] != 'POST'){
    setToken();
}
//POSTでアクセスされたとき
else{
    checkToken();
}

<!DOCTYPE html>
<html lang="ja">
...
<body>
...
<form method="post" action="">
...
<!--hiddenで生成したワンタイムトークンの文字列をPOST送信-->
<input type="hidden" name="token" value="<?php echo h($_SESSION['token']); ?>">
<input type="submit" value="登録">
...
</form>

...
</body>
</html>
44
47
2

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin

Qiita Conference 2025 will be held!: 4/23(wed) - 4/25(Fri)

Qiita Conference is the largest tech conference in Qiita!

Keynote Speaker

ymrl、Masanobu Naruse, Takeshi Kano, Junichi Ito, uhyo, Hiroshi Tokumaru, MinoDriven, Minorun, Hiroyuki Sakuraba, tenntenn, drken, konifar

View event details
44
47

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?