47
Help us understand the problem. What are the problem?

More than 5 years have passed since last update.

posted at

updated at

PHPでクロスサイトリクエストフォージェリ(CSRF)対策するときのメモ

<?php
session_start();

//トークンをセッションにセット
function setToken(){
    $token = sha1(uniqid(mt_rand(), true));
    $_SESSION['token'] = $token;
}

//トークンをセッションから取得
function checkToken(){
    //セッションが空か生成したトークンと異なるトークンでPOSTされたときは不正アクセス
    if(empty($_SESSIOIN['token']) || ($_SESSION['token'] != $_POST['token'])){
        echo '不正なPOSTが行われました', PHP_EOL;
        exit;
    }
}

//エスケープ
function h($s){
    return htmlspecialchars($s, ENT_QUOTES, "UTF-8");
}

//GETでアクセスされたとき
if($_SERVER['REQUEST_METHOD'] != 'POST'){
    setToken();
}
//POSTでアクセスされたとき
else{
    checkToken();
}
<!DOCTYPE html>
<html lang="ja">
...
<body>
...
<form method="post" action="">
...
<!--hiddenで生成したワンタイムトークンの文字列をPOST送信-->
<input type="hidden" name="token" value="<?php echo h($_SESSION['token']); ?>">
<input type="submit" value="登録">
...
</form>

...
</body>
</html>
Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Sign upLogin
47
Help us understand the problem. What are the problem?