Preventing Cross Site Request Forgeries (CSRF) in PHP

Cross-site request forgery (CSRF), also known as a one-click attack or session riding, tricks a logged-in user's browser into sending a request the user never intended, for example by submitting a form from another site. Because the browser attaches the user's session cookie automatically, the site processes the request as if the user had made it, so the attacker can modify, delete or steal the user's data or anything reachable from the logged-in session. The attack exploits the trust a website places in the user's browser.

To prevent this type of attack, in this article we generate a random, unique token string and include it as a hidden input in the form.

Every time the form is submitted, the generated token is sent along with the GET or POST request. On the form handler page we check whether the submission is valid by comparing the submitted token with the one stored in the session variable. An attacker who tries to forge the form request would have to know the token value, which is a random, unique string that is not feasible to guess.

Code to protect PHP Form from CSRF

<?php
// Form page: generate a fresh random token, keep it in the session and
// embed it in the form as a hidden field.
session_start();
// random_bytes() is a CSPRNG; md5(uniqid(mt_rand(), true)) is predictable
// enough that it should not be used for a security token.
$_SESSION['token'] = bin2hex(random_bytes(32));
?>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" />
<div class="wrapper col-sm-4">
  <form action="handler.php" method="POST">
    <div class="form-group">
      <label class="control-label col-sm-4" for="name">Name</label>
      <div class="col-sm-8">
        <input id="name" name="name" placeholder="Enter your name" class="form-control input-md" required type="text">
      </div>
    </div>
    <div class="form-group">
      <label class="control-label col-sm-4" for="age">Age</label>
      <div class="col-sm-8">
        <input id="age" name="age" placeholder="Enter your age" class="form-control input-md" required type="text">
      </div>
    </div>
    <div class="form-group">
      <label class="control-label col-sm-4" for="phone">Phone</label>
      <div class="col-sm-8">
        <input id="phone" name="phone" placeholder="Enter your phone" class="form-control input-md" required type="text">
      </div>
    </div>
    <div class="form-group">
      <div class="col-sm-8">
        <!-- escape the token so it cannot break out of the attribute -->
        <input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['token']); ?>" />
        <input type="submit" value="Submit" />
      </div>
    </div>
  </form>
</div>

<?php
// handler.php: reject the request unless the submitted token matches the
// one stored in the session. Check isset() and the type before reading the
// values, so a missing or malformed field cannot trigger a notice or a
// TypeError, and use hash_equals() for a constant-time comparison.
session_start();
if (!isset($_SESSION['token'], $_POST['token'])
    || !is_string($_POST['token'])
    || !hash_equals($_SESSION['token'], $_POST['token'])) {
    echo 'Invalid Form Submitted';
} else {
    // Write code to store data in database
    echo 'Valid Form Submitted';
}
?>
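The token scheme explained above, packaged as a small reusable helper. This is an added example, not code from the original article: the function names, the 30-minute lifetime and the one-time-use behaviour are this example's own choices, and a plain array stands in for $_SESSION so the self-check runs from the command line.

```php
<?php
// Added example (not from the original article): CSRF helper built on the
// same idea as the form above, with a cryptographically strong token, a
// constant-time comparison, a token lifetime and one-time use.
const CSRF_LIFETIME = 1800; // seconds a token stays valid (assumed value)

/** Create a token, store it with its issue time in $session, and return it. */
function csrf_token(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session['csrf'] = ['token' => $token, 'issued' => time()];
    return $token;
}

/** True only if $submitted matches the current, unexpired session token. */
function csrf_validate(array &$session, $submitted): bool
{
    if (!is_string($submitted) || !isset($session['csrf']['token'], $session['csrf']['issued'])) {
        return false; // nothing submitted, or no token ever issued
    }
    if (time() - $session['csrf']['issued'] > CSRF_LIFETIME) {
        unset($session['csrf']);
        return false; // token too old
    }
    // hash_equals() compares in constant time, so timing does not leak the token
    $ok = hash_equals($session['csrf']['token'], $submitted);
    if ($ok) {
        unset($session['csrf']); // consume it: a replayed token is rejected
    }
    return $ok;
}
// Form page: $token = csrf_token($_SESSION); emit it in the hidden field via
// htmlspecialchars($token). handler.php: csrf_validate($_SESSION, $_POST['token'] ?? null).

// Self-check runnable from the command line; a plain array stands in for
// $_SESSION so no session_start() is needed.
function expect(bool $cond, string $case): void { if (!$cond) throw new RuntimeException("CSRF check failed: $case"); }
$session = [];
$t = csrf_token($session);
expect(csrf_validate($session, $t) === true, 'genuine submission accepted');
expect(csrf_validate($session, $t) === false, 'replayed token rejected');
$t = csrf_token($session);
expect(csrf_validate($session, substr($t, 1) . 'x') === false, 'wrong token rejected');
expect(csrf_validate($session, null) === false, 'missing token rejected');
$session['csrf']['issued'] -= CSRF_LIFETIME + 1; // simulate an old token
expect(csrf_validate($session, $t) === false, 'expired token rejected');
echo "csrf helper self-check passed\n";
```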
