Preventing Cross Site Request Forgeries(CSRF) in PHP

In this post, you will learn how to prevent the cross site request forgeries using PHP.

Cross-site request forgery (CSRF), also known as one-click attack or session riding. This can harm the user's data by modifying them or deleting them. It may attack on the user browsers or internally submit some forms. That can delete or modify or steal the user's data or all logged session data. It exploits the website trust on the browser.

To prevent such type of attack, in this article, we generate a random unique token string and include it as a hidden input in the form.





Every time when the form is submitted, the generated unique token is also submitted with each GET & POST form request. On the form handler page, we check whether the form is valid or not by comparing the submitted token with one stored in a session variable. In this case, if an attacker tries to generate the form request, the attacker would have to know the token value which is in a random unique string and difficult to find.

Code to protect PHP Form from CSRF

<?php
session_start();
echo $_SESSION['token'] = md5(uniqid(mt_rand(), true));
?>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" />
<div  class="wrapper col-sm-4">
<form action="handler.php" method="POST">
<div class="form-group">
<label class="control-label col-sm-4" for="textinput">Name</label>  
<div  class="col-sm-8">
<input id="textinput" name="name" placeholder="Enter your name" class="form-control input-md" required="" type="text">
</div>
</div>    
<div class="form-group">
<label class="control-label col-sm-4" for="textinput">Age</label>  
<div  class="col-sm-8">
<input id="textinput" name="age" placeholder="Enter your age" class="form-control input-md" required="" type="text">
</div>
</div> 
<div class="form-group">
<label class="control-label col-sm-4" for="textinput">Phone</label>  
<div  class="col-sm-8">
<input id="textinput" name="phone" placeholder="Enter your phone" class="form-control input-md" required="" type="text">
</div>
</div>  
<div class="form-group">
<div  class="col-sm-8">
<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
<input type="submit" value="Submit" />
</div>    
 </div>    
</form>    
</div>

<?php
session_start();
if ($_POST['token'] != $_SESSION['token'] || !isset($_SESSION['token'])) {
echo 'Invalid Form Submitted';
} else {
// Write code to store data in database
echo 'Valid Form Submitted';
}
?>




Related Articles

Import Data Into MySQL From Excel File
Php display PDF in iframe
Read CSV file & Import data into MySQL with PHP
How to create a doc file using PHP
PHP | SplFileObject fread() Function
File upload in PHP MySQL database
Send HTML form data to email using PHP
Forgot password code in PHP mysqli
PHP Basic authentication example
PHP cache example
PHP get current directory path
How to prevent CSRF attack in PHP
Upload multiple files php
PHP contact form send email SMTP
Dynamic pagination in PHP
File upload ftp PHP
PHP reverse a string without predefined function
PHP random quote generator
PHP convert string into an array




Read more articles


General Knowledge



Learn Popular Language