Preventing Cross-Site Request Forgery (CSRF) in PHP

Cross-site request forgery (CSRF), also known as a one-click attack or session riding, tricks a logged-in user's browser into sending a request the user never intended, for example by auto-submitting a hidden form from a page the attacker controls. Because the browser attaches the victim's session cookie to that request automatically, the application accepts it as the user's own, so the attacker can modify or delete the user's data or perform any other action the logged-in session is allowed to perform. The attack exploits the trust the website places in the user's browser.

To prevent this kind of attack, this article generates a random, unpredictable token string, stores it in the session and includes it as a hidden input in the form.

Every time the form is submitted, the token is sent along with the rest of the form data. On the form handler page we decide whether the submission is genuine by comparing the submitted token with the one stored in the session. An attacker who forges the request from another site has to supply the correct token value, which is a random string the attacker cannot read, because the same-origin policy keeps the victim's page content and session out of reach; the forged request therefore fails the check. Two caveats apply. State-changing actions should only be accepted over POST, since a token placed in a GET URL leaks through the browser history and the Referer header. And the comparison must be strict and constant-time (hash_equals()) rather than PHP's loose != operator, which treats two numeric-looking strings with the same numeric value as equal. Marking the session cookie with the SameSite attribute adds a second layer of defence but does not replace the token.

Code to protect PHP Form from CSRF

<?php
session_start();
// Generate the anti-CSRF token once per session from a CSPRNG;
// md5(uniqid(mt_rand())) is not a cryptographically strong source.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}
?>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" />
<div  class="wrapper col-sm-4">
<form action="handler.php" method="POST">
<div class="form-group">
<label class="control-label col-sm-4" for="name-input">Name</label>  
<div  class="col-sm-8">
<input id="name-input" name="name" placeholder="Enter your name" class="form-control input-md" required="" type="text">
</div>
</div>    
<div class="form-group">
<label class="control-label col-sm-4" for="age-input">Age</label>  
<div  class="col-sm-8">
<input id="age-input" name="age" placeholder="Enter your age" class="form-control input-md" required="" type="text">
</div>
</div> 
<div class="form-group">
<label class="control-label col-sm-4" for="phone-input">Phone</label>  
<div  class="col-sm-8">
<input id="phone-input" name="phone" placeholder="Enter your phone" class="form-control input-md" required="" type="text">
</div>
</div>  
<div class="form-group">
<div  class="col-sm-8">
<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
<input type="submit" value="Submit" />
</div>    
 </div>    
</form>    
</div>

<?php
// handler.php: the form handler page the form above posts to
session_start();

$submitted = $_POST['token'] ?? null;

// Reject unless the session holds a token, the client sent a string token,
// and the two match. hash_equals() is a constant-time, strict comparison;
// the loose != operator would treat numeric-looking strings as equal.
if (!isset($_SESSION['token']) || !is_string($submitted)
    || !hash_equals($_SESSION['token'], $submitted)) {
    http_response_code(403);
    echo 'Invalid Form Submitted';
} else {
    // Write code to store data in database
    echo 'Valid Form Submitted';
}
?>
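The following is an added example, not code from the original article. It keeps the article's approach (a random secret in the session, a hidden form field, a server-side comparison) and tightens it into a reusable helper: the secret never leaves the server, each form gets its own token derived with hash_hmac(), the handler only accepts POST, and the comparison is strict and constant-time. The function names csrf_secret(), csrf_token(), csrf_validate() and csrf_field(), the action names and the simulated session are this example's own assumptions.

```php
<?php
// Added example (not part of the original article): a reusable CSRF helper.
declare(strict_types=1);

// Return the per-session secret, creating it on first use from a CSPRNG.
// Assumes session_start() has already been called in a web context.
function csrf_secret(): string
{
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_secret'];
}

// Derive a token bound to one form/action, so a token taken from one form
// cannot be replayed against another. Only the HMAC is sent to the browser;
// the secret itself stays in the session.
function csrf_token(string $action): string
{
    return hash_hmac('sha256', $action, csrf_secret());
}

// Validate a submitted token. True only when the request is a POST, the
// submitted value is a string, and it matches in constant time.
function csrf_validate(string $action, $submitted, string $method): bool
{
    if ($method !== 'POST' || !is_string($submitted)) {
        return false;
    }
    return hash_equals(csrf_token($action), $submitted);
}

// Emit the hidden field for a form (escaped, even though the token is hex).
function csrf_field(string $action): string
{
    $value = htmlspecialchars(csrf_token($action), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $value . '">';
}

// Self-check with a simulated session (run from the CLI: php csrf.php).
if (PHP_SAPI === 'cli') {
    $_SESSION = [];                          // constructed, not a real session
    $good = csrf_token('update-profile');
    $checks = [
        'valid'        => csrf_validate('update-profile', $good, 'POST') === true,
        'other action' => csrf_validate('delete-account', $good, 'POST') === false,
        'via GET'      => csrf_validate('update-profile', $good, 'GET') === false,
        'array input'  => csrf_validate('update-profile', ['x'], 'POST') === false,
        'missing'      => csrf_validate('update-profile', null, 'POST') === false,
        'wrong token'  => csrf_validate('update-profile', str_repeat('0', 64), 'POST') === false,
    ];
    foreach ($checks as $name => $ok) {
        echo str_pad($name, 14), $ok ? 'ok' : 'FAIL', PHP_EOL;
    }
}
```

In the form page, after session_start(), print the field with echo csrf_field('update-profile'); inside the form. In handler.php, gate the database write on csrf_validate('update-profile', $_POST['token'] ?? null, $_SERVER['REQUEST_METHOD']) and respond with a 403 when it returns false. Binding the token to an action means a token harvested from a low-value form is useless against a high-value one, and keeping the secret server-side means the hidden field alone never reveals it.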
