How to Prevent Cross Site Request Forgery (CSRF) Attacks in PHP
Step-by-Step Guide
Step 1: Create csrf.class.php.
Start off by creating the file and saving it with the content below. All code in this section of the guide will be added to the end of this file.

```php
<?php
// Every method below stores state in $_SESSION, so the caller must run
// session_start() before using the class.
class csrf {
```

Step 2: Create get_token_id() Function.
This function gets the token id from the user's session; if one has not already been created, it generates a random one.

```php
    // The session key name 'token_id' is assumed: the guide keeps the id
    // under one fixed key and hands it out on every later call.
    public function get_token_id() {
        if (isset($_SESSION['token_id'])) {
            return $_SESSION['token_id'];
        } else {
            $token_id = $this->random(10);
            $_SESSION['token_id'] = $token_id;
            return $token_id;
        }
    }
```

Step 3: Create get_token() Function.
This function gets the token value; if one has not already been generated, it generates one.

```php
    // The session key name 'token_value' is assumed, as above.
    public function get_token() {
        if (isset($_SESSION['token_value'])) {
            return $_SESSION['token_value'];
        } else {
            // 500 random characters hashed down to a fixed-length hex token.
            $token = hash('sha256', $this->random(500));
            $_SESSION['token_value'] = $token;
            return $token;
        }
    }
```

Step 4: Create check_valid() Function.
This function is used to check if the token id and the token value are valid. It does this by comparing the values in the GET or POST request with the values stored in the user's SESSION variable.

```php
    public function check_valid($method) {
        if ($method == 'post' || $method == 'get') {
            $post = $_POST;
            $get  = $_GET;
            // ${$method} selects $post or $get. The hidden form field is
            // named after the token id and must carry the token value.
            $token_id = $this->get_token_id();
            // Note: == is not a constant-time comparison; hash_equals()
            // (PHP >= 5.6) is the preferable check.
            if (isset(${$method}[$token_id]) && (${$method}[$token_id] == $this->get_token())) {
                return true;
            } else {
                return false;
            }
        } else {
            return false;
        }
    }
```

Step 5: Create form_names() Function.
This is the second defense against CSRF in this article. This function generates random names for the form fields, so a forged request also has to guess the field names.

```php
    // $names is a list of logical field names; the returned array maps each
    // logical name to its random session-bound form name. With $regenerate
    // set to true the names are discarded and created afresh.
    public function form_names($names, $regenerate) {
        $values = array();
        foreach ($names as $n) {
            if ($regenerate == true) {
                unset($_SESSION[$n]);
            }
            $s = isset($_SESSION[$n]) ? $_SESSION[$n] : $this->random(10);
            $_SESSION[$n] = $s;
            $values[$n] = $s;
        }
        return $values;
    }
```

Step 6: Create the random() Function.
This function generates a random string of $len alphanumeric characters. It prefers OpenSSL, then the Linux random device /dev/urandom for more entropy, and falls back to mt_rand() only when neither is available.

```php
    private function random($len) {
        if (function_exists('openssl_random_pseudo_bytes')) {
            $byteLen = intval(($len / 2) + 1);
            $return = substr(bin2hex(openssl_random_pseudo_bytes($byteLen)), 0, $len);
        } elseif (@is_readable('/dev/urandom')) {
            $f = fopen('/dev/urandom', 'r');
            $urandom = fread($f, $len);
            fclose($f);
            $return = '';
        }
        if (empty($return)) {
            for ($i = 0; $i < $len; ++$i) {
                if (!isset($urandom)) {
                    // Last resort: reseed mt_rand() every other character.
                    if ($i % 2 == 0) {
                        mt_srand((int)(time() % 2147 * 1000000 + (double)microtime() * 1000000));
                    }
                    $rand = 48 + mt_rand() % 64;
                } else {
                    $rand = 48 + ord($urandom[$i]) % 64;
                }
                // Map the 0-63 range onto the characters 0-9, A-Z, a-z.
                if ($rand > 57)  $rand += 7;
                if ($rand > 90)  $rand += 6;
                if ($rand == 123) $rand = 52;
                if ($rand == 124) $rand = 53;
                $return .= chr($rand);
            }
        }
        return $return;
    }
```

Step 7: Close the Class Bracket.
This will end the class csrf.

```php
}
```

You can now close the file csrf.class.php as we have finished editing it.
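The guide stops at the class itself; the following page script is an added usage example (not part of the original guide) showing how the two defenses fit together in a form and its handler. It assumes csrf.class.php from the steps above is in the same directory and that the logical field names 'user' and 'password' are the form's real fields.

```php
<?php
// Added example: render a CSRF-protected form and validate its submission.
// Assumes csrf.class.php (the class from this guide) sits next to this file.
require_once 'csrf.class.php';
session_start();                       // the class keeps all state in $_SESSION

$csrf = new csrf();

// First defense: hidden field named after the token id, carrying the token value.
$token_id    = $csrf->get_token_id();
$token_value = $csrf->get_token();

// Second defense: the real fields get random, session-bound names. On the POST
// request the same names come back from the session, so they match the submission.
$fields     = array('user', 'password');
$form_names = $csrf->form_names($fields, false);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if ($csrf->check_valid('post')) {
        // Read the real fields through their randomised names.
        $user = isset($_POST[$form_names['user']]) ? $_POST[$form_names['user']] : '';
        echo 'Token valid, processing request for '
           . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
        // Rotate the field names after a successful submit so the next form is unique.
        $form_names = $csrf->form_names($fields, true);
    } else {
        http_response_code(403);       // token missing or mismatched: refuse the request
        echo 'Invalid or missing CSRF token';
    }
}
?>
<form method="post" action="">
  <input type="text"     name="<?php echo htmlspecialchars($form_names['user'], ENT_QUOTES); ?>">
  <input type="password" name="<?php echo htmlspecialchars($form_names['password'], ENT_QUOTES); ?>">
  <input type="hidden"   name="<?php echo htmlspecialchars($token_id, ENT_QUOTES); ?>"
                         value="<?php echo htmlspecialchars($token_value, ENT_QUOTES); ?>">
  <button type="submit">Log in</button>
</form>
```

A request forged from another origin cannot read the victim's session-bound token value or field names, so check_valid('post') returns false and the handler answers 403.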
About the Author
Victoria Cruz
Specializes in breaking down complex creative arts topics into simple steps.