12-11-2015, 08:24 PM
By default, strings are escaped from our form inputs. This will only get stronger as we transition over to PDO.
We use a special Token system to prevent Cross Site Request Attack Forgery on your forms. This is a two step process.
Step 1: Add this check to your $_POST submission:
Code:
// Read the submitted token; a missing field becomes '' so the check below fails closed
$token = isset($_POST['csrf']) ? $_POST['csrf'] : '';
if(!Token::check($token)){
    die('Token doesn\'t match!');
}
Step 2: Add this "hidden field" to your form before the submit button
If the form is in html, add this:
Code:
<input type="hidden" name="csrf" value="<?=Token::generate();?>" >
If your form is a long echo of php, you need to break your php and enter the field this way:
Code:
";
?>
<input type="hidden" name="csrf" value="<?=Token::generate();?>" >
<?php echo "
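For readers who want to see what sits behind the two calls, here is an added, self-contained example of a session-backed Token class with the same Token::generate() / Token::check() interface, wired into the handler (step 1) and the form (step 2). It is not the forum's own implementation; the session key name, token length and form fields are assumptions.

```php
<?php
// Added example, not the forum's own Token class. Stores one random token
// per session and compares it in constant time. Session key name and
// 32-byte token length are assumptions.
class Token
{
    private const SESSION_KEY = 'csrf_token'; // assumed name

    // Generate a token once per session and reuse it for every form,
    // so several open tabs do not invalidate each other.
    public static function generate(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    // Constant-time comparison against the stored token; a missing or
    // non-string value fails closed.
    public static function check($token): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (!is_string($token) || empty($_SESSION[self::SESSION_KEY])) {
            return false;
        }
        return hash_equals($_SESSION[self::SESSION_KEY], $token);
    }
}

// Handler side (step 1 of the post): reject before touching any other input.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!Token::check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        die('Token doesn\'t match!');
    }
    // ... process the trusted submission here ...
}
?>
<!-- Form side (step 2): the hidden field next to the submit button -->
<form method="post" action="">
    <input type="text" name="comment">
    <input type="hidden" name="csrf" value="<?= htmlspecialchars(Token::generate()) ?>">
    <button type="submit">Post</button>
</form>
```

Because the token lives in the session, an attacker's cross-site form submission cannot supply it, and a forged request fails the check before any other field is read.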