kylekatarnls / csrfprotect
CSRF protection
Requires
- php: >=5.3.0
Requires (Dev)
- php: >=5.4.0
- phalcon/zephir: ~0.8.0
- phpunit/phpunit: >=3.7
This package is auto-updated.
Last update: 2024-09-17 17:23:36 UTC
README
PHP extension for easy and very reliable CSRF protection

Basic usage: form protection
```php
<?php
use \CsrfProtect\CsrfProtect as Csrf;

session_start();

if (isset($_POST['message'])) {
    if (Csrf::checkToken()) {
        echo 'Thanks for your message!';
    } else {
        echo 'Sorry, your session expired.';
    }
}
?>
<form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit">
    <?php echo Csrf::getTag(); ?>
</form>
```
Authenticated users
```php
<?php
use \CsrfProtect\CsrfProtect as Csrf;

session_start();

if (isset($_POST['message'])) {
    // The token is bound to the user identifier it was issued for.
    if (Csrf::checkPostToken($_SESSION['user_id'])) {
        echo 'Thanks for your message!';
    } else {
        echo 'Sorry, your session expired or you have logged out.';
    }
}
?>
<form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit">
    <?php echo Csrf::getTag($_SESSION['user_id']); ?>
</form>
```
Protecting links
```php
<?php
use \CsrfProtect\CsrfProtect as Csrf;

session_start();

// A link click arrives as a GET request, so the token is read from the query string.
if (isset($_GET['_csrf'])) {
    if (Csrf::checkToken($_GET['_csrf'])) {
        echo 'Thanks for clicking!';
    } else {
        echo 'Sorry, your session expired.';
    }
}
?>
<a href="?_csrf=<?php echo Csrf::getToken(); ?>">Click here!</a>
```
Protecting links with an authenticated user
```php
<?php
use \CsrfProtect\CsrfProtect as Csrf;

session_start(); // required: $_SESSION['user_id'] is read below

if (isset($_GET['_csrf'])) {
    if (Csrf::checkToken($_GET['_csrf'], $_SESSION['user_id'])) {
        echo 'Thanks for clicking!';
    } else {
        echo 'Sorry, your session expired.';
    }
}
?>
<a href="?_csrf=<?php echo Csrf::getToken($_SESSION['user_id']); ?>">Click here!</a>
```
Configure CsrfProtect to your needs
```php
<?php
class ShortCsrf extends \CsrfProtect\CsrfProtect
{
    const TOKEN_LENGTH = 6;
}

class LongCsrf extends \CsrfProtect\CsrfProtect
{
    const TOKEN_LENGTH = 64;
}

echo ShortCsrf::getTag(); // Displays a hidden input tag with a 6-char token
echo LongCsrf::getTag();  // Displays a hidden input tag with a 64-char token
?>
```
Here are all the available settings with their default values
```php
<?php
class Csrf extends \CsrfProtect\CsrfProtect
{
    const POST_KEY       = "_csrf";
    const SESSION_PREFIX = "_csrf_";
    const TOKEN_LENGTH   = 32;
    const TOKEN_CHARS    = "azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN1234567890_-";
    const TOKENS_LIMIT   = 5000;
}
?>
```
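To make these settings and the form, authenticated-user and link examples above concrete, here is a plain-PHP model of the same pattern. It is added for this page and is not the extension's code (the extension is compiled from Zephir, which is not shown here): it only illustrates what each constant governs (where the token travels, how it is keyed in the session, how long and from which alphabet it is generated, and how many tokens are kept per identifier) and why a token issued for one user identifier must not verify for another. It assumes PHP 7 or later for `random_int` and `hash_equals`; the one-time consumption of tokens and oldest-first eviction are this model's own choices, since the page does not document how the extension itself stores or expires tokens.

```php
<?php
// Added illustration for this page, not the csrfprotect extension's own code.
// Models the documented settings (POST_KEY, SESSION_PREFIX, TOKEN_LENGTH,
// TOKEN_CHARS, TOKENS_LIMIT) and identifier binding in plain PHP (7+).
// One-time use and oldest-first eviction are assumptions of this model.

class CsrfModel
{
    const POST_KEY       = '_csrf';
    const SESSION_PREFIX = '_csrf_';
    const TOKEN_LENGTH   = 32;
    const TOKEN_CHARS    = 'azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN1234567890_-';
    const TOKENS_LIMIT   = 5000;

    /** Issue a fresh token and remember it under the identifier's session key. */
    public static function getToken(array &$session, $identifier = '')
    {
        $chars = static::TOKEN_CHARS; // static:: so subclasses can override, as above
        $max   = strlen($chars) - 1;
        $token = '';
        for ($i = 0; $i < static::TOKEN_LENGTH; $i++) {
            $token .= $chars[random_int(0, $max)]; // CSPRNG, uniform over the alphabet
        }

        $key = static::SESSION_PREFIX . $identifier;
        if (!isset($session[$key])) {
            $session[$key] = array();
        }
        $session[$key][] = $token;

        // Bound the per-identifier list so repeated page loads cannot grow the
        // session without limit; drop the oldest tokens first.
        while (count($session[$key]) > static::TOKENS_LIMIT) {
            array_shift($session[$key]);
        }
        return $token;
    }

    /** Hidden input carrying the token in a POST form (what getTag() renders). */
    public static function getTag(array &$session, $identifier = '')
    {
        $token = htmlspecialchars(static::getToken($session, $identifier), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="' . static::POST_KEY . '" value="' . $token . '">';
    }

    /** Accept a stored token once; constant-time comparison avoids timing leaks. */
    public static function checkToken(array &$session, $token, $identifier = '')
    {
        $key = static::SESSION_PREFIX . $identifier;
        if (!is_string($token) || empty($session[$key])) {
            return false;
        }
        foreach ($session[$key] as $i => $stored) {
            if (hash_equals($stored, $token)) {
                unset($session[$key][$i]); // consumed: a replayed token is rejected
                return true;
            }
        }
        return false;
    }

    /** Read the token from the POST body, like checkPostToken() in the README. */
    public static function checkPostToken(array &$session, array $post, $identifier = '')
    {
        return isset($post[static::POST_KEY])
            && static::checkToken($session, $post[static::POST_KEY], $identifier);
    }
}

// Constructed demo: an in-memory array stands in for $_SESSION.
$session = array();
$token   = CsrfModel::getToken($session, 'user-42');

var_dump(CsrfModel::checkToken($session, $token, 'user-7'));  // same token, other identifier
var_dump(CsrfModel::checkToken($session, $token, 'user-42')); // the identifier it was issued for
var_dump(CsrfModel::checkToken($session, $token, 'user-42')); // presenting it a second time
var_dump(CsrfModel::checkPostToken($session, array(CsrfModel::POST_KEY => 'guess'), 'user-42'));
```

In a real page you would pass `$_SESSION` after `session_start()` instead of the local array. The identifier argument is what makes the "authenticated users" variants above stronger than the anonymous ones: a token is only ever looked up under the session key of the identifier it was issued for, so a token obtained in one account's context is useless against another.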
Extending CsrfProtect

Example: display the input tag the XHTML way: <input />
```php
<?php
class Csrf extends \CsrfProtect\CsrfProtect
{
    public static function getTag($identifier = "")
    {
        return str_replace('>', ' />', parent::getTag($identifier));
    }
}
?>
```
Functional approach
```php
<?php
session_start();

if (isset($_POST['message'])) {
    if (\CsrfProtect\checkToken()) {
        echo 'Thanks for your message!';
    } else {
        echo 'Sorry, your session expired.';
    }
}
?>
<form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit">
    <?php echo \CsrfProtect\getTag(); ?>
</form>
```
All public methods of CsrfProtect are also available as functions.

Installation

You can install CsrfProtect anywhere Zephir can be installed.

Here is an example for Debian/Ubuntu (we assume PHP is already installed)
```bash
sudo apt-get update
sudo apt-get install git gcc make re2c php5 php5-json php5-dev libpcre3-dev
git clone https://github.com/phalcon/zephir
cd zephir
./install-json
./install -c
cd ..
```
(Optional) You can then remove the Zephir sources

```bash
rm -r zephir
```
Then check that zephir is correctly installed

```bash
zephir help
```

If it is not, see: http://docs.zephir-lang.com/en/latest/install.html

Now you can download and build CsrfProtect
```bash
git clone https://github.com/kylekatarnls/csrfprotect
cd csrfprotect
zephir build
cd ..
```
(Optional) You can then remove the CsrfProtect sources

```bash
rm -r csrfprotect
```

Then add extension=csrfprotect.so to your PHP configuration file.
```
# Suse: add a file called csrfprotect.ini in /etc/php5/conf.d/ with this content:
extension=csrfprotect.so

# CentOS/RedHat/Fedora: add a file called csrfprotect.ini in /etc/php.d/ with this content:
extension=csrfprotect.so

# Ubuntu/Debian with apache2: add a file called 30-csrfprotect.ini in /etc/php5/apache2/conf.d/ with this content:
extension=csrfprotect.so

# Ubuntu/Debian with php5-fpm: add a file called 30-csrfprotect.ini in /etc/php5/fpm/conf.d/ with this content:
extension=csrfprotect.so

# Ubuntu/Debian with php5-cli: add a file called 30-csrfprotect.ini in /etc/php5/cli/conf.d/ with this content:
extension=csrfprotect.so
```
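Because each SAPI (php5-cli, apache2, php5-fpm) reads its own conf.d directory, it is worth confirming that the PHP binary which will actually serve your pages loaded the extension. The following check is added for this page and is not part of the csrfprotect project: it reports whether the extension is loaded, which ini files this binary scanned (so a misplaced csrfprotect.ini shows up as absent from the list), and, when the class is present, whether a token issued by `getToken()` is accepted by `checkToken()` while a made-up value is rejected. It uses only the class, function and method names documented above and assumes PHP 5.4 or later for `session_status()`.

```php
<?php
// Added post-install check for this page, not part of the csrfprotect project.
// Run it once per SAPI you use: `php csrfprotect-check.php` for the CLI, and as a
// web-served file for apache2 or php-fpm, since each reads a different conf.d.

function csrfprotectStatus()
{
    $status = array(
        'extension_loaded' => extension_loaded('csrfprotect'),
        'class_exists'     => class_exists('CsrfProtect\CsrfProtect'),
        'functions_exist'  => function_exists('CsrfProtect\checkToken')
                              && function_exists('CsrfProtect\getTag'),
        // Comma-separated list of scanned ini files, or false if none were scanned.
        'scanned_ini'      => php_ini_scanned_files(),
        'round_trip'       => null, // stays null when the extension is not loaded
    );

    if ($status['class_exists']) {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start(); // tokens live in the session, as in the examples above
        }
        $token = \CsrfProtect\CsrfProtect::getToken();
        // Expectation: the token just issued verifies, a fabricated one does not.
        $status['round_trip'] = \CsrfProtect\CsrfProtect::checkToken($token)
            && !\CsrfProtect\CsrfProtect::checkToken('not-a-token-issued-here');
    }

    return $status;
}

header('Content-Type: text/plain'); // no-op on the CLI
foreach (csrfprotectStatus() as $name => $value) {
    echo str_pad($name, 18), var_export($value, true), "\n";
}
```

If `extension_loaded` is false but the ini file you created is missing from `scanned_ini`, the file is in the wrong conf.d directory for that SAPI; if it is listed and the extension still does not load, check the PHP error log for the reason `csrfprotect.so` was refused (for example a build against a different PHP version).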