SoFunction
Updated on 2025-04-04

ThinkPHP token verification example

ThinkPHP has built-in form token verification function, which can effectively prevent remote submission of forms and other security protections.
The configuration parameters related to form token verification are:

'TOKEN_ON'   => true,       // Whether to enable token verification
'TOKEN_NAME' => '__hash__', // Name of the hidden form field that carries the token
'TOKEN_TYPE' => 'md5',      // Token hash algorithm, default is MD5

If form token verification is enabled, the system automatically generates, in every template file that contains a form, a hidden field named after TOKEN_NAME. Its value is a hash string produced with the TOKEN_TYPE algorithm, and it is used to verify the form token automatically when the form is submitted.

The automatically generated hidden field is placed immediately before the form's closing tag. If you want to control its location yourself, add the __TOKEN__ marker to the form page and the system will replace it when the template is output. If an individual form does not need token verification while the feature is enabled globally, add __NOTOKEN__ to that form page and the system will skip token verification for it.

If there are several forms on a page, it is recommended to add the __TOKEN__ marker explicitly and make sure that only one form requires token verification.

The model class performs form token verification automatically when it creates a data object with create. If you do not use the create method to create the data object, call the model's autoCheckToken method manually; a return value of false means the form token verification failed. For example:

$User = M("User"); // Instantiate the User object
// Manual token verification
if (!$User->autoCheckToken($_POST)) {
    // Token verification error
}

A common template replacement function is defined in the ThinkPHP framework:

protected function templateContentReplace($content) {
    // System default special variable replacement
    $replace = array(
        '../Public'  => APP_PUBLIC_PATH,     // Project public directory
        '__PUBLIC__' => WEB_PUBLIC_PATH,     // Site public directory
        '__TMPL__'   => APP_TMPL_PATH,       // Project template directory
        '__ROOT__'   => __ROOT__,            // Current website address
        '__APP__'    => __APP__,             // Current project address
        '__UPLOAD__' => __ROOT__.'/Uploads',
        '__ACTION__' => __ACTION__,          // Current operation address
        '__SELF__'   => __SELF__,            // Current page address
        '__URL__'    => __URL__,
        '__INFO__'   => __INFO__,
    );
    if(defined('GROUP_NAME')) {
        $replace['__GROUP__'] = __GROUP__;   // Current project address
    }
    if(C('TOKEN_ON')) {
        if(strpos($content,'{__TOKEN__}')) {
            // Hidden field location of the form token specified by the template
            $replace['{__TOKEN__}'] = $this->buildFormToken();
        }elseif(strpos($content,'{__NOTOKEN__}')){
            // Marked as not requiring token verification
            $replace['{__NOTOKEN__}'] = '';
        }elseif(preg_match('/<\/form(\s*)>/is',$content,$match)) {
            // Automatically generate the form token hidden field before </form>
            $replace[$match[0]] = $this->buildFormToken().$match[0];
        }
    }
    // Allow user-defined template string replacement
    if(is_array(C('TMPL_PARSE_STRING')) )
        $replace = array_merge($replace,C('TMPL_PARSE_STRING'));
    $content = str_replace(array_keys($replace),array_values($replace),$content);
    return $content;
}

The if (C('TOKEN_ON')) above checks whether token verification is enabled. If it is, the buildFormToken() method is called, which executes $_SESSION[$tokenName] = $tokenValue; in other words, it stores the generated token in $_SESSION['__hash__']. If you do not want a page's form to be verified, add {__NOTOKEN__} to the page and the function replaces it with an empty string.

The token verification is defined in the ThinkPHP model class:

// Form token verification
if(C('TOKEN_ON') && !$this->autoCheckToken($data)) {
    $this->error = L('_TOKEN_ERROR_');
    return false;
}

// Automatic form token verification
public function autoCheckToken($data) {
    $name = C('TOKEN_NAME');
    if(isset($_SESSION[$name])) {
        // Token verification is currently required
        if(empty($data[$name]) || $_SESSION[$name] != $data[$name]) {
            // Illegal submission
            return false;
        }
        // Verification passed, destroy the session token
        unset($_SESSION[$name]);
    }
    return true;
}
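The following stand-alone script is an added example, not ThinkPHP's own code. It models the whole token lifecycle from the two framework methods shown above: issuing a token into the session and placing the hidden field ({__TOKEN__}, {__NOTOKEN__}, or automatically before </form>, as templateContentReplace does), then checking a submission the way autoCheckToken does. The names issueToken, injectToken, checkToken and report, the $session array standing in for $_SESSION, and the sample form are this example's own. Two details differ from the framework code on purpose: the token is derived from random_bytes, and hash_equals replaces the != comparison so the check is constant-time. The walk-through at the end also shows a property of autoCheckToken worth knowing: once the session holds no token, the check is skipped entirely.

```php
<?php
// Added example, not ThinkPHP's own code: a CLI-runnable model of the
// form-token lifecycle. $session stands in for $_SESSION; $tokenName and
// $tokenType mirror the TOKEN_NAME / TOKEN_TYPE settings. Function names
// are this example's own, not framework APIs.

$session   = array();      // constructed stand-in for $_SESSION
$tokenName = '__hash__';   // TOKEN_NAME
$tokenType = 'md5';        // TOKEN_TYPE (hash algorithm for the token value)

// Issue a fresh token: unpredictable (CSPRNG input), stored in the session,
// returned as the hidden <input> that ends up inside the form.
function issueToken(array &$session, $tokenName, $tokenType) {
    $tokenValue = hash($tokenType, random_bytes(32));
    $session[$tokenName] = $tokenValue;
    return '<input type="hidden" name="' . $tokenName . '" value="' . $tokenValue . '" />';
}

// Place the hidden field the same three ways as templateContentReplace():
// an explicit {__TOKEN__} marker, a {__NOTOKEN__} opt-out, or automatically
// before </form>. strpos() is compared with !== false so a marker at
// offset 0 is still found.
function injectToken($content, array &$session, $tokenName, $tokenType) {
    if (strpos($content, '{__TOKEN__}') !== false) {
        return str_replace('{__TOKEN__}', issueToken($session, $tokenName, $tokenType), $content);
    } elseif (strpos($content, '{__NOTOKEN__}') !== false) {
        return str_replace('{__NOTOKEN__}', '', $content);
    } elseif (preg_match('/<\/form(\s*)>/is', $content, $match)) {
        // str_replace() puts the same value before every </form> on the page,
        // which is why the text recommends a single tokenized form per page.
        return str_replace($match[0], issueToken($session, $tokenName, $tokenType) . $match[0], $content);
    }
    return $content;
}

// Check a submission, following autoCheckToken(): verify only when the session
// holds a token, reject a missing or mismatching value, destroy the token on
// success. hash_equals() replaces != so the comparison is constant-time.
function checkToken(array $data, array &$session, $tokenName) {
    if (!isset($session[$tokenName])) {
        return true;   // nothing issued in this session, so nothing to verify
    }
    if (empty($data[$tokenName]) || !hash_equals($session[$tokenName], (string) $data[$tokenName])) {
        return false;  // forged, stale or missing token
    }
    unset($session[$tokenName]);   // one-time use: the same value cannot match twice
    return true;
}

function report($label, $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
    return $ok;
}

// --- constructed walk-through ---
$page     = '<form method="post" action="/User/add"><input name="name" /></form>';
$rendered = injectToken($page, $session, $tokenName, $tokenType);
report('hidden field inserted before </form>',
       preg_match('#<input type="hidden" name="__hash__" value="[0-9a-f]{32}" /></form>#', $rendered) === 1);

// A form served from elsewhere does not know the session token, so its POST is rejected.
report('POST without token rejected',
       checkToken(array('name' => 'eve'), $session, $tokenName) === false);
report('POST with wrong token rejected',
       checkToken(array('name' => 'eve', $tokenName => str_repeat('0', 32)), $session, $tokenName) === false);

// The genuine form carries the issued value and passes; the token is then consumed.
$post = array('name' => 'alice', $tokenName => $session[$tokenName]);
report('genuine POST accepted', checkToken($post, $session, $tokenName) === true);
report('token destroyed after use', !isset($session[$tokenName]));

// Caveat visible in autoCheckToken(): with no token left in the session the
// check is skipped, so the very same POST is accepted again.
report('second POST accepted once the session token is gone (check skipped)',
       checkToken($post, $session, $tokenName) === true);

// Opt-out: {__NOTOKEN__} is stripped and no token is issued for that page.
$optOut = injectToken('<form>{__NOTOKEN__}</form>', $session, $tokenName, $tokenType);
report('{__NOTOKEN__} stripped without issuing a token',
       $optOut === '<form></form>' && !isset($session[$tokenName]));
```

Run it with php on the command line; every line should print PASS. The last but one check is the point to take away for a deployment: autoCheckToken only verifies while $_SESSION[TOKEN_NAME] is set, so a session that has never rendered a tokenized form, or whose token was already consumed, submits without any check. If that matters for your application, make the verifying action require that a token was issued (for example by treating a missing session token as a failure rather than a pass), and keep the one-form-per-page advice from the text, since all forms on a page share the single session token.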