This article shows the implementation of the create method and automatic token verification in ThinkPHP in the form of an example. The specific steps are as follows:
1. Data table structure
The user table structure is as follows:
id username password
2. View template part
aoli\Home\Tpl\default\User\create.html page is as follows:
<form action="__URL__/addit" method="post">
    <input type="text" name="id" />
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="submit" name="sub" value="提交" />
</form>
3. Action part:
aoliHomeLibAction.php page is as follows:
<?php
class UserAction extends Action {
    // Render the form template (create.html)
    function create(){
        $this->display();
    }
    function addit(){
        // Add the form content to the user table
        $user=M('user');
        $user->create();
        $user->add();
        // Check the form token
        if(!$user->autoCheckToken($_POST)){
            dump('no');
        }else{
            dump('yes');
        }
    }
}
?>
1. Before operating the data submitted by the form, we often need to manually create the required data, such as the form data submitted above:
// Instantiate the User model
$user=M('user');
// Get the POST data from the form
$data['username']=$_POST['username'];
$data['password']=$_POST['password'];
// Write to the database
$user->data($data)->add();
Note: Data objects created with the data method are not automatically verified or filtered; you need to handle that yourself. If you only want to create a simple data object and do not need any of the additional functions, the data method is enough.
2. ThinkPHP can help us quickly create data objects. The most typical application is to automatically create data objects based on form data. The data object created by the create method is stored in memory and is not actually written to the database.
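// Instantiate the user model
$user=M('user');
// Create a data object from the POST data submitted by the form and keep it in memory; you can inspect it with dump($user)
$user->create();
// Write the created data object to the database
$user->add();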
3. The create method supports creating data objects from other ways, such as from other data objects or arrays, etc.
$data['name']='ThinkPHP';
$data['email']='ThinkPHP@gmail.com';
$user->create($data);
It even supports creating a new data object from an object, for example creating a new member data object from the user data object:
$user=M('user');
$user->find(1);
$member=M('member');
$member->create($user);
4. While creating the data object, the create method also completes some meaningful work, including token verification, automatic data verification, field type search, automatic data completion, etc.
Therefore, the token verification, automatic verification and automatic completion functions we are familiar with must actually use the create method to take effect.
5. Token verification:
Purpose: it effectively prevents remote submission of forms, among other security protections.
Add the following configuration to config.php:
'TOKEN_ON' => true,      // Whether to enable token verification
'TOKEN_NAME' => 'token', // Name of the hidden form field used for token verification
'TOKEN_TYPE' => 'md5',   // Hash rule for token verification
With automatic tokens enabled, the framework puts an md5 hash string into the current SESSION and inserts the same string into the form as a hidden field. The string therefore exists in two places: in the SESSION and in the form. When the form is submitted, the first thing the server does is compare the submitted value with the one in the SESSION. If they match, the submission is allowed; otherwise it is rejected.
Looking at the source code of create.html, you will see an automatically generated hidden field before the end mark of the form:
<input type="hidden" name="token" value="eef419c3d14c9c93caa7627eedaba4a5" />
(1) If you want to control the location of the hidden field, you can manually add the {__TOKEN__} mark to the form page, and the system will automatically replace it when outputting the template.
(2) If form token verification is turned on but an individual form does not need it, you can add {__NOTOKEN__} to the form page, and the system will ignore the token verification of the current form.
(3) If there are multiple forms on the page, it is recommended to add the {__TOKEN__} identifier and ensure that only one form requires token verification.
(4) If you use the create method to create a data object, form verification will be automatically performed at the same time. If this method is not used, you need to manually call the autoCheckToken method of the model for form verification.
if (!$User->autoCheckToken($_POST)){
    // Token verification error
}
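The session-and-hidden-field check described above, as a stand-alone added example; it is not ThinkPHP's own code. It assumes a plain array in place of $_SESSION, random_bytes() in place of the md5 rule, and the hypothetical helpers issueToken() and checkToken().

```php
<?php
// Added example, not ThinkPHP source. $session stands in for $_SESSION so the
// script runs from the CLI; TOKEN_NAME mirrors the 'TOKEN_NAME' setting.
const TOKEN_NAME = 'token';

// Issue a token: keep one copy in the session, return the other as a hidden field.
function issueToken(array &$session): string
{
    // Assumption: an unpredictable value from random_bytes(), not an md5 of a timestamp.
    $token = bin2hex(random_bytes(16));
    $session[TOKEN_NAME] = $token;
    return '<input type="hidden" name="' . TOKEN_NAME . '" value="' . $token . '" />';
}

// Compare the submitted token with the session copy.
// The token is single-use: it is removed on the first check, so a replayed form fails.
function checkToken(array &$session, array $post): bool
{
    if (!isset($session[TOKEN_NAME], $post[TOKEN_NAME]) || !is_string($post[TOKEN_NAME])) {
        return false; // no token on one side: the form was not rendered by this session
    }
    $expected = $session[TOKEN_NAME];
    unset($session[TOKEN_NAME]);
    return hash_equals($expected, $post[TOKEN_NAME]); // constant-time comparison
}

// Constructed walk-through of three submissions.
$session = [];
$field = issueToken($session);
preg_match('/value="([0-9a-f]{32})"/', $field, $m);
$post = ['username' => 'demo', 'password' => 'demo', TOKEN_NAME => $m[1]];

var_dump(checkToken($session, $post)); // first submission of the rendered form
var_dump(checkToken($session, $post)); // the same form submitted again
issueToken($session);
var_dump(checkToken($session, ['username' => 'demo'])); // form posted without a token
```

Only the first submission is accepted; the replayed form and the form without a token are both rejected.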
I hope the examples shown in this article will be helpful to everyone’s ThinkPHP programming design.
1. The create method can process the data submitted by POST (automatically encapsulate the data instance through the corresponding relationship between the field name in the table and the name submitted by the form). For example, there is a field named "username" in the user table. If the form There is an , then $User = M('User'); $data = $User->create(); echo $data['username'] ; will output "Xiao Ming", you don't need to use $_POST['username'] to receive it.
2. Use the create method to perform token verification on the form to prevent repeated submission of the form.
3. The data can be automatically verified, but the premise is that you must manually create a UserModel.class.php file in the Model folder and add verification rules in it
protected $_validate = array(
array( 'username','require','Username must be', 1),
);
4. Fields can be assigned values automatically, but a UserModel.class.php file must be manually created in the Model folder, adding:
protected $_auto = array(
array('create_time','time',self::MODEL_INSERT,'function'),
);
Then the user's registration time will automatically be set to the current time.
Attached is the source code of the create method:
/**
* Create a data object but do not save it to the database
* @access public
* @param mixed $data Create data
* @param string $type status
* @return mixed
*/
public function create($data='',$type='') {
    // If no value is passed, the POST data is taken by default
    if(empty($data)) {
        $data = $_POST;
    }elseif(is_object($data)){
        $data = get_object_vars($data);
    }
    // Verify data
    if(empty($data) || !is_array($data)) {
        $this->error = L('_DATA_TYPE_INVALID_');
        return false;
    }
    // Check field mapping
    $data = $this->parseFieldsMap($data,0);
    // Status
    $type = $type?$type:(!empty($data[$this->ge...
The new version of ThinkPHP has a built-in form token verification function, which effectively prevents remote submission of forms, among other security protections.
Configuration parameters related to form token verification are:
'TOKEN_ON'=>true, // Whether to enable token verification
'TOKEN_NAME'=>'__hash__', // Name of the hidden form field used for token verification
'TOKEN_TYPE'=>'md5', // The default token hash verification rule is MD5
If the form token verification function is turned on, the system will automatically generate a hidden field named after TOKEN_NAME in any template file that contains a form. Its value is a hash string generated in TOKEN_TYPE mode, used to implement automatic token verification of the form.
The automatically generated hidden field is located before the form end mark. If you want to control the position of the hidden field, you can manually add the {__TOKEN__} mark on the form page, and the system will automatically replace it when outputting the template.
If form token verification is turned on and individual forms do not need to use the token verification function, you can add {__NOTOKEN__} to the form page, and the system will ignore the token verification of the current form.
If there are multiple forms on the page, it is recommended to add the {__TOKEN__} identifier and ensure that only one form requires token verification.
The model class will automatically perform form token verification when creating the data object. If you do not use the create method to create the data object, you need to manually call the autoCheckToken method of the model to perform form token verification. If false is returned, it indicates a form token validation error. For example:
$User = M("User"); // Instantiate User object
// Manual token verification
if (!$User->autoCheckToken($_POST)){
    // Token verification error
}