PHP Token Design (PHP Tutorial)
Goals of the design:
How are repeated submissions avoided?
Keep an array in the SESSION that records every token that has already been submitted successfully. When the back end processes a request, it first checks whether the incoming token is in this array; if it is, the request is a repeated submission.
How is the origin checked?
Optionally, the current session_id is embedded in the token when it is generated. If someone copies your HTML (token included) and submits it, the session_id inside the token will not equal the current session_id, so the submission can be identified as coming from outside.
How is the token matched to the action to be performed?
When the token is generated, the name of the action it is issued for is written into it, so that the handler can extract the action from the token and compare it.
The GToken I wrote earlier could not meet the second point above, but I modified it today and added that function. Personally I think it is acceptable.
Please take a look at the code. If anything seems unreasonable, please point it out. Thank you.
I found the encryption method online and modified it slightly.
GEncrypt.inc.php:
<?php
class GEncrypt extends GSuperclass {
    protected static function keyED($txt, $encrypt_key) { // XOR each byte of $txt with the md5 hex digest of $encrypt_key, cycling through the digest
        $encrypt_key = md5($encrypt_key);
        $ctr = 0; $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++) {
            if ($ctr == strlen($encrypt_key)) $ctr = 0;
            $tmp .= substr($txt, $i, 1) ^ substr($encrypt_key, $ctr, 1);
            $ctr++;
        }
        return $tmp;
    }
    public static function encrypt($txt, $key) {
        // per-message random key; each key character is emitted next to the byte it masks
        $encrypt_key = md5(((float) date("YmdHis") + rand(10000000000000000, 99999999999999999)) . rand(100000, 999999));
        $ctr = 0; $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++) {
            if ($ctr == strlen($encrypt_key)) $ctr = 0;
            $tmp .= substr($encrypt_key, $ctr, 1) . (substr($txt, $i, 1) ^ substr($encrypt_key, $ctr, 1));
            $ctr++;
        }
        return base64_encode(self::keyED($tmp, $key)); // mask the pairs with $key, then base64
    }
    public static function decrypt($txt, $key) {
        $txt = self::keyED(base64_decode($txt), $key); $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++) { // read (key char, masked char) pairs
            $md5 = substr($txt, $i, 1);
            $i++;
            $tmp .= (substr($txt, $i, 1) ^ $md5);
        }
        return $tmp;
    }
}
GToken.inc.php
Methods:
a. granteToken(formName, key): formName is the action name, key is the encryption/decryption key.
Returns a string of the form encrypt(formName:session_id).
b. isToken(token, formName, fromCheck, key): token is the value produced by granteToken, formName is the action name; if fromCheck is true, the session_id inside the token must also equal the current session_id.
c. dropToken(token): after an action has been executed successfully, call this to record the token in the session.
<?php
/**
 * Principle: when a token is requested, allocate a unique one: base64(time + rand + action).
 * When the form is submitted, record the token to indicate that it has been used; this is
 * what prevents duplicate submissions.
 */
class GToken {
/**
* Get all current tokens
*
* @return array
*/
    public static function getTokens(){
        $tokens = isset($_SESSION[GConfig::SESSION_KEY_TOKEN]) ? $_SESSION[GConfig::SESSION_KEY_TOKEN] : null;
        if (empty($tokens) || !is_array($tokens)) { // nothing recorded yet (or a corrupted value): start empty
            $tokens = array();
        }
        return $tokens;
    }
    /**
     * Generate a new Token
     *
     * @param string $formName action name written into the token
     * @param string $key encryption key
     * @return string
     */
public static function granteToken($formName,$key = GConfig::ENCRYPT_KEY ){
$token = GEncrypt::encrypt($formName.":".session_id(),$key);
return $token;
}
/**
* Deleting a token actually adds an element to an array in the session, indicating that the token has been used before to avoid repeated submission of data.
*
* @param string $token
*/
public static function dropToken($token){
$tokens = self::getTokens();
$tokens[] = $token;
GSession::set(GConfig::SESSION_KEY_TOKEN ,$tokens);
}
    /**
     * Check whether the token is valid for the given action. If $fromCheck is true, the session_id
     * carried in the token must also equal the current session_id.
     * @param string $token value produced by granteToken
     * @param string $formName action name
     * @param boolean $fromCheck also verify the origin (session_id)
     * @param string $key encryption key
     * @return boolean
     */
    public static function isToken($token,$formName,$fromCheck = false,$key = GConfig::ENCRYPT_KEY){
$tokens = self::getTokens();
        if (in_array($token, $tokens, true)) // already recorded: this token has been used
            return false;
        $source = explode(":", GEncrypt::decrypt($token, $key)); // split() was removed in PHP 7
        if (count($source) < 2) // not a token we issued (or decrypted with the wrong key)
            return false;
        if ($fromCheck)
            return $source[1] === session_id() && $source[0] === $formName;
        else
            return $source[0] === $formName;
}
}
?>
Example:
First take the token out of $_POST and check it with isToken.

To check that the action matching works, change the formName passed to isToken and run it: the action is not executed because it does not match, which proves this part works.
I have not verified whether repeated submissions are actually avoided; the logic is very simple.
What remains is to check that the origin check works properly.
Copy the HTML generated by the above example to a local web page (so that it is served from a different domain) and submit it: the source is unknown and no action is executed (the third parameter of isToken must be set to true).
Set the third parameter of isToken to false, submit, and the specified action is executed.
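The three checks walked through above (action match, origin, reuse), exercised from the command line as an added example that is not part of the original post. GConfig, GSession and GSuperclass are not shown in the post, so the stand-ins below are assumptions that mirror how GToken and GEncrypt use them; the script also assumes the two include files sit beside it and a 64-bit PHP build (the rand() range in GEncrypt does not fit in 32 bits).

```php
<?php
// Added example, not part of the original post. GSuperclass, GConfig and GSession
// are assumed stand-ins for classes the post references but does not show.
class GSuperclass {}
class GConfig {
    const SESSION_KEY_TOKEN = 'g_tokens';                    // assumed session key name
    const ENCRYPT_KEY = 'replace-with-a-long-random-secret'; // placeholder key
}
class GSession {
    public static function set($key, $value) { $_SESSION[$key] = $value; }
}
require_once 'GEncrypt.inc.php';
require_once 'GToken.inc.php';

// Print whether an isToken() result matches what the design promises
function expect($label, $want, $got) {
    echo ($want === $got ? 'PASS' : 'FAIL') . ": $label\n";
}

session_id('sessionA'); // fixed id so the run is reproducible
session_start();

$action = 'delete_user';
$token  = GToken::granteToken($action);

// 1. Action match: a token only validates for the action it was issued for
expect('same action accepted',  true,  GToken::isToken($token, $action));
expect('other action rejected', false, GToken::isToken($token, 'update_user'));

// 2. Origin: a token copied from another visitor's page carries their session_id.
//    Constructed here by encrypting a foreign id the same way granteToken does.
$foreign = GEncrypt::encrypt($action . ':sessionB', GConfig::ENCRYPT_KEY);
expect('foreign token rejected with origin check',    false, GToken::isToken($foreign, $action, true));
expect('foreign token accepted without origin check', true,  GToken::isToken($foreign, $action, false));

// 3. Reuse: after the action runs, dropToken records the token and a resubmit is refused
GToken::dropToken($token);
expect('reused token rejected', false, GToken::isToken($token, $action, true));
```

Run it twice in the same session store and the third block still rejects the old token, because dropToken appends to the session array rather than replacing it.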
That is as far as it goes for now. I do not know whether bugs remain anywhere; they will have to be found and fixed gradually in long-term use.
