PHP form key bug
Question
Can someone look at my two functions below and suggest what I can do? I have created two functions that basically create a unique key; this is echoed in a hidden field in a form, and then, straight after I check whether the form has been submitted, the second function checks whether the key in the hidden field matches the key in the session.
The problem I am having is that now and again it just redirects me to the forbidden page, suggesting the keys don't match, although I have not edited the form key deliberately using my Firefox web dev tools to test.
I am not sure if it's a cache issue or not; can anyone see if there is something that I am missing or could improve on? It only happens now and again. For example, if I submit the form a few times it may then just go to the forbidden page, which suggests the key in the hidden field did not match the key in the session, although I see nothing wrong with my two functions.
Here is my first function. It creates a unique key, and this is echoed out in a hidden field in the form. I also have a time limit on how long a user has to submit the form, but I have commented that out for now because the problem seems to happen more often when it is enabled.
    # Generates a fresh token, stores it in the session and returns it for the hidden field.
    # Requires session_start() to have been called earlier on the page.
    function GenerateFormTokenHash($token)
    {
        # Note: every call overwrites $_SESSION['token'] with a new value.
        $token = $_SESSION['token'] = md5(uniqid(mt_rand(), true));
        //$token_time = $_SESSION['token_time'] = time();
        return htmlspecialchars($token);
        //return $token_time;
    }
To use the function above I simply echo GenerateFormTokenHash($token); in a hidden field called token.
The function below is used straight after I check if the form has been submitted.
    # Form Token Hash Validator
    function IsValidFormTokenHash()
    {
        /*global $websiteaddress;
        # Optional expiry check (currently disabled, see the question above)
        $token_age = time() - $_SESSION['token_time'];
        if($token_age >= 300) {
            echo 'Session Expired';
            echo 'This form has now expired. ';
            echo 'Please click here to go back to the form.';
            $_SESSION = array();
            setcookie(session_name(), '', time()-42000, '/');
            # Destroy the session
            session_destroy();
            # Generate new session id
            session_regenerate_id(true);
            exit;
        }*/
        # Reject when the posted token differs from the session token, or either one is missing.
        if(isset($_POST['token']) && $_POST['token'] != $_SESSION['token'] || !isset($_POST['token']) || !isset($_SESSION['token']))
        {
            $_SESSION = array();
            setcookie(session_name(), '', time()-42000, '/');
            # Destroy the session
            session_destroy();
            # Generate new session id
            session_regenerate_id(true);
            # redirect() is the asker's own helper from functions.php, not a PHP built-in
            redirect("/error/forbidden.php");
            exit;
        }
    }
Again, that function is in my functions.php file, so after I check if the form has been submitted I simply call the function as follows:
    if(isset($_POST['submit'])) {
        IsValidFormTokenHash();
    }
So I am basically trying to work out why, every now and then, it just thinks the session key and the key in the hidden field do not match. Maybe a cache issue, or something I can do to ensure it works properly?
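With the pattern above, every render of the form overwrites the single $_SESSION['token'], so any second render (another tab, a prefetch, a page that re-renders the form before the POST is validated) silently invalidates the first copy. The following is an added example, not the asker's code, that keeps one token per form name until that form is validated, generates it with a CSPRNG, and compares with hash_equals; it assumes session_start() runs before any output and that the submitted form arrives in $_POST.

```php
<?php
// Added example (not from the question): per-form CSRF tokens that survive re-renders.
// Assumption: session_start() has run and $_POST holds the submitted form.
session_start();

function csrf_token(string $form): string
{
    // Reuse the stored token for this form instead of regenerating on every render.
    if (empty($_SESSION['csrf'][$form])) {
        $_SESSION['csrf'][$form] = bin2hex(random_bytes(32)); // CSPRNG, not md5(uniqid())
    }
    return $_SESSION['csrf'][$form];
}

function csrf_field(string $form): string
{
    // Hidden field markup; htmlspecialchars guards the attribute value.
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token($form), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_validate(string $form, array $post): bool
{
    $expected = $_SESSION['csrf'][$form] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false; // missing on either side is a failure, no notice raised
    }
    // hash_equals is a constant-time comparison, avoiding a timing side channel.
    $ok = hash_equals($expected, $given);
    if ($ok) {
        unset($_SESSION['csrf'][$form]); // one-time use: a replayed POST is rejected
    }
    return $ok;
}

// Constructed walk-through: render the form twice, then submit the first copy.
$first  = csrf_field('contact');
$second = csrf_field('contact');       // identical to $first, so both copies stay valid
var_dump($first === $second);
$submitted = ['token' => csrf_token('contact'), 'submit' => '1'];
var_dump(csrf_validate('contact', $submitted));
var_dump(csrf_validate('contact', $submitted)); // second use of the same token fails
```

Calling csrf_validate() before the form is rendered again on the same request keeps the consumed token from being reused; a failed POST that re-renders the form simply receives a fresh token from csrf_token().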
Accepted answer
Probably what you need is to put parentheses around your if check parts; they are probably getting evaluated in another way than your logic needs:
    if( (isset($_POST['token']) && $_POST['token'] != $_SESSION['token']) //<-- added parenthesis around those
        || !isset($_POST['token'])
        || !isset($_SESSION['token']))