{"id":1723,"date":"2021-05-17T08:53:56","date_gmt":"2021-05-17T08:53:56","guid":{"rendered":"https:\/\/phptutorial.net\/?page_id=1723"},"modified":"2025-04-07T14:57:13","modified_gmt":"2025-04-07T14:57:13","slug":"php-csrf","status":"publish","type":"page","link":"https:\/\/www.phptutorial.net\/php-tutorial\/php-csrf\/","title":{"rendered":"PHP CSRF"},"content":{"rendered":"\n

Summary<\/strong>: in this tutorial, you will learn about cross-site request forgery (CSRF) attacks and how to prevent them in PHP.<\/p>\n\n\n\n

What is CSRF #<\/a><\/h2>\n\n\n\n

CSRF stands for cross-site request forgery. It’s a kind of attack in which a hacker forces you to execute an action against a website where you’re currently logged in.<\/p>\n\n\n\n

For example, you visit the malicious-site.com<\/code> that has a hidden form. And that form submits on page load to yourbank.com\/transfer-fund<\/code> form.<\/p>\n\n\n\n

Because you’re currently logged in to the yourbank.com<\/code>, the request silently transfers a fund out of your bank account.<\/p>\n\n\n\n

If yourbank.com\/transfer-fund<\/code> implements the CSRF correctly, it generates a one-time token and inserts the token into the fund transfer form like this:<\/p>\n\n\n

<input type=\"hidden\"<\/span> \n       name=\"token\"<\/span>\n       value=\"b3f44c1eb885409c222fdb78c125f5e7050ce4f3d15e8b15ffe51678dd3a33d3a18dd3\"<\/span>><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
When the malicious-site.com<\/code> submits the form, the yourbank.com\/transfer-fund<\/code> form compares the token with the one on the yourbank.com<\/code>‘s server.<\/p>\n\n\n\n
If the token doesn’t exist in the submitted data or it doesn’t match with the token on the server, the fund transfer form will reject the submission and return an error.<\/p>\n\n\n\n
When the malicious-site.com<\/code> tries to submit the form, the token is likely not available or won’t match.<\/p>\n\n\n\n
How to implement CSRF token in PHP #<\/a><\/h2>\n\n\n\n
First, create a one-time token and add it to the $_SESSION<\/code> variable:<\/p>\n\n\n
$_SESSION['token'<\/span>] = md5(uniqid(mt_rand(), true<\/span>));<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Second, add a hidden field whose value is the token and insert it into the form:<\/p>\n\n\n
<input type=\"hidden\"<\/span> name=\"token\"<\/span> value=\"<?php echo $_SESSION['token'] ?? '' ?>\"<\/span>><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Third, when the form is submitted, check if the token exists in the INPUT_POST<\/code> and compare it with the $_SESSION['token']<\/code>:<\/p>\n\n\n
<?php<\/span>\n\n$token = filter_input(INPUT_POST, 'token'<\/span>, FILTER_SANITIZE_STRING);\n\nif<\/span> (!$token || $token !== $_SESSION['token'<\/span>]) {\n    \/\/ return 405 http status code<\/span>\n    header($_SERVER['SERVER_PROTOCOL'<\/span>] . ' 405 Method Not Allowed'<\/span>);\n    exit<\/span>;\n} else<\/span> {\n    \/\/ process the form<\/span>\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
If the token doesn’t exist or doesn’t match, return the 405 HTTP status code and exit.<\/p>\n\n\n\n
PHP CSRF example #<\/a><\/h2>\n\n\n\n
We’ll create a simple fund transfer form<\/a> to demonstrate how to prevent a CSRF attack:<\/p>\n\n\n\n
\"php<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
First, create the following file and directory:<\/p>\n\n\n
.\n\u251c\u2500\u2500 css\n\u2502   \u2514\u2500\u2500 style.css\n\u251c\u2500\u2500 inc\n\u2502   \u251c\u2500\u2500 footer.php\n\u2502   \u251c\u2500\u2500 get.php\n\u2502   \u251c\u2500\u2500 header.php\n\u2502   \u2514\u2500\u2500 post.php\n\u2514\u2500\u2500 index.php<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
header.php #<\/a><\/h3>\n\n\n\n
The header.php<\/code> file contains the code that shows the first section of the page:<\/p>\n\n\n
<!DOCTYPE html>\n<html lang=\"en\"<\/span>>\n<head>\n    <meta charset=\"UTF-8\"<\/span>>\n    <meta name=\"viewport\"<\/span> content=\"width=device-width, initial-scale=1.0\"<\/span>>\n    <link rel=\"stylesheet\"<\/span> href=\"css\/style.css\"<\/span>>\n    <title>PHP CSRF - Fund Transfer Demo<\/title>\n<\/head>\n<body>\n    <main><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n