
How to Implement ThinkPHP Token Verification

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03

This article explains how to implement ThinkPHP token verification.

ThinkPHP has a built-in form token verification feature, which can effectively prevent the remote submission of forms and provides other security protection.

The configuration parameters related to form token verification are:

```php
'TOKEN_ON'   => true,       // whether to enable token verification
'TOKEN_NAME' => '__hash__', // name of the hidden form field used for token verification
'TOKEN_TYPE' => 'md5',      // token hash rule, defaults to MD5
```

When form token verification is enabled, the system automatically generates a hidden field in every template file that contains a form. The field's name is the value of TOKEN_NAME and its value is a hash string generated with the TOKEN_TYPE rule; this is what makes automatic form token verification work.

The automatically generated hidden field is placed just before the form's closing tag. To control where the hidden field goes, manually add the {__TOKEN__} marker to the form page; the system replaces it when the template is output. If token verification is enabled but an individual form does not need it, add {__NOTOKEN__} to the form page and token verification is skipped for that form.

If there are multiple forms on the page, it is recommended that you add the {__TOKEN__} marker and ensure that only one form requires token verification.

The model class automatically verifies the form token while creating the data object. If you do not use the create method to create the data object, you need to manually call the autoCheckToken method of the model for form token verification. If false is returned, it indicates a form token validation error. For example:

```php
$User = M("User"); // instantiate the User object
// manually perform token verification on the submitted form data
if (!$User->autoCheckToken($_POST)) {
    // token verification error
}
```

A common template replacement function is defined in View.class.php of the ThinkPHP framework:

```php
protected function templateContentReplace($content) {
    // system default special-variable replacements
    $replace = array(
        '../Public'  => APP_PUBLIC_PATH, // project public directory
        '__PUBLIC__' => WEB_PUBLIC_PATH, // site public directory
        '__TMPL__'   => APP_TMPL_PATH,   // project template directory
        '__ROOT__'   => __ROOT__,        // current website address
        '__APP__'    => __APP__,         // current project address
        '__UPLOAD__' => __ROOT__.'/Uploads',
        '__ACTION__' => __ACTION__,      // current operation address
        '__SELF__'   => __SELF__,        // current page address
        '__URL__'    => __URL__,
        '__INFO__'   => __INFO__,
    );
    if (defined('GROUP_NAME')) {
        $replace['__GROUP__'] = __GROUP__; // current project address
    }
    if (C('TOKEN_ON')) {
        if (strpos($content, '{__TOKEN__}')) {
            // the page specifies where the hidden token field goes
            $replace['{__TOKEN__}'] = $this->buildFormToken();
        } elseif (strpos($content, '{__NOTOKEN__}')) {
            // marked as not requiring token verification
            $replace['{__NOTOKEN__}'] = '';
        } elseif (preg_match('/<\/form(\s*)>/is', $content, $match)) {
            // smart insertion: hidden token field goes before the closing </form> tag
            $replace[$match[0]] = $this->buildFormToken().$match[0];
        }
    }
    // allow user-defined template string substitution
    if (is_array(C('TMPL_PARSE_STRING')))
        $replace = array_merge($replace, C('TMPL_PARSE_STRING'));
    $content = str_replace(array_keys($replace), array_values($replace), $content);
    return $content;
}
```

The if (C('TOKEN_ON')) check above determines whether token verification is enabled. If it is enabled, the buildFormToken() method is called. Its statement $_SESSION[$tokenName] = $tokenValue; is actually assigning a value to $_SESSION['__hash__']. If you do not want token verification, just add {__NOTOKEN__} to the page, and it will be replaced with an empty string.

The token verification function is defined in the Model.class.php class of ThinkPHP:

```php
// form token verification
if (C('TOKEN_ON') && !$this->autoCheckToken($data)) {
    $this->error = L('_TOKEN_ERROR_');
    return false;
}

// automatic form token verification
public function autoCheckToken($data) {
    $name = C('TOKEN_NAME');
    if (isset($_SESSION[$name])) {
        // token verification is currently required
        if (empty($data[$name]) || $_SESSION[$name] != $data[$name]) {
            // illegal submission
            return false;
        }
        // verification passed: destroy the session token
        unset($_SESSION[$name]);
    }
    return true;
}
```
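Two properties of the autoCheckToken() listing above matter when relying on it: it returns true when the session holds no token at all, and it compares with the loose != operator. The following added example (not ThinkPHP code; the function names are hypothetical and a plain array stands in for $_SESSION) runs the same logic beside a stricter, fail-closed variant on constructed inputs.

```php
<?php
// Added example, not ThinkPHP code. $session stands in for $_SESSION so the
// script runs from the CLI; both function names are hypothetical.

// Same logic as the autoCheckToken() listing above.
function checkTokenAsShown(array &$session, array $data, string $name): bool
{
    if (isset($session[$name])) {
        if (empty($data[$name]) || $session[$name] != $data[$name]) {
            return false;
        }
        unset($session[$name]);
    }
    return true; // also reached when the session holds no token at all
}

// Stricter variant: fail closed, strings only, constant-time compare, single use.
function checkTokenStrict(array &$session, array $data, string $name): bool
{
    $expected = $session[$name] ?? null;
    $given    = $data[$name] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false; // no issued token, or malformed input: reject
    }
    if (!hash_equals($expected, $given)) {
        return false;
    }
    unset($session[$name]); // a token is accepted once
    return true;
}

// Constructed test data: [session contents, submitted form data].
$name  = '__hash__';
$token = bin2hex(random_bytes(16));
$cases = [
    'matching token'       => [[$name => $token], [$name => $token]],
    'wrong token'          => [[$name => $token], [$name => 'x' . $token]],
    'no token in session'  => [[], [$name => $token]],
    'numeric-looking pair' => [[$name => '0e1234'], [$name => '0e5678']],
];

foreach ($cases as $label => [$session, $data]) {
    $s1 = $session; // separate copies so each check consumes its own token
    $s2 = $session;
    printf("%-22s shown=%-5s strict=%s\n", $label,
        var_export(checkTokenAsShown($s1, $data, $name), true),
        var_export(checkTokenStrict($s2, $data, $name), true));
}
```

The two functions disagree on the last two cases. A request that arrives when no token was issued is accepted by the listing's logic, and PHP's loose comparison treats two different numeric-looking strings as equal.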
