CSRF
<?php | |
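/**
 * Session-backed CSRF token helper.
 *
 * Two values are kept in $_SESSION for the lifetime of the session:
 *  - 'token_id'    : a short random string used as the hidden field's name
 *  - 'token_value' : the secret the form must echo back
 *
 * session_start() must have been called before any method is used; the
 * class does not start the session itself. Both values are generated once
 * per session and reused until the session ends (no per-request rotation).
 */
class csrf
{
    /**
     * Return the session's token field name, creating it on first use.
     *
     * @return string 10 hex characters, stored in $_SESSION['token_id']
     */
    public function get_token_id()
    {
        if (!isset($_SESSION['token_id'])) {
            $_SESSION['token_id'] = $this->random(10);
        }
        return $_SESSION['token_id'];
    }

    /**
     * Return the session's secret token value, creating it on first use.
     *
     * @return string sha256 hex digest (64 chars) of 500 random hex chars,
     *                stored in $_SESSION['token_value']
     */
    public function get_token()
    {
        if (!isset($_SESSION['token_value'])) {
            $_SESSION['token_value'] = hash('sha256', $this->random(500));
        }
        return $_SESSION['token_value'];
    }

    /**
     * Check whether the request carries the session's token.
     *
     * @param string $method 'post' to read $_POST, 'get' to read $_GET;
     *                       anything else (including 'POST') is rejected
     * @return bool true only if the field named by get_token_id() is present,
     *              is a string, and equals get_token()
     */
    public function check_valid($method)
    {
        // Explicit mapping instead of variable-variables, and strict comparison so
        // loose-equality surprises (e.g. 0 == 'post' on PHP < 8) cannot select a source.
        if ($method === 'post') {
            $source = $_POST;
        } elseif ($method === 'get') {
            $source = $_GET;
        } else {
            return false;
        }

        $tokenId = $this->get_token_id();
        // A non-string value (e.g. name[]=...) would make hash_equals throw; treat it as invalid.
        if (!isset($source[$tokenId]) || !is_string($source[$tokenId])) {
            return false;
        }

        // Constant-time comparison. The previous loose == also accepted
        // numerically-equal strings and short-circuited on the first differing byte.
        return hash_equals($this->get_token(), $source[$tokenId]);
    }

    /**
     * Produce $len hex characters from a CSPRNG.
     *
     * Prefers random_bytes() (PHP 7+), then openssl_random_pseudo_bytes()
     * with its $strong flag checked. There is deliberately no fallback to
     * mt_rand() seeded from time(): a predictable token defeats the class.
     *
     * @param int $len number of hex characters wanted; <= 0 yields ''
     * @return string
     * @throws RuntimeException when no secure random source is available
     */
    private function random($len)
    {
        $len = (int) $len;
        if ($len <= 0) {
            return '';
        }
        // Each byte becomes two hex chars; round up, then trim to $len.
        $byteLen = (int) ceil($len / 2);

        if (function_exists('random_bytes')) {
            $bytes = random_bytes($byteLen);
        } elseif (function_exists('openssl_random_pseudo_bytes')) {
            $strong = false;
            $bytes = openssl_random_pseudo_bytes($byteLen, $strong);
            if ($bytes === false || !$strong) {
                throw new RuntimeException('No cryptographically strong random source available');
            }
        } else {
            throw new RuntimeException('No cryptographically strong random source available');
        }

        return substr(bin2hex($bytes), 0, $len);
    }
}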
?> |
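<?php
// Demo form: renders a hidden field named after the session's CSRF token id
// whose value is the session's token; submit.php verifies it on POST.
session_start();
require_once 'csrf.class.php';

$csrf = new csrf();
// Both values are created on first call and then reused for the session.
// get_token() takes no arguments; the previous call passed $token_id needlessly.
$token_id = $csrf->get_token_id();
$token_value = $csrf->get_token();
?>
<form action="submit.php" method="post">
    <!-- Escaped for the attribute context: the values are hex today, but
         escaping keeps the template safe if the generator ever changes. -->
    <input type="hidden" name="<?= htmlspecialchars($token_id, ENT_QUOTES, 'UTF-8'); ?>" value="<?= htmlspecialchars($token_value, ENT_QUOTES, 'UTF-8'); ?>" />
    <input type="submit" value="Login"/>
</form>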
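<?php
// Demo handler: accepts the POST only when it carries the session's CSRF token.
session_start();
require_once 'csrf.class.php';

$csrf = new csrf();
// check_valid() fetches (and, for a fresh session, creates) both the token id
// and the token value itself, so neither needs to be computed here first.
$token_id = $csrf->get_token_id();
if ($csrf->check_valid('post')) {
    // Only reached when the submitted value equals the session token
    // (compared with hash_equals inside check_valid).
    var_dump($_POST[$token_id]);
} else {
    echo 'Not Valid';
}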