An easy way to add CSRF protection to your web forms.
<?PHP
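/**
 * Minimal one-shot CSRF token helper backed by $_SESSION.
 *
 * generate() stores a random field name and a random value in the session
 * and returns the hidden <input> to embed in a form; check() consumes that
 * pair and reports whether the current POST carries it. A pair is valid for
 * exactly one check() call, whatever the outcome.
 *
 * The caller is responsible for having an active session (session_start())
 * before either public method is used; this class does not start one.
 */
class Csrfer {
    const SESSION_NAME = 'csrfer_name';
    const SESSION_VALUE = 'csrfer_value';
    const TOKEN_FORMAT = '<input type=\'hidden\' name=\'%s\' value=\'%s\'>';
    const TOKEN_LENGTH = 128;

    /**
     * Issue a fresh token pair, store it in the session and return the hidden
     * input markup to place inside the form.
     *
     * Any previously stored pair is overwritten, so only the most recently
     * rendered form can pass check().
     *
     * @return string HTML hidden input. Name and value are alphanumeric only,
     *                so they are safe inside the quoted attributes without
     *                further escaping.
     */
    public static function generate(): string {
        $token_name = self::generate_token();
        $token_value = self::generate_token();
        $_SESSION[self::SESSION_NAME] = $token_name;
        $_SESSION[self::SESSION_VALUE] = $token_value;
        return sprintf(self::TOKEN_FORMAT, $token_name, $token_value);
    }

    /**
     * Validate the current POST request against the stored token pair.
     *
     * The stored pair is removed from the session before the comparison, so a
     * token can be checked only once: neither a replay nor a failed attempt
     * gets a second try against the same pair.
     *
     * @return bool true only when $_POST contains the stored field name whose
     *              value is exactly the stored token value.
     */
    public static function check(): bool {
        if (empty($_POST)) { return false; }
        // Without a session there is nothing to compare against; avoid the
        // TypeError array_key_exists() raises on a null $_SESSION.
        if (!isset($_SESSION) || !is_array($_SESSION)) { return false; }
        if (!array_key_exists(self::SESSION_NAME, $_SESSION)) { return false; }
        if (!array_key_exists(self::SESSION_VALUE, $_SESSION)) { return false; }
        $token_name = $_SESSION[self::SESSION_NAME];
        $token_value = $_SESSION[self::SESSION_VALUE];
        // Consume the pair before deciding, so it is single-use either way.
        unset($_SESSION[self::SESSION_NAME], $_SESSION[self::SESSION_VALUE]);
        if (!is_string($token_name) || !is_string($token_value)) { return false; }
        if (!array_key_exists($token_name, $_POST)) { return false; }
        $submitted = $_POST[$token_name];
        // A client can submit "name[]=x" and PHP will hand back an array here;
        // hash_equals() would throw a TypeError on it instead of returning false.
        if (!is_string($submitted)) { return false; }
        // Constant-time comparison so the response time does not reveal how
        // many leading characters of the secret matched.
        return hash_equals($token_value, $submitted);
    }

    /**
     * Produce TOKEN_LENGTH random characters from [A-Za-z0-9].
     *
     * Uses random_int(), a CSPRNG. mt_rand() is not suitable here: its output
     * can be predicted from a few observed values, which would let the token
     * pair be reconstructed.
     *
     * @return string
     */
    private static function generate_token(): string {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $max = strlen($chars) - 1;
        $output = '';
        for ($i = 0; $i < self::TOKEN_LENGTH; $i++) {
            $output .= $chars[random_int(0, $max)];
        }
        return $output;
    }
}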