How to deal with CSRF (I think)?

For example, in the admin CP, to delete a user there is a link: http://example.com/acp/delete-user.php?id=102 . When the link is opened, the system automatically removes this user from the database. Imagine that someone sent me a link (like this one) and I accidentally opened it. This means that I am deleting this user without knowing it. =( How do I handle this? The POST method? Some tokens? And how do I do it properly? I'm just learning. =P

+3
4 answers

I recommend that you do these things with a FORM. http://example.com/acp/delete-user.php?id=102 should show a form with a DELETE button and a HIDDEN INPUT containing a randomly generated key. The value is stored in a server-side session. When you click submit, the landing page checks whether you have passed the correct key.

There are many resources on the network about CSRF.

+4

You have viewed this article. As others have said, I hope you have authentication on everything. But for a correct implementation, you will need to implement a token service. Because if you are logged in and I send you a link, it will delete the user.

0
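The two answers above describe the same mechanism: serve the deletion as a POST form carrying a hidden, randomly generated token that is also stored in the server-side session, and only delete when the submitted token matches. The following is an added example, not code from the original thread or from any project it refers to, written in Python rather than the asker's PHP so the logic is framework-agnostic. The `SESSIONS` dict, the `handle_delete_user` handler, the sample user table and the `/acp/delete-user.php` action URL are all constructed for the example; a real application would use its framework's session store and routing.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> data.
# Each logged-in admin gets their own dict; the attacker never sees its contents.
SESSIONS = {}


def issue_csrf_token(session):
    """Generate a fresh random token and keep a copy in the server-side session.
    The returned value is what the form embeds in its hidden input."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_delete_form(session, user_id):
    """Build the confirmation form the first answer describes: a POST form with
    the user id and a hidden CSRF token (hypothetical markup, not the page's)."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/acp/delete-user.php">'
        f'<input type="hidden" name="id" value="{int(user_id)}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<button type="submit">DELETE</button></form>'
    )


def csrf_token_is_valid(session, submitted):
    """Compare the submitted token against the session copy in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_delete_user(session, method, params, db):
    """State-changing handler: refuse GET outright, then require a valid token.
    Returns (status_code, message) like an HTTP response would."""
    if method != "POST":
        return 405, "method not allowed"
    if not csrf_token_is_valid(session, params.get("csrf_token")):
        return 403, "invalid or missing CSRF token"
    # Assumption for this example: tokens are single-use, so consume it now.
    session.pop("csrf_token", None)
    uid = params.get("id")
    if uid not in db:
        return 404, "no such user"
    del db[uid]
    return 200, f"deleted user {uid}"


def demo():
    """Walk through the question's scenario: a legitimate deletion, the
    'someone sent me a link' GET, a forged cross-site POST with a guessed
    token, and a replay of a token already used. Returns what was observed."""
    db = {"101": "alice", "102": "bob"}   # constructed sample user table
    victim = {}                           # the admin's server-side session
    results = {}

    # 1. Legitimate flow: admin loads the form, then submits it with the token.
    form = render_delete_form(victim, "102")
    token = victim["csrf_token"]
    results["token_in_form"] = token in form
    results["legit"] = handle_delete_user(
        victim, "POST", {"id": "102", "csrf_token": token}, db)[0]

    # 2. The link from the question: a plain GET carrying only ?id=101.
    results["get_link"] = handle_delete_user(victim, "GET", {"id": "101"}, db)[0]

    # 3. Cross-site auto-submitted POST: the browser attaches the victim's
    #    cookies, but the other site cannot read the token from the session.
    results["forged_post"] = handle_delete_user(
        victim, "POST", {"id": "101", "csrf_token": "guess"}, db)[0]

    # 4. Replay of the token already consumed in step 1.
    results["replay"] = handle_delete_user(
        victim, "POST", {"id": "101", "csrf_token": token}, db)[0]

    results["remaining_users"] = sorted(db)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the request that came from the server-rendered form succeeds; the GET link, the forged POST and the replayed token are all refused and user 101 is still there. The token is compared with `hmac.compare_digest` so a mismatch does not leak timing information, and the POST-only rule matters on its own: it is what stops the original "just open the link" case before the token check is even reached.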

, , , , .

-1

Source: https://habr.com/ru/post/1774568/

