Re: XSS prevention
Posted: Fri Aug 17, 2007 2:01 am
feyd | Please use
Is the above code correct?
feyd | Please use
Code: Select all
,Code: Select all
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
Someone suggested of using a token verification in the form
Well i got the following codeCode: Select all
<?php
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$_SESSION['token_timestamp'] = time();
?>
<form action="/post.php" method="POST">
<input type="hidden" name="token" value="<?php echo $token;?>" />
<p>Subject: <input type="text" name="subject" /></p>
<p>Message: <textarea name="message"></textarea></p>
<p><input type="submit" value="Add Post" /></p>
</form>
Then when you get to your validation page include this.
if ($_POST['token']!= $_SESSION['token']) {
echo "Invalid data!";
exit;
}
$token_age = time() - $_SESSION['token_time'];
if ($token_age >= LOGIN_TIME_LIMIT) {
// time limit can be set here as number instead
// of LOGIN_TIME_LIMIT define, such as 60*10
exit;
}feyd | Please use
Code: Select all
,Code: Select all
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]