How to prevent Cross Site Request Forgery in PHP
- Tech Area
- July 8, 2024
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to submit a request to a web application against which they are currently authenticated. A CSRF attack exploits a vulnerability in a web application that cannot differentiate between a request the user intended to make and a request generated on their behalf without their consent.
Files used in this tutorial:
1- connection.php (database connection file)
2- index.php (registration form with CSRF token)
Below is the step-by-step process for using a CSRF token to prevent Cross-Site Request Forgery in PHP and MySQL.
Step 1: Create a Database connection
In this step, create a new file connection.php that opens the database connection.
connection.php
<?php
// connection.php: opens the MySQL connection used by index.php
$server = "localhost";
$username = "root";
$password = "";
$database = "college_db";

// Connect and select the database in one call
$connection = mysqli_connect($server, $username, $password, $database);
if(!$connection)
{
die("Connection terminated: " . mysqli_connect_error());
}
?>
Step 2: Create a file for registration form
Now create a new file index.php. This is the main file that renders the registration form and inserts the submitted data into the database.
This screenshot shows the registration form.
index.php
<?php
// session_start() must run before any HTML is output, otherwise the
// session cookie header cannot be sent
session_start();
include("connection.php");

// Issue one random token per session; the form echoes it back on submit
if(!isset($_SESSION['csrf_token']))
{
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if(isset($_POST['register']))
{
// hash_equals compares the tokens in constant time; the is_string check
// rejects array input (csrfToken[]), which would make hash_equals throw
if(!empty($_POST['csrfToken']) && is_string($_POST['csrfToken'])
&& hash_equals($_SESSION['csrf_token'], $_POST['csrfToken']))
{
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
// Prepared statement: user input is bound, never concatenated into the SQL
$stmt = mysqli_prepare($connection, "insert into tbl_student set name=?, email=?, phone=?");
if($stmt !== false)
{
mysqli_stmt_bind_param($stmt, "sss", $name, $email, $phone);
$inserted = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
}
else
{
$inserted = false;
}
$msg = $inserted ? "Data inserted successfully!" : "Error!";
}
else
{
$msg = "Invalid Request!";
}
}
?>
<html>
<head>
<title>Registration Form</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
<style>
.box
{
width:100%;
max-width:600px;
background-color:#f9f9f9;
border:1px solid #ccc;
border-radius:5px;
padding:16px;
margin:0 auto;
}
.msg
{
color: red;
font-weight: 700;
}
</style>
</head>
<body>
<div class="container">
<div class="table-responsive">
<h3 align="center">Registration Form</h3>
<div class="box">
<form method="post">
<div class="form-group">
<label for="name">Enter Your Name</label>
<input type="text" name="name" id="name" placeholder="Enter Name" required class="form-control"/>
</div>
<div class="form-group">
<label for="email">Enter Your Email</label>
<input type="email" name="email" id="email" placeholder="Enter Email" required class="form-control"/>
</div>
<div class="form-group">
<label for="phone">Enter Your Phone No.</label>
<input type="text" name="phone" id="phone" placeholder="Enter Phone No." required class="form-control"/>
</div>
<div class="form-group">
<!-- The hidden token is HTML-escaped before it is written into the page -->
<input type="hidden" name="csrfToken" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
<input type="submit" id="register" name="register" value="Submit" class="btn btn-success" />
</div>
<p class="msg"><?php if(!empty($msg)){ echo htmlspecialchars($msg); } ?></p>
</form>
</div>
</div>
</div>
</body>
</html>
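A reusable form of the token handling used in index.php, added here as an example rather than taken from the tutorial's source: tokens are bound to a form name, expire after a lifetime, are compared in constant time with hash_equals, and are discarded after one use so a captured token cannot be replayed. The session is passed in as an array so the demonstration runs from the command line without session_start(); CSRF_LIFETIME and the form name "register" are assumed values.

```php
<?php
// csrf.php: added helper, not part of the tutorial's source code.
declare(strict_types=1);

const CSRF_LIFETIME = 1800; // seconds a token stays valid (assumed value)

/** Issue (or reuse) the token for $form, stored in the session array. */
function csrf_token(array &$session, string $form): string
{
    $now = time();
    $entry = $session['csrf'][$form] ?? null;
    if ($entry === null || $now - $entry['issued'] > CSRF_LIFETIME) {
        $entry = ['token' => bin2hex(random_bytes(32)), 'issued' => $now];
        $session['csrf'][$form] = $entry;
    }
    return $entry['token'];
}

/** Verify a submitted token and consume it so it cannot be replayed. */
function csrf_verify(array &$session, string $form, ?string $submitted): bool
{
    $entry = $session['csrf'][$form] ?? null;
    if ($entry === null || $submitted === null) {
        return false;                        // no token issued or none sent
    }
    unset($session['csrf'][$form]);          // single use: always rotate
    if (time() - $entry['issued'] > CSRF_LIFETIME) {
        return false;                        // expired
    }
    // hash_equals avoids leaking the token through timing differences
    return hash_equals($entry['token'], $submitted);
}

/** Hidden field to embed in the form, escaped for HTML. */
function csrf_field(array &$session, string $form): string
{
    $token = htmlspecialchars(csrf_token($session, $form), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrfToken" value="' . $token . '">';
}

// Constructed demonstration with an in-memory session array.
$session = [];
echo csrf_field($session, 'register'), "\n";
$token = csrf_token($session, 'register');          // same token as the field
echo "genuine submit: ",  var_export(csrf_verify($session, 'register', $token), true), "\n";
echo "replayed token: ",  var_export(csrf_verify($session, 'register', $token), true), "\n";
csrf_token($session, 'register');                   // form rendered again
echo "forged value:   ",  var_export(csrf_verify($session, 'register', 'forged'), true), "\n";
echo "missing token:  ",  var_export(csrf_verify($session, 'register', null), true), "\n";
```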