问题
I think I understand CSRF and how using form keys can prevent that, but this is can only be useful for POST data coming from a form, right? In my website I let logged in users delete some items by clicking on a Delete button which sends them to delete.php?id={item_id}.
On delete.php I check if the item belongs to the user, if it does than the script deletes it. How can I stop some other site posting a link like www.mysite.com/delete.php?id=3. I understand that the attacker will have to guess the id in my case.
But in general, how do you stop CSRF for GET data or data in a url?
Also what is the difference between an attacker using an img tag or a anchor tag for doing CSRF and how do they relate to Get and Post data?
Thank you very much in advance and I will really appreciate any advice on this.
回答1:
Expanding on my comment,
Assuming you are using a cookie/session to keep track of user login. Simply md5 again on the hash and let that be your confirm.
if (isset($_GET['delete'] && md5($_COOKIE["PHPSESSID"])==$_GET['confirm'])) {
//delete something
}
Then for the HTML you could state:
<a href="www.mysite.com/delete.php?id=3&confirm=<?php echo md5($_COOKIE["PHPSESSID"]);?>">Delete</a>
回答2:
A great example of the intended difference between $_POST and $_GET. $_GET should be for reading data, while $_POST should be used for acting upon it. Instead of a link, you could use a form with one submit button, and your token as a hidden input. You can even use CSS to style the button to look like a link if desired.
来源:https://stackoverflow.com/questions/17002483/preventing-cross-site-request-forgery-in-the-url