iNaD · December 14, 2015 01:39
diff --git a/csrf.php b/csrf.php
 <?php

 function create_csrf_field()
 {
 	$field_hash = hash('sha256', time().'some_salt');
 	$hash = hash('sha256', 'some_salt'.time().rand(0,10));
 	$_SESSION['csrf_field'] = $field_hash;
 	$_SESSION['csrf_hash'] = $hash;
 	return '<input type="hidden" name="'.$field_hash.'" value="'.$hash.'">';
 }

 function check_csrf()
 {
 	if(isset($_SESSION['csrf_field']) && isset($_SESSION['csrf_hash']) && isset($_POST[$_SESSION['csrf_field']]))
 	{
 		if($_POST[$_SESSION['csrf_field']] == $_SESSION['csrf_hash'])
 			return true;
 	}
 	return false;
 }
diff --git a/csrf_example.php b/csrf_example.php
 <?php
 require_once dirname(__FILE__).'/csrf.php';

 if(isset($_POST['username']))
 {
 	if(check_csrf())
 	{
 		echo 'Put form logic here';
 	}
 	else
 	{
 		echo 'Direct Post is not allowed. Use the form to submit your data.';
 	}
 }
 ?>
 <form method="POST">
 	<?php echo create_csrf_field(); ?>
 	<input type="text" name="username" value=""><br>
 	<input type="submit" value="Login">
 </form>
	<?php

	function create_csrf_field()
	{
	$field_hash = hash('sha256', time().'some_salt');
	$hash = hash('sha256', 'some_salt'.time().rand(0,10));
	$_SESSION['csrf_field'] = $field_hash;
	$_SESSION['csrf_hash'] = $hash;
	return '<input type="hidden" name="'.$field_hash.'" value="'.$hash.'">';
	}

	function check_csrf()
	{
	if(isset($_SESSION['csrf_field']) && isset($_SESSION['csrf_hash']) && isset($_POST[$_SESSION['csrf_field']]))
	{
	if($_POST[$_SESSION['csrf_field']] == $_SESSION['csrf_hash'])
	return true;
	}
	return false;
	}
	<?php
	require_once dirname(__FILE__).'/csrf.php';

	if(isset($_POST['username']))
	{
	if(check_csrf())
	{
	echo 'Put form logic here';
	}
	else
	{
	echo 'Direct Post is not allowed. Use the form to submit your data.';
	}
	}
	?>
	<form method="POST">
	<?php echo create_csrf_field(); ?>
	<input type="text" name="username" value=""><br>
	<input type="submit" value="Login">
	</form>