CHAPTER 12 SECURITY (page 194)

In the preceding example, the Insecure Bank Co. shouldn't have transferred the money to Bob's account so easily. Julie should have been forced to fill out a specific form for the transaction to take place. In this form, you use a one-time token. This is essentially a password that is generated for a specific transaction, which is then required to complete the transaction. It doesn't require the user to enter anything extra; it simply means that a transaction cannot be completed without confirmation.

We'll use the bank example again to demonstrate this. This is how a basic version of the script might look with the one-time token added to it. Without the correct token being submitted with the form, the transaction cannot complete, thereby foiling the previous CSRF attack.

    <?php
    session_start();

    // Create a token for this session if one does not exist yet.
    if (!isset($_SESSION['token'])) {
        $_SESSION['token'] = md5(uniqid(rand(), true));
    }

    // Only compare when a token was actually submitted: on the first (GET)
    // request $_POST['token'] does not exist, and a strict comparison avoids
    // loose-equality surprises.
    if (isset($_POST['token']) && $_POST['token'] === $_SESSION['token']) {
        // Validate the submitted amount and account and complete the transaction.
        unset($_SESSION['token']);
        echo 'Transaction completed';
        exit;
    }
    ?>
    <form method="post" action="">
    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
    <p>Amount: <input type="text" name="amount" /><br />
    Account: <input type="text" name="account" /><br />
    <input type="submit" value="Transfer money" /></p>
    </form>

You first initiate the PHP session. We have simplified this call for now, but you should keep in mind the previous strategies for protecting your sessions. Next, you check whether a token exists and create a new one if there isn't already one. You use the uniqid() function to create this unique token. In fact, the code used to generate this token is taken directly from the PHP manual page for uniqid().
To simplify the example, we have created a form that submits back to itself, so next you check your stored token against the one submitted. Initially, when you run this form, no token is submitted, so obviously the
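As an added example (not the book's code), the same one-time-token pattern written with PHP 7.1+ functions, assuming a self-submitting form as above: random_bytes() stands in for md5(uniqid(rand(), true)), hash_equals() does the comparison, and a token is accepted once, within a time limit, so a request that omits the token or replays a used one is rejected.

```php
<?php
// Added example, not from the book: one-time transaction token helpers.
session_start();

// Issue a token for one transaction and store it in the session.
// random_bytes() is a CSPRNG, so the value cannot be guessed by a third party.
function issue_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    $_SESSION['token_issued_at'] = time();
    return $token;
}

// Check a submitted token against the stored one. Any attempt consumes the
// stored token, so a second submission of the same value (a replay) fails.
function consume_token(?string $submitted, int $max_age = 600): bool {
    if ($submitted === null || !isset($_SESSION['token'])) {
        return false;   // request carried no token (e.g. a forged cross-site POST)
    }
    $expired = (time() - $_SESSION['token_issued_at']) > $max_age;
    $matches = hash_equals($_SESSION['token'], $submitted);  // constant-time
    unset($_SESSION['token'], $_SESSION['token_issued_at']);
    return $matches && !$expired;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (consume_token($_POST['token'] ?? null)) {
        // Validate the submitted amount and account, then perform the transfer.
        echo 'Transaction completed';
        exit;
    }
    echo 'Transaction rejected: missing, stale, or already used token';
}

// Reuse the session's pending token if one exists, otherwise issue a new one.
$token = $_SESSION['token'] ?? issue_token();
?>
<form method="post" action="">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
<p>Amount: <input type="text" name="amount" /><br />
Account: <input type="text" name="account" /><br />
<input type="submit" value="Transfer money" /></p>
</form>
```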