CodeIgniter Forums
CSRF and Form Validation - Printable Version




CSRF and Form Validation - zadro - 10-04-2017

I'm trying to validate the CSRF cookie against the CSRF token name when processing a form.

I'm using form_open(); and can see the hidden CSRF input field but can't access it...


$this->input->post($this->security->get_csrf_token_name()) is always empty. Why?

I'm clearly sending the variable as seen by $this->input->raw_input_stream;

Any ideas why I can't access it via POST directly?

This doesn't work:


PHP Code:
if ($this->input->post($this->security->get_csrf_token_name(), TRUE) == get_cookie($this->config->item('csrf_cookie_name'), TRUE)) {
    // token matches the cookie
}





I'm doing this below instead, and it's working fine, but really curious why the above version doesn't work


PHP Code:
if ($this->security->get_csrf_hash() == get_cookie($this->config->item('csrf_cookie_name'), TRUE)) {
    // hash matches the cookie
}




Thanks!


RE: CSRF and Form Validation - Narf - 10-05-2017

CI does this validation automatically and then unsets the $_POST entry. You don't have to do anything.


RE: CSRF and Form Validation - zadro - 10-05-2017

(10-05-2017, 02:05 AM)Narf Wrote: CI does this validation automatically and then unsets the $_POST entry. You don't have to do anything.

Ah now it makes sense. Thank you!
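
The behaviour Narf describes, as an added stand-alone example (not CodeIgniter's own code and not from any poster in this thread): a simplified model of a double-submit check that compares the posted token with the cookie and then removes the field, which is why a later read of the token from POST comes back empty. `csrf_verify()` here is a hypothetical helper, and the field and cookie names are assumed values for this sketch.

```php
<?php
// Simplified model of a framework-side double-submit CSRF check.
// Added example: TOKEN_NAME, COOKIE_NAME and csrf_verify() are assumptions for this sketch.
const TOKEN_NAME  = 'csrf_test_name';
const COOKIE_NAME = 'csrf_cookie_name';

/**
 * Compare the posted token with the cookie value in constant time,
 * then drop the token from $post so application code never sees it.
 */
function csrf_verify(array &$post, array $cookie): bool
{
    $valid = isset($post[TOKEN_NAME], $cookie[COOKIE_NAME])
        && is_string($post[TOKEN_NAME])
        && is_string($cookie[COOKIE_NAME])
        && hash_equals($cookie[COOKIE_NAME], $post[TOKEN_NAME]);

    // The check consumes the field: it is removed whether or not it matched.
    unset($post[TOKEN_NAME]);

    return $valid;
}

// Constructed sample request: one token, sent both as cookie and as hidden form field.
$token  = bin2hex(random_bytes(16));
$cookie = [COOKIE_NAME => $token];
$post   = [TOKEN_NAME => $token, 'email' => 'user@example.com'];

// Runs before any controller code, as the framework's own check would.
echo 'framework check passed: ';
var_dump(csrf_verify($post, $cookie));

// What a controller sees afterwards: the token field is gone, other fields remain.
echo 'token still in POST: ';
var_dump(isset($post[TOKEN_NAME]));
echo 'other field intact: ';
var_dump($post['email']);

// Repeating the comparison in the controller compares a missing value with the cookie.
$posted = $post[TOKEN_NAME] ?? null;
echo 'manual re-check result: ';
var_dump($posted == $cookie[COOKIE_NAME]);

// Constructed mismatching request: the submitted token differs from the cookie.
$mismatch = [TOKEN_NAME => str_repeat('0', 32), 'email' => 'user@example.com'];
echo 'mismatching token accepted: ';
var_dump(csrf_verify($mismatch, $cookie));
```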