[eluser]IamPrototype[/eluser]
From this tutorial (
http://net.tutsplus.com/tutorials/php/se...form-keys/) I just re-wrote the content and coded it into a CI library.
Here's the library and a testing controller with two testing views.
----
library (last updated: 18. juni 09 23:03 - 24-hour system)
Code:
<?php
#doc
# classname: Form_Key
# note: Prevents other sites from sending post data to forms on your site
#/doc
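class Form_Key
{
	// Key issued for the current request (filled in by output_key()).
	private $form_key;
	// Key the previous request stored in the session, or NULL if there was none.
	private $old_form_key;
	// CodeIgniter super-object; the library reaches the session and input classes through it.
	private $ci;

	/**
	 * Picks up the key issued on the previous request so validate() has something to compare against.
	 */
	function __construct()
	{
		// The library has no loader of its own, so get the super-object first and load through it.
		$this->ci =& get_instance();
		$this->ci->load->library('session');

		// session->userdata() returns FALSE when the item is absent. The original wrapped the
		// call in isset(), which is a parse error on a function result, so test the value instead.
		$stored = $this->ci->session->userdata('form_key');
		if ($stored !== FALSE)
		{
			$this->old_form_key = $stored;
		}
	}

	/**
	 * Returns a fresh, unpredictable key (40 hex characters).
	 *
	 * @return string
	 */
	function _generate_key()
	{
		// Use a CSPRNG where the runtime provides one; uniqid()/mt_rand() are guessable
		// and only remain as a fallback for old PHP versions.
		if (function_exists('random_bytes'))
		{
			return bin2hex(random_bytes(20));
		}

		$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
		$unique = uniqid(mt_rand(), TRUE);
		// The original hashed the bare constant "uniqid" instead of the variable.
		return sha1($ip . $unique);
	}

	/**
	 * Issues a new key, stores it in the session and produces the hidden field.
	 *
	 * @param bool $echo  TRUE (default) echoes the field exactly as before; FALSE only returns it,
	 *                    which is what a controller that hands the markup to a view needs.
	 * @return string     the hidden <input> markup
	 */
	function output_key($echo = TRUE)
	{
		// The method is called _generate_key(); the original called a non-existent generate_key().
		$this->form_key = $this->_generate_key();
		$this->ci->session->set_userdata('form_key', $this->form_key);

		// The key is hex (or a sha1 digest), so it needs no HTML escaping in the attribute.
		$field = '<input type="hidden" name="form_key" id="form_key" value="' . $this->form_key . '" />';
		if ($echo)
		{
			echo $field;
		}
		return $field;
	}

	/**
	 * Checks the submitted form_key against the one issued on the previous request.
	 * A key that validates is removed from the session so the same token cannot be replayed.
	 *
	 * @return bool
	 */
	function validate()
	{
		// input->post() returns FALSE when the field is missing; with no stored key nothing can match.
		// Both must go through $this->ci — the library has no input property of its own.
		$submitted = $this->ci->input->post('form_key');
		if ($submitted === FALSE || $this->old_form_key === NULL)
		{
			return FALSE;
		}

		// Constant-time comparison where available, strict === otherwise; never loose ==.
		$valid = function_exists('hash_equals')
			? hash_equals((string) $this->old_form_key, (string) $submitted)
			: (string) $submitted === (string) $this->old_form_key;

		if ($valid)
		{
			// One-time use: discard the key once it has been accepted.
			$this->ci->session->unset_userdata('form_key');
		}
		return $valid;
	}
}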
###
### end of library
testing controller
Code:
<?php
#doc
# classname: Formkey
# scope: Public
#
#/doc
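class Formkey extends Controller
{
	/**
	 * Loads the form-key library. CI derives both the class name and the property it
	 * exposes the instance on from the library name, so it must be 'form_key' to match
	 * the Form_Key class; 'formkey' would also collide with this controller's own name.
	 */
	function __construct()
	{
		parent::Controller();
		$this->load->library('form_key');
	}

	/**
	 * Default action: show the form.
	 */
	function index()
	{
		$this->form();
	}

	/**
	 * Renders the form with a freshly issued key.
	 */
	function form()
	{
		// Ask for the markup back rather than letting the library echo it; otherwise the hidden
		// field is printed before (and outside) the view. The original also lacked the '='.
		$data['form_key'] = $this->form_key->output_key(FALSE);
		$this->load->view('test_view', $data);
	}

	/**
	 * Target of the form's POST: rejects the request unless the key matches.
	 */
	function validateform()
	{
		if ( ! $this->form_key->validate())
		{
			// Send the user back to an error page.
			$data['err_msg'] = "Key is invalid!";
			$this->load->view('test_fail_view', $data);
			return;
		}

		// Key matched: continue with field validation (e.g. form_validation).
		// TODO: render a success view or redirect — this path currently produces no output.
		// NOTE(review): keeping the comparison inside the library (rather than exposing
		// old_form_key and re-checking it here) keeps the session key out of controller code.
	}
}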
###
### end of controller
first testing view (form)
Code:
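<html>
<head>
	<title>Making our forms secure using form keys!</title>
	<meta http-equiv="Content-type" content="text/html; charset=UTF-8" />
	<meta name="description" content="apple juice addict" />
</head>
<body>
	<?php /* The controller method is validateform(); the original action pointed at a non-existent "validate". */ ?>
	<form method="post" action="formkey/validateform" id="test_form" name="test_form">
		<?php /* $form_key already holds the hidden <input> markup produced by the library, so it is output as-is. */ ?>
		<?=$form_key?>
		<label for="email">Email</label> <input type="text" name="email" id="email" /><br />
		<label for="website">Website</label> <input type="text" name="website" id="website" /><br />
		<input type="submit" name="submit" id="submit" value="Submit!" />
	</form>
</body>
</html>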
second testing view (fail)
Code:
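<html>
<head>
	<title>Making our forms secure using form keys!</title>
	<meta http-equiv="Content-type" content="text/html; charset=UTF-8" />
	<meta name="description" content="apple juice addict" />
</head>
<body>
	<?php /* Escape the message so the view stays safe if err_msg ever carries request data. */ ?>
	<p><?=htmlspecialchars($err_msg, ENT_QUOTES, 'UTF-8')?></p>
</body>
</html>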
-----
I actually just wrote it, so I guess there could be some problems, typos and so on... Any suggestions would be nice! I want to optimize the code as much as I can.
PS: Would a library like this make sense for you? Or would you just use the already made cURL libraries?
Edit: Typo, library update