MY_Form_Validation w/ spam and CSRF protection
[eluser]n0xie[/eluser]
The first thing to acknowledge is that, in my experience, most people often do destructive things via GET. This is inherently wrong, but you should emphasize this: never do anything destructive via GET; always use POST. I would like to make this point clear since your 'library' only deals with POST data. Your site would still be easily exploitable if you had URLs like http://domain.tld/user/delete/12345 which would delete user 12345. Always keep this in mind when talking about CSRF: most people don't know how it works and assume a 'library' like this will magically protect their site against any form of CSRF attack.

Code:
md5('nonce' . $this->CI->input->ip_address() . microtime());

If you want an effective CSRF protection, take a look at the example Controller of Ion Auth where I added a simple nonce implementation in the deactivate method.
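The two points the post makes, refuse state changes over GET and require a token that an attacker's page cannot know, put into one plain-PHP gate. This is an added example, not code from the post, from MY_Form_Validation or from Ion Auth; it does not use the CodeIgniter API, and the function names, session key and field name are illustrative. It derives the token from the OS CSPRNG rather than from the IP address and clock, and compares it in constant time.

```php
<?php
// Added example (not from the original post, MY_Form_Validation or Ion Auth):
// a minimal synchronizer token gating destructive POST actions in plain PHP.
// Assumptions: a PHP session is available; all names below are illustrative.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // where the token lives in $_SESSION
const CSRF_FIELD       = 'csrf_token';   // name of the hidden form field

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the OS CSPRNG; hex so it is safe inside an attribute.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Gate for destructive actions. Returns true only when the request is a
 * POST (so a plain link such as /user/delete/12345 can never trigger it)
 * and the submitted token matches the one stored in the session.
 */
function csrf_verify(string $method, array $post, ?string $sessionToken): bool
{
    if (strtoupper($method) !== 'POST') {
        return false;                       // GET, HEAD, etc. are never accepted
    }
    if ($sessionToken === null || $sessionToken === '') {
        return false;                       // no token issued: nothing to compare
    }
    $submitted = $post[CSRF_FIELD] ?? '';
    if (!is_string($submitted)) {
        return false;                       // arrays or other junk in the field
    }
    // hash_equals runs in time independent of where the strings differ.
    return hash_equals($sessionToken, $submitted);
}

// --- Usage in a controller-style "deactivate" handler --------------------
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render the form: the token travels in a hidden field, never in the URL.
    echo '<form method="post" action="/user/deactivate">'
        . csrf_field()
        . '<input type="hidden" name="id" value="12345">'
        . '<button type="submit">Deactivate</button></form>';
    exit;
}

if (!csrf_verify($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION[CSRF_SESSION_KEY] ?? null)) {
    http_response_code(403);
    exit('Invalid request');
}

// Only now is it safe to act on $_POST['id'] (cast and authorize it first).
```

The token here is reused for the whole session, which keeps multiple open tabs working. For a strict single-use nonce, the kind the post describes for the deactivate method, unset `$_SESSION[CSRF_SESSION_KEY]` after a successful `csrf_verify()` so that the next form render issues a fresh value; a replayed or stale token then fails the comparison.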