Jump to content

implement csrf protection in a drop-down form


ajoo

Recommended Posts

Hi all !

 

I am using this tutorial and I am modifying it to include csrf protection. The index.php uses 

getToken();

to generate an anti-csrf token which is then inserted in the form as a hidden input field as below:

<tr>
	<td>
		<select id="country_dropdown" > 
		<option value="-1">Select country</option>
		<?php	
			while($stmt->fetch())
			{ 
			?>
			     <option value="<?php echo $country_id ?>"><?php echo $country_name ?></option 
			} 
			<?php 
                              // token added as hidden field
                             echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />';
		?>
			
		</select>
	</td>
</tr>
<tr>
	<td>
		<select id="state_dropdown" >
		<?php echo $_SESSION['token']; // debug ?>
			<option value="-1">Select state</option>
		</select>
		<?php
                  // The token does not change even when it is changed in loaddata.php. The change values
                  // does not get reflected here. So adding the below code is useless, so commented out.
                  // echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />';
                 ?>
		<span id="state_loader"></span>
	</td>
</tr>

This scheme works if the same token is to be used for all drop downs. If I change destroy and change the token in loaddata.php, the ajax response file, where the data is sent and received from for proceeding to the next drop-down, the change in the token value is not reflected in the index.php since, i guess, that file is not refreshed to load the new token value. 

 

So how can I make this work? Please help. 

 

Thanks !

Edited by ajoo
Link to comment
Share on other sites

Hi requinix !

 

Thanks for the reply. 

 

I think maybe I was not able to explain the problem clearly enough.

 

As t happens I needed to make only a few changes in the code in loaddata.php and jquery to get it working.

 

Thanks you.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.