
implement csrf protection in a drop-down form


ajoo


Hi all !


I am using this tutorial and I am modifying it to include CSRF protection. The index.php uses getToken(); to generate an anti-CSRF token which is then inserted in the form as a hidden input field as below:

<tr>
	<td>
		<select id="country_dropdown">
		<option value="-1">Select country</option>
		<?php
			// one <option> per row returned by the prepared statement
			while ($stmt->fetch())
			{
		?>
			<option value="<?php echo htmlspecialchars($country_id); ?>"><?php echo htmlspecialchars($country_name); ?></option>
		<?php
			}
		?>
		</select>
		<?php
			// token added as hidden field
			// (placed after the </select>: an <input> is not valid HTML inside a <select> and browsers drop it there)
			echo '<input type="hidden" name="token" value="' . htmlspecialchars($_SESSION['token']) . '" />';
		?>
	</td>
</tr>
<tr>
	<td>
		<?php echo htmlspecialchars($_SESSION['token']); // debug: show the token rendered at page load ?>
		<select id="state_dropdown">
			<option value="-1">Select state</option>
		</select>
		<?php
			// The token does not change even when it is changed in loaddata.php. The changed value
			// does not get reflected here, so adding the code below is useless and it is commented out.
			// echo '<input type="hidden" name="token" value="' . htmlspecialchars($_SESSION['token']) . '" />';
		?>
		<span id="state_loader"></span>
	</td>
</tr>

This scheme works if the same token is to be used for all drop-downs. If I destroy and change the token in loaddata.php, the AJAX response file, where the data is sent and received from for proceeding to the next drop-down, the change in the token value is not reflected in the index.php since, I guess, that file is not refreshed to load the new token value.


So how can I make this work? Please help. 


Thanks !


Only set/change the token when the page is loaded.


Or modify your AJAX so that it returns the new token, however that tutorial you're following isn't good enough for you to do this approach. You'd have to make a number of changes.

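One way to do the second approach (the AJAX endpoint returns the new token), as an added example that is not code from the tutorial or from this thread: loaddata.php checks the submitted token against the session, rotates it, and sends the new value back as JSON so the client can overwrite the hidden field before the next drop-down request. The field name parent_id and the sample option list are assumptions made for the example.

```php
<?php
// loaddata.php-style AJAX endpoint (added example, not the tutorial's code).
// Assumptions: index.php stores the CSRF token in $_SESSION['token'], the
// jQuery request POSTs it as 'token', and 'parent_id' (hypothetical name)
// carries the selected country id.
session_start();
header('Content-Type: application/json');

function generateToken(): string
{
    return bin2hex(random_bytes(32));   // 64 hex chars from the CSPRNG
}

function validateToken(?string $sent, ?string $stored): bool
{
    // Reject missing/empty values, then compare in constant time.
    return is_string($sent) && is_string($stored) && $stored !== ''
        && hash_equals($stored, $sent);
}

$sent = $_POST['token'] ?? null;
if (!validateToken($sent, $_SESSION['token'] ?? null)) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid or missing CSRF token']);
    exit;
}

// Token accepted: rotate it. The hidden input rendered by index.php still
// holds the old value, so the new one must travel back in this response.
$_SESSION['token'] = generateToken();

// Constructed sample rows in place of the tutorial's database lookup;
// a real endpoint would filter by the validated (int) $_POST['parent_id'].
$options = [
    ['id' => 1, 'name' => 'State A'],
    ['id' => 2, 'name' => 'State B'],
];

echo json_encode([
    'token'   => $_SESSION['token'],
    'options' => $options,
]);
```

The jQuery success handler then writes resp.token into the hidden field (for example $('input[name="token"]').val(resp.token)) before the next request and builds the state options from resp.options, which is the "number of changes" to the tutorial's HTML-returning AJAX mentioned above.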

Hi requinix !


Thanks for the reply. 


I think maybe I was not able to explain the problem clearly enough.


As it happens I needed to make only a few changes in the code in loaddata.php and the jQuery to get it working.


Thank you.
