要防止PHP應(yīng)用中的CSRF攻擊，需使用反CSRF令牌、驗(yàn)證HTTP方法、設(shè)置SameSite Cookie屬性，并考慮使用自動處理CSRF的框架。1. 使用反CSRF令牌：服務(wù)器生成唯一令牌并與用戶會話關(guān)聯(lián)，在表單中加入隱藏字段提交該令牌，提交時驗(yàn)證令牌是否匹配；2. 驗(yàn)證HTTP方法：確保敏感操作僅通過POST等安全方法執(zhí)行，拒絕非預(yù)期的GET請求；3. 設(shè)置SameSite Cookie屬性：通過session_set_cookie_params配置SameSite=Strict或Lax，防止跨站請求攜帶Cookie；4. 使用框架：如Laravel、Symfony等內(nèi)置CSRF防護(hù)機(jī)制，自動處理令牌生成與驗(yàn)證，提升安全性并減少手動疏漏。

Preventing Cross-Site Request Forgery (CSRF) in PHP applications is essential for securing user data and ensuring that actions taken in your app are intentional. The core idea is to verify that requests coming into your system were intentionally made by the authenticated user — not by a third party trying to exploit them.

Here’s how you can effectively protect your PHP application from CSRF attacks.

Use Anti-CSRF Tokens

The most reliable method to prevent CSRF is by using anti-CSRF tokens (also known as synchronizer tokens). These are unique, unpredictable values generated by the server and associated with a user’s session.

• When generating a form, include a hidden input field containing this token.
• On form submission, check if the submitted token matches the one stored in the session.
• If they don’t match, reject the request.

For example:

// Generate token (if not already set)
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(50));
}

// In your form:
echo '<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">';

// On submission:
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    die('Invalid CSRF token');
}

This ensures that only forms generated by your application can be used to submit data.

Validate HTTP Methods Properly

Make sure that any state-changing operation (like POST, PUT, DELETE) isn't allowed via GET requests. Browsers automatically follow links or load images using GET, which makes them vulnerable to CSRF if sensitive actions are triggered through them.

For instance:

• Don’t allow account deletion via GET /delete-account.
• Always use POST (or other appropriate methods) for such operations.
• Double-check the request method at the beginning of your scripts.

You can do something like:

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405); // Method Not Allowed
    exit('Only POST requests are allowed.');
}

This helps avoid accidental or malicious triggering of destructive actions.

Set SameSite Cookie Attribute

Modern browsers support the SameSite attribute for cookies, which restricts how cookies are sent with cross-site requests. You can set it when starting a session:

session_set_cookie_params([
    'lifetime' => 0,
    'path' => '/',
    'domain' => '', // adjust based on your domain
    'secure' => true, // only send over HTTPS
    'httponly' => true,
    'samesite' => 'Strict' // or 'Lax' depending on your needs
]);
session_start();

Using SameSite=Strict means cookies won’t be sent along with cross-site requests, greatly reducing the risk of CSRF.

Note: Be careful with browser compatibility if you need to support older clients.

Consider Using Frameworks That Handle CSRF Automatically

If you're building a larger PHP application, consider using a framework like Laravel, Symfony, or CodeIgniter. These frameworks have built-in CSRF protection mechanisms that handle token generation, validation, and more.

For example, Laravel automatically generates and validates CSRF tokens for all POST requests, and you just need to include @csrf in your Blade templates.

While rolling your own CSRF protection works fine for small apps, frameworks take care of edge cases and keep security practices up to date.

So there you go — use tokens, validate request methods, leverage cookie attributes, and consider using a solid framework. It’s not rocket science, but it’s easy to overlook a detail and leave your app exposed.

以上是您如何在PHP應(yīng)用中防止跨站點(diǎn)偽造（CSRF）？的詳細(xì)內(nèi)容。更多信息請關(guān)注PHP中文網(wǎng)其他相關(guān)文章！