PHP Form Session Token Something Weird ?

Question

phplover 0 Junior Poster in Training

14 Years Ago

Hi,

I have basically created two functions in a filed called functions.php . They are as follows:

# Form Token Hash Generator (must be declared after if statement)
function GenerateFormTokenHash(){
$token = $_SESSION['token'] = md5(uniqid(mt_rand(), true)) ;
return $token;
}

# Form Token Hash Validator
function IsValidFormTokenHash(){
return $_POST['token'] == $_SESSION['token'];
}

The first function creates a random token and stores it in the session token and assigned to a variable $token for using later on other forms on site, which works fine on local as i can see the token in the session file on local computer.

The second function basically checks the hidden field name token against the $_SESSION .

Now they seem fine to me i beleive, i must admit functions confuse me to say the least.

My test form is just this: (note this is not my full test page, but so you know the functions.php is included as an include on the webpage, just not shown below.

<?php

# Has form been submitted ?
if(isset($_POST['submit'])){
    # Now form has been submitted compare token value
    if(isset($_SESSION['token']) && IsValidFormTokenHash()){
        # Everything is ok so do processing etc here
        $name = $_POST['name'];
        $email = $_POST['email'];

        echo "FORM SENT!";
        exit;

    } else { # mmm, seems fishy to me; TELL THEM!
        echo 'YOU ARE TAMPERING WITH THIS FORM';
        exit;
    }
}

# Generate token hash
GenerateFormTokenHash();

?>

<form method="post" action="<?php $_SERVER[PHP_SELF] ?>">
    Name:  <input type="text" name="name" /> <br />
    Email: <input type="text" name="email" /> <br />
    <input type="hidden" name="token" value="<?php echo $token; ?>" />
    <input type="submit" name="submit" value="Send" />
</form>

Now the problem i am having is althou i assigned the random string to $token/$_SESSION in the hidden field i got it to echo $token but the hidden field value is empty. If i type $_SESSION in hidden field it works, but reason for using a variable $token is so i can change it from one file if i alter parts of the function later on in time.

Can someone tell me what i am doing wrong, probably something stupid but functions confuse me so not sure what is not rite. Basically the hidden form input token has no value althou i am echoing $token, which is confusing me as $_SESSION which stores the random string was assigned to $token and in function i placed return before it.

Thanks,
PHPLOVER

php

Edited 14 Years Ago by phplover because: n/a

1 Contributor
2 Replies
214 Views
8 Hours Discussion Span
Latest Post 14 Years Ago Latest Post by phplover

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

phplover 0 Junior Poster in Training · Answer 1 · 2010-07-11T22:41:09+00:00

Hi,

I just realised i copied the wrong test file.

This is the one.

The correct functions are:

# Form Token Hash Generator (must be declared after if statement)
function GenerateFormTokenHash(){
    $token = $_SESSION['token'] = md5(uniqid(mt_rand(), true)) ;
    return $token;
}

# Form Token Hash Validator
function IsValidFormTokenHash(){
 if(isset($_POST['token']) && $_POST['token'] != $_SESSION['token']){
    echo '<h1>Malicious Activity Suspected</h1> <br />';
    echo 'Sorry but we cannot process your request at this time.';
    echo ' There has been an alteration in the form which has suspected malicious activity;';
    echo ' therefore your request has not been processed.';
          require_once($footer_inc);
          exit;
     }
    }

Form:

<?php

 if(isset($_POST['submit'])){

    # Check if form has been tampered with
    IsValidFormTokenHash();

    # If tampering was not detected continue
    # Process as normal etc ...
    $name = $_POST['name'];
    $email = $_POST['email'];

    # Say form sent
    echo 'Form Sent!';
    require_once($footer_inc);
    exit;
}

    # Generate form token hash before form is submitted.
    GenerateFormTokenHash();

?>

<form method="post" action="testform.php">
    Name:  <input type="text" name="name" /> <br />
    Email: <input type="text" name="email" /> <br />
    <input type="hidden" name="token" value="<?php echo $token; ?>" />
    <input type="submit" name="submit" value="Send" />
</form>

phplover 0 Junior Poster in Training · Answer 2 · 2010-07-11T23:44:22+00:00

OMG!

All these hours and now i worked it out the hidden field must be like:

<?php echo GenerateFormTokenHash("$token"); ?>

Not like i had it originally:

<?php echo $token; ?>

I thought using the return infront of the $token inside the function would allow me to use the variable just by typing $token where ever i wanted it outside the function just like a variable in a script, it seems i have learned that althou return is before $token in the function i still have to call the variable $token inside the function name outside the function.

I wish PHP did not do it like this yet at the same time i can understand why.

Thanks,
PHPLOVER