Add a CSRF Token to Z-BlogPHP to prevent CSRF attacks

CSRF stands for Cross-Site Request Forgery: a page on another site forges a request that the victim's browser sends to your site together with the victim's cookies, and your site, trusting the logged-in user, executes it. If your Z-BlogPHP application links to, or submits data to, a handler behind cmd.php, the link or form should carry a token parameter. More generally, any request in your application that has side effects (changes state) needs a CSRF token.

For requests submitted by GET whose destination is cmd.php, build the link with the following function (note that a token in a GET URL can leak through Referer headers and browser history, so prefer POST for state-changing actions where you can):

<?php echo BuildSafeCmdURL('act=TagPst'); ?>

If the destination is not cmd.php, you can call this directly instead:

<?php echo BuildSafeURL('main.php'); ?>

For requests submitted by POST, add a hidden field to the form:

<?php echo '<input type="hidden" name="csrfToken" value="' . $zbp->GetCSRFToken() . '">'; ?>

If you need compatibility with older Z-BlogPHP versions that do not yet provide these functions, guard the call:

<?php if (function_exists('CheckIsRefererValid')) {echo '<input type="hidden" name="csrfToken" value="' . $zbp->GetCSRFToken() . '">';}?>

To verify the CSRF token inside your application (this will become a mandatory requirement for inclusion in the application center), and to additionally check the request's source in enhanced security mode, simply call the following function before performing the side-effecting action:

CheckIsRefererValid();

Again, for compatibility with older Z-BlogPHP versions, guard the call:

if (function_exists('CheckIsRefererValid')) CheckIsRefererValid();

Reference: https://github.com/zblogcn/zblogphp/commit/acd2d343f857192403c82d4cfd76806eef2dd660

Simple example (the check runs before the side effect, and the form carries the hidden token):

<?php
if (isset($_POST['form'])) {
	if (function_exists('CheckIsRefererValid')) CheckIsRefererValid();
	// ... perform the side effect only after the check has passed ...
}
?>

<form method="post">
	<input type="text" name="form" value=""/>
	<?php if (function_exists('CheckIsRefererValid')) {echo '<input type="hidden" name="csrfToken" value="' . $zbp->GetCSRFToken() . '">';}?>
	<input type="submit" class="button" value="Save"/>
</form>
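To show how the pieces above fit together end to end, here is an added, self-contained PHP example. It is not Z-BlogPHP's own code: the demo_* functions are hypothetical stand-ins for $zbp->GetCSRFToken(), BuildSafeURL() and CheckIsRefererValid() that illustrate the same pattern (a per-session secret token, embedded in the form or link under the same csrfToken name, compared in constant time on every side-effecting request, plus an Origin/Referer host check). Z-BlogPHP derives and checks its real tokens in its own way; this only demonstrates the mechanism.

```php
<?php
// Added example: hypothetical stand-ins for the Z-BlogPHP helpers, NOT the project's own
// GetCSRFToken()/BuildSafeURL()/CheckIsRefererValid() implementations.
declare(strict_types=1);

// Stand-in for $zbp->GetCSRFToken(): a random secret is created once per session and the
// token is an HMAC over it, so another site cannot guess or read it.
function demo_get_csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', 'csrf', $_SESSION['csrf_secret']);
}

// Stand-in for BuildSafeURL(): append the token as a query parameter so GET links carry it.
function demo_build_safe_url(string $url): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'csrfToken=' . rawurlencode(demo_get_csrf_token());
}

// Stand-in for CheckIsRefererValid(): the request must carry a token equal to the session's
// token (constant-time compare), and if the browser sent Origin or Referer, the host must
// match ours. Any failure aborts the request before the side effect runs.
function demo_check_request_is_valid(): void
{
    $token = $_POST['csrfToken'] ?? $_GET['csrfToken'] ?? '';
    if (!is_string($token) || !hash_equals(demo_get_csrf_token(), $token)) {
        http_response_code(403);
        exit('Illegal access: CSRF token missing or invalid');
    }
    // HTTP_HOST may carry a port; parse it the same way as the source headers.
    $ourHost = strtolower((string) parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''), PHP_URL_HOST));
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (empty($_SERVER[$header])) {
            continue;
        }
        $sourceHost = parse_url($_SERVER[$header], PHP_URL_HOST);
        if (!is_string($sourceHost) || strtolower($sourceHost) !== $ourHost) {
            http_response_code(403);
            exit('Illegal access: request source does not match this site');
        }
    }
}

// Handling side: only state-changing requests run the check, and only after the check
// passes does the action happen.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['form'])) {
    demo_check_request_is_valid();
    // ... perform the side effect here (save settings, delete a post, etc.) ...
}
?>
<!-- Rendering side: a POST form carrying the hidden token, and a GET link built with it. -->
<form method="post" action="">
    <input type="text" name="form" value=""/>
    <input type="hidden" name="csrfToken" value="<?php echo htmlspecialchars(demo_get_csrf_token()); ?>"/>
    <input type="submit" class="button" value="Save"/>
</form>
<a href="<?php echo htmlspecialchars(demo_build_safe_url('main.php')); ?>">Link carrying the token</a>
```

Two design points worth keeping when you wire this into a real plugin: the token comparison uses hash_equals() rather than ==, so a forged value cannot be matched byte by byte through timing; and the Origin/Referer check is only a second layer, since browsers may omit both headers, so the token check, not the header check, is what actually stops the forged request.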

Z-BlogPHP wiki: https://wiki.zblogcn.com/doku.php?id=zblogphp:development:features:1.5.2:security


Source: https://www.cnblogs.com/app7899/p/11855126.html