PHP令牌 Token改进版-php手册-php.cn

Home

php教程

php手册

PHP令牌 Token改进版

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 pm 12:28 PM

base64getphptokentoken发BundleImprovemethodVersionthispass

正是由于使用了 base64 ，所以在把这个令牌通过 GET方法发送的时候，出现了问题。
比如：http://test/test.php?a=1+2
你用 $_GET["a"] 取得是：1 2 ，即那个加号没有了。一开始我用 urlencode 对其进行转换，但是总有那么一两的结果是意料外的。

后来想想 base64 的字符就限定于： [A-Za-z0-9\+\/=] 这么多，加号出问题，我就把加号换成不出问题的符号，下划线是最好的选择。下面是修改后的代码：

GEncrypt.inc.php

复制代码代码如下:

class GEncrypt {
protected static function keyED($txt, $encrypt_key) {
  $encrypt_key = md5 ( $encrypt_key );
  $ctr = 0;
  $tmp = "";
  for($i = 0; $i    if ($ctr == strlen ( $encrypt_key ))
    $ctr = 0;
   $tmp .= substr ( $txt, $i, 1 ) ^ substr ( $encrypt_key, $ctr, 1 );
   $ctr ++;
  }
  return $tmp;
}

public static function encrypt($txt, $key) {
  $encrypt_key = md5 ( (( float ) date ( "YmdHis" ) + rand ( 10000000000000000, 99999999999999999 )) . rand ( 100000, 999999 ) );
  $ctr = 0;
  $tmp = "";
  for($i = 0; $i    if ($ctr == strlen ( $encrypt_key ))
    $ctr = 0;
   $tmp .= substr ( $encrypt_key, $ctr, 1 ) . (substr ( $txt, $i, 1 ) ^ substr ( $encrypt_key, $ctr, 1 ));
   $ctr ++;
  }
  return ( preg_replace("/\\+/s","_", base64_encode ( self::keyED ( $tmp, $key ) ) ));
}
//base64 [A-Za-z0-9\+\/=]
public static function decrypt($txt, $key) {
  if($txt == ""){ return false;}
  //echo preg_replace("/_/s","+",$txt);
  $txt = self::keyED (base64_decode ( preg_replace("/_/s","+", $txt) ), $key );
  $tmp = "";
  for($i = 0; $i    $md5 = substr ( $txt, $i, 1 );
   $i ++;
   $tmp .= (substr ( $txt, $i, 1 ) ^ $md5);
  }
  return $tmp;
}
}

?>

GToken.inc.php

复制代码代码如下:

/**
* 原理：请求分配token的时候，想办法分配一个唯一的token, base64( time + rand + action)
* 如果提交，将这个token记录，说明这个token以经使用，可以跟据它来避免重复提交。
*
*/
class GToken {

/**
  * 得到当前所有的token
  *
  * @return array
  */
public static function getTokens(){
  $tokens = $_SESSION[GConfig::SSN_KEY_TOKEN ];
  if (empty($tokens) && !is_array($tokens)) {
   $tokens = array();
  }
  return $tokens;
}

/**
  * 产生一个新的Token
  *
  * @param string $formName
  * @param 加密密钥 $key
  * @return string
  */

public static function newToken($formName,$key = GConfig::ENCRYPT_KEY ){
  $token = GEncrypt::encrypt($formName.session_id(),$key);
  return $token;
}

/**
  * 删除token,实际是向session 的一个数组里加入一个元素，说明这个token以经使用过，以避免数据重复提交。
  *
  * @param string $token
  */
public static function dropToken($token){
  $tokens = self::getTokens();
  $tokens[] = $token;
  GSession::set(GConfig::SESSION_KEY_TOKEN ,$tokens);
}

/**
  * 检查是否为指定的Token
  *
  * @param string $token 要检查的token值
  * @param string $formName
  * @param boolean $fromCheck 是否检查来路,如果为true,会判断token中附加的session_id是否和当前session_id一至.
  * @param string $key 加密密钥
  * @return boolean
  */

public static function isToken($token,$formName,$fromCheck = false,$key = GConfig::ENCRYPT_KEY){
  if(empty($token)) return false;

  $tokens = self::getTokens();

  if (in_array($token,$tokens)) //如果存在，说明是以使用过的token
   return false;

  $source = GEncrypt::decrypt($token,$key);

  if($fromCheck)
   return $source == $formName.session_id();
  else{
   return strpos($source,$formName) === 0;
  }
}

public static function getTokenKey($token,$key = GConfig::ENCRYPT_KEY){
  if($token == null || trim($token) == "") return false;
  $source = GEncrypt::decrypt($token,$key);
  return $source != "" ? str_replace(session_id(),"",$source) : false;
}

public function newTokenForSmarty($params){
  $form = null;
  extract($params);
  return self::newToken($form);
}
}
?>

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

What's New in Windows 11 KB5054979 & How to Fix Update Issues

4 weeks agoByDDD

How to fix KB5055523 fails to install in Windows 11?

3 weeks agoByDDD

InZoi: How To Apply To School And University

1 months agoByDDD

How to fix KB5055518 fails to install in Windows 10?

3 weeks agoByDDD

Where to find the Site Office Key in Atomfall

4 weeks agoByDDD

Hot Tools

SAP NetWeaver Server Adapter for Eclipse

Integrate Eclipse with SAP NetWeaver application server.

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.