How to set expiration time in PHP form to strengthen security measures

PHP form is a commonly used interactive method in website development. It can receive user input and pass the data to the server for processing. However, since form data is transmitted over HTTP, there are certain security risks. One of them is that it is easy for malicious attackers to use replay attacks to carry out data tampering or disguise attacks. In order to prevent such attacks, we can set the expiration time in the PHP form and strengthen security measures. This article will introduce how to set the expiration time in PHP forms to strengthen security protection.

1. What is the expiration time

The expiration time refers to setting a time limit before the form is submitted. If it is not submitted within the specified time, the form will become invalid. This mechanism prevents forms from being used by malicious attackers to perform data tampering or disguise attacks through replay attacks. At the same time, the expiration time can also limit the validity period of the form to avoid useless data occupying server resources.

2. How to set the expiration time

You can use session technology to set the expiration time in PHP. The sample code is as follows:

<?php
session_start();
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    session_unset();
    session_destroy();
}
$_SESSION['LAST_ACTIVITY'] = time();
?>

The above code means, If the current time minus the time of the last operation is greater than 1800 seconds (30 minutes), the session is destroyed.

3. How to use expiration time to enhance form security

After setting the expiration time, we also need to verify the form data when the form is submitted, such as keywords Perform data verification and filtering on each segment to prevent security threats such as SQL injection, XSS attacks, and CSRF attacks. The following are some specific measures:

3.1 Data verification

When receiving form submission data, we can use PHP's filter function to filter, verify and clean the form submission data. , improve data security. The filter function can verify data type, length, case, and special characters. The code example is as follows:

<?php
// 过滤输入的字符串
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);

// 验证电子邮箱格式
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

// 校验输入的 URL
$url = filter_input(INPUT_POST, 'url', FILTER_VALIDATE_URL);

// 验证IP地址
$ip = filter_input(INPUT_POST, 'ip', FILTER_VALIDATE_IP);
?>

3.2 Preventing SQL Injection

Before the form data is stored in the database, we can Prevent SQL injection by using parameter binding, escape characters, etc. Among them, parameter binding can use PDO or mysqli library, and escape characters can use functions such as addslashes. The sample code is as follows:

<?php
// 参数绑定防止 SQL 注入
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->bindParam(':username', $username);
$stmt->execute();

// 转义字符串防止 SQL 注入
$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
?>

3.3 Preventing XSS attacks

When outputting form data, we can filter the submitted data to prevent XSS attacks. You can use PHP's htmlspecialchars and other functions to convert special characters into HTML escape characters. The sample code is as follows:

<?php
// 输出转义后的字符串
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
?>

3.4 Preventing CSRF attacks

In order to prevent CSRF attacks, we can add a csrf_token, used to verify whether the source of the form is legal. You can use PHP session to store tokens. The sample code is as follows:

<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $csrf_token = $_POST['csrf_token'];
    if (!isset($_SESSION['csrf_token']) || $_SESSION['csrf_token'] !== $csrf_token) {
        die('非法请求');
    }
}
$csrf_token = md5(uniqid(rand(), true));
$_SESSION['csrf_token'] = $csrf_token;
?>
<form method="post">
    <input type="hidden" name="csrf_token" value="<?php echo $csrf_token;?>">
    <input type="text" name="username">
    <input type="password" name="password">
    <button>提交</button>
</form>

4. Summary

By setting the expiration time for the PHP form, you can effectively prevent replay attacks and disguise attacks. , thereby enhancing form security. In addition, we can further strengthen the security of the form through data verification, preventing SQL injection, preventing XSS attacks and preventing CSRF attacks. In website development, strengthening security protection is crucial. We should start from all aspects to improve the security of the website.

The above is the detailed content of How to set expiration time in PHP form to strengthen security measures. For more information, please follow other related articles on the PHP Chinese website!