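### csrf防御

验证器

~~~php
<?php

namespace application\example\validate;

use aaphp\Validate;

/**
 * CSRF form-token validator.
 *
 * Applies the `token` rule to the `_token_` field, so a submission that
 * carries no valid token fails validation. The rule itself is not defined
 * here; presumably it comes from the aaphp\Validate base class (confirm).
 *
 * Class CsrfValidate
 * @package application\example\validate
 */
class CsrfValidate extends Validate
{
    protected $rule = [
        '_token_' => [
            'token',
        ],
    ];
}
~~~

控制器

~~~php
/**
 * CSRF form-token validation demo.
 *
 * Non-POST requests get the rendered form. POST requests are checked with
 * CsrfValidate and the outcome is written straight to the output.
 *
 * @return string|void rendered view for non-POST requests; nothing on POST
 */
public function csrf()
{
    $request = Request::instance();

    // Only POST changes state here, so only POST is token-checked.
    if (!$request->isPost()) {
        return $this->fetch();
    }

    $data = [
        // Key matches the form field name="username" in the view
        // (the original read a non-existent 'usernamea' field).
        'username' => $request->post('username'),
        'password' => $request->post('password'),
        // Hidden token value submitted with the form
        '_token_' => $request->post('_token_'),
    ];

    $validate = new CsrfValidate();
    // Run the token check before acting on any other submitted field.
    if ($validate->check($data)) {
        echo '验证通过<br/>';
    } else {
        echo '验证未通过,错误信息:<br/>';
        // Demo output only: outside a demo, log the validator error
        // server-side and return a generic failure to the client.
        var_dump($validate->getError());
    }
}
~~~

视图

~~~html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>csrf</title>
</head>
<body>
<form action="" method="POST" style="border: 2px solid #00ffff;width: 500px">
    <p>我有隐藏input,name="_token_" ,能通过token验证" </p>
    <!-- Hidden CSRF token field, filled in when the page is rendered -->
    <input type="hidden" name="_token_" value="{:aaphp\Validate::token()}"/>
    <input type="text" name="username" value="aaphp"/>
    <br/>
    <br/>
    <input type="text" name="password" value="123456"/>
    <br/>
    <br/>
    <input type="submit" value="提交">
</form>
<hr>
<form action="" method="POST" style="border: 2px solid #ff0000;width: 500px">
    <p>我没有隐藏input,不能通过token验证" </p>
    <input type="text" name="username" value="aaphp"/>
    <br/>
    <br/>
    <input type="text" name="password" value="123456"/>
    <br/>
    <br/>
    <input type="submit" value="提交">
</form>
</body>
</html>
~~~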