Create method and automatic token verification examples in ThinkPHP

This article mainly introduces the create method in ThinkPHP and the implementation method of automatic token verification. It has a very important purpose. Friends who need it can refer to it.

This article shows the create method in ThinkPHP in the form of an example. Method and implementation of automatic token verification, the specific steps are as follows:

1. Data table structure

The user table structure is as follows:

id username password

2. View template part

\aoli\Home\Tpl\default\User\create.html page is as follows:

<form action="__URL__/addit" method="post">
 <input type="text" name="id" />
 <input type="text" name="username" />
 <input type="password" name="password" />
 <input type="submit" name="sub" value="提交" />
</form>

3. Action part:

\aoli\Home\Lib\Action.php page is as follows:

<?php
 class UserAction extends Action {
  function create(){
     $this->display();   
   }
   
   function addit(){
     //向表user中添加表单内容
     $user=M(&#39;user&#39;);
     $user->create();
     $user->add();
     //判断是否存在令牌验证
     if(!$user->autoCheckToken($_POST)){
       dump(&#39;no&#39;); 
     }else{
       dump(&#39;yes&#39;);   
     }
 }
?>

1. Before operating the data submitted by the form, we often You need to manually create the required data, such as the form data submitted above:

 //实例化User模型
  $user=M('user');
 
 //获取表单的POST数据
  $data['username']=$_POST['username']
  $data['password']=$_POST['password']
 
 //写入到数据库
   $user->data($data)->add();

Attachment: The data object created using the data method will not be automatically verified and filtered, and needs to be processed by yourself. If you just want to simply create a data Object, and if you do not need to complete some additional functions, you can use the data method to simply create a data object.

2. ThinkPHP can help us quickly create data objects. The most typical application is to automatically create data objects based on form data. The data object created by the create method is stored in memory and is not actually written to the database.

   //实例化user模型
    $user=M('user');
  
   //根据表单提交的POST数据创建数据对象，并保存在内存中，可以通过dump($user)查看
    $user=create();

   //把创建的数据对象写入数据库中
    $user->add();

3. The create method supports creating data objects in other ways, such as from other data objects or arrays.

   $data['name']='ThinkPHP';
   $data['eamil']='ThinkPHP@gmail.com';
   $user->create($data);

   甚至还可以支持从对象创建新的数据对象，如从user数据对象创建新的member数据对象
   $user=M('user');
   $user->find(1);
   $member=M('member');
   $member->create($user);

4. While creating the data object, the create method also completes some meaningful work, including token verification, automatic data verification, field type search, automatic data completion, etc.

Because of this, the token verification, automatic verification and automatic completion functions we are familiar with must actually use the create method to take effect.

5. Token verification:

Function: It can effectively prevent remote submission of forms and other security protections.

Add the following configuration to config.php:

   'TOKEN_ON'   =>  true, //是否开启令牌验证
   'TOKEN_NAME'  =>  'token',// 令牌验证的表单隐藏字段名称
   'TOKEN_TYPE'  =>  'md5',//令牌验证哈希规则

The automatic token will put an md5 encrypted string into the current SESSION session. And insert this string into the form of a hidden field before the form. This string appears in two places, one is in the SESSION and the other is in the form. When you submit the form, the first thing the server does is compare the SESSION information. If it is correct, the form is allowed to be submitted, otherwise it is not allowed to be submitted.

Looking at the source code of create.html, you will see that there will be an automatically generated hidden field before the end mark of the form.

<input type="hidden" name="token" value="eef419c3d14c9c93caa7627eedaba4a5" />

(1) If you want to control the hidden field yourself You can manually add the {__TOKEN__} mark to the form page, and the system will automatically replace it when outputting the template.

(2). If the form token verification is turned on and individual forms do not need to use the token verification
function, you can add {__NOTOKEN__} to the form page, and the system will ignore the current form. Token verification.

(3) If there are multiple forms on the page, it is recommended to add the {__TOKEN__} identifier and ensure that only one form requires token verification.

(4). If you use the create method to create a data object, form verification will be automatically performed at the same time. If this method is not used, you need to manually call the autoCheckToken method of the model for form verification.

if (!$User->autoCheckToken($_POST)){
// 令牌验证错误
}

Related recommendations:

Usage of volist tag in Thinkphp

The above is the detailed content of Create method and automatic token verification examples in ThinkPHP. For more information, please follow other related articles on the PHP Chinese website!