CSRF is a dangerous attack in which an attacker performs actions on behalf of an authenticated user, undermining the security of a web application. Fortunately, Laravel provides tools to prevent this kind of vulnerability.
CSRF targets user sessions. It works by tricking the user into submitting a request, through hidden form fields or malicious URLs (images or links), without the user's knowledge.
The attack leads to a change in the state of the user's session, to data leakage, and in some cases it lets cybercriminals tamper with the end user's data in the application.
The image above shows a scenario in which web security is broken. The victim sends a request by clicking a link they received; the request reaches the backend server, which produces the result the criminal wanted, giving the criminal useful information for accessing and using the website's server.
To improve the web security of your applications, Laravel generates a secure token for each user session and uses it to verify that the authenticated user is the one making the request to the application.
Because this token changes every time the user's session is regenerated, an attacker cannot obtain it.
Whenever a request changes user data on the server side (the backend), such as a POST, PUT, PATCH or DELETE, you must include the @csrf directive in the HTML form of the Blade template. @csrf is therefore a Blade directive used to generate a hidden token that the application verifies.
A Blade directive is syntax used inside Laravel's template engine, called Blade. To create a Blade file you give it a name, in our case form, followed by the .blade extension. This means the file will be named form.blade.php.
A Blade file is used to render views for users on the web page. There are a number of predefined directives, or Blade shorthand syntax, that you can use. For example, @if checks whether a condition is satisfied, @empty checks whether a record is empty, @auth checks whether the user is authenticated, and so on.
But let's return to the @csrf directive. Here is how you use it:
<form method="POST" action="{{route('pay')}}">
@csrf
</form>
Earlier versions of Laravel used a different setup; both work and do the same thing.
<form method="POST" action="{{route('pay')}}">
<input type="hidden" name="_token" value="{{ csrf_token() }}" />
</form>
If the CSRF token is missing from the submitted form request, or if it turns out to be invalid, Laravel throws a "Page Expired" error with HTTP status code 419.
The VerifyCsrfToken middleware handles CSRF verification inside a Laravel application. The middleware is registered in Kernel.php and lives in the app/Http/Middleware directory. It is placed in the web middleware group, so it applies to web requests and not to API routes.
protected $middlewareGroups = [
    'web' => [
        // ...
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],
];
The VerifyCsrfToken middleware extends the class Illuminate\Foundation\Http\Middleware\VerifyCsrfToken, which is where CSRF verification is defined.
Let's dig deeper to see how Laravel handles CSRF verification.
Inside that class we have the tokensMatch function.
protected function tokensMatch($request)
{
    // Token sent by the client (form field, header or encrypted cookie)
    $token = $this->getTokenFromRequest($request);

    // Both values must be strings; hash_equals compares them in constant time
    return is_string($request->session()->token()) &&
        is_string($token) &&
        hash_equals($request->session()->token(), $token);
}
This code determines whether the session token and the token submitted with the request match.
The function does two things:
1. $this->getTokenFromRequest reads the token attached to the incoming request, either in the hidden form field or in a request header. A token carried in the cookie header is decrypted first, and the result is returned in the token variable.
protected function getTokenFromRequest($request)
{
    // Hidden form field first, then the X-CSRF-TOKEN header
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    // Fall back to the encrypted XSRF-TOKEN cookie value sent as a header (used by JavaScript clients)
    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        try {
            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
        } catch (DecryptException $e) {
            $token = '';
        }
    }

    return $token;
}
In the code above, the token is read from the form field or from the request header.
2. It checks that both the request token and the session token are strings, then uses PHP's built-in hash_equals to compare the two strings for equality. The result of this function is always a bool: true or false.
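As an added example, and not code from Laravel or from this article, the following stand-alone PHP script models the behaviour described for the @csrf hidden field and the tokensMatch check: it creates a per-session token, renders the hidden _token field, reads the token back from the form field or the X-CSRF-TOKEN header, and answers 200 or 419 as a VerifyCsrfToken-style middleware would. The function names and the sample requests are constructed for this illustration.

```php
<?php
// Added example (not Laravel's own code): a minimal stand-alone model of its CSRF check; names are constructed.

// Create the per-session token once, as the session store would.
function createSessionToken(): string {
    return bin2hex(random_bytes(20)); // 40 characters, unpredictable
}

// Render the hidden field that the @csrf directive expands to.
function csrfField(string $sessionToken): string {
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($sessionToken, ENT_QUOTES) . '">';
}

// Mirror of getTokenFromRequest: form field first, then X-CSRF-TOKEN header.
function tokenFromRequest(array $input, array $headers) {
    return $input['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
}

// Mirror of tokensMatch: both values must be strings and equal;
// hash_equals compares in constant time, so a partial match is not leaked through timing.
function tokensMatch($sessionToken, $requestToken): bool {
    return is_string($sessionToken)
        && is_string($requestToken)
        && hash_equals($sessionToken, $requestToken);
}

// Status a VerifyCsrfToken-style middleware would produce for a request.
function verify(string $method, array $input, array $headers, $sessionToken): int {
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return 200; // read-only methods are not checked
    }
    return tokensMatch($sessionToken, tokenFromRequest($input, $headers)) ? 200 : 419;
}

$session = createSessionToken();
echo csrfField($session), PHP_EOL;

// Constructed sample requests covering the accept and reject paths.
$cases = [
    'valid form post'      => verify('POST', ['_token' => $session], [], $session),
    'valid ajax header'    => verify('POST', [], ['X-CSRF-TOKEN' => $session], $session),
    'missing token'        => verify('POST', ['amount' => '100'], [], $session),
    'forged token'         => verify('DELETE', ['_token' => str_repeat('a', 40)], [], $session),
    'no session token yet' => verify('PUT', ['_token' => $session], [], null),
    'plain GET'            => verify('GET', [], [], $session),
];
foreach ($cases as $name => $status) {
    printf("%-22s -> %d%s", $name, $status, PHP_EOL);
}
```

The first two cases print 200, the three rejected cases print 419, and the GET is not checked at all, matching the "Page Expired" behaviour described above.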
Ercole Palmeri