HighFile-scopePHP Plug & play

Protect Critical Forms with CSRF Tokens

Implement anti‐CSRF tokens in forms performing sensitive actions (like state changes or deletions). Generate a unique token per session or request and validate it on the server before processing the form action.

Add to Mesrai Open workspace

Why this matters

CSRF tokens prevent malicious sites from forging form submissions on behalf of authenticated users. Without this protection, a user could unintentionally trigger unwanted actions by visiting a malicious page.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
// No CSRF token used
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

Prefer

<?php
// Generate CSRF token
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
?>
<form method="POST">
  <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
  <!-- other fields -->
</form>
<?php
// Validate CSRF token on submit
if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('Invalid CSRF token');
}
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

More snippets

Bad

<?php
// No CSRF token used
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

Good

<?php
// Generate CSRF token
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
?>
<form method="POST">
  <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
  <!-- other fields -->
</form>
<?php
// Validate CSRF token on submit
if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('Invalid CSRF token');
}
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

Related rules

From the same buckets as this rule.

Critical
Always sanitize user inputs
Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.
security-hardening
Critical
Always Verify Server Certificates in SSL/TLS Connections
Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.
security-hardening
Critical
Avoid modifying built-in prototypes
Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.
maintainabilitysecurity-hardening

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
// No CSRF token used
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

Prefer

<?php
// Generate CSRF token
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
?>
<form method="POST">
  <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
  <!-- other fields -->
</form>
<?php
// Validate CSRF token on submit
if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('Invalid CSRF token');
}
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

More snippets

Bad

<?php
// No CSRF token used
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

Good

<?php
// Generate CSRF token
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
?>
<form method="POST">
  <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
  <!-- other fields -->
</form>
<?php
// Validate CSRF token on submit
if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('Invalid CSRF token');
}
if ($_POST['acao'] === 'delete') {
    deleteUser($_POST['id']);
}
?>

Related rules

From the same buckets as this rule.

Critical

Always sanitize user inputs

Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.

security-hardening

Critical

Always Verify Server Certificates in SSL/TLS Connections

Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.

security-hardening

Critical

Avoid modifying built-in prototypes

Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.

maintainabilitysecurity-hardening