I understand it changes every time, can it not just grab it each time? I don't understand why the bot can't simply get the token from the HTML form and submit it. If the one submitted in the form doesn't match (or if the token isn't set in SESSION) the request is spam. When the PHP file that handles the registration is run, it will check for the token. When the page containing the form is loaded create a token. This is my current understanding of the 'token method' of CSRF prevention I have been reading up about securing forms and CSRF came up, a term I am not familiar with. However the problem is my webhost only allows x amount of emails per minute, if a bot were to spam this not only will my database be filled with spam accounts but I will also be suspended for breaking the email limit. I am creating a site that uses a signup/login system and I want to add email verification which I am capable of. ![]() ![]() I am trying to stop bots from (potentially) submitting fake data to my php registration file.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |