How to deal with CSRF (I guess)?


For example, in the admin CP, to delete a user there is a link: http://example.com/acp/delete-user.php?id=102 . When the link is opened, the system automatically deletes that user from the database. Imagine that someone sent me a link (like that) and I accidentally opened it. It means that I deleted that user without knowing it. =( How to deal with it? The POST method? Some tokens? And how to do it exactly? I'm just learning. =P


I recommend you do that sort of thing with a FORM. http://example.com/acp/delete-user.php?id=102 shows a form with a DELETE button and a HIDDEN INPUT with a randomly generated key. The value is stored in your session on the server side. When you hit submit, the target page will check whether you passed the correct key.

There are lots of resources about CSRF on the net.
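The pattern the answer describes, written out as an added example (this is not code from the original post): a delete-user.php that only renders a confirmation form on GET, keeps a random token in the session, and performs the delete on POST only after the submitted token matches. It assumes PHP 8, an existing PDO connection in $pdo, a users table with an integer primary key id, and a placeholder redirect target /acp/users.php; none of those come from the original thread.

```php
<?php
// Added example, not from the original post: CSRF-protected delete-user.php.
// Assumptions: PHP 8, an existing PDO connection in $pdo, a "users" table with
// an integer primary key "id", and a placeholder redirect target /acp/users.php.
declare(strict_types=1);
session_start();

function csrf_token(): string
{
    // One unpredictable token per session, kept server side. random_bytes()
    // is a CSPRNG, so an attacker cannot guess the value.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(mixed $submitted): bool
{
    // hash_equals() compares in constant time. A page on another origin can
    // make the victim's browser send a POST, but it cannot read the victim's
    // session or the form that contains the token, so it cannot supply it.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT)
    ?: filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id)) {
    http_response_code(400);
    exit('Missing or invalid user id.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The destructive action happens only here, never on a plain GET of the URL.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    // Rotate the token after use so a copy that leaked cannot be replayed.
    unset($_SESSION['csrf_token']);
    header('Location: /acp/users.php');
    exit;
}

// GET /acp/delete-user.php?id=102 only renders the confirmation form.
// $id is already an int, so it needs no escaping; the token is escaped anyway.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="/acp/delete-user.php">
  <input type="hidden" name="id" value="<?= $id ?>">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <button type="submit">Delete user <?= $id ?></button>
</form>
```

With this in place, the link from the question does nothing by itself: opening it only shows the form. A forged POST from another site fails the csrf_check() and gets a 403, because the attacker has no way to learn the token stored in the victim's session. The token check must run before the delete, and the delete must never be reachable through GET, otherwise the token adds nothing.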