I have an issue that I'm hoping someone will be able to assist with. I'm trying to implement a token system (using PHP) but for some reason it keeps failing.
Here's the code that I place in the of my HTML form (I've also tried placing the code within the form tags):
//-------------------------------------------------
<?php
session_start();
$form_token = uniqid();
$_SESSION['form_token'] = $form_token;
?>
//------------------------------------------------------
I also have a hidden field on the form
<input type="hidden" name="form_token" value="<?php echo $form_token; ?>" />
//----------------------------------------------------------
When the form is submitted the following script is run:
<?php
session_start();
if(isset($_POST['sumbitcheck'])) {
include('connect.php');
}
if ($_POST['form_token'] !== $_SESSION['token'])
{
echo("Invalid Submission");
}
if($_POST['form_token']== $_SESSION['form_token'])
{
echo("Accees");
}
?>
//--------------------------------------------
For some reason it echoes 'Invalid Submission' and the match never evaluates to true. Can anyone help?
Many thanks,
This:
$_POST['form_token'] !== $_SESSION['token']
should be:
$_POST['form_token'] !== $_SESSION['form_token']
This is because you're submitting the hidden field with the name form_token, not token.
If you wanted to, you could do this:
<input type="hidden" name="token" value="<?php echo $form_token; ?>" />
In which case, your current code would work.
It's because this ...
if ($_POST['form_token'] !== $_SESSION['token'])
needs to be this...
if ($_POST['form_token'] !== $_SESSION['form_token'])
Change this:
if ($_POST['form_token'] !== $_SESSION['token'])
To this:
if ($_POST['form_token'] !== $_SESSION['form_token'])
Also, check out the manual for the uniqid() function. It is NOT supposed to be used for security purposes.
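For reference, here is how the same form token can be done with one consistent session key, a cryptographically secure generator in place of uniqid(), and a constant-time comparison. This is an added example, not code from the asker or any of the answerers; the field and session names are kept from the question, and the form markup is assumed.

```php
<?php
// Added example (not the asker's or answerers' code): a form token that
// uses ONE session key on both sides and a CSPRNG instead of uniqid().
session_start();

// Issue a token once per session and store it server-side.
function issue_form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        // random_bytes() is CSPRNG-backed; uniqid() is time-based and guessable.
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Verify the submitted token against the stored one under the SAME key.
function verify_form_token(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    // hash_equals() compares in constant time, avoiding timing leaks.
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        echo 'Invalid Submission';
        exit;
    }
    // Rotate the token after a successful check so it cannot be replayed.
    unset($_SESSION['form_token']);
    echo 'Access';
    exit;
}

$token = issue_form_token();
?>
<form method="post" action="">
    <input type="hidden" name="form_token"
           value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
    <button type="submit" name="submitcheck" value="1">Submit</button>
</form>
```

The asker's original failure would have been caught here because the token is read and written through the same `$_SESSION['form_token']` key in both functions.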