Secure way of submitting a form [closed]

The answers will be sent to a mysql database.

Is there a better way of doing this, making it more secure?

<form action="insert.php" method="post">

1. Artist Name: <input type="text" name="artist" />

2. Song Name: <input type="text" name="song" />

<input type="submit" />

</form>

If you want to secure the form from external/3rd party site submissions then you add a CSRF token to the form, plus make the form keys unrelated to the content that's being posted.

So for example, on your form:

<?php 
session_start();
// Tokens and field names come from a CSPRNG; uniqid() output is time-based and guessable
$_SESSION['csrf']        = bin2hex(random_bytes(16));
$_SESSION['artistParam'] = bin2hex(random_bytes(16));
$_SESSION['songParam']   = bin2hex(random_bytes(16));
?>
<form action="insert.php" method="post">
    <input type="hidden" name="csrf" value="<?php echo $_SESSION['csrf'];?>"/>
    1. Artist Name: <input type="text" name="<?php echo $_SESSION['artistParam'];?>" />
    2. Song Name: <input type="text" name="<?php echo $_SESSION['songParam'];?>" />
    <input type="submit" />
</form> 

Now on the receiver file insert.php, you would check that the required parameters are set and match the session vars, so for example:

<?php 
session_start();

if(
    //Check is POST
    $_SERVER['REQUEST_METHOD'] == 'POST' &&

    //Check required variables are set
    isset($_SESSION['csrf']) &&
    isset($_SESSION['artistParam']) &&
    isset($_SESSION['songParam']) &&
    isset($_POST['csrf']) &&
    is_string($_POST['csrf']) &&
    isset($_POST[$_SESSION['artistParam']]) &&
    isset($_POST[$_SESSION['songParam']]) &&

    //Check csrf key matches the session key (strict, constant-time string compare instead of ==)
    hash_equals($_SESSION['csrf'], $_POST['csrf'])
){
    //do something with values
    $artist = $_POST[$_SESSION['artistParam']];
    $song   = $_POST[$_SESSION['songParam']];
}

//Unset to stop multiple attempts (token is single-use whether or not the check passed)
unset($_SESSION['csrf'], $_SESSION['artistParam'], $_SESSION['songParam']);
?>

You could even go as far as encoding the form using javascript (a bit overkill).

<?php 
session_start();
// Same per-session token and randomized field names as the plain form above
$_SESSION['csrf']        = bin2hex(random_bytes(16));
$_SESSION['artistParam'] = bin2hex(random_bytes(16));
$_SESSION['songParam']   = bin2hex(random_bytes(16));

$form = '<form action="insert.php" method="post">
    <input type="hidden" name="csrf" value="'.$_SESSION['csrf'].'"/>
    1. Artist Name: <input type="text" name="'.$_SESSION['artistParam'].'" />
    2. Song Name: <input type="text" name="'.$_SESSION['songParam'].'" />
    <input type="submit" />
</form>';

// Strip leading/trailing whitespace and newlines so the markup fits on one line
$str = preg_replace('/^\s+|\n|\s+$/m', '', $form);

// Percent-encode every byte as %XX; unescape() in the browser turns it back into markup
$enc = '';
for ($i = 0; $i < strlen($str); $i++) {
    $enc .= sprintf('%%%02X', ord($str[$i]));
}
$sec = substr(sha1(microtime(true)), 0, 10);
echo '<script type="text/javascript">var x'.$sec.'x="'.$enc.'";document.write(unescape(x'.$sec.'x));</script>
    <noscript>
        <style>
            #noscript_notice {
                text-align: center;
                font-weight: bold;
                color:#FF6962;
                padding-top: 20px;
            }
        </style>
        <div id="noscript_notice">
            <p>Please enable JavaScript!</p>
        </div>
    </noscript>';
?>

Is that what you meant?
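As an added example (not from the original answer), here is how insert.php could complete the "do something with values" step for the question's MySQL table: the same session-based CSRF and randomized-field-name checks, with the token compared via hash_equals, followed by a parameterized PDO insert so the artist and song values are never concatenated into the SQL text. The DSN, the credentials and the table layout songs(artist, song) are assumptions.

```php
<?php
session_start();

// Constant-time comparison of the submitted token against the session copy.
function csrf_token_valid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Read the two fields using the per-session randomized names; null if anything is missing.
function extract_fields(array $session, array $post): ?array
{
    if (!isset($session['artistParam'], $session['songParam'])) {
        return null;
    }
    $artist = $post[$session['artistParam']] ?? null;
    $song   = $post[$session['songParam']] ?? null;
    if (!is_string($artist) || !is_string($song) || $artist === '' || $song === '') {
        return null;
    }
    return ['artist' => $artist, 'song' => $song];
}

$fields = null;
$ok = $_SERVER['REQUEST_METHOD'] === 'POST'
    && csrf_token_valid($_SESSION, $_POST)
    && ($fields = extract_fields($_SESSION, $_POST)) !== null;

// Single use: drop the token and field names whether or not the check passed.
unset($_SESSION['csrf'], $_SESSION['artistParam'], $_SESSION['songParam']);

if (!$ok) {
    http_response_code(400);
    exit('Invalid form submission.');
}

// Assumed connection details and table layout: songs(artist, song).
$pdo = new PDO('mysql:host=localhost;dbname=music;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Bound placeholders keep the user input out of the SQL text entirely.
$stmt = $pdo->prepare('INSERT INTO songs (artist, song) VALUES (:artist, :song)');
$stmt->execute([':artist' => $fields['artist'], ':song' => $fields['song']]);

echo 'Saved.';
```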