How to prevent Cross-Site Request Forgery (CSRF) in PHP

A cross-site request forgery (CSRF) vulnerability occurs when:
The web application uses session cookies.
The application acts on an HTTP request without verifying that the request was made with the user’s consent.
If the request does not contain a nonce that proves its provenance, the code that handles the request is vulnerable to a CSRF attack (unless the request does not change the state of the application). This means a web application that uses session cookies has to take special precautions to ensure that an attacker can’t trick users into submitting bogus requests: the browser attaches the session cookie to any request aimed at the site, whichever page triggered it, so the cookie alone proves nothing about where the request came from.
For more details visit–
Generating CSRF Token

// session_start() must already have been called on this page
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

random_bytes(32) generates 32 cryptographically secure pseudo-random bytes; bin2hex() converts them to a 64-character hexadecimal string that is safe to embed in an HTML attribute.
string random_bytes ( int $length )
Generates an arbitrary length string of cryptographic random bytes that are suitable for cryptographic use, such as when generating salts, keys or initialization vectors. random_bytes() is available from PHP 7.0 onwards.
Verifying CSRF Token

if (!empty($_POST['token'])) {
    if (hash_equals($_SESSION['token'], $_POST['token'])) {
        // Proceed to process the form data
    } else {
        // Log this as a warning and keep an eye on these attempts
    }
}
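The generation and verification steps above, combined into a small reusable helper. This is an added example, not the tutorial's own code: the function names csrf_token, csrf_field, csrf_verify and csrf_rotate are assumptions, $_SESSION is modelled as a plain array so the flow can be run with the PHP CLI, and the POST payloads are constructed sample data. It goes a little beyond the tutorial in two places: it checks is_string() before calling hash_equals(), and it replaces the consumed token with a fresh one instead of only unsetting it.

```php
<?php
// Added example, not the tutorial's code. Names (csrf_token, csrf_field,
// csrf_verify, csrf_rotate) are assumed. $_SESSION is modelled as a plain
// array passed by reference so the logic runs under `php csrf_demo.php`;
// in a real page pass $_SESSION after session_start().

// Return the session's CSRF token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['token'])) {
        // 32 CSPRNG bytes -> 64 hex characters, safe to embed in HTML
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

// Hidden field to place inside every state-changing <form>.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrftoken" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the submitted value is a string equal to the session token;
// hash_equals() compares in constant time. Non-string input (for example a
// field submitted as csrftoken[]=x) is rejected before the call, because
// hash_equals() throws a TypeError on PHP 8 when handed an array.
function csrf_verify(array $session, $submitted): bool
{
    if (empty($session['token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['token'], $submitted);
}

// Consume the token after an accepted request and issue a fresh one, so a
// replayed submission fails and the next rendered form still carries a token.
function csrf_rotate(array &$session): string
{
    unset($session['token']);
    return csrf_token($session);
}

// --- Simulated requests (constructed sample data, no web server needed) ---
$session = [];                       // empty session on the first visit
$hidden  = csrf_token($session);     // value that csrf_field() would embed

$requests = [
    'legitimate form post'   => ['csrftoken' => $hidden],
    'forged cross-site post' => ['csrftoken' => str_repeat('0', 64)], // guessed value
    'token field missing'    => [],
    'token sent as array'    => ['csrftoken' => ['x']],
];
foreach ($requests as $label => $post) {
    $accepted = csrf_verify($session, $post['csrftoken'] ?? null);
    printf("%-24s -> %s\n", $label, $accepted ? 'accepted' : 'rejected');
}

// The accepted request consumed the token: replaying it is now rejected.
csrf_rotate($session);
printf("%-24s -> %s\n", 'replay of old token',
    csrf_verify($session, $hidden) ? 'accepted' : 'rejected');
```

Run it with `php csrf_demo.php`. Only the request carrying the value that was rendered into the form is accepted; a cross-site page cannot read that value because of the same-origin policy, so its forged request, a request with the field missing, and a request with the field sent as an array all fail verification, and a replay of the old token fails once the token has been rotated.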

Here is the full code (index.php). The original listing had lost its braces, the assignments of the form fields and the HTML wrapper elements; they are restored here, and the values are bound to the INSERT as parameters instead of being interpolated into the SQL string, which was an SQL injection hole in the original.

<?php
session_start(); // needed before $_SESSION is used (skip if config.php already does this)
include('config.php'); // database configuration file, provides $con
// Generating CSRF token
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}
// Verifying CSRF token
if (!empty($_POST['csrftoken'])) {
    if (hash_equals($_SESSION['token'], $_POST['csrftoken'])) {
        $name    = $_POST['name'];
        $subject = $_POST['subject'];
        $message = $_POST['message'];
        // bound parameters instead of "values('$name','$subject','$message')"
        $stmt  = mysqli_prepare($con, "insert into tblcsrf (Name,Subject,Message) values(?,?,?)");
        $query = $stmt
            && mysqli_stmt_bind_param($stmt, 'sss', $name, $subject, $message)
            && mysqli_stmt_execute($stmt);
        if ($query) {
            // if query ran successfully
            echo '<script> alert("Record inserted successfully");</script>';
            unset($_SESSION['token']); // unset session token after submitting
        } else {
            // if query did not run
            echo '<script> alert("Something went wrong. please try again.");</script>';
        }
    } else {
        // if record already inserted: the token was consumed by the previous submit
        echo '<script> alert("Record already inserted. Please refresh browser then try");</script>';
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Fixing CSRF vulnerability in PHP Applications </title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="" rel="stylesheet">
    <style>
    .form-area { /* selector assumed; the original listing lost it */
        background-color: #FAFAFA;
        padding: 10px 40px 60px;
        margin: 10px 0px 60px;
        border: 1px solid GREY;
    }
    </style>
    <script src=""></script>
    <script src=""></script>
</head>
<body>
<div class="container" align="center">
<div class="col-md-7">
    <div class="form-area">
        <form name="csrftoken" method="post">
        <br style="clear:both">
            <h3 style="margin-bottom: 25px; text-align: center;">How to implement CSRF token in php</h3>
            <div class="form-group">
                <input type="text" class="form-control" id="name" name="name" placeholder="Name" required>
            </div>
            <div class="form-group">
                <input type="text" class="form-control" id="subject" name="subject" placeholder="Subject" required>
            </div>
            <div class="form-group">
                <textarea class="form-control" type="textarea" id="message" name="message" placeholder="Message" maxlength="140" rows="7"></textarea>
                <span class="help-block"><p id="characterLeft" class="help-block ">You have reached the limit</p></span>
            </div>
            <!-- the token travels in a hidden field; a cross-site page cannot read it -->
            <input type="hidden" name="csrftoken" value="<?php echo htmlentities($_SESSION['token']); ?>" />
            <button type="submit" id="submit" name="submit" class="btn btn-primary pull-right">Submit Form</button>
        </form>
    </div>
</div>
</div>
<script>
    $('#characterLeft').text('140 characters left');
    $('#message').keydown(function () {
        var max = 140;
        var len = $(this).val().length;
        if (len >= max) {
            $('#characterLeft').text('You have reached the limit');
        } else {
            var ch = max - len;
            $('#characterLeft').text(ch + ' characters left');
        }
    });
</script>
</body>
</html>

How to run the script
1. Download and unzip the file on your local system.
2. Put the extracted folder inside the web server's root directory.
3. Database configuration:
   open your browser and go to http://localhost/phpmyadmin
   create a database named demos
   import the database file tblcsrf.sql
4. Open your browser and go to “http://localhost/csrf/”

Download Source Code(How to prevent Cross-Site Request Forgery (CSRF) in PHP)
Size: 2.88 KB
Version: V 1.0


  1. Tarachand says

    Fatal error: Call to undefined function random_bytes() in C:\xampp\htdocs\csrf\index.php on line 8
    This error is found while I was running the code.

    1. Anuj Kumar says

      Use the latest version of PHP.
