Prevent CRSF in Drupal 7

CSRF (Cross-Site Request Forgery) is an attack where a malicious website tricks a user's browser into making unwanted actions on a different site where the user is authenticated, exploiting the user's session to perform unauthorized operations. In Drupal 7, use the drupal_get_token() function to generate a CSRF token and validate it with drupal_valid_token().

Generating Token (in a form):

Source code viewer
$form['csrf_token'] = array(
  '#type' => 'hidden',
  '#value' => drupal_get_token('my_form'),
);
 
Programming Language: PHP

Validating Token (on submit):

Source code viewer
if (!drupal_valid_token($_POST['csrf_token'], 'my_form')) {
  drupal_set_message(t('Invalid token.'), 'error');
  return;
}
 
Programming Language: PHP

Browse Tutorials

“Talk is cheap. Show me the code.” ― Linus Torvalds

You are here

Generating Token (in a form):

Validating Token (on submit):