Commit 2ef6b52c authored by Dries

- Patch #28420 by Jeremy: provide a more generic interface that can be used
  to validate other form submissions, not just comments. Two new functions
  are introduced, form_token() and form_validate(). The first function uses
  a private key and a public key to set a token in a hidden field. The second
  function validates the token. The comment and content module are updated to
  use these functions.
parent fe5f70b6
......@@ -1039,6 +1039,53 @@ function form($form, $method = 'post', $action = NULL, $attributes = NULL) {
return '<form action="'. check_url($action) .'" method="'. $method .'"'. drupal_attributes($attributes) .">\n<div>". $form ."\n</div></form>\n";
* Set a hidden 'form_token' field to be included in a form, used to validate
* that the resulting submission was actually generated by a local form.
* @param $key
* A unique key to identify the form that is currently being displayed.
* This identical key is later used to validate that the resulting submission
* actually originated with this form.
* @result
* A themed HTML string representing the hidden token field.
function form_token($key) {
// this private key should always be kept secret
if (!variable_get('drupal_private_key', '')) {
variable_set('drupal_private_key', mt_rand());
// the verification token is an md5 hash of the form key and our private key
return form_hidden('form_token', md5($key . variable_get('drupal_private_key', '')));
* Verify that the hidden 'form_token' field was actually generated with our
* private key.
* @param $edit
* An array containing the form that needs to be validated.
* @param $key
* The same key that was used to generate the 'form_token'.
* @param $error_message
* An optional error message to display if the form does not validate.
* @result
* There is nothing returned from this function, but if the 'form_token' does
* not validate an error is generated, preventing the submission.
function form_validate($edit, $key, $error_message = NULL) {
if ($error_message == NULL) {
// set a generic default error message
$error = t('Validation error, please try again. If this error persists, please contact the site administrator.');
if ($edit['form_token'] != md5($key . variable_get('drupal_private_key', ''))) {
// setting this error will cause the form to fail validation
form_set_error('form_token', $error);
* File an error against the form element with the specified name.
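Review bot: the token produced in form_token(), md5($key . variable_get('drupal_private_key', '')), depends only on the form key and the site-wide secret, so it is identical for every visitor and never changes; anyone who loads the form once can read the hidden field and replay it in a submission forged on behalf of any other user, which defeats the "actually generated by a local form" guarantee the docblock promises. Bind the token to the submitting user by mixing the session ID into the hash, e.g. md5(session_id() . $key . variable_get('drupal_private_key', '')), and compute the same value in form_validate(). Two smaller points in the same hunk: variable_set('drupal_private_key', mt_rand()) seeds the secret from a single mt_rand() call, which is far too little entropy for a key every token depends on and should be replaced with a longer random value; and, as the hunk reads here, $error is only assigned inside the $error_message == NULL branch of form_validate(), so a caller that passes a custom message reaches form_set_error('form_token', $error) with $error undefined and the custom message is never shown. Also check isset($edit['form_token']) before comparing and use === rather than != so a missing field or PHP's numeric-string coercion cannot accidentally validate.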