CSRF Protection Form (VQMod)

[24-01-2021] - SL CSRF 4.04 released
Fixed white space in admin controller
Added validation of catalog sl_csrf event in admin header event due to heaviness of the installation package.
Changed catalog-end side from /after to /before event.

[22-01-2021] - SL CSRF 4.02 released
Added 227 events for the admin CSRF core form inputs
Improved csrf_helper library with the OC registry Engine reflecting on admin and catalog-end side

[21-01-2021] - SL CSRF 4.01 released
Added X-CSRF header lookup in the library file as per StackOverFlow.com . The zlib.output_compression can be set to: Off from php.ini once the extension has been successfully installed. This line should only be enabled for troubleshooting purposes.

[20-01-2021] - SL CSRF v4.0 released
OCMod package available with Events. Previous versions of VQMod with XML is now deprecated starting on this day. To upgrade, simply remove the previous files from your vqmod/xml/csrf.xml and system/helper/csrf_helper.php file. Upload the new downloaded OCMod ZIP file with the OC admin > extensions > installer. Then, refresh modifications from your OC admin > extensions > modifications page. Then, go to your OC admin > extensions > modules > SL CSRF Protection Form. Hit the install button. Then, do NOT hit edit - it's not needed. The extension module's already active. Then, go to your OC admin > extensions > events page; you should notice the admin_sl_csrf and sl_csrf events, both, being active. Then, as the first time, logout of your OC admin. Check your view-source on the browser for the __csrf key. Do the same for the catalog-end side (even from the home page, the __csrf key should be showing in the view-source). Re-login to your OC admin account, go - for e.g - to your admin > catalog > products > add / edit product page. See if the __csrf also displays (it should!). Take note that the zlib.output_compression = On still applies from your php.ini file, however. Until you know it works, it must remain there. Once you know it works, 'On' can then be set to: 'Off' until the next troubleshooting (if needed).

[26-03-2018] - Gzip compression instructions provided

In your php.ini file, ensure this line has been added:

zlib.output_compression = On

[25-02-2018] - CSRF v3.2 for OC v2.x and v3.x releases

Thanks to the forum user: neelgajjar addressing that the latest CSRF release no longer creates flooded registration. All back to normal with v2.x releases, according to his feedback.

[15-02-2018] - CSRF for OC v2.x and v3.x releases

The day has finally arrived. The CSRF protection form extension is now protecting the entire Opencart HTML forms that involves posting information to the store. Simply use VQMod and VQMod Manager to compare the lines at your discretion to the targeted file. Only new files, no core files overwritten. Not a single CSRF attacker / flooder will be able to submit bot scripts to auto-register customer / affiliate accounts from now on.

[22-10-2017] - CSRF for OC v3.x releases.

A new CSRF version has been released for Opencart v3.x releases in order to adapt the CSRF token into TWIG files.

Instructions: All new files, upload them all (override the CSRF library if you already have it). Install the admin extension module called: CSRF Protection, edit the module, enable the module (and the log if you want for monitoring purposes).

Usage: For your override files / VQMod / OCMod, the following lines are needed in your controller files each from where you'd like to use the HTML forms:

$csrf = new Csrf();


$data['csrf_form_input'] = $csrf->csrf_form_input();

As for your TWIG files, below each <form line tags, add:

{% if csrf_form_input %}
{{ csrf_form_input }}
{% endif %}

This form protection library will allow each customers and administrators to post data from web forms within a forced CSRF generated token. If this token cannot be generated, a CSRF failed message will appear and will automatically exit the session for protection purposes. This add-on will also protect GETs and POSTs data from the admin whether the token comes from URL or from forms. From now on, both uses the same generated token in order to fully protect OpenCart.

Support thread: http://forum.opencart.com/viewtopic.php?f=23&t=51859&p=244665#p244665

[Update: May 20, 2014]

Several XML line updates applied for OC v1.5.6.2.

What customers say about CSRF Protection Form (VQMod)

Excellent package, extremely easy to install, and support was fantastic. Could not have been easier to set up and it works right away. Super happy - one of the easiest and most valuable additions to our OC site.
Installed this to stop spam customer registration but it didn't appear in the modules and when trying to get support, got no reply.

  • Developed by OpenCart Community
  • Documentation Included



Last Update
25 Jan 2021

27 Jan 2012
Member since: 13 Nov 2011

View all extensions Get Support