CSRF Protection Form (VQMod)

[29-03-2018] - The CSRF helper has been improved with a more stronger algorithm form or string for better protection and also PHP 7+ compatibility.

[20-03-2018] - CSRF Support Forum topic updated by providing instructions for multiple social login free extensions.

[25-02-2018] - CSRF v3.2 for OC v2.x and v3.x releases

Thanks to the forum user: neelgajjar addressing that the latest CSRF release no longer creates flooded registration. All back to normal with v2.x releases, according to his feedback.

[15-02-2018] - CSRF for OC v2.x and v3.x releases

The day has finally arrived. The CSRF protection form extension is now protecting the entire Opencart HTML forms that involves posting information to the store. Simply use VQMod and VQMod Manager to compare the lines at your discretion to the targeted file. Only new files, no core files overwritten. Not a single CSRF attacker / flooder will be able to submit bot scripts to auto-register customer / affiliate accounts from now on.

[22-10-2017] - CSRF for OC v3.x releases.

A new CSRF version has been released for Opencart v3.x releases in order to adapt the CSRF token into TWIG files.

Instructions: All new files, upload them all (override the CSRF library if you already have it). Install the admin extension module called: CSRF Protection, edit the module, enable the module (and the log if you want for monitoring purposes).

Usage: For your override files / VQMod / OCMod, the following lines are needed in your controller files each from where you'd like to use the HTML forms:

$csrf = new Csrf();


$data['csrf_form_input'] = $csrf->csrf_form_input();

As for your TWIG files, below each <form line tags, add:

{% if csrf_form_input %}
{{ csrf_form_input }}
{% endif %}

This form protection library will allow each customers and administrators to post data from web forms within a forced CSRF generated token. If this token cannot be generated, a CSRF failed message will appear and will automatically exit the session for protection purposes. This add-on will also protect GETs and POSTs data from the admin whether the token comes from URL or from forms. From now on, both uses the same generated token in order to fully protect OpenCart.

Support thread: http://forum.opencart.com/viewtopic.php?f=23&t=51859&p=244665#p244665

[Update: May 20, 2014]

Several XML line updates applied for OC v1.5.6.2.

What customers say about CSRF Protection Form (VQMod)

Installed this to stop spam customer registration but it didn't appear in the modules and when trying to get support, got no reply.

  • Developed by OpenCart Community
  • Documentation Included



Last Update
29 Mar 2018

27 Jan 2012
Member since: 13 Nov 2011

View all extensions Get Support