I think I understand CSRF and how using form keys can prevent that, but this can only be useful for POST data coming from a form, right? In my website I let logged-in users delete some items by clicking on a Delete button which sends them to delete.php?id={item_id}.
On delete.php I check if the item belongs to the user; if it does, then the script deletes it. How can I stop some other site posting a link like www.mysite.com/delete.php?id=3? I understand that the attacker will have to guess the id in my case.
But in general, how do you stop CSRF for GET data or data in a URL?
Also, what is the difference between an attacker using an img tag or an anchor tag for doing CSRF, and how do they relate to GET and POST data?
Thank you very much in advance and I will really appreciate any advice on this.
Expanding on my comment,
Assuming you are using a cookie/session to keep track of user login, simply md5 again on the hash and let that be your confirm.
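// Both parameters from the link must be present, and confirm must match the md5 of the session cookie
if (isset($_GET['id'], $_GET['confirm']) && md5($_COOKIE["PHPSESSID"]) === $_GET['confirm']) {
    // delete something
}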
Then for the HTML you could state:
<a href="www.mysite.com/delete.php?id=3&confirm=<?php echo md5($_COOKIE["PHPSESSID"]);?>">Delete</a>
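An added example, not part of the answer above or of the asker's site: a hypothetical delete.php that only deletes on POST and checks a random per-session token with hash_equals, which is the "form key" approach the question mentions applied to the delete action. The session key and field name csrf_token and the helper csrf_token_is_valid are assumptions made for illustration.

```php
<?php
// Added example: hypothetical delete.php using a per-session CSRF token.
session_start();

// Create one random token per session (assumed key name: csrf_token).
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Hypothetical helper: true only when the request carries the session's token.
function csrf_token_is_valid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_SESSION, $_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $itemId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($itemId === false || $itemId === null) {
        http_response_code(400);
        exit('Bad item id');
    }
    // Placeholder: check that $itemId belongs to the logged-in user, then delete it.
    exit('Deleted item ' . $itemId);
}

// Any other method (a GET fired by an <img> tag or a followed link) only renders
// the confirmation form, so loading the URL alone never changes state.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
?>
<form method="post" action="delete.php">
    <input type="hidden" name="id" value="<?php echo (int) $id; ?>">
    <input type="hidden" name="csrf_token"
           value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>">
    <button type="submit">Delete</button>
</form>
```

Because the token travels in a POST body rather than the query string, it does not end up in browser history, server access logs or Referer headers.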