'; } function csrfValidate(): bool { if (session_status() === PHP_SESSION_NONE) session_start(); $token = $_POST['csrf_token'] ?? ''; return hash_equals($_SESSION['csrf_token'] ?? '', $token); }