For CSRF prevention you need to store a shared token on both the client and the server, so when the client makes a request, their submitted value can be compared with your known value.

For the client side you could use a cookie, or a hidden form field (personally I prefer the hidden field – so I don’t pile up cookies for every form in the clients browser).

On the server you could use the session (where the session id is stored in a cookie anyway) or store it in a database (although you’d probably need to use the session to identify the record that belongs to the client).

Here’s some very basic example CSRF prevention code for you.

session_start();

if (isset($_POST) && isset($_POST['csrf'])) {
    var_dump($_POST, $_SESSION);
    if ($_POST['csrf'] == $_SESSION['CSRF_FORM1']) {
        print 'You win cookies!';
    }
    else {
        print 'You win a bucket of vomit!';
    }
}

$_SESSION['CSRF_FORM1'] = md5(microtime());

?>
<form action="" method="post">
    <input type="hidden" name="csrf" value="<?php print $_SESSION['CSRF_FORM1']; ?>" />
    <input type="submit" value="Good form Jack!" />
</form>

<form action="" method="post">
    <input type="hidden" name="csrf" value="badValue" />
    <input type="submit" value="Bad form Jack!" />
</form>