HiveBrain v1.2.0

Cross-site request forgery defense for code to count Likes

Submitted by: @import:stackexchange-codereview

Problem

I have the following code which is supposed to insert a row into a DB table "clicks" (consisting of one primary AI column "id" and another column "user" which contains the user's session ID) upon clicking the Like button. For each user, assuming they have a session ID set from a login, I would like to return to them their most recently inserted ID from the table. So the first time the button is clicked it will return 1, etc. I would like this to be accessible to multiple users through a login system.

Is this vulnerable to Cross-site request forgery and if so, how can I alter the code to defend against it?

index.php:

<?php
// Reconstruction: extraction stripped the PHP tags and the markup around the
// echoed 'Like' button; the session key 'userid' is an assumption.
session_start();
require 'connect.php';
$userid = $_SESSION['userid'];
echo '<button onclick="like_add(' . json_encode($userid) . ')">Like</button>';
?>


connect.php

<?php
// The connection arguments were lost in extraction; these are placeholders.
$conn = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>


init.php



like.js

function like_add(userid) {
    $.post('like_add.php', {userid: userid}, function(data) {
        // Note: like.php echoes the new click id, not the string 'success',
        // so this branch is only reached if the server replies 'success'.
        if (data == 'success') {
            add_like(userid); // was add_like($userid); '$userid' is undefined in JavaScript.
                              // add_like is assumed to be a UI helper defined elsewhere.
        } else {
            alert(data);
        }
    });
}


like.php

<?php
// The opening of this file was lost in extraction; the session start, the
// POST check and the $stmt = $conn->prepare(...) assignment are reconstructed
// from the surviving lines and from what like.js sends.
session_start();
require 'connect.php';
if (isset($_POST['userid'])) {
    $userid = $_POST['userid'];
    // Insert one click row for this user (prepared statement, bound as string).
    $stmt = $conn->prepare("INSERT INTO clicks (user) VALUES (?)");
    $stmt->bind_param("s", $userid);
    $stmt->execute();
    $stmt->close();
    // Return the highest id this user has inserted so far.
    $stmt = $conn->prepare("SELECT max(id) FROM clicks WHERE user=?");
    $stmt->bind_param("s", $userid);
    $stmt->execute();
    $stmt->bind_result($click);
    $stmt->fetch();
    echo $click;
    $stmt->close();
}
?>


like_add.php

Solution

Defending against CSRF attacks happens by creating a token that can only be used once by the client that requested it. For proper protection, that token should of course be linked to a form.

A simple one could be to add an md5 hash or similar to all your forms and store that hash somewhere. Then, when the user submits, check whether the hash is valid. Depending on the requirements, you can also add a time to live to the hash (e.g. did it take more than 30 minutes to submit the form?).

In your case, it is not a form, but a request being sent to the server. Simply adding a token to that request (and validating it) would help you protect against CSRF attacks.

Context

StackExchange Code Review Q#91029, answer score: 2
