duan0531 2012-12-16 12:07
Views: 23
Accepted

Block unwanted client-side requests from using a PHP file

I have a PHP document, let's say jsonarray.php.

This file returns the json_encode of an associative array when some parameters are given. I need to forbid an unwanted user from accessing and using this file for his own purposes.

Is this possible?

In addition, I want to specify that it is a client-side request, which I make in JavaScript code.


5 answers

  • dstbp22002 2012-12-16 12:14

    If you are accessing this from another PHP file, you can set a BASEPATH constant there and add the following line at the top of all the files you need to protect:

    defined('BASEPATH') OR exit('No direct script access allowed');
    

    So if the file is accessed from that particular file, BASEPATH is set and everything works. But in case some URL directly tries to access it, the script would terminate.

    If you are calling this from JavaScript, the other option is to add a nonce token to every JavaScript request, which is basically a randomly generated unique token that is valid for a single request. See the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for more details.

    Here is an example taken from here:

    <?php
    // The class declaration was missing from the posted snippet; the closing
    // brace and the `new csrf_check()` call below show where it belongs.
    class csrf_check {
        // Key = base64(base64(encrypt("<unix time>X<client IP>")))
        function create_api_key(){
            return base64_encode(base64_encode($this->encrypt(time().'X'.$_SERVER['REMOTE_ADDR'])));
        }

        // A key is valid only if it was issued within the last $timeout seconds
        // and from the same client IP that presents it now.
        function check_api_key($key,$timeout=5){
            if(empty($key)){ exit('Invalid Key'); }

            $keys=explode('X',$this->decrypt(base64_decode(base64_decode($key))));

            if (isset($key) && isset($keys[0]) && $keys[0] >= (time()-$timeout) &&
            isset($keys[1]) && $keys[1] == $_SERVER['REMOTE_ADDR']){
                return true;
            }else{
                return false;
            }
        }

        // mcrypt in ECB mode: the IV is created but ECB does not use it, so
        // identical plaintext blocks always encrypt to identical ciphertext.
        // The mcrypt extension was deprecated in PHP 7.1 and removed from core
        // in PHP 7.2, so this code needs PHP < 7.2 or the PECL mcrypt package.
        function encrypt($value){
            $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
            $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
            return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, 'SECURE_KEY', $value, MCRYPT_MODE_ECB, $iv);
        }

        function decrypt($value){
            $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
            $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
            // trim() strips the zero-byte padding mcrypt leaves at the end
            return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, 'SECURE_KEY', $value, MCRYPT_MODE_ECB, $iv));
        }
    }

    $csrf = new csrf_check();

    if(!empty($_GET['do'])){

        $do = $_GET['do'];
        switch($do){
                //example.com?do=get - a key for the request
            case "get":
                echo $csrf->create_api_key();
                break;

            case "check":
                //key only lasts 30 secs & validate key passed
                //example.com?do=check&key=MEV6NXk4UjVRQXV5Qm1CMjBYa3RZZUhGd2M0YnFBUVF0ZkE5TFpNaElUTT0=
                if(!empty($_GET['key']) && $csrf->check_api_key($_GET['key'],30)){
                    exit('Key valid');
                }else{exit('Key invalid');}
                break;

            default:
                exit('Request invalid');
                break;
        }
    }
    
    This answer was selected by the asker as the best answer.
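The answer's nonce idea, carried through with a session-bound, single-use token instead of an IP-and-timestamp key, as an added example that is not part of the original answer or its source. The class name `CsrfNonce`, the `issue`/`verify` methods, the 30-second lifetime and the `$store` array standing in for `$_SESSION` are this example's own choices; the page first fetches a nonce (the answer's `?do=get` step), the JavaScript sends it with the request to jsonarray.php, and the endpoint refuses to serve the JSON unless the nonce matches the one remembered in the session.

```php
<?php
// Added example (not from the original answer): a session-bound, single-use
// nonce for a JSON endpoint such as jsonarray.php. All names here are the
// example's own assumptions, not an API from the page.
declare(strict_types=1);

final class CsrfNonce
{
    private const TTL = 30;            // seconds a nonce stays valid (assumed)
    private const KEY = 'csrf_nonce';  // slot in the session array (assumed)

    /** Generate a fresh nonce and remember it, with its issue time, in $store. */
    public static function issue(array &$store): string
    {
        $nonce = bin2hex(random_bytes(32));          // CSPRNG, 256 bits of entropy
        $store[self::KEY] = ['value' => $nonce, 'issued' => time()];
        return $nonce;
    }

    /**
     * Accept the presented nonce only if one was issued to this session, it has
     * not expired, and it matches in constant time. Every attempt, successful or
     * not, consumes the stored nonce, so a captured value cannot be replayed.
     */
    public static function verify(array &$store, ?string $presented): bool
    {
        $saved = $store[self::KEY] ?? null;
        unset($store[self::KEY]);                     // single use
        if ($saved === null || $presented === null) {
            return false;                             // nothing issued, or nothing sent
        }
        if (time() - $saved['issued'] > self::TTL) {
            return false;                             // expired
        }
        return hash_equals($saved['value'], $presented);
    }
}

// --- How jsonarray.php would use it (session-backed) ----------------------
// session_start();
// if (!CsrfNonce::verify($_SESSION, $_GET['key'] ?? null)) {
//     http_response_code(403);
//     exit('Key invalid');
// }
// header('Content-Type: application/json');
// echo json_encode($assoc);   // the array the endpoint normally returns

// --- Stand-alone demonstration using an array in place of $_SESSION -------
function demo(): array
{
    $session = [];                                   // stands in for $_SESSION
    $results = [];

    $nonce = CsrfNonce::issue($session);
    $results['first use'] = CsrfNonce::verify($session, $nonce);        // true
    $results['replay']    = CsrfNonce::verify($session, $nonce);        // false: consumed

    $nonce2 = CsrfNonce::issue($session);
    $wrong  = str_repeat('0', strlen($nonce2));                         // same length, wrong value
    $results['wrong value'] = CsrfNonce::verify($session, $wrong);      // false

    $results['nothing issued'] = CsrfNonce::verify($session, 'x');     // false: no nonce pending
    return $results;
}

var_dump(demo());
```

Run it with `php nonce.php` to see the four outcomes. The check in `verify` rejects a request with no pending nonce, an expired one, a wrong value, and a reuse of a valid one; `hash_equals` keeps the comparison constant-time, and tying the nonce to the session rather than to `$_SERVER['REMOTE_ADDR']` avoids the answer's dependence on the client IP, which changes behind NAT and proxies.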