I need to restrict POST request from specific domain. As far I know, HTTP_REFERER checking cannot be a good solution because it can be spoofed. So what can be the good solution when two different websites from different technology and web servers will work together?
1条回答 默认 最新
dongshuo9350 2012-10-21 15:53关注Heres a method you could try, by adding a hidden field within your form that is session values that are set server side. This way if the form has not originated from your server the session would not have been set and the values would not match.
Example:
<?php session_start(); if($_SERVER['REQUEST_METHOD']=='POST'){ if(isset($_SESSION['security']) && isset($_SESSION['security_key']) && !empty($_POST[$_SESSION['security_key']]) && $_POST[$_SESSION['security_key']] == $_SESSION['security']) { /* forms post is from domain as session would not have been started and security would not have been set */ echo 'good'; }else{ /* forms post is not from domain */ echo 'bad'; } $_SESSION['security_key'] = sha1(microtime(true)+1); $_SESSION['security'] = sha1(microtime(true)); }else{ $_SESSION['security_key'] = sha1(microtime(true)+1); $_SESSION['security'] = sha1(microtime(true)); } ?> <form method="POST" action=""> <input type="hidden" name="<?=$_SESSION['security_key'];?>" value="<?=$_SESSION['security'];?>"/> <p><input type="text" name="Text" size="20"><input type="submit" value="Submit"></p> </form>Alternatively you could use encryption instead of hashing, that way you could check the values:
<?php session_start(); define('SECURE_KEY',$_SERVER['SERVER_NAME']); if($_SERVER['REQUEST_METHOD']=='POST'){ if(isset($_SESSION['security_key']) && isset($_SESSION['security'])){ //Decrypt list($servername,$userip) = explode('X',decrypt(base64_decode($_SESSION['security']))); //Check the decrypted values if($servername == $_SERVER['SERVER_NAME'] && $userip == $_SERVER['REMOTE_ADDR']){ /* forms post is from domain as session would not have been started and security would not have been set */ echo 'good'; }else{ echo 'bad'; } }else{ /* forms post is not from domain */ echo 'bad'; } $_SESSION['security_key'] = sha1(microtime(true)); $_SESSION['security'] = base64_encode(encrypt($_SERVER['SERVER_NAME'].'X'.$_SERVER['REMOTE_ADDR'])); }else{ $_SESSION['security_key'] = sha1(microtime(true)); $_SESSION['security'] = base64_encode(encrypt($_SERVER['SERVER_NAME'].'X'.$_SERVER['REMOTE_ADDR'])); } function encrypt($string, $key = 'PrivateKey', $secret = 'SecretKey', $method = 'AES-256-CBC') { // hash $key = hash('sha256', $key); // create iv - encrypt method AES-256-CBC expects 16 bytes $iv = substr(hash('sha256', $secret), 0, 16); // encrypt $output = openssl_encrypt($string, $method, $key, 0, $iv); // encode return base64_encode($output); } function decrypt($string, $key = 'PrivateKey', $secret = 'SecretKey', $method = 'AES-256-CBC') { // hash $key = hash('sha256', $key); // create iv - encrypt method AES-256-CBC expects 16 bytes $iv = substr(hash('sha256', $secret), 0, 16); // decode $string = base64_decode($string); // decrypt return openssl_decrypt($string, $method, $key, 0, $iv); } ?> <form method="POST" action=""> <input type="hidden" name="<?=$_SESSION['security_key'];?>" value="<?=$_SESSION['security'];?>"/> <p><input type="text" name="Text" size="20"><input type="submit" value="Submit"></p> </form>本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 2012-10-21 14:59回答 1 已采纳 Heres a method you could try, by adding a hidden field within your form that is session values tha
- 2018-10-25 11:18回答 3 已采纳 Your json_encode requires an array. It should look like this <?php $checkfor = ([ 'ser
- 2021-08-24 09:48回答 1 已采纳 PHP查看是否启动curl扩展 使用phpinfo()方法,查看当前环境是否开启curl扩展,一般都是开通的,但是也建议看下。 PHP利用curl发送请求 function http_get($url
- 2022-05-04 09:04一个发送POST请求的三种方式的php类,PHP发送POST请求的三种方式 分别使用curl file_get_content fsocket 来实现post提交数据。
- 2018-07-03 04:51回答 1 已采纳 If request is in json form then, you should json_decode it first and then try to access. nested ke
- 2017-10-09 18:30回答 4 已采纳 After testing with cURL, I found that the URL had been 'moved' to https instead of http. Using jus
- 2021-01-15 16:04回答 2 已采纳 版本问题啊
- 2020-10-25 16:34主要介绍了php发送get、post请求的6种方法简明总结,分别为使用file_get_contents 、fopen、fsockopen、curl来发送GET和POST请求,需要的朋友可以参考下
- 2017-08-02 21:25回答 1 已采纳 Try using this: $data = array('key' => urlencode('ñ')); And in the $url file: $_POST['k
- 2018-02-26 10:36回答 1 已采纳 Your inner if statement is always true, but you cannot login when one is empty. Both username and
- 2019-03-06 09:58回答 1 已采纳 You have to look what C# call returns to you right ? I don't know C# but I don't think the json m
- 2019-07-11 10:44介绍一个发送POST请求的三种方式的php类,PHP发送POST请求的三种方式 分别使用curl file_get_content fsocket 来实现post提交数据。
- 2019-08-06 11:41回答 1 已采纳 You need insert to header 'protocol_version' => 1.1
- 2020-10-21 00:36主要给大家介绍的是PHP使用curl函数发送Post请求的一些注意事项,文中通过示例代码与解释介绍的很详细,对大家学习或则使用PHP具有一定的参考借鉴价值,有需要的朋友们可以跟着小编一起来学习学习吧。
- 2020-10-26 04:28主要介绍了一个php发送post请求的函数,开发中经常会用到,需要的朋友可以参考下
- 没有解决我的问题, 去提问
