我需要限制来自特定域的 POST 请求。据我所知,HTTP_REFERER 检查不是一个好的解决方案,因为它可以被欺骗。那么,当来自不同技术和 Web 服务器的两个不同网站一起工作时,什么是好的解决方案呢?
问问题
1502 次
1 回答
3
这是您可以尝试的一种方法,方法是在表单中添加一个隐藏字段,该字段是在服务器端设置的会话值。这样,如果表单不是来自您的服务器,则不会设置会话并且值将不匹配。
例子:
<?php
session_start();
if($_SERVER['REQUEST_METHOD']=='POST'){
if(isset($_SESSION['security']) &&
isset($_SESSION['security_key']) &&
!empty($_POST[$_SESSION['security_key']]) &&
$_POST[$_SESSION['security_key']] == $_SESSION['security'])
{
/* forms post is from domain as session would
not have been started and security would not have been set */
echo 'good';
}else{
/* forms post is not from domain */
echo 'bad';
}
$_SESSION['security_key'] = sha1(microtime(true)+1);
$_SESSION['security'] = sha1(microtime(true));
}else{
$_SESSION['security_key'] = sha1(microtime(true)+1);
$_SESSION['security'] = sha1(microtime(true));
}
?>
<form method="POST" action="">
<input type="hidden" name="<?=$_SESSION['security_key'];?>" value="<?=$_SESSION['security'];?>"/>
<p><input type="text" name="Text" size="20"><input type="submit" value="Submit"></p>
</form>
或者,您可以使用加密而不是散列,这样您就可以检查值:
<?php
session_start();
define('SECURE_KEY',$_SERVER['SERVER_NAME']);
if($_SERVER['REQUEST_METHOD']=='POST'){
if(isset($_SESSION['security_key']) && isset($_SESSION['security'])){
//Decrypt
list($servername,$userip) = explode('X',decrypt(base64_decode($_SESSION['security'])));
//Check the decrypted values
if($servername == $_SERVER['SERVER_NAME'] && $userip == $_SERVER['REMOTE_ADDR']){
/* forms post is from domain as session would
not have been started and security would not have been set */
echo 'good';
}else{
echo 'bad';
}
}else{
/* forms post is not from domain */
echo 'bad';
}
$_SESSION['security_key'] = sha1(microtime(true));
$_SESSION['security'] = base64_encode(encrypt($_SERVER['SERVER_NAME'].'X'.$_SERVER['REMOTE_ADDR']));
}else{
$_SESSION['security_key'] = sha1(microtime(true));
$_SESSION['security'] = base64_encode(encrypt($_SERVER['SERVER_NAME'].'X'.$_SERVER['REMOTE_ADDR']));
}
function encrypt($string, $key = 'PrivateKey', $secret = 'SecretKey', $method = 'AES-256-CBC') {
// hash
$key = hash('sha256', $key);
// create iv - encrypt method AES-256-CBC expects 16 bytes
$iv = substr(hash('sha256', $secret), 0, 16);
// encrypt
$output = openssl_encrypt($string, $method, $key, 0, $iv);
// encode
return base64_encode($output);
}
function decrypt($string, $key = 'PrivateKey', $secret = 'SecretKey', $method = 'AES-256-CBC') {
// hash
$key = hash('sha256', $key);
// create iv - encrypt method AES-256-CBC expects 16 bytes
$iv = substr(hash('sha256', $secret), 0, 16);
// decode
$string = base64_decode($string);
// decrypt
return openssl_decrypt($string, $method, $key, 0, $iv);
}
?>
<form method="POST" action="">
<input type="hidden" name="<?=$_SESSION['security_key'];?>" value="<?=$_SESSION['security'];?>"/>
<p><input type="text" name="Text" size="20"><input type="submit" value="Submit"></p>
</form>
于 2012-10-21T15:53:12.210 回答