PHP accept GET method only from specific page

I have two PHP files:

1.php

<?php
// ...
header("location: 2.php?id=1");
?>

2.php

<?php
// ...
echo $_GET['id'];
?>

The URL from 1.php to 2.php is: http://localhost/2.php?id=1

My question: is it possible to validate where the GET request is coming from and accept it only if it comes from 1.php? But if someone changes the id value in the address bar, ignore it? Something with $_SERVER['HTTP_REFERER'], but I'm not sure.

Is it possible to validate where the GET request is coming from and accept it only if it comes from 1.php?

Not reliably.

But if someone changes the id value in the address bar, ignore it?

Find something else to test against (e.g. is this a user who is logged in and authorised to view the page with that id?).

The simple answer is no. $_SERVER['HTTP_REFERER'] is often disabled by browsers and is easily spoofed.

You can do something close to your requirement:

<?php
//1.php
$id = 1;
// derive a key from the id using a secret only the server knows
$key = generateKeyBasedOnId($id);
header("location: 2.php?id=$id&key=$key");
?>

You can write the generateKeyBasedOnId() function however you want, but you should be the only one who knows the algorithm. (For example: return md5('my very secret'.$id.' string');)

<?php
//2.php
// recompute the key for the supplied id and reject the request on mismatch
if($_GET['key'] !== generateKeyBasedOnId($_GET['id'])) {
   //error
}
?>

Of course, if someone copies and pastes the URL 2.php?id=..&key=..., it will still work. You can hide the key in cookies, but it is still easily spoofable.

You can also generate a random key, save it in the database, read it in 2.php and, if it exists, immediately delete it. So the key can be used only once. But if someone catches your header redirect, he could still (theoretically) take it and use it in a different browser in a different country...
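As an added example (not code from either answer), here are both ideas from the answer above in hardened form: the id-derived key done with an HMAC and a constant-time comparison instead of md5, and the single-use key kept in the PHP session rather than a database, so it only works from the browser that received the redirect. The secret source and the function names are assumptions.

```php
<?php
// Added example, not from the original answers. Assumes APP_SECRET is a
// long random value loaded from the environment (placeholder used if unset).

const TOKEN_TTL = 300; // seconds a one-time token stays valid

function loadSecret(): string {
    return getenv('APP_SECRET') ?: 'CHANGE-ME-placeholder-secret';
}

// Variant 1: stateless key tied to the id (the answer's md5 idea), using
// HMAC-SHA256 so the secret cannot be recovered from keys seen in URLs.
function generateKeyBasedOnId(int $id): string {
    return hash_hmac('sha256', (string)$id, loadSecret());
}

function keyIsValid(string $id, string $key): bool {
    if (!ctype_digit($id)) {
        return false;               // reject non-numeric ids before use
    }
    // hash_equals avoids a timing side channel in the string comparison.
    return hash_equals(generateKeyBasedOnId((int)$id), $key);
}

// Variant 2: single-use token stored server-side in the session (the
// answer's "save it, read it, delete it"). 1.php calls issueToken().
function issueToken(int $id): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['handoff'][$token] = ['id' => $id, 'exp' => time() + TOKEN_TTL];
    return $token;
}

// 2.php calls consumeToken(); the token is removed whether or not it was
// valid, so a copied URL cannot be replayed, and it expires after TOKEN_TTL.
function consumeToken(string $token): ?int {
    $entry = $_SESSION['handoff'][$token] ?? null;
    unset($_SESSION['handoff'][$token]);
    if ($entry === null || $entry['exp'] < time()) {
        return null;
    }
    return $entry['id'];
}

// Usage in 1.php (after session_start()):
//   header('Location: 2.php?t=' . urlencode(issueToken(1)));
// Usage in 2.php (after session_start()):
//   $id = consumeToken($_GET['t'] ?? '');
//   if ($id === null) { http_response_code(403); exit; }
```

Because variant 2 binds the token to the session cookie, a token taken from the redirect and pasted into another browser fails even within its lifetime, which addresses the answer's last caveat; variant 1 remains replayable by anyone holding the URL.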
