防止使用 AJAX 直接访问 PHP 文件
[英]Prevent Direct access to PHP file using AJAX
问题描述
I want to prevent direct access to a certain PHP file called prevented.php My logic is that I have a main file lets call it index.php and it generates a token and stores it in a $_SESSION variable.
我想阻止直接访问某个名为prevented.php的文件 PHP 我的逻辑是,我有一个主文件,我们称之为index.php ,它生成一个令牌并将其存储在$_SESSION变量中。 I also have a another file called def.php which is called using AJAX and it passes the token from the index.php to the def.php and if the $_SESSION['token'] is equal to the $_POST['token'] it defines a _DEFVAR and returns true otherwise it returns false.我还有一个名为def.php的文件,它使用 AJAX 调用,它将令牌从index.php传递到def.php ,如果$_SESSION['token']等于$_POST['token']它定义了一个_DEFVAR并返回 true,否则返回 false。 After I called the def.php and it returns true, I redirect to the prevented.php via javascript using location.href="prevented.php" .在调用def.php并返回 true 后,我使用location.href="prevented.php"通过 javascript 重定向到prevented.php 。 In the top of the prevented.php file there is a code which checks if the _DEFVAR is defined or not.在prevented.php文件的顶部有一个代码检查_DEFVAR是否被定义。 If not, its die with a message like invalid otherwise it displays the content of the prevented.php file.如果不是,它会死掉并显示一条类似invalid的消息,否则它会显示prevented.php文件的内容。 But somewhy I always get invalid message and I don't know why.但是为什么我总是收到invalid消息,我不知道为什么。 Any idea how to reach the prevented.php without directly direct the page?知道如何在不直接引导页面的情况下到达prevented.php吗?
Here's my code:这是我的代码:
index.php
<?php
$_SESSION["token"] = hash_hmac('sha256', "tokenString", "t2o0k0e0n3"); // Creates a hashed token
?>
<script>
$.ajax({
type: "POST",
url: "def.php",
data: {
token: '<?php echo $_SESSION["token"]; ?>'
},
cache: false,
success: function(data) {
console.log (data);
if (data) {
console.log (data + ' valid');
} else {
console.log (data + ' invalid');
}
location.href = "prevented.php";
},
error: function () {
console.log('error');
}
});
</script>
def.php
<?php
session_start();
if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) {
echo false;
die('invalid in def');
} else {
define('_DEFVAR', 1);
echo true;
die ('valid in def');
}
?>
prevented.php
<?php
include "def.php";
if (defined('_DEFVAR')) {
die ('valid in prevented'); // instead of this I would show the content of the page
} else {
die ('invalid in prevented');
}
?>
1 个解决方案
解决方案1
3 已采纳 2022-03-15 20:20:26
Your code is unnecessarily overcomplicated.您的代码不必要地过于复杂。 If your intent is merely to ensure that visitors to protected.php have first visited index.php then all you need to do is create a session flag in one and check for its existence in the other.如果您的目的只是为了确保protected.php的访问者首先访问了index.php ,那么您需要做的就是在一个中创建一个 session 标志并检查它在另一个中是否存在。 There is no need for any AJAX or any form POSTs.不需要任何 AJAX 或任何形式的 POST。 The innate behavior of PHP sessions already gives you this functionality. PHP 会话的固有行为已经为您提供了此功能。
index.php:索引.php:
<?php
session_start();
$_SESSION['flag'] = true;
?>
<a href="protected.php">click here for the protected page</a>
protected.php:保护.php:
<?php
session_start();
if ($_SESSION['flag'] ?? false) {
echo "you have previously visited index.php";
} else {
echo "you have not previously visited index.php";
}
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.