堆栈内存溢出
  简体   繁体   English

使用PHP,如何判断请求是否源自托管服务器?

[英]Using PHP, how can I tell if a request originates on the hosting server?

 原文  2009-08-10 16:03:47       php/ security

问题描述

Is there a reliable way, using PHP, to determine if a request comes from the same host that the PHP script is hosted on? 是否有使用PHP的可靠方法来确定请求是否来自托管PHP脚本的主机? In other words, is there a way to determine if the client and server computer are the same? 换句话说,有没有办法确定客户端计算机和服务器计算机是否相同?

3 个解决方案

解决方案1
 4  2009-08-10 16:07:37

您可以定义一个仅服务器知道的秘密令牌,您可以将其与请求一起发送。

解决方案2
 2 已采纳  2009-08-10 16:09:46

Hmm, it sounds like a token mechanism that is commonly used to prevent CSRF (Cross-Site Request Forgery) might be a solution to your problem. 嗯,这听起来像是一种令牌机制,通常用于防止CSRF (跨站请求伪造)可能是您解决问题的方法。 This will allow you to be sure the request is coming from a source by comparing tokens, etc. Here are a couple links with more implementation details: here and here 通过比较令牌等,您可以确保请求来自某个源。这是带有更多实现详细信息的几个链接: 此处此处

解决方案3
 2  2009-08-10 16:11:58

This is the sort of question where I think we should step back and ask why are you doing what you're doing? 我认为这是我们应该退后一步并问您为什么要做什么的问题?

Determining if the request came from the local machine by your stated method has problems, not hte least of which is virtual interfaces and multi-homing (meaning a machine can have many IP addresses and a server may be bound to only some of them). 用您确定的方法确定请求是否来自本地计算机时会遇到问题,其中最重要的是虚拟接口和多宿主(这意味着一台计算机可以有许多IP地址,而服务器可能只绑定到其中一些)。

If you're going to use a request coming locally as some kind of check for certain privileges, my advice is don't. 如果您打算使用本地发出的请求作为对某些特权的某种检查,那么我的建议是不要这样做。 yes someone can spoof IP address (but they won't get a reply) but that may still be sufficient. 是的,有人可以欺骗IP地址(但他们不会得到答复),但这仍然足够。

If what you're doing is creating some kind of admin page or site then my advice is bind that to localhost (127.0.0.1) and problem solved (pretty much). 如果您正在做的是创建某种管理页面或站点,那么我的建议是将其绑定到localhost(127.0.0.1)并解决问题(相当多)。

Also if the client and server are on the same machine and you're not doing some kind of special page or site then why do they need to communicate via the Website? 另外,如果客户端和服务器在同一台计算机上,而您没有在做某种特殊的页面或站点,那么为什么它们需要通过网站进行通信? You could just run scripts locally instead. 您可以只在本地运行脚本。

Basically it depends on the situation. 基本上,这取决于情况。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用 PHP 在共享托管服务器上截取 PNG 的 URL 或 URL 的屏幕截图 - How can i take screenshot of URL or URL to PNG on Share Hosting server using PHP 我如何使用curl和php在另一台服务器上收到此请求 - How can I receive this request in another server using curl and php 如何判断文件是否是使用PHP的文本? - How can I tell if a file is text using PHP? PHP-如何将当前会话ID告知下一个服务器请求? - PHP - How to tell current session id to the next server request? 如何区分 curl 请求与浏览器请求 - How can I tell a curl request vs browser request 如何在托管2个域的服务器上的外发PHP邮件上指定域? - how can I specify the domain on outgoing PHP mail on a server hosting 2 domains? 我如何在php中使用Ajax请求服务器端在Chrome中设置Cookie - How can i set the cookie in chrome using ajax request server side in php 我如何使用Ajax向php xml_rpc服务器发送请求 - How can i send a request to php xml_rpc server using ajax 我的PHP脚本如何判断suhosin是否更改了请求变量? - How can my php script tell if suhosin changed request variables? 如何使用php在同一主机上管理两个不同网站的单独会话状态 - How can I manage separate session states for two different websites on the same hosting using php
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM