
Prevent POST'ing from remote sites

I'm just wondering how you prevent someone from spoofing your script and POSTing a look-alike form from a remote site. For example, trying to put extra values into your fields that you don't have, or something of that nature.

To prevent Cross-Site Request Forgery (CSRF), you should use a so-called CSRF token that verifies the authenticity of the request. Additionally, you can check the HTTP Referer and only allow the transaction if it's empty (not existing) or one of your addresses.

See also OWASP's Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for further information.

The best idea would be to create an md5 key generated from the user agent, IP and a time frame. Then store that in a database and populate it in a hidden text field so on submit you can revalidate the value.

You can also use $_SERVER['HTTP_REFERER'] to get where the request came from and validate it against the URL of your site. Remember this is set by the user's web browser so it can be spoofed. Here is a list of available $_SERVER variables and their descriptions: http://www.php.net/manual/en/reserved.variables.server.php
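The two answers above describe the same defence from different angles: a per-user secret carried in a hidden field and re-checked on submit, plus a Referer/Origin check as a secondary signal. The following PHP is an added example, not code from either answer, showing both parts together in one form handler. It assumes PHP sessions are available, that `ALLOWED_HOSTS` holds your own hostnames (placeholders here), and that the token is drawn from `random_bytes` rather than an md5 of user agent, IP and time, so that a remote site cannot compute it. The function names and the sample request arrays at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not from the original answers): a minimal CSRF defence for a
// PHP form handler, combining a per-session secret token with an Origin/Referer
// check. ALLOWED_HOSTS and all function names are assumptions for this example.

declare(strict_types=1);

const ALLOWED_HOSTS = ['www.example.com', 'example.com']; // placeholder hostnames

// Return the session's CSRF token, creating it from a CSPRNG on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex characters
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that performs a state-changing action.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Compare the submitted token with the expected one in constant time, so a
// mismatch at the first byte takes as long as a mismatch at the last.
function csrf_token_valid(array $post, string $expected): bool
{
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted) && $submitted !== '' && hash_equals($expected, $submitted);
}

// Origin/Referer check. Browsers send Origin on cross-site POSTs, so it is
// checked first; Referer is the fallback. Both headers come from the client,
// so this is only a secondary check and never the sole one.
function origin_allowed(array $server, array $allowedHosts): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        // Neither header present: privacy settings and proxies often strip
        // Referer, so absence is tolerated and the token decides, as the
        // first answer suggests.
        return true;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), $allowedHosts, true);
}

// Decide whether a POST request may proceed: right method, acceptable
// source, and a token that matches the one bound to this session.
function request_allowed(array $server, array $post, string $sessionToken): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && origin_allowed($server, ALLOWED_HOSTS)
        && csrf_token_valid($post, $sessionToken);
}

// --- Constructed demonstration requests (not real traffic) ---
if (PHP_SAPI === 'cli') {
    $token = bin2hex(random_bytes(32)); // stands in for the session token

    $sameSite = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://www.example.com'];
    $remote   = ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://other.invalid/fake-form'];
    $noHeader = ['REQUEST_METHOD' => 'POST'];

    var_dump(request_allowed($sameSite, ['csrf_token' => $token], $token)); // legitimate submit
    var_dump(request_allowed($remote, ['csrf_token' => $token], $token));   // foreign host
    var_dump(request_allowed($sameSite, ['csrf_token' => 'guess'], $token)); // wrong token
    var_dump(request_allowed($noHeader, [], $token));                        // no token at all
}
```

In a real handler, call `csrf_field()` when rendering the form and `request_allowed($_SERVER, $_POST, csrf_token())` before acting on the submission; because the token lives in the server-side session rather than being derived from client-visible values, a page on another origin has no way to read or reproduce it, which is the property that stops the look-alike form in the question.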

Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you need to republish, please credit this site or the original address. For any questions contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM