
Avoid other websites querying my file.php

I have a file.php?q=data that returns JSON data, but I don't want other websites to query my database through this file and I don't know what to do. I just have this:

if($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']) exit();

Do you have any idea about how to handle this security issue? Thank you very much.

So you want to let users access this file (probably via your other web page) but don't want competitors to access this web page? Then you need to just find out what makes a competitor different from a regular user. This problem doesn't have a definite bullet-proof solution.

You can try to limit user access by implementing some kind of authentication and counting the user's request number. But these are half-measures.

Assuming it is web visitors accessing the data, set a PHP session variable when they access any page (or the page containing the link to file.php). Then have file.php check for the existence of that variable.

;o) Cor
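The two answers above (count requests per user; set a session flag on a normal page and check it in file.php) combined into one working gate. This is an added example, not code from either answer: the file name gate.php, the limit MAX_REQUESTS_PER_SESSION, the `^[A-Za-z0-9_-]{1,64}$` shape for `q` and the stand-in `$query` callback are all assumptions; the real database lookup is not shown on the original page.

```php
<?php
// gate.php (hypothetical file name): added example, not code from the answers.
// Every normal page calls mark_visitor(); file.php calls serve_json().
// Assumptions: PHP sessions use the default cookie store, and $query is
// whatever already turns ?q into data (it must use a prepared statement).
declare(strict_types=1);

const MAX_REQUESTS_PER_SESSION = 100; // hypothetical cap, from "count the user's requests"

function start_session(): void
{
    // Take the session id from the cookie only, never from ?PHPSESSID=...
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Call from any normal page (or at least the page that links to file.php). */
function mark_visitor(): void
{
    start_session();
    if (empty($_SESSION['site_visitor'])) {
        session_regenerate_id(true);       // fresh id once the flag is granted
        $_SESSION['site_visitor']  = true;
        $_SESSION['file_requests'] = 0;
    }
}

/** Call from file.php; $query receives the validated ?q value and returns the data. */
function serve_json(callable $query): void
{
    start_session();
    header('Content-Type: application/json');

    if (empty($_SESSION['site_visitor'])) {
        http_response_code(403);           // no flag: this client never loaded a page here
        echo json_encode(['error' => 'forbidden']);
        return;
    }

    $_SESSION['file_requests'] = ($_SESSION['file_requests'] ?? 0) + 1;
    if ($_SESSION['file_requests'] > MAX_REQUESTS_PER_SESSION) {
        http_response_code(429);           // the request counter from the first answer
        echo json_encode(['error' => 'too many requests']);
        return;
    }

    $q = $_GET['q'] ?? '';
    // ?q is attacker-controlled: restrict it to a known shape before it reaches SQL.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $q)) {
        http_response_code(400);
        echo json_encode(['error' => 'bad query']);
        return;
    }
    echo json_encode($query($q));
}

// file.php would then be just:
//   require 'gate.php';
//   serve_json(fn(string $q): array => ['q' => $q, 'rows' => []]); // stand-in for the DB lookup
```

Note what this does and does not buy you: a scraper only has to fetch one HTML page first to receive the cookie, after which it can call file.php like any browser, so the flag raises the cost of scraping rather than preventing it. The per-session counter is cheap to reset by dropping the cookie, so pair it with a per-IP limit at the web server if the counting matters.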

Try using the HTTP_REFERER part of the $_SERVER variable.

Also you can use some mod_rewrite rules to prevent hotlinking of your files. See the tutorial here.

If it is really a security issue to you, you will need to control the access. This can be done by requiring authentication to access the URL in question, e.g. by making use of HTTP authentication with PHP.

For some easy-to-circumvent prevention, you can check for the HTTP Referer header that is sent by some browsers:

$_SERVER['HTTP_REFERER'] (Docs) - The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Related: How to protect download URLs to be stolen with PHP?
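The HTTP authentication with PHP that this answer recommends, with the Referer check from this and the previous answer kept only as a logged signal, as an added example that is not code from the original answers. Assumptions: one hypothetical user "reader" with the placeholder password "change-me" (the hash is computed at start-up only so the file runs stand-alone), the host name yoursite.com from the last answer as OWN_HOST, PHP 8, and a stub in place of the real database lookup.

```php
<?php
// file.php: added example, not code from the answers. Requires HTTP Basic auth
// and records, but never trusts, the Referer header.
// Assumptions: hypothetical user "reader"; OWN_HOST is the site name used in the
// last answer; the real data lookup is replaced by a stub at the bottom.
declare(strict_types=1);

const OWN_HOST = 'yoursite.com';

// Hypothetical credential store: username => password_hash() output. Hashed at
// start-up only so this example runs; in production load the hashes from config.
$USERS = ['reader' => password_hash('change-me', PASSWORD_DEFAULT)];

/** Returns [user, password] from the request, or null if no Basic credentials were sent. */
function basic_credentials(): ?array
{
    if (isset($_SERVER['PHP_AUTH_USER'])) {          // filled in by the Apache module SAPI
        return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI SAPIs only see the raw header, and only if the server forwards it.
    $hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    return explode(':', $decoded, 2);
}

/** Sends 401 and exits unless the request carries a valid user; returns the username. */
function require_basic_auth(array $users, string $realm = 'file.php'): string
{
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT); // equal timing for unknown users

    [$user, $pass] = basic_credentials() ?? ['', ''];
    $known = isset($users[$user]);
    // password_verify() is constant-time; verify against $dummy when the user is
    // unknown so the response time does not reveal which usernames exist.
    $ok = $known ? password_verify($pass, $users[$user]) : (password_verify($pass, $dummy) && false);
    if (!$ok) {
        header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
    return $user;
}

/** True only if the Referer names our own host. Absence or mismatch is common and proves nothing. */
function referer_is_own_site(): bool
{
    $host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, OWN_HOST) === 0;
}

$user = require_basic_auth($USERS);
if (!referer_is_own_site()) {
    // Log only; denying on this would lock out browsers that strip or omit Referer.
    error_log('file.php: ' . $user . ' called without a ' . OWN_HOST . ' Referer');
}

header('Content-Type: application/json');
$q = $_GET['q'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $q)) {   // ?q is attacker-controlled
    http_response_code(400);
    echo json_encode(['error' => 'bad query']);
    exit;
}
echo json_encode(['user' => $user, 'q' => $q, 'rows' => []]); // stand-in for the DB lookup
```

Basic authentication sends the password base64-encoded on every request, so serve file.php over HTTPS only. If PHP runs under CGI/FastCGI rather than as an Apache module, the Authorization header is not passed through by default; on Apache use `CGIPassAuth On` or a rewrite rule that copies it into the environment, otherwise `basic_credentials()` sees nothing and every request gets a 401.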

HTTP_HOST and SERVER_NAME always refer to YOUR server. You cannot detect a remote user in this way. HTTP_HOST is the name of the site as requested by the user in the URL. SERVER_NAME is (usually) the name of the server itself, and/or whatever is specified in Apache as 'ServerName'.

HTTP_HOST and SERVER_NAME are usually different. The server itself may be named "someweirdnumbers.your.hosting.company.com", while HTTP_HOST will be "yoursite.com".

Notice: the technical posts on this site follow the CC BY-SA 4.0 licence; if you repost, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

Guangdong ICP filing No. 18138465  © 2020-2024 STACKOOM.COM