
Avoid other websites querying my file.php

I have a file.php?q=data that returns json data, but I don't want other websites to query my database through this file and I don't know what to do. I just have this:

// Current check in file.php: compares two values that are both set on the server side
if($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']) exit();

Do you have any idea about how to handle this security issue? Thank you very much.

So you want to let users access these files (probably via your other web page) but don't want competitors to access this web page? Then you just need to find out what makes a competitor different from a regular user. This problem doesn't have a definite bullet-proof solution.

You can try to limit user access by implementing some kind of authentication and counting the number of requests per user. But these are half-measures.

Assuming it is web visitors accessing the data, set a PHP session variable when they access any page (or the page containing the link to file.php). Then have file.php check for the existence of that variable.

;o) Cor

Try using HTTP_REFERER part of the $_SERVER variable.

Also you can use some mod_rewrite rules to prevent hotlinking of your files. See tutorial here

If it is really a security issue to you, you will need to control the access. This can be done by requiring authentication to access the URL in question, e.g. by making use of HTTP authentication with PHP.

For some easy-to-circumvent prevention, you can check for the HTTP Referer header that is sent by some browsers:

$_SERVER['HTTP_REFERER'] Docs - The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Related: How to protect download URLs to be stolen with PHP?
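The session gate suggested in the earlier answer, combined with the Referer caveat from the answer above, as an added example that is not code from the thread. It assumes a hypothetical page.php on the same site that calls mark_site_visitor() before linking to file.php; the returned data is constructed. A scripted client can still load page.php first, so this only stops direct hotlinking, not a determined scraper.

```php
<?php
// Added example (not from the original thread): file.php gated by a session flag
// that a normal page on the same site sets first.
// Assumptions: PHP 7.4+, cookie-based sessions, and a hypothetical page.php
// that calls mark_site_visitor() before linking to file.php.
declare(strict_types=1);

// Lax SameSite keeps the session cookie off cross-site fetches made by other
// websites' JavaScript in a modern browser.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Called from page.php (hypothetical) when a visitor loads a real page.
function mark_site_visitor(): void
{
    $_SESSION['site_visitor'] = true;
}

// True only when this session was created by visiting one of our own pages.
function is_site_visitor(): bool
{
    return !empty($_SESSION['site_visitor']);
}

// Advisory signal only: Referer is set by the client, may be absent and can be
// altered, so it is logged for monitoring but never used as the sole gate.
function referer_matches_host(): bool
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);
    $server = $_SERVER['SERVER_NAME'] ?? '';
    return is_string($host) && strcasecmp($host, $server) === 0;
}

header('Content-Type: application/json');

if (!is_site_visitor()) {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}

if (!referer_matches_host()) {
    error_log('file.php served without a same-site Referer (advisory only)');
}

$q = $_GET['q'] ?? '';
// Constructed sample payload standing in for the real database lookup of $q.
echo json_encode(['q' => $q, 'data' => ['sample-row-1', 'sample-row-2']]);
```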

HTTP_HOST and SERVER_NAME always refer to YOUR server. You cannot detect a remote user in this way. HTTP_HOST is the name of the site as requested by the user in the URL. SERVER_NAME is (usually) the name of the server itself, and/or whatever is specified in Apache as 'ServerName'.

HTTP_HOST and SERVER_NAME are usually different. The server itself may be named "someweird numbers.your.hosting.company.com", while HTTP_HOST will be "yoursite.com".
