How to prevent POST requests from Ajax (obtained via Firebug)

Time: 2020-12-01 14:05:15

How would I prevent users from spamming a post request? For example, a form is submitted via Ajax post. Using Firebug I can see the post request, but I noticed that this request can be easily repeated by right clicking on it and selecting "open in a new tab". How can I prevent something like this?


3 solutions

#1


0  

Any web form can be posted to in any number of ways. What you need to do is make sure the server-side script that processes the form has the logic needed to "ignore" spammy requests.


#2


3  

When a valid user logs in or begins a session, generate a random token string and place it in a hidden form field. Each time a valid post is made by a valid user, generate a random token string and store it in $_SESSION while also returning it to the client browser. When the browser makes another Ajax post request, it must also send that token string, which you compare against the $_SESSION.


That way you can only make an Ajax post if your server has previously sanctioned it. It prevents anyone who simply knows the Ajax handler's URL from sending HTTP requests to it.

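The rotating single-use token described in this answer, written out as an added PHP example (not code from the original answer). The function names, the `ajax_token` session key and the `token` POST field are assumptions made for the example.

```php
<?php
// Added example: single-use Ajax token kept in $_SESSION and rotated after
// every accepted POST. Names below (issue_token, check_and_rotate_token,
// the 'ajax_token' session key, the 'token' POST field) are assumptions.

session_start();

// Generate a fresh token, store it server-side and hand it to the client
// (page load puts it in the hidden form field; later responses carry it).
function issue_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['ajax_token'] = $token;
    return $token;
}

// Validate the token sent with a POST. On success the stored token is
// consumed and replaced, so replaying the same captured request (e.g. the
// "open in new tab" trick from the question) is rejected the second time.
function check_and_rotate_token(?string $submitted): ?string {
    $expected = $_SESSION['ajax_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return null;
    }
    // hash_equals: constant-time comparison, no timing side channel.
    if (!hash_equals($expected, $submitted)) {
        return null;
    }
    unset($_SESSION['ajax_token']);   // consume before rotating
    return issue_token();             // new token for the next request
}

// --- Ajax handler ---------------------------------------------------------
header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $next = check_and_rotate_token($_POST['token'] ?? null);
    if ($next === null) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid or already used token']);
        exit;
    }
    // ... process the submitted form here ...
    echo json_encode(['ok' => true, 'token' => $next]);
} else {
    // Initial page load: emit the token for the hidden form field.
    echo json_encode(['token' => issue_token()]);
}
```

The client-side script must copy the `token` value from each response into the hidden field before the next post; a client that does so can still post repeatedly, so server-side rate limiting (the point of answer #1) is still needed on top of this.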

#3


0  

You can't reliably. But you can check for the HTTP_X_REQUESTED_WITH header, which is usually sent along with Ajax requests. It can be spoofed though, and can also not be there for genuine Ajax requests.

