PHP仅允许访问特定的引荐来源网址/页面

时间:2022-10-05 20:15:14

So my question is simple ive used the following method for allowing access to the php script via the referrer's domain name but i want to allow access for only referrers matching the full url.

所以我的问题很简单我已经使用以下方法允许通过引用者的域名访问php脚本,但我想只允许访问匹配完整URL的引用。

<?php
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != 'domain.com')
{
echo "Eexcuting code here";
} else {
echo('Hot Linking Not Permitted');
// display some message / image / video
exit;
}
?>

So if the referrer url matches http://www.domain.com/page.html then allow access else if block it.

因此,如果引荐来源网址与http://www.domain.com/page.html匹配,则允许访问else,否则阻止它。

2 个解决方案

#1


22  

It will not be safe because referrer data can be easily spoofed. However, if it still fits your needs, then you should be fine with your code already, since $_SERVER['HTTP_REFERER'] contains the full referrer URL and not just the domain. Actually, your present code needs some adjustments because it can't work like that:

它不安全,因为引用者数据很容易被欺骗。但是,如果它仍然符合您的需求,那么您的代码已经很好了,因为$ _SERVER ['HTTP_REFERER']包含完整的引荐来源网址而不仅仅是域名。实际上,你现在的代码需要一些调整,因为它不能像那样工作:

<?php
// This is to check if the request is coming from a specific domain
$ref = $_SERVER['HTTP_REFERER'];
$refData = parse_url($ref);

if($refData['host'] !== 'domain.com') {
  // Output string and stop execution
  die("Hotlinking not permitted");
}

echo "Executing code here";
?>

Note that if you check if HTTP_REFERER is set before checking if it's what you want, people would get to your script without any referrer set at all, so you should check it in any case. Now, checking for a specific URL is much simpler:

请注意,如果在检查是否符合要求之前检查是否设置了HTTP_REFERER,那么人们会在没有设置任何引用者的情况下访问您的脚本,因此您应该检查它。现在,检查特定的URL要简单得多:

<?php
// This is to check if the request is coming from a specific URL
$ref = $_SERVER['HTTP_REFERER'];

if($ref !== 'http://domain.com/page.html') {
  die("Hotlinking not permitted");
}

echo "Executing code here";
?>

#2


6  

What is it that you are trying to protect?

你想保护什么?

You should never trust HTTP_REFERER as it can be spoofed (as others have pointed out). Also some firewalls and security software will rewrite or remove the referer, and not all browsers report it properly.

你永远不应该相信HTTP_REFERER,因为它可以被欺骗(正如其他人指出的那样)。此外,一些防火墙和安全软件将重写或删除引用程序,并非所有浏览器都正确报告它。

If it's sensitive data then personally I would pass a hash between pages.

如果它是敏感数据,那么我个人会在页面之间传递一个哈希值。

#1


22  

It will not be safe because referrer data can be easily spoofed. However, if it still fits your needs, then you should be fine with your code already, since $_SERVER['HTTP_REFERER'] contains the full referrer URL and not just the domain. Actually, your present code needs some adjustments because it can't work like that:

它不安全,因为引用者数据很容易被欺骗。但是,如果它仍然符合您的需求,那么您的代码已经很好了,因为$ _SERVER ['HTTP_REFERER']包含完整的引荐来源网址而不仅仅是域名。实际上,你现在的代码需要一些调整,因为它不能像那样工作:

<?php
// This is to check if the request is coming from a specific domain
$ref = $_SERVER['HTTP_REFERER'];
$refData = parse_url($ref);

if($refData['host'] !== 'domain.com') {
  // Output string and stop execution
  die("Hotlinking not permitted");
}

echo "Executing code here";
?>

Note that if you check if HTTP_REFERER is set before checking if it's what you want, people would get to your script without any referrer set at all, so you should check it in any case. Now, checking for a specific URL is much simpler:

请注意,如果在检查是否符合要求之前检查是否设置了HTTP_REFERER,那么人们会在没有设置任何引用者的情况下访问您的脚本,因此您应该检查它。现在,检查特定的URL要简单得多:

<?php
// This is to check if the request is coming from a specific URL
$ref = $_SERVER['HTTP_REFERER'];

if($ref !== 'http://domain.com/page.html') {
  die("Hotlinking not permitted");
}

echo "Executing code here";
?>

#2


6  

What is it that you are trying to protect?

你想保护什么?

You should never trust HTTP_REFERER as it can be spoofed (as others have pointed out). Also some firewalls and security software will rewrite or remove the referer, and not all browsers report it properly.

你永远不应该相信HTTP_REFERER,因为它可以被欺骗(正如其他人指出的那样)。此外,一些防火墙和安全软件将重写或删除引用程序,并非所有浏览器都正确报告它。

If it's sensitive data then personally I would pass a hash between pages.

如果它是敏感数据,那么我个人会在页面之间传递一个哈希值。