I have a website that needs to increment values in a database based upon user interaction. When users click a button a php script is called that increments the value. I'd like to protect this script from being accessed by outside scripts. Currently a user could write their own web page with a javascript function that hits the same php file repeatedly to blow up the value in the database.
Here's my jquery code that does the incrementing:
jQuery(function(){
    $('.votebtn').click(function(e){
        // first five characters of the button id identify the item to increment
        var mynum = $(this).attr('id').substring(0,5);
        $.ajax({
            url: "countvote.php",
            type: "GET",
            data: { thenum: mynum },
            cache: false,
            success: function(data) {
                alert('Success!');
            }
        });
    });
});
How would I go about making it so that only a call from ajax/jquery on the local server can access 'countvote.php'? If that's not the correct way to go about it, I'm open to any suggestion that will prevent my php script from being abused by outside scripts.
3 answers
#1
33
The solution needs two steps.
Firstly, the ajax file must allow access only from an ajax request, with this code.
// true when the request carries the X-Requested-With header that jQuery adds to $.ajax calls
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
if (!IS_AJAX) { die('Restricted access'); }
Secondly, the ajax file has access to the name of the file that called it via $_SERVER['HTTP_REFERER']. So you can restrict access to the host server only.
// reject when the Referer header is absent or does not mention this host
$pos = isset($_SERVER['HTTP_REFERER']) ? strpos($_SERVER['HTTP_REFERER'], getenv('HTTP_HOST')) : false;
if ($pos === false) {
    die('Restricted access');
}
Maybe the code can work with only the second part.
#2
3
You can check if $_SERVER['HTTP_X_REQUESTED_WITH'] equals xmlhttprequest, but it's not a reliable method to determine whether a request is an AJAX request or not; there is always a way to get around this. But it protects you from random hits like wrongly entered URLs, crawlers etc.
#3
2
There's not really a 100% method of doing so. AJAX requests are always going to come from a client. Use POST requests instead of GET and that will help deter any issues but not completely stop them, and in your php, just drop all GET requests.
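A POST-only countvote.php, as an added example that is not the answer's own code. It does what answer #3 suggests (reject anything but POST) and goes one step further towards the question's actual concern, repeated hits inflating the counter: the increment is a single parameterised UPDATE, and the PHP session remembers which items it has already voted on, so a page that fires the request in a loop only counts once per session. The table and column names, the DSN and the session key are assumptions for illustration; the jQuery call would need `type: "POST"` to match.

```php
<?php
// Added example: countvote.php restricted to POST with a per-session vote guard.
// Assumed schema: table votes(num CHAR(5) PRIMARY KEY, count INT).

session_start();

// Answer #3: drop every method except POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Restricted access');
}

// Accept only the identifier shape the client sends (the jQuery code uses
// substring(0,5) of the button id); anything else is a malformed request.
$thenum = $_POST['thenum'] ?? '';
if (!preg_match('/^[A-Za-z0-9]{5}$/', $thenum)) {
    http_response_code(400);
    exit('Bad request');
}

// Per-session guard: each item may be incremented once per session. This limits
// a looping script to a single increment unless it also discards its session cookie.
$_SESSION['voted'] = $_SESSION['voted'] ?? [];   // assumed session key
if (isset($_SESSION['voted'][$thenum])) {
    http_response_code(429);
    exit('Already voted');
}

// Assumed DSN and credentials; the increment is one atomic UPDATE with a bound parameter.
$pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('UPDATE votes SET count = count + 1 WHERE num = :num');
$stmt->execute([':num' => $thenum]);

if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('Unknown item');
}

$_SESSION['voted'][$thenum] = time();
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'thenum' => $thenum]);
```

Returning distinct status codes (405, 400, 429, 404) also makes abuse visible in the access log: a burst of 429s from one client is an easy thing to alert on, whereas a script that silently increments leaves no trace.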