PHP检查以确保请求是来自我的站点的xmlhttp还是来自某个域的正常请求 [英] PHP check to make sure request is either xmlhttp from my site or normal request from a certain domain
问题描述
如何编写条件以确保通过xmlhttp请求从我的网站或从允许的外部域访问页面?
How would the condition be written to ensure a page is either accessed by xmlhttp request from my site or from an allowed outside domain?
<?php
$referrer = $_SERVER['HTTP_REFERER'];
if($_SERVER["HTTP_X_REQUESTED_WITH"] !== 'XMLHttpRequest') {
if(preg_match("/accepteddomain.com/",$referrer) {
header("Location: http://www.domain.com/desiredpage.php");
} else {
header("Location: http://www.domain.com/nondesiredpage.php");
}
}
?>
推荐答案
考虑到Referer和X-Request-With标头都是由客户端(或不发送)发送的(浏览器或其他任何可以发送HTTP请求的内容),它们将不会受到信任.
Considering that both Referer and X-Request-With headers are sent (or not sent) by the client (the browser, or anything else that can send an HTTP request), they cannot be trusted.
您可以将其用作提示,以增强用户体验;但您不能依靠它们出现或正确.
You can use those as hints, to enhance user-experience ; but you must not rely on them to be either present or correct.
基本上,您无法确保请求来自特定域(即使对于XmlHttpRequest:浏览器也只能在同一域上使用XHR ...但是您无法确保您收到的请求是否来自XHR).
Basically, you have no way to be sure that a request comes from a specific domain (even for XmlHttpRequest : the browser can only use XHR on the same domain... But you have no way to be sure that a request you receive is, or is not, coming from XHR).
在(不确定您真正的问题/需求是什么)中,您可能会尝试使用某种API密钥来限制请求率?
Amongst possible ideas (not sure what your real problem / need is), you might try using some kind of API-key, to limit request-rates or so ?
这篇关于PHP检查以确保请求是来自我的站点的xmlhttp还是来自某个域的正常请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!