Prevent external access to PHP scripts but allow AJAX

Problem description

I've read a lot about .htaccess rules, checking headers, using encryption etc. but I haven't found exactly the answer I'm after. I know that assuming the server is set up right, you can't access my precious PHP scripts with AJAX. I tried checking if an access variable was defined which disallowed address bar access but also blocked my AJAX requests.

If I have some PHP scripts that I use for AJAX calls, is there a way that I can prevent address bar access, PHP POST (cURL etc.) as well as AJAX from outside my domain (assumed via cross-domain access restrictions)?

Recommended answer

There is NO way absolutely to safely/reliably identify which part of the browser the request comes from -- address bar, AJAX. There's a way to identify what is sending though browser/curl/etc via User-Agent header (but not reliably)

A quick but a lot less reliable solution would be to check for the following header. Most browsers attach it with AJAX calls. Be sure to thoroughly look into it, and implement.

X-Requested-With: XMLHttpRequest

NOTE: Do not trust the client if the resource is crucial. You are better off implementing some other means of access filtering. Remember, anyone can fake headers!
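
The header check from the answer, paired with a server-side check that a forged header cannot satisfy, as an added example that is not part of the original answer. The per-session token, the `X-Ajax-Token` header and all function names are assumptions chosen for illustration; the request data is constructed.

```php
<?php
declare(strict_types=1);

// Cheap filter from the answer: AJAX libraries commonly send this header,
// but any client can set it, so it is never sufficient on its own.
function looksLikeAjax(array $server): bool
{
    return strcasecmp($server['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;
}

// Assumed "other means of access filtering": a token stored in the session when
// the hosting page is rendered, echoed back by that page's script in a header.
function hasValidToken(array $server, array $session): bool
{
    $expected = $session['ajax_token'] ?? '';
    $supplied = $server['HTTP_X_AJAX_TOKEN'] ?? '';
    return is_string($expected) && $expected !== ''
        && is_string($supplied) && hash_equals($expected, $supplied);
}

// Returns the HTTP status the endpoint should answer with.
// In a real script: guardAjaxEndpoint($_SERVER, $_SESSION) after session_start().
function guardAjaxEndpoint(array $server, array $session): int
{
    if (!looksLikeAjax($server)) {
        return 400; // address-bar navigation and plain clients stop here
    }
    if (!hasValidToken($server, $session)) {
        return 403; // header present (possibly forged) but no session-bound token
    }
    return 200;
}

// Constructed sample requests showing why the header alone is not enough.
$session = ['ajax_token' => bin2hex(random_bytes(16))];
$cases = [
    'address bar'             => [],
    'client forging header'   => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'page script with token'  => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
                                  'HTTP_X_AJAX_TOKEN'     => $session['ajax_token']],
];
foreach ($cases as $label => $server) {
    printf("%-24s => %d\n", $label, guardAjaxEndpoint($server, $session));
}
```

The token only ties a request to a session that first loaded the page; a client that does both still passes, so anything sensitive behind the endpoint still needs authentication and authorization.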
