如何保护php脚本? [英] How to secure php scripts?

问题描述

如果我有一个对 php 脚本的 AJAX 调用，就像这样(使用 jQuery)

If I have an AJAX call to a php script, like this (using jQuery)

$.ajax(url: "../myscript.php");

和 myscript 看起来像这样:

and myscript looks like this:

<?php
    //code that does something to db
 ?>

我想知道如何防止用户只是转到 example.com/myscript.php 来执行脚本.

I want to know how to prevent a user from just going to example.com/myscript.php to execute the script.

推荐答案

这里的一些答案让您大致了解问题背后的概念，让我给您一个更务实的方法(您至少应该阅读并理解其他人所说的话关于这件事！).

Some answers here give you an overview of the concepts behind your question, let me give you a more pragmatic approach (you should at least read and understand what others say about this matter though!).

您只需要问自己:您的应用是否必须强制控制对 myscript.php 的所有请求?

You just need to ask yourself: Do your app must enforce that all requests to myscript.php should be controlled?

如果是，那么您需要使用某种令牌:您创建一个令牌并将其发送到客户端(浏览器)，然后浏览器必须发回令牌并检查它是否匹配在做一些动作之前:

If so then you need to use some sort of token: you create a token and send it to the client (browser), then the browser must send back the token and you check if it matches before doing some action:

<?php
// somefile.php (this file serves the page that contains your AJAX call)
session_start();
//...
$_SESSION['token'] = createNewToken(); // creates unique tokens

//add the token as a JS variable and send it back in your AJAX CALL
// some where you'll have something similar to this:
<script>
  var token = <?php echo $_SESSION['token'] ?>;
  $.ajax({
    url: "myscript.php",
    data: form_data, // include the token here!
    //...
  })

然后在您的脚本中:

<?php
// myscript.php
session_start();

// you can check if it's an AJAX call, if the user is logged and then the token:    
if (!isset($_SESSION['token')) {
  header("HTTP/1.0 403 Forbidden");
  die("Direct access not allowed!");
}

// Assuming your AJAX is a POST though you didn't tell us
if (!isset($_POST['token'] || $_POST['token'] != $_SESSION['token']) {
  header("HTTP/1.0 400 Bad request");
  die("You didn't provide a valid token!");
}

// do something with your DB

否则您只需要检查用户是否已登录，就像您通常对其余脚本所做的那样:

Otherwise you just need to check if the user is logged as you would normally do with the rest of your scripts:

<?php
// myscript.php
session_start();
// Check if logged in user
if (!isset($_SESSION['loggedIn']) || !$_SESSION['loggedIn']) {
  header("HTTP/1.0 403 Forbidden");
  die("You need to be logged in!");
}

// Do something with your DB

总结

使用第一种方法允许更受控制的访问，因为您强制用户发送普通用户不会拥有的秘密(令牌，在每个请求中都不同)(如果其他用户获得令牌，那么你就会遇到更大的问题，比如会话劫持).请注意，此方法可防止用户在多个选项卡/不同浏览器上打开，因为只会保存最后一个令牌.为了避免你有这个SO的精彩答案

Using the first method allows a more controlled access as you force the user to send a secret (the token, which will be different in every request) that a normal user won't have (if some other user gets the token, then you have bigger problems like session hijacking). Notice that this method prevents the user opening on multiple tabs / different browsers as only the last token will be saved. In order to avoid that you have this fantastic answer on SO

另一方面，第二种方法允许(登录的)用户直接请求您的 myscript.php，但也许您不需要阻止这种情况(如果需要，只需使用第一种方法).请注意，这里不会出现多个选项卡/不同浏览器的问题，因为您只会检查用户是否已登录.

On the other hand, the second approach allows (logged) users to request directly your myscript.php, but maybe you don't need to prevent that (if you need, just use the first method). Notice here you won't have the issue of multiple tabs / different browsers as you'll only check if the user is logged in.

这篇关于如何保护php脚本?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！