在 php 中验证 XMLHttpRequest [英] Verifying XMLHttpRequest in php

问题描述

我正在使用以下代码向 PHP 站点发送数据:

I am sending data to a PHP site using the following code:

if (window.XMLHttpRequest)
      {// code for IE7+, Firefox, Chrome, Opera, Safari
              xmlhttp= new XMLHttpRequest();
      }
      else
      {// code for IE6, IE5
          xmlhttp= new ActiveXObject("Microsoft.XMLHTTP");
      }
      xmlhttp.open("GET","addEmail.php?email="+escape(email),true);
      xmlhttp.send();
      xmlhttp.close;

有什么方法可以确保 addEmail.php 通过 XMLHttpRequest 运行，这样人们就不能简单地访问 www.domain.com/addEmail.php?email=some@thing.com 让 php 站点吃掉他们的电子邮件并在页面上运行一千个请求?提前致谢

Is there any way of making sure that the addEmail.php is being run through the XMLHttpRequest so people cant simply go to www.domain.com/addEmail.php?email=some@thing.com to make the php site eat their email and run a thousand requests on the page? Thanks in advance

推荐答案

用户总是可以直接访问 php 脚本，但是你可以通过在 php 脚本中添加这个检查来保护更多:

The users is always able to access the php script directly, but you can protect is a bit more by adding this check to the php script:

if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
{
  //CODE HERE
}

此外，就像 Eugen Rieck 提到的那样，您可以发送令牌.

Additionally, like Eugen Rieck mentioned, you could send a token.

这篇关于在 php 中验证 XMLHttpRequest的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！