限制一个PHP脚本执行一个引荐 [英] Restrict the execution of a PHP script to one referer
问题描述
我构建Ajax / PHP脚本,我已经拿出东西来保护从外部访问的AJAX文件,我的意思是,限制脚本从另一台服务器(和域)执行。我使用的JQuery $ AJAX 张贴到PHP文件。
I am building an ajax/PHP script and I have come up with something to protect the ajax file from external access, by that I mean to restrict the execution of the script from another server (and domain). I am using JQuery $ajax to post to the PHP file.
下面是PHP文件:
<?php
$config["url"]="mysite.com";
if (isset($_SERVER["HTTP_REFERER"])) {
$url = parse_url($_SERVER["HTTP_REFERER"]);
if ($url["host"] != $config["url"]) {
echo "You don't have access to this file.";
exit;
} else {
//Run The script
}
}
?>
基本上,这是什么脚本做的是,它匹配引用站点和域。该脚本将退出,如果它不匹配,并且如果这样做将运行。因此,该脚本只能从执行 mysite.com ,而不是从其他地方。
Basically what this script does is that it matches the Referer and the domain. The script will exit if it doesn't match and will run if it does. So the script can be executed from only mysite.com and not from elsewhere.
我不是PHP / Javascript的专家,所以谁能告诉我,如果这是好还是不好,如果它会在某些情况下可能会失败?
I am not PHP / Javascript expert, so can anyone tell me if this is good or not and if it will fail under some conditions?
推荐答案
这是什么脚本是防止一个的跨站请求伪造或 CSRF 的。检查引用者反对这种攻击的两个主要的防御。唯一的问题是,如果网站有任何用户生成的内容,那么他们可以添加一些东西,例如:
What this script is protecting against is a Cross Site Request Forgery or CSRF. Checking the referer is one of the two primary defenses against this attack. The only problem is if the site has any user generated content, then they can add something such as:
<img src="/src/to/your/ajax?params=something_evil" />
这将仍然执行它。 第二个最常见的prevention方法是使用CSRF令牌阿贾克斯。 这里有两个资源,读上找到更多关于这种攻击:
which will still execute it. The second most common prevention method is using a CSRF token for ajax. Here are two resources to read up on to find more about this attack:
说明: https://www.owasp.org/index.php/跨Site_Request_Forgery_(CSRF )
prevention:的https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_$p$pvention_Cheat_Sheet
Prevention: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
编辑:
一点点澄清,可能会清除这个问题的困惑。的
任何用户都可以伪造引用者头部,但是这是不相关的。没关系的原因是,如果他们可以伪造引用者,他们可以很容易地做出合理的要求。
Any user can forge the referer header, but this is irrelevant. The reason it doesn't matter is that if they can forge the referer, they can just as easily make a legitimate request.
这里的重要组成部分,是确保他们不能从其他任何用户伪造的请求。这是唯一重要的方面,并检查引用站点和防止CSRF攻击的唯一原因。
The important part here is ensuring that they cannot forge a request from any other user. This is the only aspect that matters and the only reason for checking the referer and protecting against CSRF attacks.
这篇关于限制一个PHP脚本执行一个引荐的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
