Restricting access if not coming from certain referer(s) PHP


Problem description


I am racking my brain as to why this isn't working.

What I would like to achieve is to restrict access to a page on my own website to visitors coming from a certain website, Facebook for instance.

Since the link will be posted on one or more Facebook pages and/or my personal profile, I would like the script to execute if the visitor is coming from Facebook and/or any other "PAGES" it's posted on.

For instance, if I post my link on www.facebook.com/This_is_my_PAGE, or it is posted on my personal profile www.facebook.com/freds_personal_profile, or someone shares my link on Facebook, I would like the page to be accessible only to those coming from the Facebook domain.

I found the script below while searching for a solution, but it's echoing my error message instead of redirecting to the link in question.

<?php
$target_site = 'https://www.facebook.com/';
// $target_site is interpolated into a pattern that also uses '/' as its
// delimiter, so preg_match() does not receive a valid regex here.
if (isset($_SERVER['HTTP_REFERER']) && preg_match("/$target_site/", $_SERVER['HTTP_REFERER'])) {
    // do something with people from facebook.com
} else {
    // do something else with everyone else
    echo "Sorry, viewable to Facebook fans only.";
}

Solution

First of all, your code is flawed because:

  • What if the user is not using Facebook's "Secure version" (http rather than https)?
  • What if the user is coming from facebook.com rather than www.facebook.com?
  • What if a malicious user is tricking users into coming from a site like http://example.com/evilpage.php?https://www.facebook.com/?

The main reason it doesn't work is that your regex is completely invalid. Instead, it should be along the lines of:

preg_match("/".preg_quote($target_site,"/")."/i",$_SERVER['HTTP_REFERER']);

(documentation on preg_quote())

Aside from all of this, there is no security in checking the referrer. It can be changed, it can be blocked altogether. It should not be relied on.
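The answer's three bullets and its closing caveat, as an added example that is not part of the original question or answer: rather than substring-matching the referer, parse it and compare the host, which accepts both http and https, accepts bare facebook.com and its subdomains, and rejects the example.com URL that merely carries the Facebook address in its query string. The function name `referer_matches_domain()` and the list of sample referers are assumptions for this example, not anything from the page.

```php
<?php
// Added example, not code from the original question or answer. It parses the
// Referer instead of substring-matching it, which removes the three false
// positives the answer lists. The function name and sample referers are assumed.

/**
 * True if $referer is an absolute http(s) URL whose host is $domain itself or
 * a subdomain of it. Anything else (missing header, relative or unparseable
 * URL, other scheme, other host) is rejected.
 */
function referer_matches_domain(?string $referer, string $domain): bool
{
    if ($referer === null || $referer === '') {
        return false;                                  // header absent or blank
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                                  // not an absolute URL
    }
    // Answer's first bullet: accept plain http as well as https.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Answer's second bullet: compare only the host, case-insensitively, so
    // facebook.com, www.facebook.com and m.facebook.com all match.
    $host   = strtolower(rtrim($parts['host'], '.'));
    $domain = strtolower($domain);
    return $host === $domain
        || (strlen($host) > strlen($domain) + 1
            && substr($host, -(strlen($domain) + 1)) === '.' . $domain);
}

// Constructed referers for a self-check (not captured traffic).
$cases = [
    'https://www.facebook.com/This_is_my_PAGE'                  => true,
    'http://facebook.com/freds_personal_profile'                => true,  // http, bare domain
    'https://m.facebook.com/'                                   => true,  // subdomain
    'http://example.com/evilpage.php?https://www.facebook.com/' => false, // answer's third bullet
    'https://notfacebook.com/'                                  => false, // suffix without the dot
    'https://www.facebook.com.example.com/'                     => false, // real host is example.com
    'javascript:alert(1)'                                       => false, // no host at all
    ''                                                          => false, // header missing
];

$failures = 0;
foreach ($cases as $referer => $expected) {
    $got = referer_matches_domain($referer, 'facebook.com');
    if ($got !== $expected) {
        $failures++;
    }
    printf("%-62s %s\n", $referer === '' ? '(empty)' : $referer, $got ? 'facebook' : 'other');
}
echo $failures === 0 ? "all cases behave as expected\n" : "$failures case(s) wrong\n";

// The original page's branch, with the check used only to choose content.
// It must not protect anything: a client can send any Referer it likes.
if (referer_matches_domain($_SERVER['HTTP_REFERER'] ?? null, 'facebook.com')) {
    // do something with people from facebook.com
} else {
    echo "Sorry, viewable to Facebook fans only.\n";
}
```

Run it with `php` on the command line; the self-check prints a verdict for each constructed referer, and the final branch prints the "fans only" message because no Referer header exists outside a web request. Two things to keep in mind when using it: browsers apply the linking page's Referrer-Policy and often truncate the header to the bare origin (`https://www.facebook.com/`) or drop it entirely on cross-site navigations, so legitimate visitors can fail the check; and anyone can pass it with `curl -H 'Referer: https://www.facebook.com/' ...`. The host comparison removes the false positives from the answer's bullets, but it does not turn a client-supplied header into an access control.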
