如何在php中获取发布请求的引荐来源网址? [英] How to get the referrer url of post request in php?

问题描述

我正在开发一个php网站，允许用户在其中添加带有说明，图像等的产品.我正在使用POST方法接收用户输入.但是，如果用户知道表单的输入名称和表单的操作链接，则可以使用javascript发送持续的请求并阻塞我的数据库.

因此，如果我能以某种方式从POST请求发出的地方获取URL，则可以避免这种情况.如果POST请求来自我网站的网址，我只能将信息输入数据库.

我知道也可以使用验证码来阻止这种攻击，但是我想要一种替代方法，主要是因为验证码很痛苦.

有什么方法可以不用验证码吗?也许会议?

解决方案

为表单提供安全性的最佳方法可能是在表单中添加CSRF令牌(如何使用PHP正确添加CSRF令牌)

I'm developing a php website, where users are allowed to add products with descriptions, images etc. I am receiving the user input using POST method. But, if the users know the form input names and the form's action link, they can send constant requests using javascript and jam my database.

So, if I could somehow get the URL from where the POST request is coming, I could prevent that. I could only input the information into database if the POST request was from my site's url.

I know this attack may also be prevented using captcha, but I want an alternative, mainly because captchas are painful.

Any way I can do it without using captchas? Perhaps sessions?

解决方案

Probably the best way to provide security to your Forms are by adding a CSRF Token to your form (http://en.wikipedia.org/wiki/Cross-site_request_forgery).

How it works is every time you render a form you generate a pseudo random code and store it in a session variable and also put the same code as a hidden input in your form.

So when the user posts the form you can validate to see if the csrf tokens are the same.

There is another thread about this so you can maybe take a look at that (How to properly add CSRF token using PHP)

这篇关于如何在php中获取发布请求的引荐来源网址?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！