Getting the domain that calls a PHP file on your server through AJAX


Problem description

I'm building out an API and have a question about how to track/know which domains use the call.

The API call is built in PHP, and doesn't require any authentication. A user will most likely use the API in an AJAX call on their server.

So for example, my domain that is serving up the API PHP file is called dev.yourmapper.com. Someone on the domain www.metromapper.org builds a page that creates a Google map, and calls my file using Ajax to overlay my data on their map.

Here is the example: http://www.metromapper.org/example/apitest.htm

(Click the center map marker to see a popup of all the PHP Server variables available to the yourmapper.com script.)

Note that HTTP_REFERER is likely going to be 'stackoverflow.com' if you click the link (or empty if you cut and paste the link). I would think that the referer would be metromapper.org, since that domain calls the yourmapper.com script after it loads, but apparently not.

Bottom line: what method can I use to determine which domain is calling my yourmapper.com script with Javascript? I can use other languages besides PHP if needed. Thanks.

Recommended answer

"I would think that the referer would be metromapper.org, since that domain calls the yourmapper.com script after it loads"

That's incorrect actually. Firstly, you should never rely on the HTTP_REFERER because it's a voluntary parameter passed by most (not all) browsers, and it can easily be spoofed. I can send your website requests using CURL that make it look like the referrer was whitehouse.gov if I want to. There are no security measures in place there.

That being said, the browser sets that parameter to the page that referred the user to the currently loaded page, not the script. So the reason you see the result you're seeing is that the user was referred to metromapper.org by a link on stackoverflow.com.

Finally, let's get to the juicy part. You're using JS to code things in the browser. That's fine and there's absolutely no problem with that. But you have to remember that JS is open source. So people can (and will) mess with your code to play with your API just because they can. That being said, your best bet is probably to pass the URL of the site along with the request in your JS API. That's the best way to "track" what sites are using your script. You could check server side to make sure that a URL was passed. That would prevent people from modifying your API to remove the bit that sends their URL to your server. It won't, however, prevent them from modifying it to use someone else's URL or a random unregistered one as the parameter.

Sure, you could build a PHP API that they run on their server. The JS API connects to the PHP API, and the PHP API is Zend Guard encoded (or some other source protection code system), but then there are still going to be people who decode the file to get back to your source and mess with you. Granted, there'd be far fewer people able to do that, and the average user would rather just use your API as it is. Then you also have the issue of people not being able to run your API on servers that don't have the ability to run encoded PHP files.

In the end you have to determine your level of desired security and authentication, but since your API is running in JavaScript in the client browser, there is very little available beyond obfuscation.

I'd say your best option would be to simply have your JS code snag the URL of the current page and send it with the API request. From there your server can process the URL to get the root domain and any other info you want to store.

If you want to prevent people from "spoofing" requests for other users' website URLs, you could implement a PHP API that gets installed on the user's server at a certain place. For example http://www.domain.com/my-app-name.php

All JS API calls should go through that script. When the user downloads your API they should enter their website URL and some other info. Your system generates a "key" and injects it into the script before packaging it for them to download. That key is valid for their domain and used to encode all transmission to/from your API using say blowfish or another 2-way encryption algorithm. This way when your API receives a request from their PHP API file, you're getting the url of the page that request was made from, encoded with a key that only you and the admin of that site have. So the request comes through as something like this: metromapper.org/api?site=[url_encoded_page_address]&req=[encrypted_request]

Your server uses the page url to determine what key should be used to decrypt the data. It then decrypts the data. If the data is corrupted or doesn't decrypt into what you expect, then it's an invalid request and you should just exit returning nothing.
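The request flow the answer describes (site parameter selects the key, encrypted payload carries the page URL, anything that does not decrypt returns nothing), as an added example that is not the answerer's code. It assumes PHP 8 with the openssl extension; the names `root_domain`, `encrypt_request` and `handle_api_request` are hypothetical, the key table is constructed, and AES-256-GCM is used as the "other 2-way algorithm" the answer allows, because its authentication tag is what actually detects a corrupted or tampered request.

```php
<?php
// Added example (not the answer's code) of the per-site key scheme described
// above. CONSTRUCTED key table: the real keys come from your registration DB.
const SITE_KEYS = ['metromapper.org' => 'CONSTRUCTED-EXAMPLE-KEY-32-BYTES'];

// Hypothetical helper: reduce a page URL to its registered root domain.
function root_domain(string $url): ?string {
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    $host = strtolower($host);
    return str_starts_with($host, 'www.') ? substr($host, 4) : $host;
}

// Runs in my-app-name.php on the site owner's server. AES-256-GCM stands in
// for Blowfish: its authentication tag is what detects a corrupted request.
function encrypt_request(string $plaintext, string $key): string {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Runs on dev.yourmapper.com: choose the key from the site parameter, decrypt,
// and return null (send nothing) when the data is corrupt or names another site.
function handle_api_request(array $query): ?array {
    $domain = root_domain(urldecode($query['site'] ?? ''));
    if ($domain === null || !isset(SITE_KEYS[$domain])) {
        return null;                                   // unregistered site
    }
    $raw = base64_decode($query['req'] ?? '', true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;                                   // malformed request
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $pt = openssl_decrypt($ct, 'aes-256-gcm', SITE_KEYS[$domain], OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        return null;                                   // wrong key or tampered
    }
    $req = json_decode($pt, true);
    if (!is_array($req) || root_domain((string)($req['page'] ?? '')) !== $domain) {
        return null;                                   // site parameter does not match payload
    }
    return $req;
}
// Constructed round trip using the page from the question.
$page = 'http://www.metromapper.org/example/apitest.htm';
$req  = encrypt_request(json_encode(['page' => $page, 'layer' => 'transit']), SITE_KEYS['metromapper.org']);
var_dump(handle_api_request(['site' => rawurlencode($page), 'req' => $req]));
```

Flipping one byte of `$req` or passing a `site` whose root domain differs from the `page` inside the payload makes `handle_api_request` return null, which is the "exit returning nothing" branch.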

The reason I suggest using a PHP file for encryption as opposed to writing the encryption into JS is because you don't want to burden the client (each site visitor) with the load of encryption/decryption and PHP is going to handle it much faster than JS would since there are libraries made to handle those tasks for you.

At any rate that should get you on the right track to being able to keep track of and validate requests for different sites against your API.
