Getting the domain that calls a PHP file on your server through AJAX

Views: 221

Problem description

I'm building out an API and have a question about how to track/know which domains use the call.

The API call is built in PHP, and doesn't require any authentication. A user will most likely use the API in an AJAX call on their server.

So for example, my domain that is serving up the API PHP file is called dev.yourmapper.com. Someone on the domain www.metromapper.org builds a page that creates a Google map, and calls my file using Ajax to overlay my data on their map.

Here is an example in action: http://www.metromapper.org/example/apitest.htm

(Click the center map marker to see a popup of all the PHP Server variables available to the yourmapper.com script.)

Note that HTTP_REFERER is likely going to be 'stackoverflow.com' if you click the link (or empty if you cut and paste the link). I would think that the referer would be metromapper.org, since that domain calls the yourmapper.com script after it loads, but apparently not.

Bottom line: what method can I use to determine which domain is calling my yourmapper.com script with Javascript? I can use other languages besides PHP if needed. Thanks.

Recommended answer

"I would think that the referer would be metromapper.org, since that domain calls the yourmapper.com script after it loads"

That's incorrect actually. Firstly, you should never rely on the HTTP_REFERER because it's a voluntary parameter passed by most (not all) browsers, and it can easily be spoofed. I can send your website requests using cURL that make it look like the referrer was whitehouse.gov if I want to. There are no security measures in place there.

That being said, the browser sets that parameter to the page that referred the user to the currently loaded page, not the script. So the reason you see the result you're seeing is because the user was referred to metromapper.org by a link on stackoverflow.com.

Finally, let's get to the juicy part. You're using JS to code things in the browser. That's fine and there's absolutely no problem with that. But you have to remember that JS is open source. So people can (and will) mess with your code to play with your API just because they can. That being said, your best bet is probably to pass the URL of the site along with the request in your JS API. That's the best way to "track" what sites are using your script. You could check server side to make sure that a URL was passed. That would prevent people from modifying your API to remove the bit that sends their URL to your server. It won't, however, prevent them from modifying it to use someone else's URL or a random unregistered one as the parameter.

Sure, you could build a PHP API that they run on their server. The JS API connects to the PHP API and the PHP API is Zend Guard encoded (or some other source protection code system), but then there are still going to be people who decode the file to get back to your source and mess with you. Granted, there'd be far fewer people able to do that, and the average user would just rather use your API as it is. Then you also have the issue of people not being able to run your API on servers that don't have the ability to run encoded PHP files.

In the end you have to determine your level of desired security and authentication, but since your API is running in JavaScript in the client browser, there is very little available beyond obfuscation.

I'd say your best option would be to simply have your JS code snag the URL of the current page and send it with the API request. From there your server can process the URL to get the root domain and any other info you want to store.

If you want to prevent people from "spoofing" requests for other users' website URLs, you could implement a PHP API that gets installed on the user's server at a certain place, for example http://www.domain.com/my-app-name.php.

All JS API calls should go through that script. When the user downloads your API, they should enter their website URL and some other info. Your system generates a "key" and injects it into the script before packaging it for them to download. That key is valid for their domain and is used to encode all transmission to/from your API using, say, Blowfish or another two-way encryption algorithm. This way, when your API receives a request from their PHP API file, you're getting the URL of the page that the request was made from, encoded with a key that only you and the admin of that site have. So the request comes through as something like this: metromapper.org/api?site=[url_encoded_page_address]&req=[encrypted_request]

Your server uses the page URL to determine what key should be used to decrypt the data. It then decrypts the data. If the data is corrupted or doesn't decrypt into what you expect, then it's an invalid request and you should just exit, returning nothing.

The reason I suggest using a PHP file for encryption, as opposed to writing the encryption into JS, is because you don't want to burden the client (each site visitor) with the load of encryption/decryption, and PHP is going to handle it much faster than JS would, since there are libraries made to handle those tasks for you.

At any rate that should get you on the right track to being able to keep track of and validate requests for different sites against your API.
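The site-plus-encrypted-request scheme sketched in the answer above, as an added example that is not the answer's own code: the script installed on the customer's server builds the `site=...&req=...` request, and the API server picks the per-domain key from `site`, decrypts `req`, and returns nothing on any failure. Assumptions: AES-256-GCM via PHP's `openssl_encrypt`/`openssl_decrypt` is swapped in for the Blowfish the answer mentions, because an authenticated cipher turns "doesn't decrypt into what you expect" into a reliable check; the key registry and the payload are constructed sample data.

```php
<?php
// Constructed key registry: host => 32-byte key issued when that site's owner downloaded the API.
// A real deployment would keep this in a database; the lookup-by-host logic is the same.
$REGISTERED_KEYS = [
    'www.metromapper.org' => hash('sha256', 'constructed-demo-key-for-metromapper', true),
];

// Runs inside the installed script on the customer's server (the answer's my-app-name.php):
// wraps the payload as site=...&req=... The 12-byte IV and 16-byte GCM tag are prepended to
// the ciphertext, and the page URL is bound as associated data so it cannot be swapped later.
function buildApiRequest(string $pageUrl, string $payload, string $key): string {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($payload, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $pageUrl);
    return 'site=' . rawurlencode($pageUrl) . '&req=' . rawurlencode(base64_encode($iv . $tag . $ct));
}

// Runs on the API server: selects the key from the host named in `site`, then verifies and
// decrypts `req`. Any failure returns null, which the caller treats as "exit returning nothing".
function verifyApiRequest(array $query, array $registry): ?string {
    $site = (string)($query['site'] ?? '');
    $host = parse_url($site, PHP_URL_HOST);
    if (!is_string($host) || !isset($registry[$host])) {
        return null;                                   // unregistered or malformed site: no key
    }
    $raw = base64_decode((string)($query['req'] ?? ''), true);
    if ($raw === false || strlen($raw) < 28) {
        return null;                                   // too short to even hold IV + tag
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $registry[$host], OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16), $site);
    return $pt === false ? null : $pt;                 // false: wrong key, tampered data, or changed site
}

// Demo with a constructed payload: the genuine request verifies; the same `req` presented
// under a different page URL fails, because the URL is part of the authenticated data.
$page = 'http://www.metromapper.org/example/apitest.htm';
$key  = $REGISTERED_KEYS['www.metromapper.org'];
parse_str(buildApiRequest($page, '{"layer":"parcels","zoom":14}', $key), $params);
echo verifyApiRequest($params, $REGISTERED_KEYS) === null ? "rejected\n" : "accepted\n";
$params['site'] = 'http://www.metromapper.org/copied-elsewhere.htm';
echo verifyApiRequest($params, $REGISTERED_KEYS) === null ? "rejected\n" : "accepted\n";
```

Replay of a captured request under the same page URL is not covered by this check; a timestamp or nonce inside the payload, verified server side, would be needed for that.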
