How can I restrict access to some PHP pages only from pages within my website?

Views: 116

Question

I have in my website a PHP page which retrieves data from my database to be presented in my website. This page is called via AJAX. How can I restrict access to it only from pages within my website, so that users who want to abuse it and get this data from somewhere other than the website itself (e.g. by posting an HTTP request from their server) won't be able to do so?

Recommended answer

JavaScript running on another site will be unable to access your site because of the Same-Origin Policy for XHR. But nothing is stopping someone from building a PHP+cURL script to "proxy" the data from your AJAX backend to make it appear as though it was running on their server. Trying to blacklist clients is messy: IP addresses are cheap and free HTTP proxies are plentiful.

In short, there is nothing special about your JavaScript. A client can do whatever he wants, and you can't force him to behave; this is the basis of "client-side trust". A hacker can use something like TamperData or even Firebug to identify HTTP requests, and he will be able to replay them or forge them with cURL.

You could try obfuscating your JavaScript. But at the end of the day an attacker is just going to replay the HTTP request, and there is absolutely nothing you can do about it.
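The answer's point, shown in running code (an added example, not part of the original question or answer): the obvious "gate" to bolt onto the AJAX endpoint is a check on the Referer and X-Requested-With headers, since a browser page on your site sends both. A server-side script, the stand-in here for the PHP+cURL proxy the answer describes, simply copies those headers out of the browser's dev tools and passes the check. The in-process HTTP server, the `/data.php` path, the `SITE_ORIGIN` value and the sample rows are all constructed for the demonstration; only the standard library is used, so it runs offline on a loopback port.

```python
"""Forging a Referer / X-Requested-With gate from a server-side client.

Added example, not from the page. Everything below (endpoint path, origin,
sample rows) is made up for the demo; the server runs in-process on loopback.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SITE_ORIGIN = "https://www.example.com"  # assumed origin of "my website"
SECRET_ROWS = [{"id": 1, "name": "alice"}, {"id": 2, "name": "bob"}]  # constructed sample data


class AjaxHandler(BaseHTTPRequestHandler):
    """Naive 'only my own pages may call this' gate on the AJAX endpoint."""

    def do_GET(self):
        if self.path != "/data.php":
            self.send_error(404)
            return
        referer = self.headers.get("Referer", "")
        xrw = self.headers.get("X-Requested-With", "")
        # Both headers are chosen by the client, so this proves nothing.
        if referer.startswith(SITE_ORIGIN + "/") and xrw == "XMLHttpRequest":
            status, body = 200, json.dumps(SECRET_ROWS).encode()
        else:
            status, body = 403, b'{"error": "forbidden"}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), AjaxHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(base_url, headers):
    """Stand-in for the PHP+cURL 'proxy': one GET with whatever headers we pick."""
    req = urllib.request.Request(base_url + "/data.php", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def run_demo():
    """Returns (status, body) for a bare request and for a forged one."""
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        # 1. A lazy scraper sends no browser-like headers: the gate blocks it.
        plain = fetch(base, {})
        # 2. Copy the two headers a real page request carries (visible in any
        #    dev tools / TamperData capture): indistinguishable from the page.
        forged = fetch(base, {
            "Referer": SITE_ORIGIN + "/index.html",
            "X-Requested-With": "XMLHttpRequest",
        })
        return plain, forged
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    plain, forged = run_demo()
    print("no headers ->", plain)   # (403, {'error': 'forbidden'})
    print("forged     ->", forged)  # (200, [{'id': 1, ...}, {'id': 2, ...}])
```

The first call fails only because the scraper did not bother to look like a browser; the second carries exactly what the browser sends and gets the rows. Nothing in the request identifies where it was assembled, which is why the answer says the replay cannot be stopped at this layer.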
