检查 PHP 引用
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5032889/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Checking PHP referrer
提问by JakeSteam
So, I need to check the referrer to a page using php, and if it is *.example.com, or *.anothersite.com, execute code, but if not, redirect elsewhere.
因此,我需要使用 php 检查页面的引用,如果它是 *.example.com 或 *.anothersite.com,则执行代码,但如果不是,则重定向到其他地方。
How would I go about checking if the HTTP_REFERER is equal to those values, with a wildcard character?
我将如何使用通配符检查 HTTP_REFERER 是否等于这些值?
Thanks!
谢谢!
EDIT: The url will contain more than one domain, so the regex needs to match the FIRST occurance found.
编辑:该 url 将包含多个域,因此正则表达式需要匹配找到的第一次出现。
回答by seriousdev
Should do it:
应该这样做:
$allowed_host = 'example.com';
$host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
if(substr($host, 0 - strlen($allowed_host)) == $allowed_host) {
// some code
} else {
// redirection
}
回答by Marc B
$ref = $_SERVER['HTTP_REFERER'];
if (strpos($ref, 'example.com') !== FALSE) {
redirect to wherever example.com people should go
}
if (strpos($ref, 'example.org') !== FALSE) {
redirect to wherever example.org people should go
}
Of course, this only works if the referer is "nice". For instance, coming from google you could possibly have "example.org" in the search term somewhere, in which case strpos would see it, and redirect, even though you came from google.
当然,这只适用于推荐人“nice”的情况。例如,来自谷歌的你可能在某个地方的搜索词中有“example.org”,在这种情况下 strpos 会看到它并重定向,即使你来自谷歌。
回答by Zaffy
Other answers' checks' are good but are not strictly bound to your website. So for example referer with value http://attacker.com/www.example.com/will pass almost all the checks. And it is very easy to make such site and just send a cross-domain request.
其他答案的检查是好的,但并不严格绑定到您的网站。因此,例如具有值的引用http://attacker.com/www.example.com/将通过几乎所有检查。制作这样的网站非常容易,只需发送跨域请求即可。
There is a reliable and secure method to check if referer is reallyyour domain. Of course referer can be spoofed, but a victim of an attacker site will send correct referer.
有一种可靠且安全的方法可以检查引用者是否真的是您的域。当然referer 可以被欺骗,但是攻击者站点的受害者会发送正确的referer。
The trick is in ^special character. Here is the magic regex:
诀窍在于^特殊性质。这是神奇的正则表达式:
^https?://(([a-z0-9-]+)\.)*example\.com/
^- ensures that we are at the starthttps?- protocol - http or https(([a-z0-9-]+)\.)*- matches subdomains, also of higher levels, if anyexample\.com- matches main domain/- ensures start of path so domain name cannot continue
^- 确保我们在开始https?- 协议 - http 或 https (([a-z0-9-]+)\.)*- 匹配子域,如果有的话,也是更高级别的example\.com- 匹配主域/- 确保路径的开始,因此域名无法继续
回答by Sean Walsh
preg_match('/(.+?)\.example\.(com|org)/',$_SERVER['HTTP_REFERER'])
preg_match('/(.+?)\.example\.(com|org)/',$_SERVER['HTTP_REFERER'])
This will only match an address that has a subdomain, and it also will not continue looking for anything beyond subdomain.example.comor .org. i.e. subdomain.example.com/some-other-stuff. Do you need to also match either of these?
这只会匹配具有子域的地址,并且也不会继续查找subdomain.example.com或之外的任何内容.org。即subdomain.example.com/some-other-stuff。您是否还需要匹配其中任何一个?
Correction - this will match www.example.combut will not match example.com.
更正 - 这将匹配www.example.com但不会匹配example.com。
回答by Michael Berkowski
Try this:
尝试这个:
if (preg_match('/\.example\.(com|org)/', $_SERVER['HTTP_REFERER']))
{
// execute your code
}
else
{
header("Location: http://example.com/redirectpage.htm");
exit();
}
