php 如何检查请求是来自同一服务器还是不同服务器?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5410238/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to check if a request if coming from the same server or different server?
提问by ptamzz
How can I check whether a request being received is sent from the same server??
如何检查接收到的请求是否来自同一服务器?
Say, I've my domain at www.domain.com. Now I've php processing files which will process forms hosted through this domain. This processes will be executed only if the requests are sent from within the domain ie. www.domain.com and any other requests sent from other domains will be discarded.
比如说,我的域名位于 www.domain.com。现在我有 php 处理文件,这些文件将处理通过该域托管的表单。仅当请求是从域内发送时才会执行此过程,即。www.domain.com 和从其他域发送的任何其他请求将被丢弃。
回答by Pascal MARTIN
Basically : you cannot.
With the HTTP protocol, each request is independent from the others.
基本上:你不能。
对于 HTTP 协议,每个请求都独立于其他请求。
A first idea would be to check the Referer HTTP header, but note that :
第一个想法是检查 Referer HTTP 标头,但请注意:
- It can be faked (it's sent by the browser)
- It is not always present.
- 可以伪造(由浏览器发送)
- 它并不总是存在。
So : not a reliable solution.
所以:不是一个可靠的解决方案。
A possible, and far better than the Referer idea, solution could be to use a nonce:
一个可能的,并且比 Referer 的想法好得多的解决方案可能是使用nonce:
- When displaying the form, put a hidden input field in it, containing a random value
- At the same time, store that random value into the session that correspond to the user.
- When the form is submitted, check that the hidden field has the same value as the one that's stored in session.
- 显示表单时,在其中放置一个隐藏的输入字段,其中包含一个随机值
- 同时,将该随机值存储到与用户对应的会话中。
- 提交表单后,检查隐藏字段的值是否与会话中存储的值相同。
If those two values are not the same, refuse to use the submitted data.
如果这两个值不相同,则拒绝使用提交的数据。
Note : this idea is often used to help fight against CSRF-- and integrated in the "Form" component of some Frameworks (Zend Framework, for instance).
回答by Ashraf
this will check if there is a referer, then it will compare it with current domain, if different then it is from outside referer
这将检查是否有引用者,然后将其与当前域进行比较,如果不同,则来自外部引用者
if ((isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']))) {
if (strtolower(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) != strtolower($_SERVER['HTTP_HOST'])) {
// referer not from the same domain
}
}
回答by andergmartins
I know this is an old thread, but some one else can probably find it relevant.
我知道这是一个旧线程,但其他人可能会发现它相关。
The answer is: Yes you can. But it depends if your Apache/nginx server is set to populate the $_SERVER variable with the required information. Most the server are, so probably you can use this approach.
答案是:是的,你可以。但这取决于您的 Apache/nginx 服务器是否设置为使用所需信息填充 $_SERVER 变量。大多数服务器都是,所以你可能可以使用这种方法。
What you need to do is to extract the HTTP_REFERER from the $_SERVER variable and compare with your domain.
您需要做的是从 $_SERVER 变量中提取 HTTP_REFERER 并与您的域进行比较。
<?php
function requestedByTheSameDomain() {
$myDomain = $_SERVER['SCRIPT_URI'];
$requestsSource = $_SERVER['HTTP_REFERER'];
return parse_url($myDomain, PHP_URL_HOST) === parse_url($requestsSource, PHP_URL_HOST);
}
