
Prevent other websites from querying my file.php

I have a file.php?q=data that returns JSON data, but I don't want other websites to query my database through this file, and I don't know what to do. I just have this:

if($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']) exit();

Do you have any idea about how to handle this security issue? Thank you very much.


So you want to let users access this file (probably via your other web page) but don't want competitors to access it? Then you just need to find out what makes a competitor different from a regular user. This problem doesn't have a definite bullet-proof solution.

You can try to limit user access by implementing some kind of authentication and counting each user's number of requests. But these are half-measures.


If it is really a security issue to you, you will need to control the access. This can be done by requiring authentication to access the URL in question, e.g. by making use of HTTP authentication with PHP.

For some easy-to-circumvent prevention, you can check for the HTTP Referer header that is sent by some browsers:

$_SERVER['HTTP_REFERER'] (from the PHP docs): The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Related: How to protect download URLs to be stolen with PHP?
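As an added illustration of the HTTP authentication option mentioned in this answer (this is example code, not part of the original answer), file.php can refuse to run its query until the client has presented valid Basic credentials. The constant names APP_USER and APP_PASSWORD_HASH, the placeholder hash, and the dummy database lookup at the end are assumptions for the example:

```php
<?php
// Added example: gate file.php behind HTTP Basic authentication.
// The password is stored only as a password_hash() value, never in plaintext.
// APP_USER / APP_PASSWORD_HASH are placeholders you replace with your own values.
declare(strict_types=1);

const APP_USER = 'api-client';   // placeholder
// Generate the real value once with:
//   php -r "echo password_hash('change-me', PASSWORD_DEFAULT);"
const APP_PASSWORD_HASH = '$2y$10$PLACEHOLDER-REPLACE-WITH-REAL-HASH'; // placeholder

/** Returns true only when the request carries valid Basic credentials. */
function basic_auth_ok(array $server): bool
{
    $user = (string) ($server['PHP_AUTH_USER'] ?? '');
    $pass = (string) ($server['PHP_AUTH_PW'] ?? '');

    // hash_equals() compares in constant time; password_verify() does the same
    // for the hash, so neither the username nor the password leaks timing.
    return hash_equals(APP_USER, $user) && password_verify($pass, APP_PASSWORD_HASH);
}

if (!basic_auth_ok($_SERVER)) {
    // Ask the browser for credentials and answer with JSON so callers can parse it.
    header('WWW-Authenticate: Basic realm="file.php"');
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'authentication required']);
    exit;
}

header('Content-Type: application/json');
$q = $_GET['q'] ?? '';
// Run the real database query here with a prepared statement; dummy result for the example.
echo json_encode(['q' => $q, 'data' => []]);
```

Basic credentials travel base64-encoded, not encrypted, so this only makes sense over HTTPS. PHP_AUTH_USER and PHP_AUTH_PW are populated directly when PHP runs as an Apache module; under CGI or FastCGI the Authorization header usually has to be passed through by the web server configuration before they appear.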


HTTP_HOST and SERVER_NAME always refer to YOUR server. You cannot detect a remote user in this way. HTTP_HOST is the name of the site as requested by the user in the URL. SERVER_NAME is (usually) the name of the server itself, and/or whatever is specified in Apache as 'ServerName'.

HTTP_HOST and SERVER_NAME are usually different. The server itself may be named "someweird numbers.your.hosting.company.com", while HTTP_HOST will be "yoursite.com".


Try using the HTTP_REFERER part of the $_SERVER variable.

Also, you can use some mod_rewrite rules to prevent hotlinking of your files. See the tutorial here.


Assuming it is web visitors accessing the data, set a PHP session variable when they access any page (or the page containing the link to file.php). Then have file.php check for the existence of that variable.

;o) Cor
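Added example (not this answer's own code) putting the session flag from this answer together with the Referer host check that earlier answers describe. The page name page.php, the session key site_visitor, and the dummy lookup at the end are assumptions; the Referer check is kept separate so it can be dropped, since the answers above note it is trivially forged and often absent:

```php
<?php
// Added example: two gates for file.php.
//  1. A session flag that a normal page on this site sets (this answer's approach).
//     Assumed: page.php, the page linking to file.php, runs
//         session_start(); $_SESSION['site_visitor'] = true;
//     before sending its HTML.
//  2. A Referer host check, useful only as a hotlinking deterrent because the
//     header is client-controlled and many clients omit it.
declare(strict_types=1);

/** Stronger gate: the browser already holds a session created by one of our pages. */
function has_site_session(array $session): bool
{
    return !empty($session['site_visitor']);
}

/** Weak gate: the Referer host must equal the host the client asked for. */
function referer_matches_host(array $server): bool
{
    $referer = (string) ($server['HTTP_REFERER'] ?? '');
    if ($referer === '') {
        return false;                       // missing header is treated as untrusted
    }
    $refHost = parse_url($referer, PHP_URL_HOST);   // null/false when malformed
    if (!is_string($refHost)) {
        return false;
    }
    // HTTP_HOST may carry a :port suffix; drop it before comparing.
    $ourHost = preg_replace('/:\d+$/', '', strtolower((string) ($server['HTTP_HOST'] ?? '')));
    return strtolower($refHost) === $ourHost;
}

/** Send a JSON error and stop; file.php never reaches the database on a denial. */
function deny(int $status, string $reason): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $reason]);
    exit;
}

session_start();

if (!has_site_session($_SESSION)) {
    deny(403, 'no site session');
}
if (!referer_matches_host($_SERVER)) {
    deny(403, 'bad referer');   // remove this check if legitimate clients strip Referer
}

header('Content-Type: application/json');
$q = $_GET['q'] ?? '';
// Real prepared-statement query goes here; dummy result for the example.
echo json_encode(['q' => $q, 'data' => []]);
```

The session gate only proves that the caller's browser visited a page on your site first; a scraper can do that too and then reuse the cookie, so it raises the cost of automated querying rather than preventing it. Pair it with per-session rate limiting if the concern is bulk extraction of the database.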

