开发者

PHP get the site that calls your script via file_get_contents

问答 作者:

I have a PHP script hosted on my site that outputs a value based on the GET parameters passed.

Other sites call this script from within their own PHP scripts via the PHP function file_get_contents with the url and get params and are served back just the value requested.

I am trying to allow only certain domains access to this script and have been using HTTP_REFERER to check who's calling the script.

if (isset($_SERVER['HTTP_REFERER'])) // check if referrer is set
{
    echo $_SERVER['HTTP_REFERER']; // echo referrer
}
else
{
    echo 'No referrer set'; // echo failure message
}

I am getting No referrer set when I use file_get_cont开发者_如何学JAVAents but if I use a clicked link from a page to a script with the above code the referrer displays correctly.

Am I using the wrong function (file_get_contents) to call the external script and can someone suggest the correct one or should this work?

Any help much appreciated. Thanks

Bear in mind that the HTTP "Referer" header is an optional header -- there's no need for a site to send it to you, and it can be easily faked. If you really only want certain people to use your resources, you're better off using some form of authentication.

Typically Referer: is sent by web browsers, but there's no need for it to be -- for example, they won't send it if the referer is a secure site. With a PHP file_get_contents() there isn't technically a referer anyway; you're not being "referred" from anywhere.

Consider instead either:

  • Locking down by IP address (but bear in mind that multiple domains can share a single IP, and that a domain's IP can change.)
  • Using some form of authentication (preferably not one that transmits passwords in plain text!)

You should consider how secure you need this service to be, and what threats might attack it when deciding the right security to apply.

You would be much better to restrict based on IP address rather than domain, much more reliable. Just keep an array of allowed IP's and call in_array($_SERVER['REMOTE_ADDR'],$allowedAddresses) to validate it.

Or just require authentication via a cookie or HTTP auth...

You can't do this using HTTP_REFERER.

The HTTP_REFERER it set by the client, and it can be anything the client wants.

You have to use a password / key authentication mechanism instead.

May want to use something along the lines of a stream context to set extra headers.

http://us.php.net/manual/en/function.stream-context-create.php

Additionally, if needed, you could set a 'secret' header to authenticate the requests, rather then the referer.

继续阅读:file-get-contentsphpreferrer

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9