Home > Article > Backend Development > PHP prevents forged data from being submitted from URL_PHP Tutorial
For the case where forged data is submitted from the URL, the first is the following code that checks the source of the previous page:
<?/*PHP防止站外提交数据的方法*/ function CheckURL(){ $servername=$_SERVER['SERVER_NAME']; $sub_from=$_SERVER["HTTP_REFERER"]; $sub_len=strlen($servername); $checkfrom=substr($sub_from,7,$sub_len); if($checkfrom!=$servername)die("警告!你正在从外部提交数据!请立即终止!"); } ?>
This method only prevents URLs that are manually entered on the browser bar.
In fact, as long as you construct a link pointing to the URL on the server (such as adding a hyperlink when posting) and click it, this Check will have no effect at all.
Currently, I think it is more reliable to use the POST method to transmit important data.
You can insert some hidden text in the form to pass data.
Or use the following method to submit data from the client to the server using Ajax.
/*创建XHR对象*/ function createXHR() { if (window.XMLHttpRequest){ var oHttp = new XMLHttpRequest(); return oHttp; } else if (window.ActiveXObject){ var versions = ["MSXML2.XmlHttp.6.0","MSXML2.XmlHttp.3.0"]; for (var i = 0; i < versions.length; i++){ try { var oHttp = new ActiveXObject(versions[i]); return oHttp; } catch (error) {} } } throw new Error("你的浏览器不支持AJAX!"); } /*用AJAX向page页面传递数据*/ function ajaxPost(url,query_string='') { var xhr; xhr = createXHR(); xhr.open('POST',url,false); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=gb2312"); xhr.onreadystatechange = function(){if (xhr.readyState == 4)if (xhr.status != 200)return;} xhr.send(query_string); }