Home >Backend Development >PHP Tutorial >PHP prevents remote illegal submission of form program code_PHP tutorial
Preventing remote form submission is a way to prevent hackers from illegally submitting data remotely to bring security to our website. Let me introduce an example of preventing remote illegal form submission in PHP.
Detailed method
1. PHP method to prevent data submission outside the site
代码如下 | 复制代码 |
$servername=$HTTP_SERVER_VARS['SERVER_NAME']; $sub_from=$HTTP_SERVER_VARS["HTTP_REFERER"]; $sub_len=strlen($servername); $checkfrom=substr($sub_from,7,$sub_len); if($checkfrom!=$servername){ echo("警告!你正在从外部提交数据!!请立即终止!!"); exit; } ?> |
Put the above code into a page that needs to prevent external submission of data. If you enter the URL directly or link to this page from an external network, it will display: Warning! You are submitting data from outside! ! Please terminate immediately! ! ; If you link to this page from this site or submit it through a form, there will be no such prompt. This is mainly done to prevent some fake forms from submitting data to the site.
The above code can be skipped directly through curl. We can refer to the method of dz forum login
A better way to handle remote form submission is to generate a token based on a unique string or timestamp and place this token in the session variable and the form. After submitting the form, check if the two tokens match. If it doesn't match, you know someone is trying to send data from a remote copy of the form.
To create a random token, you can use PHP’s built-in md5(), uniqid() and rand() functions as shown below
The code is as follows | Copy code | ||||
代码如下 |
复制代码 |
session_start(); |
if ($_POST['submit'] == "go"){ //check token if ($_POST['token'] == $_SESSION['token']){ //strip_tags $name = strip_tags($_POST['name']); $name = substr($name,0,40); //clean out any potential hexadecimal characters $name = cleanHex($name); //continue processing.... }else{ //stop all processing! remote form posting attempt! } } $token = md5(uniqid(rand(), true)); $_SESSION['token']= $token; function cleanHex($input){ $clean = preg_replace("![][xX]([A-Fa-f0-9]{1,3})!", "",$input); return $clean; } ?> |
If you have nothing to do, write out the ASP I wrote before
How ASP prevents external submission of data
代码如下 | 复制代码 |
<% Server_v1=Cstr(Request.ServerVariables("HTTP_REFERER")) Server_v2=Cstr(Request.ServerVariables("SERVER_NAME")) If mid(server_v1,8,len(server_v2))<>server_v2 then Response.write "警告!你正在从外部提交数据!!请立即终止!!" Response.End End if %> |