Tips for php fake source HTTP_REFERER

This article mainly introduces the techniques of php forging the source HTTP_REFERER. Interested friends can refer to it. I hope it will be helpful to everyone.

The example of this article describes the method of PHP forging the source HTTP_REFERER. The specific analysis is as follows:

Nowadays, automatic forum posting machines, automatic top posting machines, etc. are very popular on the Internet, which has brought great changes to many forum websites. There is a lot of spam information. Many websites simply use the value of HTTP_REFERER to filter machine posts. However, the HTTP_REFERER source information of web pages can be forged. Everything is a double-edged sword, as long as you are good at utilizing it, it has its value.

A long time ago, downloading software such as Flashget, Thunder, etc. could forge source information, and the forged HTTP_REFERER of these software was mostly based on the underlying sock to construct false http header information to achieve the purpose. This article will discuss purely from a technical perspective the method of forging HTTP_REFERER in the PHP language, in order to let everyone understand the process and provide better defense.

Environment: Apache/2.2.8 PHP/5.2.5 Windows XP system, local test.
First, create two files, 1.php and 2.php, in the virtual root directory of the website.
Among them, the content of the 1.php file is as follows:

<?php
$host = &#39;127.0.0.1&#39;;
$target = &#39;/2.php&#39;;
$referer = &#39;http://www.PHP.cn&#39;; //伪造HTTP_REFERER地址
$fp = fsockopen($host, 80, $errno, $errstr, 30);
if (!$fp){
echo "$errstr($errno)<br />\n";
} 
else{
$out = "
GET $target HTTP/1.1
Host: $host
Referer: $referer
Connection: Close\r\n\r\n";
fwrite($fp, $out);
while (!feof($fp)){
echo fgets($fp, 1024);
}
fclose($fp);
}
?>

The other 2.php file is very simple, just write a line of code to read the current HTTP_REFERER server value, as follows:

<?php
echo "<hr />";
echo $_SERVER["HTTP_REFERER"];
?>

Execute the 1.php file and open http://localhost/1.php. The page returns the following information:

HTTP/1.1 200 OK Date: Fri, 04 Apr 2008 16:07: 54 GMT Server: Apache/2.2.8 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Content-Length: 27 Connection: close Content-Type: text/html; charset=gb2312

Have you seen the result? The forged source HTTP_REFERER information was successful. Therefore, if your website only judges HTTP_REFERER, it is not safe. Others can also construct such sources. A simple defense method is to add a verification code to the verification page; it can also be combined with the IP judgment method.

Supplement: The code for forged sources under ASP is as follows:

<%
dim http 
set http=server.createobject("MSXML2.XMLHTTP") &#39;//MSXML2.serverXMLHTTP也可以
Http.open "GET",url,false 
Http.setRequestHeader "Referer","http://www.jb51.net/" 
Http.send()
%>

If you are a thoughtful person, please do not use these methods maliciously. After all, if you do too many bad things, the effect will be too much; for example If you post a lot of spam, it may bring you a lot of external links in the short term, but such black hat methods will be discovered by search engines sooner or later, and these links that have been sent out are like water that cannot be collected. When you come back, such incriminating evidence is no longer within your control.

Summary: The above is the entire content of this article, I hope it will be helpful to everyone's study.

Related recommendations:

php string and process control methods

PHP realizes full-width character conversion Half-width method

php function to convert digital amounts into Chinese capital amounts

The above is the detailed content of Tips for php fake source HTTP_REFERER. For more information, please follow other related articles on the PHP Chinese website!