Prevent direct access to a PHP file when using AJAX

Posted 2025-01-14 10:58:28 · 2020 characters · 0 views · 0 comments · Original


I want to prevent direct access to a certain PHP file called prevented.php.
My logic is that I have a main file, let's call it index.php, and it generates a token and stores it in a $_SESSION variable. I also have another file called def.php which is called using AJAX; it passes the token from index.php to def.php, and if $_SESSION['token'] is equal to $_POST['token'] it defines a _DEFVAR and returns true, otherwise it returns false. After I call def.php and it returns true, I redirect to prevented.php via JavaScript using location.href="prevented.php". At the top of the prevented.php file there is code which checks whether _DEFVAR is defined or not. If not, it dies with a message like invalid; otherwise it displays the content of the prevented.php file. But somehow I always get the invalid message and I don't know why. Any idea how to reach prevented.php without directly accessing the page?

Here's my code:

index.php

<?php
  $_SESSION["token"] = hash_hmac('sha256', "tokenString", "t2o0k0e0n3"); // Creates a hashed token
?>
<script>
    $.ajax({
      type: "POST",
      url: "def.php",
      data: {
         token: '<?php echo $_SESSION["token"]; ?>'
      },
      cache: false,
      success: function(data) {
          console.log (data);
          if (data) {
            console.log (data + ' valid');
          } else {
            console.log (data + ' invalid');
          }
          location.href = "prevented.php";
      },
      error: function () {
        console.log('error');
      }
   });
</script>

def.php

<?php
    session_start();
    if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) {    
       echo false;
       die('invalid in def');
    } else {
      define('_DEFVAR', 1);
      echo true;
      die ('valid in def');
    }
?>

prevented.php

<?php
   include "def.php";
   if (defined('_DEFVAR')) {
    die ('valid in prevented'); // instead of this I would show the content of the page
   } else {
       die ('invalid in prevented');
   }
?>


Comments (1)

许久 2025-01-21 10:58:28


Your code is unnecessarily overcomplicated. If your intent is merely to ensure that visitors to protected.php have first visited index.php then all you need to do is create a session flag in one and check for its existence in the other. There is no need for any AJAX or any form POSTs. The innate behavior of PHP sessions already gives you this functionality.

index.php:

<?php
session_start();
$_SESSION['flag'] = true;
?>
<a href="protected.php">click here for the protected page</a>

protected.php:

<?php
session_start();
if ($_SESSION['flag'] ?? false) {
    echo "you have previously visited index.php";
} else {
    echo "you have not previously visited index.php";
}
?>
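To make the point behind both the question (a define()d constant set while def.php answers the AJAX request is gone by the time the prevented.php request arrives) and this answer (a session flag does survive between requests) concrete, here is an added example; it is not code from the question or from the answer. It is a single-file demo with assumed names (app.php, the paths /index and /protected, the helpers grant_access, has_access and require_access, and the FLAG_TTL constant) that can be served with PHP's built-in web server.

```php
<?php
// app.php: added single-file demo, not the asker's or the answerer's code.
// Run:  php -S 127.0.0.1:8080 app.php
// then open http://127.0.0.1:8080/protected before and after visiting
// http://127.0.0.1:8080/index in the same browser.
//
// A define()d constant, like every PHP variable, exists only inside the
// request that created it, so def.php defining _DEFVAR during the AJAX call
// tells the later prevented.php request nothing. State that must outlive a
// request belongs in $_SESSION, which PHP ties to the client's session cookie.

declare(strict_types=1);

// Assumed for the demo: a grant expires five minutes after index was visited.
const FLAG_TTL = 300;

session_start();

/** Record in the session that the visitor came through the entry page. */
function grant_access(): void
{
    // Issue a fresh session id when the session gains privilege, so an id the
    // browser was handed earlier cannot be reused together with the new grant.
    session_regenerate_id(true);
    $_SESSION['protected_grant'] = time();
}

/** True when the entry page was visited recently enough in this same session. */
function has_access(): bool
{
    $granted = $_SESSION['protected_grant'] ?? null;
    return is_int($granted) && (time() - $granted) <= FLAG_TTL;
}

/** Gate for a page that must not be opened by typing its URL first. */
function require_access(): void
{
    if (has_access()) {
        return;
    }
    http_response_code(403);
    exit('invalid: open /index first');
}

// Minimal router so the demo fits in one file; with php -S every path lands here.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

switch ($path) {
    case '/':
    case '/index':
        grant_access();
        echo '<a href="/protected">click here for the protected page</a>';
        break;

    case '/protected':
        require_access();
        // The real page content would follow here.
        echo 'valid: you came through /index in this session';
        break;

    default:
        http_response_code(404);
        echo 'not found';
}
```

Two things worth keeping in mind when adapting this. The flag only records that index was loaded in this session; it is not authentication, so anything that is actually sensitive still needs a real login check on the protected page. And if the goal is instead to stop a helper such as def.php from being requested on its own, the constant check from the question does work, but only because the entry script and the helper run inside one request: define a constant in the entry script and put `defined('APP_ENTRY') or exit;` at the top of the helper before including it. Should a POST token still be compared somewhere, compare it with hash_equals() rather than `!=`.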