$_POST安全, 如何处理跨域提交
$_POST安全, 如何避免跨域提交?
我有一些AJAX页面,提交并链接数据库,最近怀疑有人用fsockopen或者curl模拟POST表单,偷取我的数据库资料。
如何避免$_POST跨域提交?
可否在apache里设置?或者用$_SERVER之类的进行判别?
------解决方案--------------------
1.如果能设定数据的访问权限,比如说只有登录会员才可查看,这样会给别人的抓取造成一定难度。但这个障碍总能被解决的。
2.分析访问日志,从服务器级别限制可疑IP访问。
3.记录每个IP的操作密度,较频繁的可不定时要求输验证码
------解决方案--------------------
一个token 或者一个验证码就解决了...
或者上面说的产生一个 全局变量 验证一下
------解决方案--------------------
如版主所说,生成令牌验证再对频繁提交的IP设置验证码即可。
------解决方案--------------------
用session生成令牌,提交之后验证session,合法则马上注销这个session,确保每次都有一个新的令牌.
------解决方案--------------------
除了不友好的验证码之外,没有别的方法
不过简单些的验证码也是可以机器识别的
你是些AJAX页面,所以验证码也是不能用的
可以考虑请求数据部分的 js 代码也是动态产生的
这样窃取者如不能动态解析 js 就无法获取数据了
------解决方案--------------------
使用验证,加hash。这些hash值绑定时间,
(1)设定时间内失效
(2)加密方式根据时间日期变化
------解决方案--------------------
作为一个长期数据搜集者,很遗憾地告诉你,上面说的方法都能应付
但作为php学得比你早,还知道点市场运作知识的人,我给你的建议有下面这些(基于开放数据内容):
1.最重要的一点:你要搞清防范的对象,像我这样的人(看最后),你防也没用,也没必要,关键是防你公司的竞争对手
2.基于第1点,也没必要做全数据库防范,那是防黑客层面的工作,只需要在关键数据上面做手脚就行了
什么是关键数据?对商城来说,价格就是关键数据,淘宝为何不防范?因为不是淘宝自己在卖东西……完毕
3.任何的防范工作必然会导致用户体验降低,流失客户的损失和防范少数小偷的得益之间的比较,需要衡量
4.真的要防范的话――
1) 防机器不防人,区别是什么?前者读代码,后者读文字(肉眼),所以从这点出发最重要
2) 基于上面第2点,最好和市场部协同,找对重要数据
3) 抓数据有三个步骤:开发爬虫、抓取过程、重组数据,针对增加开发难度,没必要,也没办法;针对抓取增加难度,这个上述第3点说了,慎重对待,最好针对“时间”做文章;最好把着眼点放在重组数据的难度,就是说抓到了也很难用程序重组,这个就要看你的能力了
4) 大公司应该从公司层面做对付小偷的工作,例如诉讼,这样更显得公司的大气形象;小公司一般服务对象比较固定,采用“信任”机制会更好,例如一些数据只对特定人员开放
……
总的来说应该结合商业模型,不要技术部全扛下来
补充3)所说的举例方案:
A: 如唠叨所说,某些东西用js“拼”出来,直接写出来不行,那还是完整结果;这是因为现在懂调用js引擎运算结果的人还很少
B: 以前帮别人做过这样的事――四位数,用N(某数量4,随机)张图片显示,从代码看这N张图片代码完全一致,取回的字节数也接近,但目视只有4张显示出所需要的数字(结合网页底色),当时这个方法使用相当一段时间都有效,但随着OCR的程序越来越简单,这个方法也失效了,但原理还是有用的
我抓数据漫无目的(指target),只抓自己有用和喜欢的东西,例如中日韩的邮政编码
、喜欢的图片……,不卖钱不外传也从不帮别人抓,商业数据一点兴趣(用处)也没有,可能去抓还惹来一身骚,后果严重,俺要为人生倒数的几年着想啊最后告诉你,我现在还没法对付的就是――图片瀑布墙
------解决方案--------------------
补充一下
无论你是用 cookie、session还是token都不能达到防范的作用
因为检查的是客户端回传的数据与服务端预设的是否一致
那么好了,我只要将采集的动作分为两步:
1、进入你的ajax页面,你的网站就会把验证的相关数据发给我。因为你的ajax提交也是要验证的
2、向目标页发送请求,此时与你的ajax请求是一样携带验证数据的
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1655
14
1413
52
1306
25
1252
29
1226
24
PHP and Ajax: Building an autocomplete suggestion engine
Jun 02, 2024 pm 08:39 PM
Build an autocomplete suggestion engine using PHP and Ajax: Server-side script: handles Ajax requests and returns suggestions (autocomplete.php). Client script: Send Ajax request and display suggestions (autocomplete.js). Practical case: Include script in HTML page and specify search-input element identifier.
How to solve the 403 error encountered by jQuery AJAX request
Feb 20, 2024 am 10:07 AM
Title: Methods and code examples to resolve 403 errors in jQuery AJAX requests. The 403 error refers to a request that the server prohibits access to a resource. This error usually occurs because the request lacks permissions or is rejected by the server. When making jQueryAJAX requests, you sometimes encounter this situation. This article will introduce how to solve this problem and provide code examples. Solution: Check permissions: First ensure that the requested URL address is correct and verify that you have sufficient permissions to access the resource.
How to solve jQuery AJAX request 403 error
Feb 19, 2024 pm 05:55 PM
jQuery is a popular JavaScript library used to simplify client-side development. AJAX is a technology that sends asynchronous requests and interacts with the server without reloading the entire web page. However, when using jQuery to make AJAX requests, you sometimes encounter 403 errors. 403 errors are usually server-denied access errors, possibly due to security policy or permission issues. In this article, we will discuss how to resolve jQueryAJAX request encountering 403 error
How to solve the problem of jQuery AJAX error 403?
Feb 23, 2024 pm 04:27 PM
How to solve the problem of jQueryAJAX error 403? When developing web applications, jQuery is often used to send asynchronous requests. However, sometimes you may encounter error code 403 when using jQueryAJAX, indicating that access is forbidden by the server. This is usually caused by server-side security settings, but there are ways to work around it. This article will introduce how to solve the problem of jQueryAJAX error 403 and provide specific code examples. 1. to make
How to get variables from PHP method using Ajax?
Mar 09, 2024 pm 05:36 PM
Using Ajax to obtain variables from PHP methods is a common scenario in web development. Through Ajax, the page can be dynamically obtained without refreshing the data. In this article, we will introduce how to use Ajax to get variables from PHP methods, and provide specific code examples. First, we need to write a PHP file to handle the Ajax request and return the required variables. Here is sample code for a simple PHP file getData.php:
How to implement PHP to jump to the page and carry POST data
Mar 22, 2024 am 10:42 AM
PHP is a programming language widely used in website development, and page jumps and carrying POST data are common requirements in website development. This article will introduce how to implement PHP page jump and carry POST data, including specific code examples. In PHP, page jumps are generally implemented through the header function. If you need to carry POST data during the jump process, you can do it through the following steps: First, create a page containing a form, where the user fills in the information and clicks the submit button. Acti in the form
PHP code example: How to use POST to pass parameters and implement page jumps
Mar 07, 2024 pm 01:45 PM
Title: PHP code example: How to use POST to pass parameters and implement page jumps In web development, it often involves the need to pass parameters through POST and process them on the server side to implement page jumps. PHP, as a popular server-side scripting language, provides a wealth of functions and syntax to achieve this purpose. The following will introduce how to use PHP to implement this function through a practical example. First, we need to prepare two pages, one to receive POST requests and process parameters
PHP vs. Ajax: Solutions for creating dynamically loaded content
Jun 06, 2024 pm 01:12 PM
Ajax (Asynchronous JavaScript and XML) allows adding dynamic content without reloading the page. Using PHP and Ajax, you can dynamically load a product list: HTML creates a page with a container element, and the Ajax request adds the data to that element after loading it. JavaScript uses Ajax to send a request to the server through XMLHttpRequest to obtain product data in JSON format from the server. PHP uses MySQL to query product data from the database and encode it into JSON format. JavaScript parses the JSON data and displays it in the page container. Clicking the button triggers an Ajax request to load the product list.
