php防止远程提交表单的有关问题
php防止远程提交表单的问题。
在网上找到一段防止远程提交表单的demo,它用的是md5(uniqid(rand()))生成令牌验证的方法,如下:
- PHP code
<!--Code highlighting produced by Actipro CodeHighlighter (freeware)http://www.CodeHighlighter.com/--><?phpsession_start ();if ($_POST['submit'] == “go"){ //check token if ($_POST['token'] == $_SESSION['token']){ //strip_tags $name = strip_tags($_POST['name']); $name = substr($name,0,40); //clean out any potential hexadecimal characters $name = cleanHex($name); //continue processing…. }else{ //stop all processing! remote form posting attempt! }}$token = md5(uniqid(rand(), true));$_SESSION['token']= $token;function cleanHex($input){ $clean = preg_replace("![\][xX]([A-Fa-f0-9]{1,3})!", "",$input); return $clean;}<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post"><p><label for="name">Name</label><input type="text" name="name" id="name" size="20″ maxlength="></p><input type="hidden" name="token" value="<?php echo $token;?>"><p><input type="submit" name="submit" value="go"></p>?>我的问题是:
如果保存sessionID的cookie可以被找到,那不就可以在远程提交这个表单,然后通过一些操作修改请求的header头,把获取的cookie放进去。
如果上面这种方法可行的话,那这段代码不就不能起到防止远程提交表单的作用了吗?
------解决方案--------------------
这个不一定吧!session的定义是在服务器端生成一个session文件,并放在服务器端,并生成一个session_id,通过cookie放到客户通,当你访问session的时候会用到客户端的session_id;但是是不是可以直接这个session_id去访问服务端的session文件,这个并不清楚,若有方法的话,那就可以通过session_id直接访问session信息了,这个防止远程表单提交的就不起作用了,反之,则ok!
------解决方案--------------------
sessionID 是动态的,找到了也没有!
不过你的这个代码只能方式静态表单的提交。并不能防止机器人提交
只要先进入你的页面(当然是需要的,因为要知道你的表单是否变化了),于是你那宝贵的 token 就到我手上了,然后就.....
------解决方案--------------------
用户能访问的, 计算机一样可以搞.
先访问表单页面正则取TOKEN, 然后提交表单把TOKEN也一起提交了.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
What are the differences between Huawei GT3 Pro and GT4?
Dec 29, 2023 pm 02:27 PM
Many users will choose the Huawei brand when choosing smart watches. Among them, Huawei GT3pro and GT4 are very popular choices. Many users are curious about the difference between Huawei GT3pro and GT4. Let’s introduce the two to you. . What are the differences between Huawei GT3pro and GT4? 1. Appearance GT4: 46mm and 41mm, the material is glass mirror + stainless steel body + high-resolution fiber back shell. GT3pro: 46.6mm and 42.9mm, the material is sapphire glass + titanium body/ceramic body + ceramic back shell 2. Healthy GT4: Using the latest Huawei Truseen5.5+ algorithm, the results will be more accurate. GT3pro: Added ECG electrocardiogram and blood vessel and safety
How to set session timeout in SpringBoot Session
May 15, 2023 pm 02:37 PM
The problem was found in the springboot project production session-out timeout. The problem is described below: In the test environment, the session-out was configured by changing the application.yaml. After setting different times to verify that the session-out configuration took effect, the expiration time was directly set to 8 hours for release. Arrived in production environment. However, I received feedback from customers at noon that the project expiration time was set to be short. If no operation is performed for half an hour, the session will expire and require repeated logins. Solve the problem of handling the development environment: the springboot project has built-in Tomcat, so the session-out configured in application.yaml in the project is effective. Production environment: Production environment release is
What to do if the login token is invalid
Sep 14, 2023 am 11:33 AM
Solutions to invalid login token include checking whether the Token has expired, checking whether the Token is correct, checking whether the Token has been tampered with, checking whether the Token matches the user, clearing the cache or cookies, checking the network connection and server status, logging in again or requesting a new Token. Contact technical support or developers, etc. Detailed introduction: 1. Check whether the Token has expired. The login Token usually has a validity period set. Once the validity period exceeds, it will be considered invalid, etc.
How to solve the problem of invalid login token
Sep 14, 2023 am 10:57 AM
The problem of invalid login token can be solved by checking the network connection, checking the token validity period, clearing cache and cookies, checking login status, contacting the application developer and strengthening account security. Detailed introduction: 1. Check the network connection, reconnect to the network or change the network environment; 2. Check the token validity period, obtain a new token, or contact the developer of the application; 3. Clear cache and cookies, clear browser cache and Cookie, and then log in to the application again; 4. Check the login status.
How to solve session failure
Oct 18, 2023 pm 05:19 PM
Session failure is usually caused by the session lifetime expiration or server shutdown. The solutions: 1. Extend the lifetime of the session; 2. Use persistent storage; 3. Use cookies; 4. Update the session asynchronously; 5. Use session management middleware.
Solution to PHP Session cross-domain problem
Oct 12, 2023 pm 03:00 PM
Solution to the cross-domain problem of PHPSession In the development of front-end and back-end separation, cross-domain requests have become the norm. When dealing with cross-domain issues, we usually involve the use and management of sessions. However, due to browser origin policy restrictions, sessions cannot be shared by default across domains. In order to solve this problem, we need to use some techniques and methods to achieve cross-domain sharing of sessions. 1. The most common use of cookies to share sessions across domains
What should I do if the php session disappears after refreshing?
Jan 18, 2023 pm 01:39 PM
Solution to the problem that the php session disappears after refreshing: 1. Open the session through "session_start();"; 2. Write all public configurations in a php file; 3. The variable name cannot be the same as the array subscript; 4. In Just check the storage path of the session data in phpinfo and check whether the sessio in the file directory is saved successfully.
How to solve the problem of storing user tokens in Redis
May 31, 2023 am 08:06 AM
Redis stores user tokens. When designing a system similar to e-commerce, a common requirement is that each page needs to carry logged-in user information. There are two common solutions: using cookies to save and using JWT to save. But if Redis cache is used in the system, there is also a third solution - caching the user token in Redis. Generate a token when logging in and store it in Redis //Generate a token object and save it in redis redisTemplate.opsForHash().put("token","user",user)
