PHP prevents malicious refresh and ticket brushing implementation code

Malicious refresh means constantly refreshing the submission page, resulting in a large amount of invalid data. Let’s summarize the methods of preventing malicious page refresh in PHP. The principle of preventing malicious page brushing is

Requires a verification string to be passed between pages,
When generating the page, randomly generate a string,
Passed as a required parameter in all connections. At the same time, save this string in the session.

After clicking the link or entering the form, it will be judged whether the verification code in the session is the same as the one submitted by the user. If it is the same, it will be processed. If it is not the same, it will be considered as repeated refresh.
After the processing is completed, a verification code will be regenerated for the generation of a new page

The code is as follows

Copy code

代码如下	复制代码
session_start(); $k=$_GET['k']; $t=$_GET['t']; $allowTime = 1800;//防刷新时间 $ip = get_client_ip(); $allowT = md5($ip.$k.$t); if(!isset($_SESSION[$allowT])) { $refresh = true; $_SESSION[$allowT] = time(); }elseif(time() - $_SESSION[$allowT]>$allowTime){ $refresh = true; $_SESSION[$allowT] = time(); }else{ $refresh = false; } ?>

session_start();
$k=$_GET['k'];
$t=$_GET['t'];
$allowTime = 1800;//Anti-refresh time
$ip = get_client_ip();
$allowT = md5($ip.$k.$t);
if(!isset($_SESSION[$allowT]))
{
$refresh = true;

$_SESSION[$allowT] = time();

代码如下

复制代码

if(isset($_POST))
{
if(变量不符合要求)
<script> history.go(-1); </script>
else
操作数据
...
if(操作完成)
header( "location: ".$_SERVER[ 'PHP_SELF ']);
}

}elseif(time() - $_SESSION[$allowT]>$allowTime){

$refresh = true;

$_SESSION[$allowT] = time();

代码如下

复制代码

$c_file="counter.txt"; //文件名赋值给变量
if(!file_exists($c_file)) //如果文件不存在的操作
{
$myfile=fopen($c_file,"w"); //创建文件
fwrite($myfile,"0"); //置入“0”
fclose($myfile); //关闭文件
}
$t_num=file($c_file); //把文件内容读入变量
if($_COOKIE["date"]!="date(Y年m月d日)") //判断COOKIE内容与当前日期是否一致
{
$t_num[0]++; //原始数据自增1
$myfile=fopen($c_file,"w"); //写入方式打开文件
fwrite($myfile,$t_num[0]); //写入新数值
fclose($myfile); //关闭文件
//重新将当前日期写入COOKIE并设定COOKIE的有效期为24小时
setcookie("date","date(Y年m月d日)",time()+60*60*24);
}
?>

}else{ $refresh = false; } ?> I have also encountered ie6 submitting twice. Generally speaking, when using a picture instead of submit, there is a submit() on the picture, which will submit twice. If it is just a submit button, I have not encountered the situation of submitting twice. Now to sort it out: The method is basically the same as the previous ones The received page 2.php is divided into two parts, one part processes the submitted variables, and the other part displays the page After processing the variables, use header( "location: ".$_SERVER[ 'PHP_SELF ']) to jump to the own page This part needs to be judged. If there is no post variable, skip it. Of course, you can also jump to other pages. There will be problems when jumping to other pages and returning. It is recommended to do it in a php file. If the variables passed through the previous page do not meet the requirements, you can force the return to <script> history.go(-1); </script> I just talked about the general idea. Maybe masters will not encounter such problems, but not everyone is a master.

The code is as follows	Copy code
if(isset($_POST)) { if (variable does not meet the requirements) <script> history.go(-1); </script> else Operation data ... if (operation completed) header( "location: ".$_SERVER[ 'PHP_SELF ']); }

You can also use COOKIE

The code is as follows

Copy code

$c_file="counter.txt"; //Assign the file name to the variable<🎜> if(!file_exists($c_file)) //Operation if the file does not exist<🎜> {<🎜> $myfile=fopen($c_file,"w"); //Create file<🎜> fwrite($myfile,"0"); //Place "0"<🎜> fclose($myfile); //Close the file<🎜> }<🎜> $t_num=file($c_file); //Read the file content into the variable<🎜> if($_COOKIE["date"]!="date(Y year m month d day)") //Judge whether the COOKIE content is consistent with the current date<🎜> {<🎜> $t_num[0]++; //The original data increases by 1<🎜> $myfile=fopen($c_file,"w"); //Open the file in writing mode<🎜> fwrite($myfile,$t_num[0]); //Write new value<🎜> fclose($myfile); //Close the file<🎜> //Re-write the current date into the COOKIE and set the validity period of the COOKIE to 24 hours<🎜> setcookie("date","date(Y year m month d day)",time()+60*60*24);<🎜> }<🎜> ?>

session

Main page file index.php code:

代码如下

复制代码

通过session禁止页面刷新

//使用文本存储数据
   if($_SESSION[temp]==""){
   if(($fp=fopen("counter.txt","r"))==false){ echo "打开文件失败!";
     }else{ $counter=fgets($fp,1024);   //读取文件中数据
     fclose($fp);                        //关闭文本文件
     $counter++;                         //计数器增加1
     $fp=fopen("counter.txt","w");       //以写的方式打开文本文件

     fputs($fp,$counter);                //将新的统计数据增加1
     fclose($fp);    }                   //关闭文
//从文本文件中读取统计数据
       if(($fp=fopen("counter.txt","r"))==false){echo "打开文件失败!";}else{
        $counter=fgets($fp,1024);
        fclose($fp);
           echo "数字计数器: " .$counter ; }   //输出访问次数
     $_SESSION[temp]=1; //登录以后,$_SESSION[temp]的值不为空,给$_SESSION[temp]赋一个值1
     }else{
     echo "<script>alert('您不可以刷新本页!!'); history.back();</script>";
     }
?>

通过session禁止页面刷新

$counter=fgets($fp,1024);
fclose($fp);
echo "网页访问量: " .$counter ; } //输出访问次数?>

The counter.txt file is a file that records the number of logins in the same directory...
$counter=fgets($fp,1024); is a method for reading numerical values in files (can include decimal point values)...

Related labels：

php and code refresh go accomplish lead to malicious submit data invalid of prevent page

source：php.cn

Previous article：Description of PHP safe mode safe_mode_PHP tutorial Next article：PHP webpage prevention method configuration for SQL injection_PHP tutorial

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn