Blocking remote form submission is one way to stop attackers from posting data to our site from outside it. Here is an example of preventing illegal remote form submission in PHP.
Detailed method
1. PHP method to prevent data submission outside the site
```php
<?php
// Compare the host named in the Referer header with this server's own name.
// $HTTP_SERVER_VARS no longer exists in current PHP; $_SERVER is the equivalent.
$servername = $_SERVER['SERVER_NAME'];
$sub_from   = $_SERVER['HTTP_REFERER'] ?? '';
$sub_len    = strlen($servername);
// Skip the 7 characters of "http://" and take a hostname-length slice of the Referer.
$checkfrom  = substr($sub_from, 7, $sub_len);
if ($checkfrom != $servername) {
    // Warning! You are submitting data from outside! Stop immediately!
    echo "警告!你正在从外部提交数据!!请立即终止!!";
    exit;
}
?>
```
Put the above code at the top of any page that must reject data submitted from outside the site. If you open the page by typing its URL directly, or follow a link to it from another site, it displays: Warning! You are submitting data from outside!! Please terminate immediately!! If you reach the page from a link on this site, or submit it through the site's own form, no warning appears. The main purpose is to stop fake copies of the form from submitting data to the site.
However, the Referer header is supplied by the client, so this check is trivially bypassed: a curl request can send any Referer it likes. A better approach is the one used by the dz forum login, described next.
A better way to handle remote form submission is to generate a token from a unique string or timestamp and store it both in a session variable and in a hidden field of the form. When the form is submitted, check that the two tokens match. If they don't, you know someone is trying to send data from a remote copy of the form.
To create a random token you can use PHP's built-in md5(), uniqid() and rand() functions, as shown below.
```php
<?php
session_start();

if (isset($_POST['submit']) && $_POST['submit'] == "go") {
    // check token: the submitted value must match the one stored in the session
    if (isset($_POST['token'], $_SESSION['token'])
        && hash_equals($_SESSION['token'], (string) $_POST['token'])) {
        // strip_tags
        $name = strip_tags($_POST['name'] ?? '');
        $name = substr($name, 0, 40);
        // clean out any potential hexadecimal characters
        $name = cleanHex($name);
        // continue processing....
    } else {
        // stop all processing! remote form posting attempt!
    }
}

// issue a fresh token for the form that is about to be rendered
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

// remove \xNN-style hexadecimal escape sequences from the input
function cleanHex($input)
{
    $clean = preg_replace('!\\\\[xX]([A-Fa-f0-9]{1,3})!', '', $input);
    return $clean;
}
?>
```
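The token scheme above, carried one step further as an added example that is not code from the original article: tokens come from random_bytes() instead of md5(uniqid(rand(), true)), carry their issue time so a stale copy of the form expires, are compared with hash_equals(), and are cleared once checked so the same token cannot be replayed. The function names, TOKEN_TTL_SECONDS and the walk-through at the bottom are my own assumptions.

```php
<?php
// Added example, not code from the original article. Function names, the TTL
// constant and the walk-through at the bottom are assumptions for illustration.
// Session state is passed in as an array so the same functions work with $_SESSION
// on a web page and with a plain array when run from the command line.
const TOKEN_TTL_SECONDS = 900; // a form must be submitted within 15 minutes of being served

// Store a fresh random token (with its issue time) in the session and return the hidden field.
function issue_token(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG, replacing md5(uniqid(rand(), true))
    $session['token'] = $token;
    $session['token_time'] = time();
    return '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// True only when the posted token equals the session token and the token has not expired.
// The session token is removed on every call, so each token is good for exactly one attempt.
function validate_token(array &$session, array $post, ?int $now = null): bool
{
    $now      = $now ?? time();
    $expected = $session['token'] ?? null;
    $issued   = $session['token_time'] ?? 0;
    unset($session['token'], $session['token_time']);
    if (!is_string($expected) || !isset($post['token']) || !is_string($post['token'])) {
        return false; // nothing issued, or the form arrived without a token (remote copy, curl)
    }
    if ($now - $issued > TOKEN_TTL_SECONDS) {
        return false; // the form was served too long ago
    }
    return hash_equals($expected, $post['token']); // constant-time comparison
}

// Pull the token value back out of the hidden field (used only by the walk-through).
function token_from_field(string $field): string
{
    return preg_match('/value="([0-9a-f]{64})"/', $field, $m) ? $m[1] : '';
}

// Constructed walk-through; runs from the CLI without a web server or a real session.
$session = [];
$genuine = ['submit' => 'go', 'token' => token_from_field(issue_token($session))];
var_dump(validate_token($session, $genuine));                              // genuine submission passes
var_dump(validate_token($session, $genuine));                              // same token replayed is refused
issue_token($session);
var_dump(validate_token($session, ['submit' => 'go', 'name' => 'x']));     // form without a token is refused
$late = ['submit' => 'go', 'token' => token_from_field(issue_token($session))];
var_dump(validate_token($session, $late, time() + TOKEN_TTL_SECONDS + 1)); // expired token is refused
```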
While we're at it, here is the ASP version I wrote earlier.
How ASP prevents external submission of data
```asp
<%
Server_v1 = Cstr(Request.ServerVariables("HTTP_REFERER"))
Server_v2 = Cstr(Request.ServerVariables("SERVER_NAME"))
' Mid is 1-based: start at position 8 to skip "http://", then compare a hostname-length slice
If Mid(Server_v1, 8, Len(Server_v2)) <> Server_v2 Then
    ' Warning! You are submitting data from outside! Stop immediately!
    Response.Write "警告!你正在从外部提交数据!!请立即终止!!"
    Response.End
End If
%>
```