[PHP Security] Preventing form data submitted from outside the site (not via HTTP_REFERER)
Originally posted by "gzdkj":
1. Prevent people from saving the page locally, modifying the form controls and parameters, and then submitting the data remotely;
2. Prevent auto-posting software from spamming the site, like those tools that can post to hundreds of forums in one go.
The annoying part is that HTTP_REFERER is defeated by simply forging one, so I don't see how you'd prevent this.
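Since the rest of this thread shows how easily Referer is forged, here is a hedged sketch of the usual server-side alternative: a one-time token embedded in the form and checked against the session. The function names (issue_form_token, check_form_token) are illustrative, not from the original post.

```php
<?php
session_start();

// Issue an unguessable per-form token and remember it in the session.
// Embed the return value in the form as a hidden input.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// On submit, compare the posted token with the stored one.
// The token is consumed either way, so a captured form can't be replayed.
function check_form_token(?string $submitted): bool {
    $expected = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);
    return $submitted !== null
        && $expected !== ''
        && hash_equals($expected, $submitted);
}
```

Unlike a Referer check, the attacker cannot know the token in advance, and a saved copy of the page stops working after one submission.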
<?php
$host = "www.123cha.com";
$referer = "http://" . $host;
$fp = fsockopen($host, 80, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br>\n";
} else {
    // Build the raw request with proper CRLF line endings; the forged
    // Referer header is what defeats an HTTP_REFERER check.
    $request = "GET / HTTP/1.1\r\n"
        . "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*\r\n"
        . "Referer: $referer\r\n"
        . "Accept-Language: zh-cn\r\n"
        . "Accept-Encoding: gzip, deflate\r\n"
        . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
        . "Host: $host\r\n"
        . "Connection: Close\r\n\r\n";
    fputs($fp, $request);
    $res = array();
    while (!feof($fp)) {
        $res[] = fgets($fp, 1024);
    }
    $html = join("", $res);
    fclose($fp);
    file_put_contents("123cha.html", $html);
    echo "done";
}
?>
There, that does it, doesn't it?
Oddly, though, the page fetched this way from www.hao123.com comes back as garbage (apart from the HTTP headers). Why is that? Could it be gzip compression or something like it?
<?php
$host = "www.hao123.com";
$html = file_get_contents("http://" . $host);
file_put_contents("hao123.html", $html);
echo "done";
?>
But fetched this way there is no problem.
Now let's look at the HTTP headers from the first fetch:
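As a hedged middle ground between the two methods: file_get_contents can also send custom headers, including a forged Referer, through a stream context, so you get the simplicity of the second method with the header control of the first. The header values below are only illustrative.

```php
<?php
$host = "www.hao123.com";

// A stream context lets file_get_contents send arbitrary request headers.
$ctx = stream_context_create([
    'http' => [
        'method' => 'GET',
        'header' => "Referer: http://$host\r\n"
                  . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n",
    ],
]);

// Usage (requires network access):
// $html = file_get_contents("http://" . $host, false, $ctx);
```

Because no Accept-Encoding header is sent here, the server replies uncompressed, so no manual decoding step is needed.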
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2005 00:59:36 GMT
Server: Apache/1.3.27
Cache-Control: max-age=1296000
Expires: Thu, 15 Sep 2005 00:59:36 GMT
Last-Modified: Mon, 29 Aug 2005 13:56:00 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Content-Encoding: gzip
Content-Length: 14567
Sure enough, there it is: Content-Encoding: gzip.
So the body was compressed, down to 14567 bytes; fetched the second way, the uncompressed HTML is 71143 bytes. Note that file_get_contents is not decompressing anything here: it never sends an Accept-Encoding: gzip header, so the server simply responds with the page uncompressed in the first place.
For pages that don't check HTTP_REFERER, cookies, and the like, the second method is obviously fine. But I'd like to know: with the first method, how do I get the same result as the second???
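To answer that question: since the raw-socket request advertises "Accept-Encoding: gzip, deflate", the body comes back gzip-compressed and must be decompressed before saving. A minimal sketch, assuming PHP's zlib extension is loaded; gzdecode() exists since PHP 5.4 (on older versions, gzinflate(substr($body, 10)) skips the 10-byte gzip header and works the same way):

```php
<?php
// Split a raw HTTP response into headers and body, and gunzip the body
// when the server declared Content-Encoding: gzip.
function decode_gzip_body(string $response): string {
    // Headers end at the first blank line (CRLF CRLF).
    [$headers, $body] = explode("\r\n\r\n", $response, 2);
    if (stripos($headers, 'Content-Encoding: gzip') !== false) {
        $body = gzdecode($body);
    }
    return $body;
}
```

Run the full response captured by the fsockopen loop through this function (or just drop the Accept-Encoding line from the request) and the first method produces the same readable HTML as the second.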