檢查表單資料是不是“來自它應該來的地方”,有心人士可以在本地端建立一個表單,可以藉此略過一些檢查來送出資料。
PHP 可以用 $_SERVER['HTTP_REFERER'] 取得referer,但就如同PHP Manual寫的,這個值是不可靠的,所以只能當做基本的檢查。比較好的方法,可以用hidden欄位插入特定的值…(秘)。
- 'HTTP_REFERER'
- The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
No comments:
Post a Comment
Comment Form Message