How does PHP determine whether a request comes from the local domain and is an ajax request?
Reply content:
How does PHP determine whether a request comes from the local domain and is an ajax request?
In jQuery, ajax is written like this. The xhr object has a setRequestHeader method, which is used to set the headers:
if ( !options.crossDomain && !headers["X-Requested-With"] ) {
    headers["X-Requested-With"] = "XMLHttpRequest";
}
// Set headers
for ( i in headers ) {
    xhr.setRequestHeader( i, headers[ i ] );
}
So if it is verified on the PHP side, it is like this:
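public static function isAjax() {
    // The header is absent on non-ajax requests, so default to an empty string
    return 'XMLHttpRequest' === ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '');
}
if ( !isset($_SERVER['HTTP_X_REQUESTED_WITH']) || $_SERVER['HTTP_X_REQUESTED_WITH'] !== 'XMLHttpRequest' ) {
    // The request did not carry the jQuery ajax header: handle it as a non-ajax request here
}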
The source can be obtained from the Referer request header. The X-Requested-With header (which does not mean that an ajax request must carry this header) can be used to determine whether it is ajax. But request headers, as you know, are easy to forge. The request header is sufficient for business judgment. If it is used for security or anti-crawling, the request header is weak.
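
The distinction drawn in the last reply, as an added example that is not part of the original answers: the Origin/Referer and X-Requested-With checks serve as a business-level hint, while a session-bound token carries the security decision. The function names, the host shop.example, the X-CSRF-Token header name and the sample requests are all constructed assumptions.

```php
<?php
// Added example: every name and sample value below is constructed for illustration.

/** Host part of an Origin or Referer header value, or null if absent or unparseable. */
function headerHost(?string $value): ?string
{
    if ($value === null || $value === '') {
        return null;
    }
    $host = parse_url($value, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

/** Business-level hint only: every input read here is chosen by the client. */
function looksLikeLocalAjax(array $server, string $ownHost): bool
{
    $isAjax = ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
    // Use Origin when the client sent it, otherwise fall back to Referer.
    $source = headerHost($server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null);
    return $isAjax && $source === strtolower($ownHost);
}

/** Security-level check: constant-time comparison with the token kept in the session. */
function hasValidToken(array $session, array $server): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $server['HTTP_X_CSRF_TOKEN'] ?? ''; // assumed header name
    return is_string($expected) && $expected !== ''
        && is_string($given) && hash_equals($expected, $given);
}

// Constructed session, and a constructed request that carries only the two headers.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$headersOnly = [
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'HTTP_REFERER'          => 'https://shop.example/cart',
];
// Constructed request from the site's own page, which was handed the session token.
$withToken = $headersOnly + ['HTTP_X_CSRF_TOKEN' => $session['csrf_token']];

foreach (['headers only' => $headersOnly, 'with token' => $withToken] as $label => $req) {
    printf("%-12s hint=%s token=%s\n", $label,
        var_export(looksLikeLocalAjax($req, 'shop.example'), true),
        var_export(hasValidToken($session, $req), true));
}
```

Run with the PHP CLI (PHP 7 or later); the two printed rows show where the header hint and the token check agree and where they differ.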