2015-04-23 12:16:58
Today, while checking a project deployed on SAE, I happened to look at the SAE logs and found several abnormal requests to the verification code (captcha) endpoint. That prompted me to write a feature that prevents the captcha from being crawled. It stops the captcha images from being harvested and decoded, and blocks the unwanted malicious attacks and break-in attempts that follow.
The idea is as follows: validate the request before the captcha generation class is called.
1. Verify that the request comes from the page that embeds the captcha.
2. Then verify the access address (the client IP).
Steps to implement it:
1. Using PHP features alone to determine whether a captcha request was made from a page is basically unrealistic; PHP does not seem to have such a function (I did not find one). So we can only judge indirectly: here we use the session to record whether the page has been visited. Because very few pages need a captcha, there are only a few places where the session flag has to be set, which is acceptable.
2. Verifying the access address is relatively simple: PHP's $_SERVER superglobal gives us the client's address.
3. After the captcha is generated, reset the validation flag in the session so that the next request no longer passes.
The specific code (this is only one approach; modify it to your needs):
For example:
1. On the page that needs to load the captcha (or in the controller layer function), set $_SESSION['check'] = true;
2. Before calling the captcha generation, run the validation:
```php
<?php
/**
 * Created by PhpStorm.
 * User: wangyaofeng
 * Date: 15-4-23
 * Time: 9:36
 */
session_start(); // the check flag lives in the session, so it must be started first

/**
 * Detects whether the accessing IP is a permitted IP.
 */
// Change the allowed IP addresses according to your own needs.
// Entries may contain '*' as a wildcard for one octet, e.g. '192.168.1.*'.
function check_ip() {
    $ALLOWED_IP = array('127.0.0.1');
    $IP = getip();
    $check_ip_arr = explode('.', $IP); // the IP being checked, split into octets
    // Restrict IP
    if (!in_array($IP, $ALLOWED_IP)) {
        foreach ($ALLOWED_IP as $val) {
            if (strpos($val, '*') !== false) { // entry uses a '*' wildcard
                $arr = explode('.', $val);      // split the pattern into octets
                $BL = true; // records whether this pattern matched
                for ($i = 0; $i < 4; $i++) {
                    if ($arr[$i] != '*') { // a '*' octet matches anything and is skipped
                        if (!isset($check_ip_arr[$i]) || $arr[$i] != $check_ip_arr[$i]) {
                            $BL = false;
                            break; // this pattern failed; try the next allowed entry
                        }
                    }
                } // end for
                if ($BL) { // a pattern matched: access is permitted
                    return;
                }
            }
        } // end foreach
        header('HTTP/1.1 403 Forbidden');
        echo "Access forbidden";
        die;
    }
}

// Note: HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are request headers that the
// client can set freely; they are only trustworthy behind a proxy you control.
function getip() {
    return isset($_SERVER["HTTP_X_FORWARDED_FOR"])
        ? $_SERVER["HTTP_X_FORWARDED_FOR"]
        : (isset($_SERVER["HTTP_CLIENT_IP"]) ? $_SERVER["HTTP_CLIENT_IP"] : $_SERVER["REMOTE_ADDR"]);
}

// If the page did not set the flag, fall back to the IP check
if (empty($_SESSION['check'])) {
    check_ip();
}
// Reset the flag so the captcha cannot be fetched again without reloading the page
$_SESSION['check'] = false;
```
With basically these two steps you can restrict the captcha. In this example, when the site is visited normally from the external network the captcha is displayed, but directly accessing or crawling the captcha URL from the external network is denied, while accessing the captcha from the local machine works as normal.
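As an added example (not the post's code), here is a variant of the same session-gated captcha idea in which the page hands out a single-use, short-lived token instead of a plain boolean, and the IP allowlist match is a separate function that handles the '*' wildcard. The function names captcha_arm, captcha_guard, ip_matches and ip_allowed, the allowlist entries and the 60-second lifetime are assumptions for illustration. It reads only REMOTE_ADDR, because X-Forwarded-For is supplied by the client and is only meaningful behind a proxy you control.

```php
<?php
// Added example; not the original post's code. Names, the allowlist and
// the token lifetime are assumptions chosen for illustration.
session_start();

// Addresses that may fetch the captcha without first loading the page
// (e.g. local testing). Entries may use '*' as an octet wildcard.
const CAPTCHA_ALLOWED_IPS = array('127.0.0.1', '192.168.1.*');
const CAPTCHA_TOKEN_LIFETIME = 60; // seconds the page's token stays valid

// Called by the page that embeds the captcha (login form or controller action).
// Returns the token to place in the image URL, e.g. captcha.php?t=<token>.
function captcha_arm() {
    $token = bin2hex(random_bytes(16));
    $_SESSION['captcha_token'] = $token;
    $_SESSION['captcha_token_expires'] = time() + CAPTCHA_TOKEN_LIFETIME;
    return $token;
}

// Exact-or-wildcard match of a dotted IPv4 address against one allowlist entry.
function ip_matches($ip, $pattern) {
    $ipParts  = explode('.', $ip);
    $patParts = explode('.', $pattern);
    if (count($ipParts) !== 4 || count($patParts) !== 4) {
        return false;
    }
    for ($i = 0; $i < 4; $i++) {
        if ($patParts[$i] !== '*' && $patParts[$i] !== $ipParts[$i]) {
            return false;
        }
    }
    return true;
}

function ip_allowed($ip) {
    foreach (CAPTCHA_ALLOWED_IPS as $pattern) {
        if (ip_matches($ip, $pattern)) {
            return true;
        }
    }
    return false;
}

// Called by the captcha image script before the image is generated.
// Returns true when the request may proceed. The stored token is consumed
// either way, so fetching the same URL a second time is refused.
function captcha_guard($token, $remoteIp) {
    $stored  = isset($_SESSION['captcha_token']) ? $_SESSION['captcha_token'] : null;
    $expires = isset($_SESSION['captcha_token_expires']) ? $_SESSION['captcha_token_expires'] : 0;
    unset($_SESSION['captcha_token'], $_SESSION['captcha_token_expires']);

    if ($stored !== null && is_string($token)
        && hash_equals($stored, $token) && time() <= $expires) {
        return true;
    }
    // No valid page token: fall back to the IP allowlist, as the post does.
    return ip_allowed($remoteIp);
}

// Entry point of the captcha image script.
$token = isset($_GET['t']) ? $_GET['t'] : null;
if (!captcha_guard($token, $_SERVER['REMOTE_ADDR'])) {
    header('HTTP/1.1 403 Forbidden');
    echo 'Access forbidden';
    exit;
}
// ... generate and output the captcha image here ...
```

The page calls captcha_arm() and embeds the returned token in the image URL; the captcha script calls captcha_guard(). Because the token is unset before it is compared, a request that fails validation also invalidates the page's token, so a harvester cannot keep reusing one page load, and the expiry bounds how long a captured URL stays usable.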
[Screenshots: local access; external network access; external network login page]
PHP captcha: preventing direct access from the external network