Php postonly,php: only allow form POST from specified domain name

问题

I have a page running a php script that subscribes a user to a newsletter, when a form is posted.

Now, I am worried about getting spammed, cause anyone can post to my page using a form.

Is there any way I can use conditionals in PHP, to only allow incoming submissions from a certain domain?

If the domain doesn't match, using else to echo an error message.

I am just starting to lean php, so I'd appreciate all the help I can get.

Thank you.

回答1:

The closest thing you can do is set a cookie that is restricted to your domain and then check for that cookie on the POST end.

setcookie('checkmydomain', 'something', 3600, '/', 'www.yourdomain.com');

Then you can do

if(isset($_COOKIE['checkmydomain'])) {

//process the POST

}

Obviously it is still trivial to defeat but it would stop "simple" bots from submitting data

回答2:

Some thoughts rather than an intended perfect answer:

Rather than checking the URI from the $_POST data what about putting inputs of tags and hashes into the $_POST, for example a post can contain a hash of something unique to your site/domain - to that script at that point in time, say -the page URL or some identifier + unix timestamp-, encrypted with blowfish and saved as a hidden field, as well as taking plain text details in hidden fields too - so as a brief example:

1) Site sends you a hidden field with a SHA Hash

Hash is made up of an identifying string (such as that domains account number on your system) as well as a IP lookup from that domain

$str = $identity.$ip

2) Site also sends you plain text detail of the domain, so for example "$_POST['domain'] = "www.site.com"

3) At your end, read the $_POST['domain'] value and use PHP to extrapolate the IP address from than domain

4) Then, with the site IP address, and your known identity value - regenerate the hash on your page and if they're exactly the same as the supplied hash then you can trust the data is (probably) from the given domain.

5) carry on.... delete or post...

There are assumptions made here, that you'd be given data from another domain so that biscuits(cookies) would be tricky , and that you have some identity information to hand for each source domain for these posts.

Hidden form data would be easy to copy but not if it is unique and specific each time the form is generated. Also add anti-spam methods such as text fields named "email" or "name" and leave them intentionally blank, but with a bit of CSS to display:none;. As robots will see them and not realise they're hidden and can complete them, indicating a non-human reader.

NOTE: Yes IP addresses for CLIENTS change all the time, but website IP addresses are pretty static - in most but not all cases. These are the IP address I refer to not the IP of the browser.

Further Edit:

timestamp values in the sent Hash data can be put in as for example date("D"); rather than the unix exact time, so that form submission within 24h and not crossing midnight would work. Any date value both changes over time and can be easily reconstructed at the other end.

来源：https://stackoverflow.com/questions/28093779/php-only-allow-form-post-from-specified-domain-name