Using sessions in PHP to prevent page refresh: a specific implementation

  • 2020-12-16 05:52:34
  • OfStack

b.php code
 
<?php
// Only allow access via POST
if ($_SERVER['REQUEST_METHOD'] !== 'POST')
{header('HTTP/1.1 404 Not Found'); die("Sorry, the page doesn't exist");}
session_start();
$fs1=$_POST['a'];
$fs2=$_POST['b'];
// Anti-refresh time, in seconds
$allowTime = 30;
// Read the visitor's IP so that refreshes can be limited per IP
/* Get real IP: start */
// Note: X-Forwarded-For and Client-IP are request headers set by the client;
// only REMOTE_ADDR comes from the TCP connection. Rely on the headers only
// behind a reverse proxy that overwrites them.
if ( ! function_exists('GetIP'))
{
    function GetIP()
    {
        static $ip = NULL;
        if ($ip !== NULL)
        {
            return $ip;
        }
        if (isset($_SERVER))
        {
            if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
            {
                $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
                /* Take the first entry in X-Forwarded-For that is not "unknown" */
                foreach ($arr as $xip)
                {
                    $xip = trim($xip);
                    if ($xip != 'unknown')
                    {
                        $ip = $xip;
                        break;
                    }
                }
            }
            elseif (isset($_SERVER['HTTP_CLIENT_IP']))
            {
                $ip = $_SERVER['HTTP_CLIENT_IP'];
            }
            else
            {
                if (isset($_SERVER['REMOTE_ADDR']))
                {
                    $ip = $_SERVER['REMOTE_ADDR'];
                }
                else
                {
                    $ip = '0.0.0.0';
                }
            }
        }
        else
        {
            if (getenv('HTTP_X_FORWARDED_FOR'))
            {
                $ip = getenv('HTTP_X_FORWARDED_FOR');
            }
            elseif (getenv('HTTP_CLIENT_IP'))
            {
                $ip = getenv('HTTP_CLIENT_IP');
            }
            else
            {
                $ip = getenv('REMOTE_ADDR');
            }
        }
        // Keep only a run of digits and dots (IPv4-shaped), else fall back to 0.0.0.0
        preg_match("/[\d\.]{7,15}/", $ip, $onlineip);
        $ip = ! empty($onlineip[0]) ? $onlineip[0] : '0.0.0.0';
        return $ip;
    }
}
/* Get real IP: end */
$reip = GetIP();
// Hash the IP and the submitted parameters with md5 to form the session key
$allowT = md5($reip.$fs1.$fs2);
if(!isset($_SESSION[$allowT])){
    // First submission of these parameters from this IP: record the time
    $_SESSION[$allowT] = time();
}
else if(time() - $_SESSION[$allowT] > $allowTime){
    // The interval has passed: allow the request and restart the timer
    $_SESSION[$allowT] = time();
}
// If the refresh is too fast, send a 404 header and a message
else {header('HTTP/1.1 404 Not Found'); die('Request from '.$reip.': you refreshed too fast');}
?>

The code is very simple: it hashes the IP together with the data submitted by POST to the refresh-protected page using md5, stores the current time in the session under that key, and then uses the stored time to work out the refresh interval and decide whether to allow the refresh. "$fs1=$_POST['a'];" and "$fs2=$_POST['b'];" read the two parameters that other pages submit to the refresh-protected page via POST. The reason for adding these parameters in addition to the IP is to distinguish different POST results. (In fact, the so-called anti-refresh is to prevent a page from being repeatedly submitted.)

More specifically, for example, the above code is placed at the beginning of the b.php page. On the a.html page, we have the following form:
 
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>b.html</title>
</head>
<body>
    <form action="b.php" method="post">
        <input type="hidden" id="a" name="a" value="a"/>
        <input type="hidden" id="b" name="b" value="b"/>
        <button name="" type="submit">submit</button>
    </form>
</body>
</html>

You can see that the two parameters a and b submitted by this page are exactly the two parameters read in the b.php code above (actually, the reverse is true: the parameters b.php reads depend on what the submitting page sends). The PHP code above only treats a POST request as a data submission, so entering the address directly returns a 404 error page, and the page can only be reached via POST. Refreshing a page reached via POST resends the same parameters, which gives the effect of preventing each IP from refreshing the same page.

In addition, we can check the Referer on the page that receives the POST to determine the source website and prevent cross-site submission, but the Referer can be forged, and Firefox and IE8 often lose the Referer inexplicably, so we do not add this code for the time being.
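
The text above says the real goal is to stop a page from being submitted repeatedly, and that Referer is too unreliable to block cross-site submission. The following added example (not part of the original article) shows a session-bound, single-use form token that covers both cases without relying on the IP or the Referer. The function names, the form_tokens session key and the token field name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the article's code. issue_form_token(), consume_form_token(),
// the 'form_tokens' session key and the 'token' field name are hypothetical.

/** Create a random single-use token, store its issue time, drop expired ones. */
function issue_form_token(array &$session, int $now, int $ttl = 900): string
{
    $live = array_filter($session['form_tokens'] ?? [], fn($t) => $now - $t <= $ttl);
    $token = bin2hex(random_bytes(32));
    $live[$token] = $now;
    $session['form_tokens'] = $live;
    return $token;
}

/** Accept a token at most once, and only within $ttl seconds of being issued. */
function consume_form_token(array &$session, $token, int $now, int $ttl = 900): bool
{
    if (!is_string($token) || !isset($session['form_tokens'][$token])) {
        return false;                          // missing, malformed or already used
    }
    $issued = $session['form_tokens'][$token];
    unset($session['form_tokens'][$token]);    // single use: a replayed POST fails
    return $now - $issued <= $ttl;
}

// Wiring (the form page must be PHP so it can embed the token):
//   form page: session_start(); $t = issue_form_token($_SESSION, time());
//              echo '<input type="hidden" name="token" value="'.$t.'">';
//   b.php:     session_start();
//              if (!consume_form_token($_SESSION, $_POST['token'] ?? null, time())) { /* reject */ }

// Constructed demo: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
$token = issue_form_token($session, 1000);
$old   = issue_form_token($session, 1000);
$cases = [
    'first submission'     => consume_form_token($session, $token, 1005),
    'refresh (same POST)'  => consume_form_token($session, $token, 1006),
    'POST without a token' => consume_form_token($session, null, 1007),
    'token older than ttl' => consume_form_token($session, $old, 2000),
];
foreach ($cases as $name => $ok) {
    printf("%-22s %s\n", $name, $ok ? 'accepted' : 'rejected');
}
```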
