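How do I verify a POST using curl?

Time: 2015-01-07 21:59:10

Tags: php curl

I have two websites, a.com and b.com. I am using curl to pass data from a.com to b.com. I can pass the data successfully, but I want to make it more secure, so that b.com responds after confirming that the post came from a.com. How can I achieve this?

Code on website a.com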

<?php
  $some_data = array(
    'message' => 'Hello World',
    'name' => 'Chad'
  ); 

  $curl = curl_init();
  // You can also set the URL you want to communicate with by doing this:
  // $curl = curl_init('http://localhost/echoservice');

  // We POST the data
  curl_setopt($curl, CURLOPT_POST, 1);
  // Set the url path we want to call
  curl_setopt($curl, CURLOPT_URL, 'http://localhost/b.com'); 
  // Make it so the data coming back is put into a string
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  // Insert the data
  curl_setopt($curl, CURLOPT_POSTFIELDS, $some_data);

  // You can also bunch the above commands into an array if you choose using: curl_setopt_array

  // Send the request
  $result = curl_exec($curl);
  // Free up the resources $curl is using
  curl_close($curl);

  echo $result;
?>

Code on b.com

<?php
  // I want to check here that the request was from a.com; if it is ensured, then I want to do
  // the rest of the work
  echo 'Your message was: ' . $_REQUEST["message"] . ' and your name is: ' . $_REQUEST["name"];
?>

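4 answers:

Answer 0: (score: 0)

You can check the $_SERVER['REFERER'] property, but it is very unreliable/insecure.

A better approach is to set up site B with Basic Auth or something similar, so that requests you make from site A can be authenticated. You can then add the basic auth to the curl request from A to B. B checks the authentication and, if it is correct, carries on with the rest of the processing.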

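Answer 1: (score: 0)

$_SERVER['REMOTE_ADDR'] will be the solution

if ($_SERVER['REMOTE_ADDR'] == "IP OF A.com") {
    // exec code
} else {
    // that's an example: record the rejected caller with PHP's built-in error_log()
    error_log($_SERVER['REMOTE_ADDR'] . ' has tried to access B.com at ' . date('c'));
}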

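Answer 2: (score: 0)

The simplest way to achieve this is to create a key that website a.com knows and website b.com knows.

Then you can pass the key via curl from one server to the other; as long as the other side knows what the key is, they will be able to access it (assuming you program it that way).

This is how most APIs work, such as Facebook, Twitter, LinkedIn, etc.

Your post data will look like this (a.com):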

$some_data = array(
    'message' => 'Hello World',
    'name' => 'Chad',
    'key' => '4h9rj8wj49tj0wgj0ejwrkw0jt0ekv0ijspxodxk9rje0rg9tskvep9rrgt9wkrgte'
); 

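Then on b.com you would do this:

// || rather than &&, so a missing key is rejected too; !== avoids loose string comparison
if (!isset($_POST['key']) || $_POST['key'] !== '4h9rj8wj49tj0wgj0ejwrkw0jt0ekv0ijspxodxk9rje0rg9tskvep9rrgt9wkrgte') {
    die("Invalid Key");
}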

Answer 3: (score: 0)

You can use a public/private pairing system. A simple version would look like this:

//a.com

$keys  = array(
   'publicKey1' => 'privateKey1',
   'publicKey2' => 'privateKey2',
    //...
   'ksjdlfksjdlf' => '989384kjd90903@kjskdjdsd'
);
$publicKeys = array_keys($keys);
//get a random key from pool
$publicKey  = $publicKeys[rand(0, count($publicKeys) - 1)]; // last valid index is count - 1
$privateKey = $keys[$publicKey];

//your data...
$some_data = array(
   'message' => 'Hello World',
   'name' => 'Chad'
);     

/*generate a verification code from data...*/
//add public key to data
$some_data['key'] = $publicKey;
//sort data by key (to always generate same verification code regardless of params order)
ksort($some_data);

//generate code with your private key
$verificationKey = sha1($privateKey . http_build_query($some_data) . $privateKey);

//add verification code to sent data
$some_data['verification_code'] = $verificationKey;

//send data
curl_exec(...);

And on b.com:

$keys = array(/* same keys that exist on a.com */);
if (!isset($_POST['key']) || !isset($_POST['verification_code']) || !isset($keys[$_POST['key']])) {
    //do something to handle invalid request
}

$verificationKey  = $_POST['verification_code'];    
$privateKey       = $keys[$_POST['key']];

//remove verification code from data
unset($_POST['verification_code']);
//sort data by key, as on a.com
ksort($_POST);

$checkKey = sha1($privateKey . http_build_query($_POST) . $privateKey);

//validate key (strict comparison, so two different hex digests never compare equal as numbers)
if ($checkKey !== $verificationKey) {
   //handle invalid data
}

//verified. do something with $_POST
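
An added example (not code from any of the answers above): the shared-secret signing idea from answers 2 and 3, written with PHP's built-in hash_hmac() and hash_equals(), plus a timestamp so that a captured request stops verifying after a short window. The function names, the secret, the sample timestamps and the 300-second window are assumptions.

```php
<?php
// Added example: names, the shared secret and the 300 s window are assumptions.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // constructed placeholder
const MAX_SKEW = 300; // seconds a signed request stays valid

// a.com side: return the fields to POST, including timestamp and signature.
function sign_request(array $data, string $secret, ?int $now = null): array
{
    $data['ts'] = (string) ($now ?? time());
    ksort($data);                                   // canonical parameter order
    $data['sig'] = hash_hmac('sha256', http_build_query($data), $secret);
    return $data;
}

// b.com side: true only if the signature matches and the timestamp is fresh.
function verify_request(array $post, string $secret, ?int $now = null): bool
{
    if (!isset($post['sig'], $post['ts']) || !is_string($post['sig'])
        || !is_string($post['ts']) || !ctype_digit($post['ts'])) {
        return false;
    }
    $sig = $post['sig'];
    unset($post['sig']);                            // the signature covers everything else
    ksort($post);
    $expected = hash_hmac('sha256', http_build_query($post), $secret);
    if (!hash_equals($expected, $sig)) {            // constant-time comparison
        return false;
    }
    return abs(($now ?? time()) - (int) $post['ts']) <= MAX_SKEW;
}

// Constructed sample run (no network): what a.com would put in CURLOPT_POSTFIELDS.
$fields = sign_request(['message' => 'Hello World', 'name' => 'Chad'], SHARED_SECRET, 1420667950);

var_dump(verify_request($fields, SHARED_SECRET, 1420667960));        // untouched request
$tampered = $fields;
$tampered['name'] = 'Mallory';
var_dump(verify_request($tampered, SHARED_SECRET, 1420667960));      // modified field
var_dump(verify_request($fields, SHARED_SECRET, 1420667950 + 3600)); // same request an hour later
var_dump(verify_request($fields, 'wrong-secret', 1420667960));       // verifier key mismatch
```

On b.com the call would be verify_request($_POST, SHARED_SECRET); the secret itself is never sent, only the signature computed from it.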