Hiding the form action URL with the POST method

Time: 2015-05-15 08:34:10

Tags: javascript php html


I have this code below, which I want to insert into a new script

<?php
session_start();

$host = "localhost";
$username = "#";
$password = "#";
$dbname = "#";

$ip = getenv("REMOTE_ADDR");
$time = time();
$waktu = date("G:i:s", $time);

// database connect (legacy mysql_* extension, as in the original script)
mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($dbname) or die(mysql_error());
mysql_query("SET NAMES utf8");

// the queries below read and write a table named `cookie`, so create it under
// that name; the ENGINE/CHARSET options belong after the closing parenthesis
mysql_query("CREATE TABLE IF NOT EXISTS `cookie` (
    `ip` varchar(32) NOT NULL DEFAULT '',
    `time` varchar(32) DEFAULT NULL,
    `waktu` varchar(255) DEFAULT NULL,
    PRIMARY KEY (`ip`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8");

function get_html($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_URL, $url);
    // certificate checks are switched off here, so an HTTPS response is not authenticated
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_FAILONERROR, 0);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
}

$token = isset($_SESSION['token']) ? $_SESSION['token'] : null;

if ($token) {
    $graph_url = "http://example.com?user=" . $token;
    $user = json_decode(get_html($graph_url));
    if (isset($user->error)) {
        if ($user->error->type == "OAuthException") {
            session_destroy();
            header('Location: index.php?info=403');
            exit;
        }
    }
} else {
    header('Location: index.php');
    exit;
}

// look up when this IP last submitted; default to 0 if there is no row yet
$times = array('time' => 0);
$result = mysql_query("SELECT * FROM cookie WHERE ip = '$ip'");
if ($result) {
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        $times = $row;
    }
    $timer = time() - $times['time'];
    $countdown = 900 - $timer;
}

if (isset($_POST['submit'])) {
    $token = $_SESSION['token'];
    if (!isset($token)) { exit; }
    $postid = isset($_POST['id']) ? $_POST['id'] : null;
    if (isset($postid)) {
        if (time() - $times['time'] < 900) {
            // the 900-second cooldown for this IP has not expired yet
            header("Location: index.php?info=404");
            exit;
        } else {
            mysql_query("REPLACE INTO cookie (ip,time,waktu) VALUES ('$ip','$time','$waktu')");
            // forward the id to secure.php as a form POST; the id itself is not validated here
            $ch = curl_init('http://example.com/secure.php');
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, "id=" . urlencode($postid));
            $hasil = curl_exec($ch);
            curl_close($ch);
            if (strpos($hasil, 'GAGAL') !== false) {
                echo 'Done';
            } else {
                header("Location: index.php?info=401");
                exit;
            }
        }
    } else {
        header("Location: index.php");
        exit;
    }
} else {
    $go = "hello";
}

// extract the fbid from ?url=...?fbid=... when the parameter is present
$fbid = null;
if (isset($_GET['url'])) {
    $urlSplitted = explode('?fbid=', $_GET['url']);
    if (isset($urlSplitted[1])) {
        $fbid = $urlSplitted[1];
    }
}
?>

Next I have the new script, the dashboard, with the code below:

<?php
session_start();
if (!isset($_SESSION["sess_user"])) {
    header("location:index.php");
    exit; // stop here, otherwise the rest of the page is still rendered after the redirect header
}

$fbid = '7676767676';

?>

<form action="" method="post" class="form-wrapper cf">
 Id Is: <font color="red"><strong><?php echo $fbid; ?></strong></font>
<input name="id" value="<?php echo $fbid; ?>" type="hidden">
<input type="submit" value="send">
</form>

Now I want to use that secure.php hidden, so that nobody can see that file in the form action, and when I send the form it automatically sends the data to secure.php.
I don't need any database to save the data, and no 900-second timer; I can't manage to edit even this simple thing myself.
Any help would be appreciated! Thanks.

2 answers:

Answer 0 (score: 0)

A simple way is to create a third page, call it: NotSecure.php

So, in your form <form action="NotSecure.php" method="post" class="form-wrapper cf">, the user will only see NotSecure.php. NotSecure.php will communicate with Secure.php and return the reply afterwards.

Note that Secure.php is visible only to NotSecure.php, and your users never know about Secure.php (which is what you are looking for :) ).

Example of NotSecure.php:

<?php
/* init params for forwarding the post request to a page visible
   only to myself
*/
// cURL needs an absolute URL; a bare "Secure.php" is not resolved relative to this script
$url = "http://example.com/Secure.php";
$postBodyAsAssociativeArray = array();
// getting all POST params from the page that submitted the form
$postBodyAsAssociativeArray['param1name'] = isset($_POST['param1name']) ? $_POST['param1name'] : '';
$postBodyAsAssociativeArray['param2name'] = isset($_POST['param2name']) ? $_POST['param2name'] : '';

// use "post" function, to post data to "Secure.php"
$result = post($url, $postBodyAsAssociativeArray);
// print the "Secure.php" response.
echo $result;

/* use PHP cURL to post an HTTP request */
function post($url, $postBodyAsAssociativeArray)
{
    if (empty($url)) {
        return 'Error: invalid Url or Data';
    }

    // encode the associative array as application/x-www-form-urlencoded so that
    // Secure.php receives the values in $_POST (a JSON body would not populate $_POST)
    $body = http_build_query($postBodyAsAssociativeArray);

    // cURL configuration: init handle and options
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    // receive the server response as a string instead of printing it directly
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    // invoke the cURL post
    $server_output = curl_exec($ch);

    curl_close($ch);
    // return the post response
    return $server_output;
}
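
A hardened version of the relay this answer describes, added here as an example; it is not code from the original answer. It assumes the dashboard from the question sets $_SESSION['sess_user'] on login, that the dashboard also stores a per-session CSRF token in $_SESSION['csrf'] and echoes it into the form as a hidden field named csrf, and that both scripts read a shared secret from an environment variable SECURE_SHARED_SECRET (the token field name and the variable name are assumptions). The point it adds: taking the URL out of the HTML only hides it from the page source; what actually stops someone who observes or guesses the URL from calling Secure.php is the session and CSRF check in the relay plus a check that Secure.php itself performs, so both files are shown back to back.

```php
<?php
// ---- NotSecure.php (added example; the names and the secret below are assumptions) ----
session_start();

// 1. The relay is only for logged-in users; hiding the URL is not an access control.
//    $_SESSION['sess_user'] is the flag the question's dashboard already checks.
if (!isset($_SESSION['sess_user'])) {
    http_response_code(403);
    exit('forbidden');
}

// 2. Reject cross-site posts: the form must carry the token issued for this session.
//    Assumed dashboard code: $_SESSION['csrf'] = bin2hex(random_bytes(16));
//    and a hidden input named "csrf" whose value is taken from $_SESSION['csrf'].
if (!isset($_POST['csrf'], $_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    exit('bad csrf token');
}

// 3. Validate the single forwarded parameter (the question's form only sends a numeric id).
$postid = isset($_POST['id']) ? $_POST['id'] : '';
if (!preg_match('/^[0-9]{1,20}$/', $postid)) {
    http_response_code(400);
    exit('bad id');
}

// 4. Forward as a form-encoded body so Secure.php sees $_POST['id'], and escape the
//    reply before echoing it into this page.
$result = relay_post('http://example.com/Secure.php', array('id' => $postid));
echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');

function relay_post($url, array $fields)
{
    // shared secret that Secure.php verifies; assumed to be configured in the environment
    $secret = getenv('SECURE_SHARED_SECRET');
    if ($secret === false || $secret === '') {
        return 'relay not configured';
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate checks on, unlike get_html() in the question
        CURLOPT_HTTPHEADER     => array('X-Relay-Secret: ' . $secret),
    ));
    $out = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    return $out === false ? 'relay error: ' . $err : $out;
}

// ---- Secure.php (separate file, beginning with its own opening PHP tag) ----
// Accept only requests that arrived through the relay: the header must carry the
// same shared secret, compared in constant time.
$expected = getenv('SECURE_SHARED_SECRET');
$given    = isset($_SERVER['HTTP_X_RELAY_SECRET']) ? $_SERVER['HTTP_X_RELAY_SECRET'] : '';
if ($expected === false || $expected === '' || !hash_equals($expected, $given)) {
    http_response_code(403);
    exit;
}
// ... the original secure.php work on $_POST['id'] continues here
```

The shared-secret check in Secure.php is the part that restricts who can call it; if Secure.php lives on the same host as the relay, limiting it to requests from 127.0.0.1 in the web-server configuration adds a second layer. Changing the action attribute with JavaScript, as the other answer suggests, only changes what the HTML shows: the browser's network panel still records the real URL of every submission.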

Answer 1 (score: 0)

The PHP code is useless for your question.

To obfuscate the action URL you can use some javascript to set the attribute only on submit. Here you can see a silly example: http://codepen.io/anon/pen/gprygB

$("form").submit(function() {
  $(this).attr("action", "realAction");
});

For the same reason, you could also use some crypt/uglify library to hide realAction in the js file.