Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
244 views
in Technique by (71.8m points)

php - Is incoming post Curl or html form

Is there a way to determine whether an incoming POST came from an HTML form submission or from a server-to-server post (for example, curl)?

  asked by user1910437, translated from SO

1 Answer

0 votes
by (71.8m points)

There is a way, but be mindful it can be easily masked and overridden by the HTTP client, so it's not reliable.

You're looking for the User-Agent header.

cURL will default to User-Agent: curl/7.54.1, while web browsers will default to a description of their browser.

Well... often.

Some browsers will fake their UA because some websites do browser detection, not feature detection, which, despite being a bad idea, is still pretty widespread.

In PHP you can retrieve the user agent from $_SERVER['HTTP_USER_AGENT'].

For example, if I run curl -sS https://mywebsite.dev/example.php, then example.php will have $_SERVER['HTTP_USER_AGENT'] be somewhat similar to curl/7.54.0.

The User-Agent header (like all client request headers) can be easily faked.

Using cURL I could easily send a fake header.

Take this command for example:

curl -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36" http://stackoverflow.com/questions/28760694/how-to-use-curl-to-get-a-get-request-exactly-same-as-using-chrome

(yes - check out that SO answer too).

Given this example, your server code would have absolutely no idea if it was a web browser or cURL making this request.

You might be able to go on other signals such as cookies and other headers, but they can be faked too.

Given that the User-Agent header is so frequently masked, it's probably not the most reliable thing to be basing your code on.

For example, if you're building an API and you want to figure out if it's your own application or someone else calling your API, then you want to rely on things like API tokens, authentication and other custom headers to provide stronger trust signals to your app... but that's beyond the scope of your question.

So TLDR;

yes - you can use the User-Agent header to determine the calling application... but don't rely on it.
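
The contrast between the User-Agent guess and a stronger trust signal, as an added example that is not part of the original answer. The X-Timestamp and X-Signature header names, the shared secret, the function names and the sample requests are all hypothetical and constructed for illustration.

```php
<?php
// Added illustration: header names, secret and function names are hypothetical.

// Weak signal: label the caller from the User-Agent header alone.
function guessClientFromUserAgent(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if ($ua === '') {
        return 'unknown';
    }
    return stripos($ua, 'curl/') === 0 ? 'curl' : 'browser-like';
}

// Stronger signal: HMAC over timestamp + body with a secret only your own app holds.
function isSignedByOwnApp(array $server, string $body, string $secret, int $now, int $maxSkew = 300): bool
{
    $ts  = $server['HTTP_X_TIMESTAMP'] ?? '';
    $sig = $server['HTTP_X_SIGNATURE'] ?? '';
    if (!ctype_digit($ts) || abs($now - (int) $ts) > $maxSkew) {
        return false; // missing or stale timestamp: reject (limits replay)
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $body, $secret);
    return hash_equals($expected, $sig); // constant-time comparison
}

// Constructed sample requests (not captured traffic).
$secret = 'constructed-demo-secret';
$now    = 1700000000;
$body   = 'name=alice';

$defaultCurl = ['HTTP_USER_AGENT' => 'curl/7.54.0'];
$spoofedCurl = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36'];
$ownApp      = $spoofedCurl + [
    'HTTP_X_TIMESTAMP' => (string) $now,
    'HTTP_X_SIGNATURE' => hash_hmac('sha256', $now . "\n" . $body, $secret),
];

$samples = ['default curl' => $defaultCurl, 'curl with browser UA' => $spoofedCurl, 'own app (signed)' => $ownApp];
foreach ($samples as $label => $req) {
    $signed = var_export(isSignedByOwnApp($req, $body, $secret, $now), true);
    printf("%-22s ua-guess=%-12s signed=%s\n", $label, guessClientFromUserAgent($req), $signed);
}
```

In a real handler you would pass $_SERVER, the raw body from file_get_contents('php://input') and time() instead of the constructed values.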
