How to prevent users from sending so many POST requests to a PHP file
Tags: php, mysql, security, http-post, form-submit

I have an HTML file with a form in it. When this form is submitted, it sends a POST request to a PHP file. The PHP file creates a connection to the MySQL DB and updates a row in it. The problem is that anyone can grab this POST request and send it to the PHP file at the same time, and when PHP receives these requests it performs the updates in the database and destroys the database. How can I prevent users from sending these requests? How can I change the code and make it more secure? Thanks a lot.

index.html
Submit
and
send.php
My database looks like this:
id | product | date_added
---+---------+-----------
 1 | wood    | 01.01.2020
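An application-level safeguard for the flooding scenario described in the question, added here as an example and not the asker's code: send.php counts each client's recent requests in a table before inserting, so a burst of POSTs is answered with 429 instead of filling the store table. It uses an in-memory SQLite database through PDO so it runs stand-alone with the php CLI; the request_log table, the function names, the IP addresses and the 20-per-minute limit are all assumptions.

```php
<?php
// Added example, not code from the question: a per-IP rate limit inside send.php
// so a burst of POSTs gets a 429 instead of filling the `store` table. It uses an
// in-memory SQLite database through PDO to run stand-alone; the request_log table,
// the function names, the IP addresses and the 20-per-minute limit are assumptions.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE store (id INTEGER PRIMARY KEY, product TEXT, date_added TEXT)');
    // one row per request seen, accepted or not; requested_at is a Unix timestamp
    $db->exec('CREATE TABLE request_log (ip TEXT NOT NULL, requested_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX request_log_ip ON request_log (ip, requested_at)');
    return $db;
}

// Fixed window: true when this IP already made $maxRequests requests in the
// last $windowSeconds. The attempt is recorded either way, so rejected
// requests keep counting against the client.
function isRateLimited(PDO $db, string $ip, int $now, int $maxRequests = 20, int $windowSeconds = 60): bool
{
    $cutoff = $now - $windowSeconds;
    // drop rows that can no longer influence any decision, so the table stays small
    $db->prepare('DELETE FROM request_log WHERE requested_at <= ?')->execute([$cutoff]);
    $stmt = $db->prepare('SELECT COUNT(*) FROM request_log WHERE ip = ? AND requested_at > ?');
    $stmt->execute([$ip, $cutoff]);
    $recent = (int) $stmt->fetchColumn();
    $db->prepare('INSERT INTO request_log (ip, requested_at) VALUES (?, ?)')->execute([$ip, $now]);
    return $recent >= $maxRequests;
}

// Prepared statement, as in the answer's send.php, so the value is never interpolated.
function recordProduct(PDO $db, string $product, string $date): void
{
    $db->prepare('INSERT INTO store (product, date_added) VALUES (?, ?)')->execute([$product, $date]);
}

// What send.php would do for one request; returns the HTTP status it would send.
function handlePost(PDO $db, string $ip, array $post, int $now): int
{
    if (isRateLimited($db, $ip, $now)) {
        return 429; // Too Many Requests: nothing is written
    }
    $product = trim((string) ($post['product'] ?? ''));
    if ($product === '' || strlen($product) > 100) { // length cap is an assumption
        return 400; // validate before touching the database
    }
    recordProduct($db, $product, date('d.m.Y', $now));
    return 303; // followed by header('Location: index.html')
}

// Constructed traffic: 25 POSTs from one address within the same second, then
// a single POST from another address.
$db = openDb();
$statuses = [];
for ($i = 0; $i < 25; $i++) {
    $statuses[] = handlePost($db, '203.0.113.5', ['product' => 'wood'], 1700000000);
}
$other = handlePost($db, '198.51.100.7', ['product' => 'steel'], 1700000000);
$accepted = count(array_filter($statuses, fn(int $s): bool => $s === 303));
$rejected = count(array_filter($statuses, fn(int $s): bool => $s === 429));
$rows = (int) $db->query('SELECT COUNT(*) FROM store')->fetchColumn();
printf("flooding address: %d accepted, %d rejected\n", $accepted, $rejected);
printf("other address: HTTP %d; rows in store: %d\n", $other, $rows);
```

In a real send.php, $ip would come from $_SERVER['REMOTE_ADDR'] (or a proxy-aware helper when the application sits behind a reverse proxy you control) and $now from time(); against MySQL the same statements work with an integer or DATETIME column. A fixed window is coarse but cheap, and it complements rather than replaces a network-level ban, because each request still reaches PHP and the database.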
There is a solution using fail2ban. Please refer to the fail2ban documentation. You can introduce a line in your code that adds a line to a custom log file, e.g.
/var/log/mysites/somesite.log
in such a way:
<?php
# ( we will use this function to determine the correct ip of the spammer;
#   the proxy headers are only trusted when the request really came from our
#   own reverse proxy, otherwise any client could set them and get another
#   address banned while its own address never reaches the log )
function getRealUserIp(){
    $trustedProxies = ['127.0.0.1']; // put your reverse proxy addresses here
    $remote = $_SERVER['REMOTE_ADDR'];
    if (in_array($remote, $trustedProxies, true)) {
        switch(true){
            case (!empty($_SERVER['HTTP_X_REAL_IP'])) : return $_SERVER['HTTP_X_REAL_IP'];
            case (!empty($_SERVER['HTTP_CLIENT_IP'])) : return $_SERVER['HTTP_CLIENT_IP'];
            case (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) :
                // the first entry of the list is the originating client
                return trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
        }
    }
    return $remote;
}
[...]
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, "INSERT INTO store (product, date_added) VALUES (?,?)")) {
    exit('MySQL Error');
} else {
    mysqli_stmt_bind_param($stmt, 'ss', $prod, $date);
    mysqli_stmt_execute($stmt);
    $ip = getRealUserIp(); // <<<<<<<<
    // message type 3 appends to the file without a newline, so add one;
    // the leading timestamp lets fail2ban apply findtime to each line
    error_log(date('c') . " Visitor from - $ip !\n", 3, "/var/log/mysites/somesite.log"); // <<<<<<
    header('Location: index.html');
    exit();
}
[...]
Then you have to add a section in /etc/fail2ban/jail.conf, appended at the end
[your_app]
enabled = true
port = http,https
logpath = /var/log/mysites/somesite.log
# the log records every visitor, so keep the limits loose enough for real users
maxretry = 20
findtime = 60
bantime = 600
Then you need the following in /etc/fail2ban/filter.d/your_app.conf
# Fail2Ban filter for your_app.conf, looks for failed access attempts
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Regexp to fit your logfile entry ... read the fail2ban documentation
# and customize as this is just an example
failregex = ^.* Visitor from - <HOST> !$
ignoreregex =
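A small model of the decision fail2ban makes over the log lines send.php writes, added here as an example and not part of the answer above, so the filter regex and the maxretry/findtime pair can be sanity-checked before the jail goes live. It assumes each line carries a leading ISO 8601 timestamp (fail2ban needs a date to apply findtime) followed by the answer's "Visitor from - <ip> !" text; the log lines, the IP addresses and the 20-in-60-seconds values are all constructed.

```php
<?php
// Added example, not part of the answer: a model of fail2ban's ban decision
// over the lines send.php writes. Assumes each line starts with an ISO 8601
// timestamp followed by "Visitor from - <ip> !". All log lines are constructed.

// Same shape as the filter's failregex, with <HOST> expanded to a named group.
const VISITOR_REGEX = '/^(\S+) Visitor from - (?<host>[0-9A-Fa-f.:]+) !$/';

// Returns ['ts' => unix time, 'host' => ip] for a matching line, else null.
function parseLine(string $line): ?array
{
    if (!preg_match(VISITOR_REGEX, $line, $m)) {
        return null;
    }
    $ts = strtotime($m[1]);
    return $ts === false ? null : ['ts' => $ts, 'host' => $m['host']];
}

// fail2ban bans a host once it has maxretry matches within findtime seconds.
// Returns host => timestamp of the match that triggered the ban.
function bansFor(array $lines, int $maxretry, int $findtime): array
{
    $recent = []; // host => timestamps of matches still inside the window
    $bans = [];
    foreach ($lines as $line) {
        $hit = parseLine($line);
        if ($hit === null || isset($bans[$hit['host']])) {
            continue; // unmatched line, or host already banned
        }
        $h = $hit['host'];
        $recent[$h][] = $hit['ts'];
        $recent[$h] = array_values(array_filter(
            $recent[$h],
            fn(int $t): bool => $t > $hit['ts'] - $findtime
        ));
        if (count($recent[$h]) >= $maxretry) {
            $bans[$h] = $hit['ts'];
        }
    }
    return $bans;
}

// Builds one line exactly as the logging call in send.php would write it.
function logLine(int $ts, string $ip): string
{
    return gmdate('c', $ts) . " Visitor from - $ip !";
}

// Constructed traffic: a normal visitor posting three times over ten minutes,
// and a flooder sending 30 POSTs within five seconds.
$base = 1700000000;
$lines = [];
foreach ([0, 300, 600] as $offset) {
    $lines[] = logLine($base + $offset, '198.51.100.7');
}
for ($i = 0; $i < 30; $i++) {
    $lines[] = logLine($base + 120 + intdiv($i, 6), '203.0.113.5');
}
$lines[] = 'garbage line that the filter must ignore';

// candidate values for the jail's maxretry and findtime
$bans = bansFor($lines, 20, 60);
foreach ($bans as $host => $ts) {
    echo "ban $host at " . gmdate('c', $ts) . "\n";
}
echo count($bans) . " host(s) banned\n";
```

Against the real log and filter, the same check is done with fail2ban's own tool, fail2ban-regex /var/log/mysites/somesite.log /etc/fail2ban/filter.d/your_app.conf, which reports how many lines matched and which dates were recognised. Because this log records every visitor, not only failures, the thresholds decide who gets banned: a window and count that real users never reach in normal use, yet a scripted flood hits within seconds.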
Please show us the code
@nbk sorry, I'll add it.
How exactly is a synchronous POST request supposed to "destroy" the database?
@gre_gor I mean, for example, I could write a Python script that randomly sends 1000 POST requests to the file. It would be filled with random garbage.