how to prevent PHP's file_get_contents(

Published 2019-02-19 19:15

Question:

one of my PHP pages returns data like this:

<?php
  //...
  echo "json string";
?>

but someone else uses file_get_contents() to get my data and uses it on another website.

can anybody tell me what I can do to prevent such a thing from happening?

i considered whether i can get the request's domain name and echo something else, but i don't know the function to get the request's domain name. And if the request is sent by a server, that will be unhelpful. My English is poor, so please bear with me while i express my doubts.

Answer 1:

you can also use sessions. if somewhere in your application, before the user gets the json data, you start a session, then in the page where you are outputting json data you can check for the session variable. this way only users that have passed through the session generator page can view your output. suppose you have a page A.php that generates the session. use this code before outputting anything in that page.

session_start();
$_SESSION['approvedForJson'] = true;

then in the page where you are outputting json data, before outputting anything, call session_start() again. the beginning of your PHP code is a good place to call it. then, before outputting the json data, check whether the session variable for approved users exists or not.

if ( isset($_SESSION['approvedForJson']) && $_SESSION['approvedForJson'] ) {
  echo "json data";
} else {
  // bad request: the client never passed through A.php, so refuse it
  http_response_code(403);
}


Answer 2:

You can use $_SERVER['REMOTE_ADDR'] to get the client's address. You can also check $_SERVER['HTTP_REFERER'] and block external requests that way, but it's less reliable. There are probably a few other techniques involving $_SERVER that you can try.



Answer 3:

You're fighting an uphill battle here. I am assuming your server-side process that responds in json is being consumed via javascript in your users' browsers... so there is no easy way to encrypt it. You might try some of the techniques used to prevent xspf (see http://en.wikipedia.org/wiki/Cross-site_request_forgery ). If you developed the client to pass along some session token that is unique per client you could reduce some of the problem. But chances are whoever is stealing your data is gonna figure out whatever mechanism you put in place ... assuming this is some sort of ajax type thing. If it's a server-server thing then, as sli mentions, setting up some restrictions based on the remote ip would help, plus setting up some sort of API authentication tokens would help even more (see oauth for some pointers).

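An added example (not code from any of the answers above) that combines the session check from Answer 1 with the per-client token from Answer 3: the page that legitimately embeds the data issues a random token into the session, and the JSON endpoint refuses any request that does not present it. The file names and the `X-Json-Token` header name are assumptions.

```php
<?php
// Added example: per-session token gate for a JSON endpoint.
// Assumed layout: page_a.php embeds the data, data.php serves it.
declare(strict_types=1);

// ---- page_a.php: call this before any output, then embed the returned
// token in the page so the site's own JavaScript can send it back in an
// "X-Json-Token" request header (header name is an assumption). ----
function issue_token(): string
{
    session_start();
    if (empty($_SESSION['json_token'])) {
        // 32 random bytes, hex-encoded; the value lives server-side in the session
        $_SESSION['json_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['json_token'];
}

// ---- data.php: replaces the unconditional `echo "json string";` ----
function serve_json(array $payload): void
{
    session_start();
    $expected = $_SESSION['json_token'] ?? '';
    $sent     = $_SERVER['HTTP_X_JSON_TOKEN'] ?? '';

    // A bare file_get_contents() from another server carries no session
    // cookie and no token, so both values are empty and the request fails.
    // hash_equals() compares in constant time.
    header('Content-Type: application/json');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        return;
    }
    echo json_encode($payload);
}
```

As Answer 3 notes, this only raises the cost: anyone who can load page_a.php in a browser or script can read the token and replay it, so the gate is a deterrent, not access control.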


Answer 4:

You could also use .htaccess with Apache to block every external request to the page if it gets called internally, or block every request that is not from your domain:

Google search thingie

EDIT
You could also use some php file which includes the file which cannot be read. So for example you have file.php:

<?php
 // Whitelist of files that may be included; anything else is ignored.
 $allowedFiles = ['somefile.php', 'someotherFile.php', 'jsonReturnFile.php'];
 // Missing parameter defaults to '' instead of raising an undefined-index notice.
 $file = $_GET['file'] ?? '';
 // Strict comparison so only an exact string match passes the whitelist.
 if (in_array($file, $allowedFiles, true)) {
  include("include/" . $file);
 }
?>

Then you can allow file_get_contents() on that file and write a RewriteRule in your .htaccess to disallow any request to the include/ folder.

RewriteRule ^include/ - [F,NC]

That will return a 403 forbidden error for a request to that directory or any file in the directory.

Then you can do your JSON request to something like: file.php?file=jsonReturnFile.php&someotherParamReadByJsonFile=1

And when someone tries to get the file contents for the JSON file they will get the forbidden error, and getting the file contents for the include.php won't return anything useful.



Tags: php http