1. 验证码
2. 防止外站提交数据：验证数据提交页面的来源是否为本站（同理，也可随机化 input 的 name）。
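<?php
session_start();

// Reject the submission unless it carries the token that was handed out with
// the form: the token lives in this visitor's session, so a page on another
// site cannot know it and its auto-submitted copy of the form is refused.
if (isset($_POST["submit"]) && $_POST["submit"] === "go") {
    //check token
    // Read both sides defensively: with the original `$_POST["token"] == $_SESSION["token"]`
    // a request arriving before any token was issued compared null == null and passed.
    $sent  = (isset($_POST["token"]) && is_string($_POST["token"])) ? $_POST["token"] : "";
    $saved = (isset($_SESSION["token"]) && is_string($_SESSION["token"])) ? $_SESSION["token"] : "";
    // hash_equals: strict, constant-time comparison of the two strings.
    if ($saved !== "" && hash_equals($saved, $sent)) {
        //continue processing….
    } else {
        //stop all processing! remote form posting attempt!
    }
}

// Issue a fresh token for the next request. random_bytes() is a CSPRNG;
// md5(uniqid(rand(), true)) is time-derived and guessable.
// Note: the session token is replaced on every page load, so only the most
// recently rendered form for this session will validate.
$token = bin2hex(random_bytes(16));
$_SESSION["token"] = $token;
?>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8"); ?>" method="post">
    <!-- PHP_SELF echoes the request path, which the requester chose; escape it like any other input. -->
    <p><label for="name">Name</label>
    <input type="text" name="name" id="name" size="20" maxlength="40"/></p>
    <input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8"); ?>"/>
    <p><input type="submit" name="submit" value="go"/></p>
</form>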
3. 提交前在客户端加密（如加密第 2 点中的 token），后台解密。参见：http://hudeyong926.iteye.com/blog/1594892
4. 按 IP 及 IP 段进行访问限制
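<?php
/**
 * Simple IPv4 deny list for the current request.
 *
 * Each entry of $block_ip is a dotted IPv4 pattern where any octet may be
 *   - a literal number          "192.168.1.1"
 *   - an inclusive a-b range    "210.10.2.1-20"
 *   - a wildcard                "222.34.4.*"
 *
 * The original implementation never matched anything as intended: it read a
 * non-existent ->start_ip property from each string entry, called the helper
 * recursively without $this->, and built unanchored patterns that required a
 * trailing dot. The patterns below are anchored to the whole address.
 */
class block_ip
{
    /** @var list<string> deny-list entries in the form described above */
    public $block_ip = array("192.168.1.1", "210.10.2.1-20", "222.34.4.*");

    function __construct()
    {
    }

    function __destruct()
    {
    }

    /**
     * Turn one deny-list entry into an anchored regex over a dotted IPv4 string.
     *
     * @param string $str entry such as "10.0.1-5.*"
     * @return string     regex, e.g. "/^10\.0\.(?:1|2|3|4|5)\.[0-9]{1,3}$/"
     */
    private function makepregip($str)
    {
        $parts = array();
        foreach (explode(".", trim((string) $str)) as $octet) {
            if ($octet === "*") {
                // wildcard octet
                $parts[] = "[0-9]{1,3}";
            } elseif (strpos($octet, "-") !== false) {
                // a-b range: spell out every value as an alternation; the group is
                // bounded by \. or $ on both sides, so "1-20" cannot match "100".
                $bounds = explode("-", $octet, 2);
                $lo = (int) $bounds[0];
                $hi = (int) $bounds[1];
                if ($lo > $hi) {
                    list($lo, $hi) = array($hi, $lo);
                }
                $parts[] = "(?:" . implode("|", range($lo, $hi)) . ")";
            } else {
                $parts[] = preg_quote($octet, "/");
            }
        }
        return "/^" . implode("\\.", $parts) . "$/";
    }

    /**
     * Compile every deny-list entry.
     *
     * @return list<string> anchored regexes, one per non-empty entry
     */
    private function getallblockip()
    {
        $ip_list = array();
        foreach ((array) $this->block_ip as $entry) {
            // Entries are plain strings; an object carrying ->start_ip (what the
            // original code expected) is accepted too for compatibility.
            if (is_object($entry) && isset($entry->start_ip)) {
                $entry = $entry->start_ip;
            }
            $entry = trim((string) $entry);
            if ($entry !== "") {
                $ip_list[] = $this->makepregip($entry);
            }
        }
        return $ip_list;
    }

    /**
     * Whether the given address matches any deny-list entry.
     *
     * @param string $ip dotted IPv4 address; anything else (empty, "unknown",
     *                   IPv6) matches no entry and is therefore not blocked,
     *                   matching the original allow-on-unknown behaviour
     * @return bool
     */
    public function is_blocked($ip)
    {
        $ip = trim((string) $ip);
        if ($ip === "") {
            return false;
        }
        foreach ($this->getallblockip() as $pattern) {
            if (preg_match($pattern, $ip) === 1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Enforce the deny list for the current request.
     *
     * Prints "ip error" and terminates the script when the client address is
     * listed; returns true otherwise.
     *
     * @return true
     */
    public function checkip()
    {
        // obtain the client address
        $ip = $this->get_client_ip();
        // a listed address ends the request here
        if ($this->is_blocked($ip)) {
            echo "ip error";
            exit;
        }
        return true;
    }

    /**
     * Address of the connecting client, or "unknown".
     *
     * Only REMOTE_ADDR is taken: it is set by the web server from the TCP
     * connection. Client-IP / X-Forwarded-For are request headers chosen by the
     * sender, so honouring them (as the original did) would let a visitor present
     * an address that is not on the list. Behind a reverse proxy, have the proxy
     * or a trusted-proxy layer establish the real address before this check runs.
     * The original also used lowercase getenv()/$_server names, which resolve to
     * nothing on case-sensitive systems.
     *
     * @return string
     */
    private function get_client_ip()
    {
        if (isset($_SERVER["REMOTE_ADDR"]) && $_SERVER["REMOTE_ADDR"] !== ""
            && strcasecmp($_SERVER["REMOTE_ADDR"], "unknown") !== 0) {
            return trim($_SERVER["REMOTE_ADDR"]);
        }
        $env = getenv("REMOTE_ADDR");
        if ($env !== false && $env !== "" && strcasecmp($env, "unknown") !== 0) {
            return trim($env);
        }
        return "unknown";
    }
}

// Run the check for the current request; a listed visitor gets "ip error" and the script exits.
$oblock_ip = new block_ip();
$boolean = $oblock_ip->checkip();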