PHP安全性，仅允许来自特定URL的$ _REQUEST

I have a simple PHP script which accepts a $_REQUEST from a javascript Ajax call and adds a post to the DB

But I need to ensure that only javascript requests from my domain is allowed, to prevent someone from submitting thousands of junk posts to my DB.

My question is, how do I ensure that my script only accepts $_REQUEST from my domain?

Thanks

The short answer is: You can't.

It sounds like you need to introduce the usual defences against CSRF (i.e. to generate a random security token and store it in a cookie (or session) as well as in your HTML document. You then submit the token as part of your request and compare it to the one in the cookie. If they match, then it is an intentional post from the user and not their browser being tricked into making the request by another site).

This won't stop people submitting "thousands of junk posts" though. You also need to authenticate users and check they are authorised to make a submission before allowing it to go through.

You can consider also including rate limiting checks and spam filtering.

You use a 'secret' key, a response and a remote IP to validate.

Google has provided this for you

• https://developers.google.com/recaptcha/docs/verify
• https://developers.google.com/recaptcha/docs/display
• https://developers.google.com/recaptcha/docs/invisible#auto_render

works like a charm. Once you implement you get an ADMIN panel here:

• https://www.google.com/recaptcha/admin

At which time you set the Domains to be ONLY your URL's.

Which will do what you want and make sure the form validates from your domain using both keys from server side and client side integration. If someone try's to generate the "key" using their domain recaptcha will detect it as spam. (see the verify link above)