PHP: preventing simulated (mock) requests

1. Some websites track the login frequency of an IP address. After several logins, the user must enter a verification code (CAPTCHA). A cURL-simulated submission would then have to analyze the verification-code image, which costs a lot of time. The purpose, of course, is to stop logins from being brute-forced and user data from leaking.

2. Another approach is to store a generated random code directly in the session and also place it in a hidden input field of the form; this is much weaker than a verification code.

3. Note that JavaScript itself cannot submit across domains. This is not because it is technically impossible, but a deliberate restriction to prevent others from maliciously stealing user information, for example by getting the user to open their site, loading a legitimate web page in one iframe, and then reading it from another iframe.

To allow cross-domain Ajax access, set:

    header("Access-Control-Allow-Origin: *"); // cross-domain permission setting: allow every origin

To prevent cross-domain Ajax access from other origins, set:

    header("Access-Control-Allow-Origin: http://www.test.com"); // only test.com may submit data cross-domain

4. If you want to prevent simulated requests from PHP, such as cURL POST requests, you can require that the request be an Ajax request before processing it:

    // Check whether this is an Ajax request, to stop others from grabbing data with a cURL POST
    if (isset($_SERVER["HTTP_X_REQUESTED_WITH"]) && strtolower($_SERVER["HTTP_X_REQUESTED_WITH"]) === "xmlhttprequest") {
        // handle business logic
    }

 

Complete solution:

    // Only allow this site to submit data. On the front end this blocks cross-domain Ajax (JavaScript cannot cross domains on its own).
    // The header value must be an origin (scheme://host[:port]); a URL with a path such as ".../cet" never matches the browser's Origin.
    header("Access-Control-Allow-Origin: http://leshen.applinzi.com");

    // Check whether this is an Ajax request; on the back end this stops others from grabbing data with a cURL POST
    if (isset($_SERVER["HTTP_X_REQUESTED_WITH"]) && strtolower($_SERVER["HTTP_X_REQUESTED_WITH"]) === "xmlhttprequest") {
        // handle business logic
    } else {
        echo "we caught you! you have no access!";
    }
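The origin allowlist (point 3), the Ajax marker (point 4) and the session-bound hidden token (point 2) combined into one request gate, as an added example that is not code from the original post; the hostnames in ALLOWED_ORIGINS and the csrf_token field name are assumptions.

```php
<?php
// Added example, not from the original post: gate a POST with the three checks the
// text describes. ALLOWED_ORIGINS and the csrf_token field name are assumptions.
// Origins allowed to call this endpoint cross-domain. Echo back only a listed origin
// (never "*"); the header takes an origin, scheme://host[:port], not a URL with a path.
const ALLOWED_ORIGINS = ['http://www.test.com', 'http://leshen.applinzi.com'];
function corsHeaderFor(?string $origin): ?string
{
    return ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) ? $origin : null;
}
function isAjaxRequest(array $server): bool
{
    // Marker that XMLHttpRequest libraries add. Any client, cURL included, can set it,
    // so it filters naive scripts only and must not be the sole check.
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}
function issueCsrfToken(array &$session): string
{
    // The random code from point 2: generated once per session, placed in a hidden field.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
function csrfTokenMatches(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? null;
    $given    = $post['csrf_token'] ?? null;
    // Constant-time compare; non-strings (e.g. csrf_token[]=x arrays) are rejected.
    return is_string($expected) && is_string($given) && hash_equals($expected, $given);
}

session_start();
if (($allowed = corsHeaderFor($_SERVER['HTTP_ORIGIN'] ?? null)) !== null) {
    header('Access-Control-Allow-Origin: ' . $allowed);
    header('Vary: Origin'); // response differs per origin; keep caches from mixing them
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Render the form; the hidden field carries the session token.
    $token = htmlspecialchars(issueCsrfToken($_SESSION), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="csrf_token" value="' . $token . '"></form>';
    exit;
}
if (!isAjaxRequest($_SERVER) || !csrfTokenMatches($_SESSION, $_POST)) {
    http_response_code(403);
    exit('we caught you! you have no access!');
}
// handle business logic
```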
