检测用户是否修改url

检测思路:
在url用参数和key上生成一段hash值,如果参数别修改则生成的hash值和正确的hash值对不上,则验证失败

使用的加密类库:
PEAR2里的Crypt_HMAC2,需要下载引入

用户url列表,生成hash值
cryptForm.php

<?php
	require( 'D:\PHP\PEAR\Crypt\HMAC2.php' );

	#生成hash值的key
	define( 'HASH_KEY' , 'Test Hash Key' );
	
	#生成hash值类
	function createHash( $paramsArray )
	{
		$data = '';
		$ret = array();
		
		#构造加密字符串
		foreach( $paramsArray as $key => $value )
		{
			$data .= $key . $value;
		}
		
		$cryptor = new Crypt_HMAC2( HASH_KEY , 'md5' );
		
		$hash = $cryptor->hash( $data );
		
		return $hash;
	}
?>
<html>
<head>
</head>
<body>
	<ul>
		<li>
			<a href="validateHash.php?id=1&hash=<?php echo createHash( array( 'id' => 1 ) ); ?>">ChatLiu</a>
		</li>
		<li>
			<a href="validateHash.php?id=2&hash=<?php echo createHash( array( 'id' => 2 ) ); ?>">BruceLee</a>		
		</li>
	</ul>
</body>
</html>

生成的页面为

<html>
<head>
</head>
<body>
	<ul>
		<li>
			<a href="validateHash.php?id=2&amp;hash=5dbd509b6e9dd26a8d3c7d1a5e3cc4e5">ChatLiu</a>
		</li>
		<li>
			<a href="validateHash.php?id=2&amp;hash=84ecf3a0d5859281e074ee58d4f1d51d">BruceLee</a>		
		</li>
	</ul>

</body>
</html>

点击url后的验证类

<?php
	require( 'D:\PHP\PEAR\Crypt\HMAC2.php' );

	define( 'HASH_KEY' , 'Test Hash Key' );
	
	#验证用户是否修改url类
	function validateHash( $paramsArray , $userHash )
	{
		$data = '';
		$ret = array();
		
		#构造加密字符串
		foreach( $paramsArray as $key => $value )
		{
			$data .= $key . $value;
		}
		
		$cryptor = new Crypt_HMAC2( HASH_KEY , 'md5' );
		
		$hash = $cryptor->hash( $data );
		
		#验证url传过来的hash值是否与加密hash值相等
		return $hash == $userHash ? TRUE : FALSE;
	}
	
	if( isset( $_GET['id'] ) && isset( $_GET['hash'] ) )
	{
		$id = $_GET['id'];
		$hash = $_GET['hash'];
		
		$result = validateHash( array( 'id' => $id ) , $hash );
		
		if( $result )
		{
			echo 'good guy, you didn\'t touch my url';
		} else
		{
			echo 'bad guy, don\'t touch my url';
		}
	} else
	{
		die( 'parameter missed' );
	}
?>

若url未被修改,返回

引用

good guy, you didn't touch my url

如果用户修改了id,则传入和hash和正确的hash对不上,返回

引用

bad guy, don't touch my url