During registration on a PHP website, the SMS interface is being hit with simulated POST requests to flood SMS messages. How can this problem be solved?
It’s not too much trouble to add a verification code.
There are two things I know:
1. Add csrf_token to the page, and the CI framework of PHP will replace it.
2. Access frequency limit (the same as IP limit, the same as number limit), etc.
Instead, a token is required to send a message. For example, add a picture verification code.
Add a limit. You can only send it once a minute, up to 50 times a day. This is also the practice of most websites.
csrf_token: it can’t be broken. I can use software to visit the page that generates the token first.
One token per request, valid once, with an expiration time set. I do the same now. A failed or missing token verification is treated as an illegal submission. For more safety, please refer to the friends above. These are all very common means; listen to the other friends.
1. Add token at the front end (graph validation)
2. Set the request interval of 60-100 seconds for the same number.
3. Set the number of requests for the same number in a day (6-8)
The above three steps can block most robots.
Finally, HTTPS transmission can be considered.
In addition, we recommend a short message API for developers: http://www.shsixun.com
At present, there are several new graphic verification schemes on the market, which are still good. You can take a look at this: https://luosimao.com/service/captcha
Centralized common practices to prevent attacks:
1. When requesting the SMS verification code interface, add the graphic verification code. Only when the graphic verification code is input correctly can the request be sent. This is the most common practice of Internet companies.
2. Process verification: users can only request the SMS verification code interface after they have registered and obtained a user name and password, which is not commonly used.
3. It is required to input a large amount of registration data before requesting the SMS verification code interface, which is easy to use on the PC side and not recommended on the mobile side.
4. The server sets the time interval for continuous requests of the same number, for example, one time in 120 seconds.
5. IP, mobile device name, limit. How many times can an IP or device request a day.
6. Limit the number of daily requests for the same mobile phone number.
The most commonly used method is 1 + 6, which can basically solve the problem of malicious access to the SMS interface.
It is recommended to use the Lexin SMS interface, 1 with 13 years of operation experience: [http://www.lx598.com/]
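The server-side checks the answers above keep returning to (a one-time token with expiry, a minimum interval per number, daily caps per number and per IP), combined in one place. This is an added example, not code from any poster in the thread: `SmsSendGuard` and its methods are hypothetical names, the in-memory arrays stand in for a shared store, and the IP cap and token lifetime are assumed values.

```php
<?php
// Added example (PHP 8+). SmsSendGuard is a hypothetical name; the arrays stand in
// for a shared store such as Redis or a database table.
final class SmsSendGuard
{
    private array $tokens = [];   // token => expiry timestamp
    private array $lastSent = []; // phone => time of last accepted send
    private array $daily = [];    // "day|kind|value" => accepted sends that day
    public function __construct(
        private int $interval = 60,   // seconds between sends to one number
        private int $perPhoneDay = 6, // daily cap per number
        private int $perIpDay = 50,   // daily cap per IP, assumed value
        private int $tokenTtl = 300   // token lifetime in seconds, assumed value
    ) {}
    // Issue only after the picture verification code was answered correctly.
    public function issueToken(int $now): string
    {
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = $now + $this->tokenTtl;
        return $token;
    }
    // Returns 'ok' or the reason for refusal; a refused request sends nothing.
    public function check(string $token, string $phone, string $ip, int $now): string
    {
        $expiry = $this->tokens[$token] ?? null;
        unset($this->tokens[$token]); // one use only, valid or not
        if ($expiry === null || $expiry < $now) {
            return 'bad_token';
        }
        if ($now - ($this->lastSent[$phone] ?? 0) < $this->interval) {
            return 'too_soon';
        }
        $day = gmdate('Y-m-d', $now);
        $caps = ["$day|phone|$phone" => $this->perPhoneDay, "$day|ip|$ip" => $this->perIpDay];
        foreach ($caps as $key => $cap) {
            if (($this->daily[$key] ?? 0) >= $cap) {
                return 'daily_limit';
            }
        }
        $this->lastSent[$phone] = $now;
        foreach (array_keys($caps) as $key) {
            $this->daily[$key] = ($this->daily[$key] ?? 0) + 1;
        }
        return 'ok';
    }
}

$g = new SmsSendGuard(); $t = 1700000000; // constructed inputs for a short demo
echo $g->check($g->issueToken($t), '13800000000', '203.0.113.5', $t), "\n";
echo $g->check($g->issueToken($t + 10), '13800000000', '203.0.113.5', $t + 10), "\n";
```

Counters are incremented only for accepted sends, and the token is consumed before any other check so a replayed or expired token never reaches the SMS provider.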