通过 Get 传递 MySQL 唯一 ID 时的 PHP 安全性
假设我有一个网站,主页上有各种书籍的链接。
<a href='books.php?id=1'>Book 1</a>
<a href='books.php?id=2'>Book 2</a>
<a href='books.php?id=4'>Book 3</a>
书籍 1-3 在我的系统中,但是 id=3 是另一个目录的一部分,我没有通过网站的这一部分显示或授权。 因此,如果用户单击 Book 3,然后将 id=4 更改为 id=3,他们可以简单地提取记录(假设我没有适当的会话检查)。
有没有一种好方法可以掩盖您在尝试提取特定记录时传递的 get id? 似乎只传递 id 就可以很容易地请求页面,如果没有适当的查询和会话检查,您将能够得到另一个结果。
有一个更好的方法吗?
干杯
Lets say I have a website with links to various books on my main page.
<a href='books.php?id=1'>Book 1</a>
<a href='books.php?id=2'>Book 2</a>
<a href='books.php?id=4'>Book 3</a>
Books 1-3 are in my system, however id=3 is apart of another catelog that I'm not showing or authorizing through this section of the site. So if a user clicked on Book 3, then changed the id=4 to id=3, they could simply pull up the record (assuming I don't have proper session checking).
Is there a good way to obscure the get id that you're passing when trying to pull a specific record? it seems by passing just the id would be easy to request pages that, without proper querying and session checking, you would be able to get another result.
Is there a better way to do this?
Cheers
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
您可能可以使用
md5
或其他方式对您的 id 或其他内容进行哈希处理,以使其更难以手动输入,但这确实不是一个好主意。您应该做的是在
books.php
脚本中实现服务器端安全性,以防止用户未经授权的访问。 这是保证您网站安全的唯一方法。You probably could hash your id or something using
md5
or whatever to make it harder to manually enter, but that's really not a good idea.What you should do is to implement server side security in your
books.php
script that will prevent users from unauthorized access. That's the only thing that will keep your site secure.只需检查id是否允许显示即可。
使用 get 的一个好习惯是检查您可能拥有的任何参数。
Just check id if it is allowable to display or not.
With get's a good practice is when you check whatever parameters you may have.
只是大声思考:
执行一个 php 函数或 if 语句:
just thinking out loud:
do a php function or if statement that:
您肯定需要检查用户是否有权查看该页面。
但是,如果您将不同目录的 id 分开怎么办? URL 可能类似于 books.php?cat=foo&id=1。 这不一定会让事情变得更加安全,但它会防止人们意外地找到错误的页面并更好地组织事情。
You definitely need to check whether the user is allowed to view the page.
But, what if you separated the ids for the different catalogs? URL's could look like books.php?cat=foo&id=1. That wouldn't necessarily make things any more secure, but it would prevent people from accidentally finding the wrong pages and organize things a little better.
您需要始终、始终检查用户是否能够访问该页面。 这是验证您没有显示错误数据的唯一方法,因为有人总是可以修改他们要访问的链接,即使您以某种方式隐藏它。
无法逃避它。 您始终需要验证该记录是否可以访问。
You need to always, always, check that user is able to access the page. That is the only way to verify that you don't show wrong data, because someone can always modify the link they are going to, even if you somehow hide it.
There is just no escaping it. You always need to verify that the record can be accessed.