使用 ajax 进行防黑客 html 编码
我的网页上有很多列表,例如待办事项列表、购物列表等。我正在使用 AJAX 来添加或删除项目。例如,对于待办事项列表,我的 HTML 如下所示:
<tr id="todo_userttypea_23"> <td>name</td><td>Delete</td></tr>
请注意,如果用户按删除键,那么我将删除该行。
我获取该行的 id,然后将其分解以查找要执行的操作以及要删除的 id。
但我发现,如果我使用 firebug,那么我可以动态地将 id 更改为任何数字,并且我发现可以通过编辑 HTML 来删除任何 id,即使不属于该用户。
我应该怎么做才能防止这种情况发生?
I have many lists e.g. a todo list, a shopping list etc. on my web page. I am using AJAX to add or delete the items. For example, for a todo list my HTML is like:
<tr id="todo_userttypea_23"> <td>name</td><td>Delete</td></tr>
Note if the users press delete then I am deleting that row.
I get the id of the row and then break it to find which operation to perform and which id to delete.
But the I have found that if I use firebug then I can change the id dynamically to any number and I have found that it is possible to delete any id, even if does not belong to that user, by editing the HTML.
What should I do to prevent this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
主要原则是“永远不要相信传入的数据”。 您从外部发送的任何数据都可以被操纵 - 参数、标头、引用地址,一切。一个良好且安全的系统不信任其中任何一个。
如果您有多个用户在同一个数据库上工作,您可能需要实施一个授权系统,明确定义允许谁对哪条记录执行什么操作。
这通常是使用某种基于会话的登录系统来完成的,该系统基于 PHP、Ruby、ASP 或 Perl 等脚本语言之一。有可用的预构建解决方案。
The main principle is "never trust incoming data". Any data you get sent from outside can be manipulated - Parameters, Headers, Referers, everything. A good and safe system does not trust any of these.
If you have multiple users working on the same data base, you will probably need to implement an authorization system that defines clearly who is allowed to do what to which record.
That is usually done using a session-based login system of some sort, based on one of the scripting languages like PHP, Ruby, ASP or Perl. There are pre-built solutions available.
我认为您将 Javascript 功能与安全性混淆了。如果您的用户不允许删除 AuntMarysShoppingList#32,那么无论客户端请求什么,服务器都不应该允许他删除。
你可以混淆你的 JS 代码,但在某种程度上,你必须假设你的用户是一个诚实的经纪人,并且不会不遗余力地删除他们拥有的东西(困难的方法是通过黑客攻击 JS)无论如何删除的权利。
I think you are confusing Javascript functionality with security. If your user is not allowed to delete AuntMarysShoppingList#32, then the server shouldn't let him no matter what the client requests.
You can obfuscate your JS code, but on some level, you have to assume your user is an honest broker, and isn't going to go out of their way to delete something (the hard way, by hacking JS) that they have the rights to delete anyway.
您需要在服务器端添加授权检查。请求是否是ajax 或其他方式都无关紧要。
You need to add Authorization checking on the server side. Whether the request is ajax or otherwise is irrelevant.
也许您应该在删除 ajax 请求时检查执行删除操作的用户是否有权删除该项目。
Perhaps you should check to see, on a delete ajax request, whether the user doing the deletion is permitted to delete the item.
您基本上在服务器端上需要类似的东西:
You basically need something like this on the server-side: