编辑评论 - javascript、php 协同工作
大家好,我面临一个相当严重的安全错误。让我首先概述我的代码。
<li class="comment">
<form action="" method="POST" name="edit-form" class="edit-area">
<textarea style="width: 100%; height: 150px;"><?php echo $response->comment; ?></textarea>
</form>
<div class="comment-area" style="padding-top: 2px"><?php echo (parseResponse($response->comment)); ?></div>
<p class="ranking">
<?php if ($response->user_id == $user_id) : ?>
<a href="" class="editting" data-user="<?php echo md5(convert($response->user_id)); ?>" data-edit="<?php echo $response->short; ?>">Edit</a> • <a href="#d">Delete</a>
<?php else : ?>
<a href="#">Like (<?php echo $response->likes; ?>)</a> • <a href="#">Dislike (<?php echo $response->dislikes; ?>)</a>
<?php endif; ?>
</p>
</li>
这是我体内的内容,这是相关的 JS
$('.editting').bind('click', function(event) {
var num = $(this).data('edit');
var user = $(this).data('user');
if ($(this).hasClass('done')) {
var newComment = $('#comment-' + num + ' .edit-area textarea').val();
var dataString = 'newComment='+ newComment + '&num=' + num;
if(newComment == '')
{
alert('Comment Cannot Be Empty!');
}
else
{
$.ajax({
type: "POST",
url: "edit.php",
data: dataString,
success: function(){}
});
$('#comment-' + num + ' .edit-area').slideDown('slow', function() {
$('#comment-' + num + ' .edit-area').addClass('invisible');
});
$('#comment-' + num + ' .comment-area').slideUp('slow', function() {
$('#comment-' + num + ' .comment-area').removeClass('invisible');
});
$(this).removeClass('done');
$(this).html('Edit');
}
}
else {
$('#comment-' + num + ' .comment-area').slideDown('slow', function() {
$('#comment-' + num + ' .comment-area').addClass('invisible');
});
$('#comment-' + num + ' .edit-area').slideUp('slow', function() {
$('#comment-' + num + ' .edit-area').removeClass('invisible');
});
$(this).html('Done');
$(this).addClass('done');
}
return false;
});
,工作正常,但我遇到了问题。如果用户找到评论(不是他们自己的)并使用像 firebug 这样的插件,他们可以用另一个替换 response->short ,并编辑任何评论。当然,在 edit.php 中,我可以根据响应表检查短路并查看用户是否签出,但我想找到一种不显示文本区域的方法,除非该用户确定该响应。
这可能吗?
提前致谢, 将要
Hey all, I am facing a rather serious security error. Let me first outline my code.
<li class="comment">
<form action="" method="POST" name="edit-form" class="edit-area">
<textarea style="width: 100%; height: 150px;"><?php echo $response->comment; ?></textarea>
</form>
<div class="comment-area" style="padding-top: 2px"><?php echo (parseResponse($response->comment)); ?></div>
<p class="ranking">
<?php if ($response->user_id == $user_id) : ?>
<a href="" class="editting" data-user="<?php echo md5(convert($response->user_id)); ?>" data-edit="<?php echo $response->short; ?>">Edit</a> • <a href="#d">Delete</a>
<?php else : ?>
<a href="#">Like (<?php echo $response->likes; ?>)</a> • <a href="#">Dislike (<?php echo $response->dislikes; ?>)</a>
<?php endif; ?>
</p>
</li>
is what I got in my body, and here's the relevant JS
$('.editting').bind('click', function(event) {
var num = $(this).data('edit');
var user = $(this).data('user');
if ($(this).hasClass('done')) {
var newComment = $('#comment-' + num + ' .edit-area textarea').val();
var dataString = 'newComment='+ newComment + '&num=' + num;
if(newComment == '')
{
alert('Comment Cannot Be Empty!');
}
else
{
$.ajax({
type: "POST",
url: "edit.php",
data: dataString,
success: function(){}
});
$('#comment-' + num + ' .edit-area').slideDown('slow', function() {
$('#comment-' + num + ' .edit-area').addClass('invisible');
});
$('#comment-' + num + ' .comment-area').slideUp('slow', function() {
$('#comment-' + num + ' .comment-area').removeClass('invisible');
});
$(this).removeClass('done');
$(this).html('Edit');
}
}
else {
$('#comment-' + num + ' .comment-area').slideDown('slow', function() {
$('#comment-' + num + ' .comment-area').addClass('invisible');
});
$('#comment-' + num + ' .edit-area').slideUp('slow', function() {
$('#comment-' + num + ' .edit-area').removeClass('invisible');
});
$(this).html('Done');
$(this).addClass('done');
}
return false;
});
which works fine, but i'm having an issue. If the user finds a comment (not by them) and uses a plugin like firebug, they can replace the response->short with another, and edit ANY comment. Of course, within edit.php, I could check the short against the response table and see if the user checks out, but i'd like to find a way to not show the text area unless that response is for-sure by that user.
Is this possible?
Thanks in advance,
Will
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
当然......但它不会阻止用户/修复您的安全漏洞。要解决此问题,请检查服务器端,始终仔细检查服务器端应安全的任何内容,永远不要相信您的输入。尝试执行恶意操作的用户不会被 JavaScript 中的任何内容阻止...向您的服务器发送他们不应该做的数据正是他们会做的事情第一的。
Sure...but it'll do nothing to stop the user/fix your security hole. To fix this check server-side, always double-check anything that should be secure server-side, never trust your input. The users trying to do something malicious won't be stopped by anything in JavaScript...sending data to your server that they shouldn't is exactly what they'll do first.
就像尼克说的;永远不要相信 JavaScript 测试!
它可能适用于“普通用户”,但当涉及到避免黑客攻击时,您不妨要求黑客单击一个按钮来“证明”他的输入是有效的!
您的验证器脚本正在其他人的计算机上运行,因此他/她将能够操纵它(甚至使用 NoScript 等将其转变)
Like Nick said; never ever trust a JavaScript test!
It will/might work for "regular users", but when it comes down to avoiding hacks, you might as well ask the hacker to click a button to "prove" his input is valid!
Your validator script is running on someone else's computer, so he/she will be able to manipulate it (or even turn it of using NoScript etc. )