对 URL 字符串中的 ID 进行加密/编码

发布于 2024-10-16 09:33:42 字数 447 浏览 6 评论 0原文

只是想在我的网站上做一些安全工作,并尝试找出确保 ID 安全的最佳途径。

例子: http://localhost/page.php?id=90 到: http://localhost/share/22349234987sdsdf9sdf87423498asf9

我正在使用 HTACCESS 来执行共享部分。但想隐藏“90”并尝试阻止任何人仅添加随机数字来尝试接收不同的响应。

关于如何创建这样的东西,或者是否已经存在可以很好地实施的东西,有什么想法吗?

安全是一个因素,所以只是想找到最好的解决方案......

Just trying to do some security on my website and trying to figure out the best route to secure an ID.

EXAMPLE:
http://localhost/page.php?id=90
TO:
http://localhost/share/22349234987sdsdf9sdf87423498asf9

I am using HTACCESS to do the share part. But would like to hide the '90' and try to discourage anyone from just adding random numbers to try and receive a different response.

Any thoughts on how to create something like this, or if something already exists that works well with implementation?

Security is a factor, so just trying to find the best solution out there...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

倒带 2024-10-23 09:33:42

隐藏 ID 是为了模糊性,而不是为了安全。

如果您想要更好的模糊性,请查看 PHP 中的 mcrypt 函数。确保在编码和解码之前附加盐,否则很容易猜测加密/解密。

请注意,其他人可能仍然会偶然发现您的 URL,从而彻底击败这一点。如果您也需要安全性,我会在 HTTPS 上使用某种形式的 HTTP 身份验证。

Hiding the ID is obscurity, not security.

If you want good obscurity, look at the mcrypt functions in PHP. Make sure to append a salt before encoding and decoding, otherwise it will be easy to guess the encryption/decryption.

And be aware that anyone else might still stumble across your URLs, defeating this entirely. I'd use some form of HTTP Auth over HTTPS if you want security, too.

吃兔兔 2024-10-23 09:33:42

我的一个朋友实现了一种使用当前会话令牌和密钥对所有 GET 请求进行签名的方法,以防止 CSRF 攻击。

但您想要做的是拥有一个可以与其他人共享的 URL。

您可以创建类似于原始 url 的 MD5 哈希值,并将两者保存在数据库中。

现在,当 /share/someLongId 打开时,您可以在数据库中检查该哈希属于哪个 URL,并可以将用户重定向到该 URL。

另一种可能性是首先使用 GUID 而不是自动递增 ID。这样所有的 ID 都会变得更长并且不容易被猜到。

A friend of mine implemented a method of signing all the GET requests with the current session token and a secret to prevent CSRF attacks.

But what you are trying to do is to have an URL that you can share with other people.

You could create an MD5 hash that resembles the original url, and save both in the database.

Now when /share/someLongId is opened, you can check in the database where to which URL that hash belongs and can redirect the user to that URL.

Another possibility is to use GUIDs instead of auto-incrementing IDs in the first place. That way all the IDs are just longer and not that easy to guess.

拥抱我好吗 2024-10-23 09:33:42

根据您是否需要它(URL)持久化,您可以执行以下任一操作:

非持久化:执行如下操作:

function getLink($id) {
   $random = md5(uniqid());
   $_SESSION['links'][$random] = $id;
   return "http://localhost/share/$random";
}
echo getLink(10);

然后:

function getTrueId($id) {
  if(isset($_SESSION['links'][$id]) {
     return $_SESSION['links'][$id];
  } else {
     die("Unknown link!");
  }

}

这将使链接仅对当前会话中的当前用户可用。如果您需要持久化,您可以生成随机 ID 并将它们与真实 ID 一起存储在数据库中,但这可能毫无意义,因为可以使用随机 ID 代替真实 ID 来执行相同的操作...

Depending on if you need it (the URL) to be persistent or not, you cold do either:

non-persistent: do something like this:

function getLink($id) {
   $random = md5(uniqid());
   $_SESSION['links'][$random] = $id;
   return "http://localhost/share/$random";
}
echo getLink(10);

and then:

function getTrueId($id) {
  if(isset($_SESSION['links'][$id]) {
     return $_SESSION['links'][$id];
  } else {
     die("Unknown link!");
  }

}

This will make links usable only to the current user in current session. If you need it persistent, you can generate random IDs and store them in the database along with real IDs, but this may be pointless, as the random ID can be used instead of real ID to do the same things...

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文