保护表单数据免受恶意用户使用 Firebug 侵害的最佳方法?

发布于 2024-11-09 15:40:45 字数 491 浏览 4 评论 0原文

我读过 几个 相关问题,但他们没有直接回答我的问题。 Firebug 等开发人员工具允许任何人在发送表单之前查看和操作表单数据。一个很好的例子是调整隐藏的“成员 ID”字段的值,以便将表单提交记入另一个用户的帐户。

防止此类篡改的最佳方法是什么?我的研究建议将敏感的表单输入移至服务器端脚本,但还有其他选择或注意事项吗?

我熟悉 PHP 和 jQuery,因此我理想的解决方案将使用其中一种或两种语言。

I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user.

What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or considerations?

I'm familiar with PHP and jQuery, so my ideal solution would use one or both of those languages.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

冷了相思 2024-11-16 15:40:45

您不能使用 jQuery 来保证安全,因为它都是在客户端处理的。

在您的示例中,只需在隐藏的输入字段中使用 PHP 会话,因为正如您正确指出的那样,这可以被操纵。

使用会话将如下所示:

登录页面

<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="submit" value="submit">
</form>

login.php

// you have to include this on every page to be able to user sessions.
// also make sure that you include it before any output
session_start();

//Always sanitize the user input before doing any db actions.

//For example by using: `mysql_real_escape_string()` ( http://php.net/manual/en/function.mysql-real-escape-string.php ).

// check user credentials against db

$_SESSION['user'] = $dbresult['username'];

page-where-userid-is-required.php

session_start();

if (!isset($_SESSION['user'])) {
    // user is not logged in!
} else {
    // use user info to place order for example
}

会话将处于活动状态,直到用户关闭浏览器/直到会话过期(这是 PHP 设置

)只是一些示例代码,可以给您一个想法。

它适用于较小的项目,但是随着项目变得更加复杂,我建议采用 MVC(模型、视图、控制器)方式。 ( http://en.wikipedia.org/wiki/ Model%E2%80%93view%E2%80%93controller

但这完全是另一个故事了:)

You can't use jQuery for security since it's all handled on the client side.

In your example just use a PHP session in staed of a hidden input field, because as you rightfully noted this can be manipulated.

Using sessions would look something like the following:

login page

<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="submit" value="submit">
</form>

login.php

// you have to include this on every page to be able to user sessions.
// also make sure that you include it before any output
session_start();

//Always sanitize the user input before doing any db actions.

//For example by using: `mysql_real_escape_string()` ( http://php.net/manual/en/function.mysql-real-escape-string.php ).

// check user credentials against db

$_SESSION['user'] = $dbresult['username'];

page-where-userid-is-required.php

session_start();

if (!isset($_SESSION['user'])) {
    // user is not logged in!
} else {
    // use user info to place order for example
}

The session will be active until the user closes his browser / until the session expires (which is a PHP setting)

The above is just some sample code to give you an idea.

It works smaller projects, however as projects get more complex I would suggest going for the MVC (Model, View, Controller) way. ( http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller )

But that's just a whole other story :)

剑心龙吟 2024-11-16 15:40:45

以下是一些基本建议:

  • 您需要使用服务器端 (PHP) 脚本验证表单输入。

  • 您可以将此类数据缓存在服务器会话中,而不是依赖表单中的敏感信息(例如会员 ID)。这样,恶意用户就无法动态更改数据。

您仍然可以使用 jQuery 验证来方便地捕获基本输入问题,但您只能信任使用服务器端代码验证的数据。

Here are a few basic suggestions:

  • You need to validate form inputs using a server-side (PHP) script.

  • Instead of relying on sensitive pieces of information, such as member ID, from the form you could instead cache such data in your server session. That way there is no way for a malicious user to change the data on the fly.

You can still use jQuery validation as a convenience to catch basic input problems, but you can only trust data that is validated using server-side code.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文