保护表单数据免受恶意用户使用 Firebug 侵害的最佳方法?
我读过 几个 相关问题,但他们没有直接回答我的问题。 Firebug 等开发人员工具允许任何人在发送表单之前查看和操作表单数据。一个很好的例子是调整隐藏的“成员 ID”字段的值,以便将表单提交记入另一个用户的帐户。
防止此类篡改的最佳方法是什么?我的研究建议将敏感的表单输入移至服务器端脚本,但还有其他选择或注意事项吗?
我熟悉 PHP 和 jQuery,因此我理想的解决方案将使用其中一种或两种语言。
I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user.
What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or considerations?
I'm familiar with PHP and jQuery, so my ideal solution would use one or both of those languages.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您不能使用 jQuery 来保证安全,因为它都是在客户端处理的。
在您的示例中,只需在隐藏的输入字段中使用 PHP 会话,因为正如您正确指出的那样,这可以被操纵。
使用会话将如下所示:
登录页面
login.php
page-where-userid-is-required.php
会话将处于活动状态,直到用户关闭浏览器/直到会话过期(这是 PHP 设置
)只是一些示例代码,可以给您一个想法。
它适用于较小的项目,但是随着项目变得更加复杂,我建议采用 MVC(模型、视图、控制器)方式。 ( http://en.wikipedia.org/wiki/ Model%E2%80%93view%E2%80%93controller )
但这完全是另一个故事了:)
You can't use jQuery for security since it's all handled on the client side.
In your example just use a PHP session in staed of a hidden input field, because as you rightfully noted this can be manipulated.
Using sessions would look something like the following:
login page
login.php
page-where-userid-is-required.php
The session will be active until the user closes his browser / until the session expires (which is a PHP setting)
The above is just some sample code to give you an idea.
It works smaller projects, however as projects get more complex I would suggest going for the MVC (Model, View, Controller) way. ( http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller )
But that's just a whole other story :)
以下是一些基本建议:
您需要使用服务器端 (PHP) 脚本验证表单输入。
您可以将此类数据缓存在服务器会话中,而不是依赖表单中的敏感信息(例如会员 ID)。这样,恶意用户就无法动态更改数据。
您仍然可以使用 jQuery 验证来方便地捕获基本输入问题,但您只能信任使用服务器端代码验证的数据。
Here are a few basic suggestions:
You need to validate form inputs using a server-side (PHP) script.
Instead of relying on sensitive pieces of information, such as member ID, from the form you could instead cache such data in your server session. That way there is no way for a malicious user to change the data on the fly.
You can still use jQuery validation as a convenience to catch basic input problems, but you can only trust data that is validated using server-side code.