HTML - How do I prevent users from editing a form's values?
I am developing a simple web app that allows users to key in information using a form, when I discovered I could edit that form's input default value using Chrome -> Inspect Element and submit the page with a different, hacked value.
Code:
<input id="radioOk_100237" name="radio_100237" type="radio" checked="" value="0">
As normal, I load the page, then using Google Chrome's Inspect Element I targeted this checkbox and changed the value to "9" before submitting it; in my backend page it reads "9" instead of the pre-set value of "0" from this input element.
If every user changed the value and submitted, it would completely thrash my DB. How is this possible, and am I supposed to encrypt the page or do something prior to submitting? I am totally lost; btw, I am using PHP.
Comments (4)
For typical users, you can just add the attribute readonly to the form field(s). For more advanced users/hackers that try to manipulate your server, you need to validate every piece of data that is submitted to ensure that tampering is caught and rejected. There is no client-side technique for this that is tamper-proof.
You could check for the correct kind of value on the server side. In fact, you should check every piece of data sent from the client side to prevent an attack.
You need to be doing server-side validation, to make sure the values you get from your client app make sense. If you know that a value of "9" will "thrash your DB", don't accept values of 9 from the client.
Obligatory XKCD link: http://xkcd.com/327/
You can't prevent users from modifying, adding or removing elements in the DOM. If you want that kind of control you should store the values of the elements you are outputting in an object and then compare what's coming in with the form post.
There are a million ways of doing this; if you want, I'll post an example.
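The answers above all point the same way: the browser is untrusted, so the server must decide what values are acceptable, either from a fixed allowlist or by remembering what it rendered and comparing on submit. The following PHP is an added example written for this page; it is not code from the question or from any of the answers. The field name radio_100237 is taken from the question; the allowed option values, the session key and the database column are assumptions.

```php
<?php
declare(strict_types=1);

// Allowed values per field, defined on the server. The option values here
// are hypothetical; in a real app they come from wherever the form is built.
const ALLOWED_RADIO_VALUES = [
    'radio_100237' => ['0', '1', '2'],
];

/**
 * Variant 1 (answers 1-3): validate a submitted radio value against a fixed
 * server-side allowlist. Returns the value, or null if the field is unknown,
 * missing, not a plain string, or not one of the permitted options.
 */
function validateRadio(array $post, string $field): ?string
{
    if (!array_key_exists($field, ALLOWED_RADIO_VALUES)) {
        return null; // field we never rendered: never trust it
    }
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null; // missing, or an array smuggled in via field[]=...
    }
    // Strict comparison so "0" cannot loosely match anything else.
    return in_array($post[$field], ALLOWED_RADIO_VALUES[$field], true)
        ? $post[$field]
        : null;
}

/**
 * Variant 2 (answer 4): when rendering the form, record the exact values
 * that were output, then compare the POST against that record.
 * The session key name 'rendered_form' is an assumption.
 */
function renderRadios(string $field, array $options): string
{
    $_SESSION['rendered_form'][$field] = $options;
    $html = '';
    foreach ($options as $value) {
        $html .= sprintf(
            '<input type="radio" name="%s" value="%s">',
            htmlspecialchars($field, ENT_QUOTES),
            htmlspecialchars($value, ENT_QUOTES)
        );
    }
    return $html;
}

function validateAgainstRendered(array $post, array $session, string $field): ?string
{
    $rendered = $session['rendered_form'][$field] ?? null;
    if (!is_array($rendered) || !isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    return in_array($post[$field], $rendered, true) ? $post[$field] : null;
}

// Request handling: reject the whole request on any tampered field and use
// the validated value only through a prepared statement.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    $value = validateRadio($_POST, 'radio_100237');
    if ($value === null) {
        http_response_code(400);
        exit('Invalid form submission.');
    }
    // $stmt = $pdo->prepare('UPDATE items SET status = ? WHERE id = ?'); // column assumed
    // $stmt->execute([$value, $itemId]);
}

// Constructed sample submissions, runnable from the CLI:
$honest   = ['radio_100237' => '0'];
$tampered = ['radio_100237' => '9'];   // the "9" from the question
$smuggled = ['radio_100237' => ['9']]; // radio_100237[]=9
var_dump(validateRadio($honest, 'radio_100237'));   // string(1) "0"
var_dump(validateRadio($tampered, 'radio_100237')); // NULL
var_dump(validateRadio($smuggled, 'radio_100237')); // NULL
```

Both variants reject the "9" from the question because the decision is made from data the server controls, not from what the browser sends back. The readonly attribute from the first answer is still worth adding for usability, but nothing in the HTML changes what this server-side check accepts.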