在超链接中隐藏实际链接
我有
echo <a href=\"javascript:;\" onClick=\"window.open('". $link ."','no','scrollbars=yes,width=550,height=400')\" >View report</a>
$link 包含敏感信息,所以我想知道是否有一种简单的方法可以防止当您在浏览器上“查看源代码”时显式显示此链接。 href 的任何替代方案都可以。我只需要给用户一个选项,在他提交一些数据后单击并查看他的处理结果。我想避免在提交处理后立即出现自动弹出窗口。
更新:所以 $link 是一个 GET URL,其中包含用户 ID 和密码。它现在是内部的,所以没问题,但我正在考虑将来把它放在我们的在线服务器上。我是 PHP 的新手,所以这可能不会在不久的将来发生,因为我对互联网上的实时站点需要实现的安全功能了解不多。目前看来,利用数据库是最好的方法。如有错误,请指正,感谢大家的支持!
I have
echo <a href=\"javascript:;\" onClick=\"window.open('". $link ."','no','scrollbars=yes,width=550,height=400')\" >View report</a>
$link contains sensitive information, so I'm wondering if there is a simple way to prevent this link showing up explicitly when you "view source code" on the browser. Any alternative to href would be fine. I just need to give the user an option to click and see his processing result after he submits some data. I would like to avoid having auto popups as soon as the processing is submitted.
UPDATE: so the $link is a GET URL that includes a user ID and password.. It's internal right now so it's fine, but I'm thinking of putting this on our online server in the future. I'm very much a novice with PHP, so this is probably not in the near future as I don't know much about security features that need to be implemented for a live site on the Internet. Right now, it seems that utilizing a database would be the best way to go. Correct me if I'm wrong, please, and thanks for all of the support!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
如果用户必须导航到该链接,则无法实际隐藏该信息。您应该重新考虑流程的工作方式,以便敏感信息不会显示在链接中。
也许您可以将信息存储在数据库表中,并且链接将仅使用包含该信息的行的 ID。
If the user has to navigate to the link, there is no way to actually hide the information. You should rethink how your process works so sensitive information is not displayed in the link.
Perhaps you can store the information in a database table and the link would just use the id of the row that has the information.
简而言之:不。如果您向我发送一个 URL,我将能够使用某种工具看到它。 Wireshark、Fiddler 等。考虑使用不同的链接结构。
Simply put: No. If you send me to a URL, I will be able to see it using some sort of tool. Wireshark, Fiddler, etc. Consider using a different link structure.
如果用户已经拥有会话,则可以选择以下选项:
如果您呈现页面并需要保护此给定示例秘密 URL,
请将 URL 保存在用户会话中,并将哈希值与秘密 URL。
不要将 URL 发送到结果 HTML 页面,而是插入另一个 URL,例如,
如果调用此 URL,请检查用户的会话并检索并删除秘密 URL。然后继续评估,就好像用户调用了秘密URL一样。
这样,原始秘密 URL 的任何参数都不会到达用户的浏览器。
要优化架构,请将生命周期附加到会话中保存的 URL。如果生命周期结束后出现请求,则返回错误。
如果以这种方式保护所有 URL,用户将无法调用任意 URL,因为所有可接受的 URL 都是其会话内的 URL。因此,用户甚至无法更改不太秘密的 URL 的参数。
If the user already owns a session, this is an option:
If you render a page and need to protect this given sample secret URL
save the URL in the user's session and associate a hash value with the secret URL.
Instead of sending the URL to the result HTML-page, insert another URL, e.g.
If this URL gets called, check the user's session and retrieve and delete the secret URL. Then continue to evaluate, as if the user had called the secret URL.
This way, no parameter of the original secret URL ever reaches the user's browser.
To refine the schema, attach a lifetime to the URL saved in the session. If a request comes later as the end of life, return an error.
If you protect all URL in such a way, users won't be able to call arbitrary URLs, since all acceptable URLs are those inside their sessions. Thus, a user will even not be able to change parameters of less secret URLs.
$link是如何生成的?如果它是敏感的,则意味着用户已经通过某种方式进行了身份验证。因此,$link中的信息可以存储在安全的会话中How is
$linkgenerated in the first place? If it is sensitive, this implies that the user has already been authenticated somehow. Thus, the information in$linkcan be stored in the session where it's safe将所有信息保存在 PHP 会话(或者最好是 PHP 框架使用的会话系统)中,然后在链接中发送某种非数据库关联的标识符,以便代码知道您下一步要做什么。
例如,您可以有一个指向“http://www.yourdomain.com/sec/special_action/4”的链接,其中“sec”表示安全,“special_action”是要采取的操作的名称,“4”是操作 ID 参考。
假设您必须将其与他们的社会安全号码相关联。然后,您将在后端使用加盐哈希来加密 SSN 并将其保存到会话数据中。然后将其附加到会话数组的末尾并获取数组计数。如果它返回 5,那么您就知道加密的 SSN 保存在索引 4 中(因为 PHP 使用基于 0 的索引)。因此,您将该索引作为链接的一部分发送,这会使事情更加混乱。如果你愿意的话,你甚至可以对索引加盐和散列。
用户点击链接,代码找到索引,抓取加密内容,解密,然后使用它。简单又安全。
Save all the information in your PHP session (or preferably the session system your PHP framework uses) and then just send some kind of non-db-associated identifier in the link so that the code knows what you want to do next.
For example you could have a link to "http://www.yourdomain.com/sec/special_action/4" with "sec" meaning secure, "special_action" being the name of the action to take, and "4" being the action id reference.
So lets say you have to have it associated to their social security number. Then you would in your back end use a salted hash to encrypt the SSN and save it to the session data. You then append it to the end of your session array and get an array count. If it returns 5 then you know that the encrypted SSN is saved in index 4 (since PHP uses 0 based indexing). So you send along that index as part of the link to confuse things even more. Heck you can even salt and hash the index if you want.
The user clicks on the link, the code finds the index, grabs the encrypted content, decrypts it, then uses it. Easy and secure.