PHP中如何识别用户?
我有一个很大的问题,我已经想了两天了。我写了一个关于捕获未注册(来宾)用户的小课程,这些用户可以通过 URL 尝试 SQL 注入攻击,经过两次实验后,他们的 IP 在我的数据库中被阻止(因此在数组中我存储了一些标志),
$blockSigns = array ("'", "/", "\", ":", "//", "and so on");
但是:
- IP 不是一个好的解决方案(如果服务器在代理下,PHP 无法看到 LAN IP_s),即使可以,我也无法阻止它。我无法阻止 192.168.1.10 :)
- 我不需要 WAN IP,因为我无法因为一个 n00b 就阻止公司的站点。
- PHP 无法捕获 Mac 地址(mac 不包含在标头中)
- 我也想阻止访客用户,所以我不知道他们的用户名或邮件或其他内容
if (isset($_SESSION["用户"])) { $user = $_SESSION["用户"]; } 别的 { $用户=“未知”; }
- 我读到 Perl 有一些名为 NET::MAC 的 API,
我决定通过 perl 查找用户 mac 地址并将其集成到 PHP 中。是否可以? 如果是,请问如何?我无法理解。 如果不是:
我该如何解决这个问题?如果用户未注册,我如何识别他/她?有机会吗?如果您已经遇到过此类问题,请分享您的经验。提前致谢...
I have such a big problem, and i've been thinking about it for 2 days. I wrote a small class about catching unregistered (guest) users who can try SQL injection attack throught the URL and after 2 experiments their IP is blocked in my DB (so in array i store some signs),
$blockSigns = array ("'", "/", "\", ":", "//", "and so on");
but:
- IP is not good solution (PHP cannot see LAN IP_s if server is under proxy), and even it can I cannot block it. I cannot block 192.168.1.10 :)
- I don't need WAN IP because, i cannot block site for a company because of one n00b.
- PHP cannot catch Mac address (mac isnot included in header)
- I want to block users that are guests also, so i don't know their usernames or mail or something
if (isset($_SESSION["user"])) {
$user = $_SESSION["user"]; } else {
$user = "unknown"; }
I read that perl has some API called NET::MAC,
I decided to find user mac address by perl and integrate it in PHP. Is it possible?
if is, please how? I cannot understand.
if not:
how can I fix that problem? how can i identify user, if he/she isnot registered? is there any chance? please share your experience if you already had that kind of problem. thanks in advance...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
不可能获取用户的 MAC 地址。您的服务器看到的唯一 MAC 地址是它所连接的路由器的 MAC 地址。如果您阻止了这一点,您就会阻止所有传入您服务器的流量。
因此,正如 @Jon 所说,如果您的应用程序是安全的,您就不必关心试图注入东西的人。
顺便说一句,你检测 SQL 注入的方法非常糟糕。尤其是
'和:,而且其他字符在大多数情况下都是完全有效。例如,用户的真实姓名可能包括'。但是,您根本不需要添加此类检测代码 - 如果您正确转义所有不受信任的输入,或者您对查询使用准备好的语句(更好),您的应用程序根本不会受到 SQL 注入的攻击。It is impossible to get the MAC address of a user. The only mac address your server sees is that of the router it is connected to. And if you blocked this, you'd block all traffic coming to your server.
So as @Jon said, if your application is secure you shouldn't have to care about people trying to inject things.
Your way to detect SQL injection is horribly by the way. Especially
'and:but also the other characters are perfectly valid in most contexts. For example, a user's real name might include'. However, you do not need to add such detection code at all - if you escape all untrusted input properly or you use prepared statements for your queries (better) your application is not vulnerable to SQL injection at all.您可以尝试将 ip 与用户代理字符串和一些更多信息(例如插件)一起使用。但如果有人用他公司的浏览器尝试一下,IP 和用户代理应该是相同的。
所以唯一的解决方案是:
确保页面安全,这样就没有 SQL 注入的机会
you could try to use the ip together with the user agent string and some more information like plugins. But if some tries it with his companies browser, the ip and the user agent should be the same.
so the only solution is:
Make your page safe, so that there is no chance for a SQL injection
也许没有最终的解决方案。如果您知道注册用户的 IP,您可以只允许他们访问您的页面(Apache 服务器上的 .htacces)。您还可以尝试在用户注册后设置cookie,然后您将能够检查指定的cookie是否存在(只有当用户在同一台计算机上仅使用一个浏览器时才可能,所以您也可以设置它每次登录时)。当用户关闭浏览器时,会话总是结束。
Probably there is no ultimate solution. If you know the IP's of registered users you can allow only them to access your pages ( .htacces on Apache server). You can also try to set cookie after user is being registered and then you will be able to check if that specified cookie is present ( I will be possible only when user is using only one browser on the same computer, so you could also set it on every log in). Sessions always end when user closes a browser.