传递给 php 脚本的参数的安全性
我目前正在开发一个寄存器和使用 HTML、CSS、JavaScript 和 PHP 的登录系统。
过期
用户在 html 的 CSS 样式输入字段中输入他的电子邮件和密码。现在,如果用户按下登录按钮,JavaScript 就会获取这些输入字段的用户电子邮件和密码,并使用参数电子邮件和密码调用 login.php 脚本。 PHP 脚本完成主要工作,并将访问或拒绝返回给 JavaScript。最后 JavaScript 显示用户错误或根据 PHP 脚本答案授予访问权限。
Javascript 的详细信息片段
function loginuser(email, password) {
if (email || password) {
query('./php/login.php', null, [['email', email], ['password', password]]).then(function(obj) {
console.log("REPLY");
if (obj.error) {
//ERROR
}
else {
//ACCESS
}
});
}
else {
//PASSWORD , EMAIL CAN NOT BE EMPTY
}
}
function query(url, cmd_type, data_array) {
var request = new XMLHttpRequest();
var params= '';
params = params + 'cmdtype=' + encodeURIComponent(cmd_type) + '&';
if (data_array) {
data_array.forEach(function(item) {
if (Array.isArray(item[1])) {
var serialized_tda = '';
item[1].forEach(function(tdai) {
serialized_tda = serialized_tda + "|" + tdai[0] + "," + tdai[1] + "|";
});
params = params + item[0] + '=' + encodeURIComponent(serialized_tda) + '&';
}
else {
params = params + item[0] + '=' + encodeURIComponent(item[1]) + '&';
}
});
}
return new Promise(function(resolve, reject) {
request.open('POST', url, true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.onreadystatechange = function() {
if (request.readyState === XMLHttpRequest.DONE) {
if (request.status === 200) {
var response = JSON.parse(request.response);
resolve(response);
}
else {
resolve({error: 'Cant connect!'});
}
}
};
request.send(params);
});
}
疑问 - 问题
由于我正在调用带有参数的脚本,因此可以在浏览器开发控制台的网络选项卡中找到它,其中包含我发送的所有参数。 
当我稍后在生产中使用 SSL 证书时,这种情况会消失吗?我是否必须在 JavaScript 中加密数据,然后才能通过参数将其发送到 php,或者这是正常的吗?
I am currently developing a register & login system with HTML, CSS, JavaScript and PHP.
Expiration
The user inputs his email and password in the with CSS styled input fields of html. Now if the user press the login button, JavaScript gets the user email and password of these input fields and calls the login.php script with the parameters email and password. The PHP script does the main work than and returns the access or denial to JavaScript. At last JavaScript shows the user error or give access based on the PHP script answer.
Detailsnippet of Javascript
function loginuser(email, password) {
if (email || password) {
query('./php/login.php', null, [['email', email], ['password', password]]).then(function(obj) {
console.log("REPLY");
if (obj.error) {
//ERROR
}
else {
//ACCESS
}
});
}
else {
//PASSWORD , EMAIL CAN NOT BE EMPTY
}
}
function query(url, cmd_type, data_array) {
var request = new XMLHttpRequest();
var params= '';
params = params + 'cmdtype=' + encodeURIComponent(cmd_type) + '&';
if (data_array) {
data_array.forEach(function(item) {
if (Array.isArray(item[1])) {
var serialized_tda = '';
item[1].forEach(function(tdai) {
serialized_tda = serialized_tda + "|" + tdai[0] + "," + tdai[1] + "|";
});
params = params + item[0] + '=' + encodeURIComponent(serialized_tda) + '&';
}
else {
params = params + item[0] + '=' + encodeURIComponent(item[1]) + '&';
}
});
}
return new Promise(function(resolve, reject) {
request.open('POST', url, true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.onreadystatechange = function() {
if (request.readyState === XMLHttpRequest.DONE) {
if (request.status === 200) {
var response = JSON.parse(request.response);
resolve(response);
}
else {
resolve({error: 'Cant connect!'});
}
}
};
request.send(params);
});
}
Doubts - The problem
Since I am calling a script with parameters it can be found in the network tab in browser dev console with all parameters I sent.
Does this disappear when I use a SSL certificate in production later, do I have to encrypt data in JavaScript before I can send it via parameters to php or is this normal?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
不会,使用 SSL 不会导致该信息从生产中的“网络”选项卡中消失。
SSL 对客户端(即登录的用户)和处理该数据的服务器之间的数据进行加密。以纯文本形式发送通常是可以的,只要它始终通过 HTTPS 进行即可,因为这会加密流量并使其对任何嗅探攻击都毫无意义。
此外,网络选项卡中的信息仅对输入密码的客户端可见(因此他们知道密码),因此不应将其视为应用程序的安全缺陷。
No, using SSL will not cause that information to disappear from the Network tab in production.
SSL encrypts the data between the client (i.e. the user logging in) and the server that handles it. Sending it in plain text is generally okay, so long as it's always going via HTTPS, since that will encrypt the traffic and make it nonsense to any sniffing attack.
Furthermore, the information from the network tab is only visible to the client, who entered the password anyway (so they know it), so it should not be considered a security flaw with your app.
正如前面的答案所说,浏览器的开发人员工具仅显示浏览器看到的内容。一旦它通过 HTTPS 离开您的浏览器,它就会被加密。
不再建议在发送之前在应用程序中加密密码,因为总会存在一些其他安全隐患。例如,这是在 HTTP Digest 身份验证中实现的,其影响是必须将未散列的密码存储在服务器上。
以明文形式发送您的密码。确保您的服务器仅接受 HTTPS(永久重定向)并将其以哈希形式存储在服务器上。
As the previous answer says, the browser’s developer tools only shows what the browser sees. Once it leaves your browser over HTTPS it is encrypted.
Encrypting passwords in the application before sending is no longer recommended because there will always be some other security compromise. For example, this was implemented in HTTP Digest authentication and the impact was having to store the password unhashed on the server.
Send your password as plaintext. Make sure your server only accepts HTTPS (permanent redirect) and store it in hashed form on the server.
,您看到了步骤
2内容and you was seen the step
2content