防止在PHP/JavaScript/JQuery(PayPal)中进行表单操作 [英] Prevent form manipulation in PHP/JavaScript/JQuery (PayPal)

问题描述

我有一个表格，用户可以使用PayPal或银行转帐购买信用额作为付款方式.

I have a form where users can buy credits with PayPal or banktransfer as payment option.

如果用户选择"PayPal"作为选项，则表单数据将使用JQuery/JS发送到PayPal:

If a user selected "PayPal" as an option, the form data will be send to PayPal, using JQuery/JS:

$(':radio').change(function () {
var $this = $(this).val();
    if ($this === 'pp') {
    $('#form').attr('action','https://www.paypal.com/cgi-bin/webscr');  
     }           
    else
    {
    $('#form').attr('action','');  
    }
});

用户还可以选择要支付的金额，还可以选择要从中获得多少积分.此外，他可以添加优惠券代码. Ajax-Request将检查我们的数据库，如果这是有效的优惠券，然后授予折扣值.

The user can also choose how much he wants to pay, which also selects how many credits he'll get from it. Additionally he can add a coupon-code. An Ajax-Request will check our database, if this is a valid coupon and grants the discount-value then.

所有信息都存储在隐藏的输入字段中(价格是多少，积分多少，折扣(如果有)，用户ID等). 现在，我要确保用户不会使用开发人员工具来操纵这些值，也不要类似的事情来降低费用，使用其他用户ID等等.

All informations are stored in hidden input fields (what the price is, how many credits, how much discount (if any), user id, etc.). Now, I want to make sure that the user doesn't manipulate these values with Developer Tools or similiar things to pay less, use another user id and so on.

防止这种形式的操纵并接收正确的数据的最佳方法是什么?我认为这有点困难，因为要更改的值太多.

What would be the best possible way to prevent this form manipulation and receive the correct data? I assume it's kinda difficult because there are so much values to change.

推荐答案

数据伪造/操纵

有许多将操纵的或伪造的数据发送到Web服务器的邪恶方法-cURL，Http Client(OSX应用程序)仅举两个我在调试时经常使用的名称.无论您使用哪种Java脚本，坚定的攻击者都将向HTTP服务器发送错误数据.

Data Forgery / Manipulation

There are many nefarious means of sending manipulated or forged data to a web server - cURL, Http Client (OSX app) just to name two that I use frequently when debugging. A determined attacker will send bad data to the HTTP server no matter what Javascript you think up.

出于安全需求，是时候打破使用网络浏览器的思维模式了，因为它是一个网站.如前所述，有很多方法可以将数据发送到HTTP服务器.

For security needs, it's time to break out of the mental model of using a web browser because it's a web site. As already stated, there are many ways to send data to an HTTP server.

Javascript对UI有好处，并可以帮助用户，但是在保护服务免受故意的错误/错误/格式错误的数据时，您必须在服务器上执行.

Javascript is good for the UI and helping the user, but when it comes to securing your service against intentionally bad/wrong/malformed data, you must do that on the server.

您可能需要使用隐藏的表单字段来重新考虑.一种方法是使用会话来跟踪此信息.如果这是必须以其格式发送给PayPal的信息，则有一种方法

You may need to re-think using hidden form fields. One approach would be to use sessions to keep track of this info. If this is information that must be sent to PayPal in their form, there is a way to embed the PayPal form using encrypted data.

如果您不想执行此操作，安全点将移至订单处理代码-在考虑交易完成且有效之前，请查看交易详细信息(货币金额等).

If you don't want to do this, the point of security then moves to the order processing code - look at the transaction details (currency amount, etc) before considering that a transaction is complete and valid.

这篇关于防止在PHP/JavaScript/JQuery(PayPal)中进行表单操作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！