How to prevent server side from receiving data from unintended source


Problem description

I have a PHP service called addItem.
This service is called when someone submits a form on the client side.

How can I secure that to make sure that an item will only be added when called from the intended form?
Trying to prevent someone from submitting stuff through an automated curl call, for example.

Thanks,
Tee

Recommended answer

Short answer is that you can't. As long as the form is accessible, any method you use to secure the form can be tackled in an automated way. You should never count on data sent by the user to be secure. However, there are a few things you can do to make things more challenging for anyone wanting to spoof your form.

  • Add a CAPTCHA, which will probably filter out nearly all scripted submissions, but also has the greatest negative impact on regular users.
  • Employ some form of CSRF protection (which you should have anyway). This will mean that anyone wanting to submit data via the form must request the form first. If this form is only accessible behind a login wall, this will make things quite challenging.
  • If you already require your users to have Javascript, try using JS when setting up a key for CSRF protection. This means that the JS must be parsed or executed in order to submit a valid form.
  • Filter common user agents such as cURL and wget.
  • Check that the form was sent via POST and not GET.
  • Add rate limiting on the server to throttle submissions to a reasonable level.
  • Check the HTTP referrer. Easily faked, but one more hoop to jump through.

Ultimately, if someone wants to submit data to your form through some other means, it's still ALWAYS possible. The above steps can make it more challenging, but any action that can be taken by the user can always be scripted, so make sure to have appropriate validation on the server side.
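The following PHP file is an added example, not code from the question or the answer above. It shows how several of the listed layers fit together in one addItem endpoint: a session-bound CSRF token issued with the form and checked on submit, a POST-only check, a crude user-agent filter, a referrer check, per-session rate limiting, and, last but most important, server-side validation of the submitted item. The file name addItem.php, the expected host example.com, the limits (5 submissions per 60 seconds) and the add_item_to_store() persistence stub are all assumptions; it targets PHP 8.1 or later.

```php
<?php
// Added example (not from the original answer): a minimal addItem.php that layers
// the answer's suggestions. File name, host and limits are assumptions.
declare(strict_types=1);
session_start();

// --- CSRF token: issued when the form is rendered, checked on submit ---
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // hash_equals avoids timing side-channels when comparing secrets
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Rate limiting: at most $max submissions per $window seconds per session ---
function rate_limited(int $max = 5, int $window = 60): bool {
    $now  = time();
    $hits = array_filter($_SESSION['submit_times'] ?? [], fn($t) => $t > $now - $window);
    if (count($hits) >= $max) {
        $_SESSION['submit_times'] = array_values($hits);
        return true;
    }
    $hits[] = $now;
    $_SESSION['submit_times'] = array_values($hits);
    return false;
}

// --- Referrer check: easily faked, as the answer notes, but one more hoop ---
function referrer_ok(string $expectedHost): bool {
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    return parse_url($ref, PHP_URL_HOST) === $expectedHost;
}

// --- User-agent filter for common CLI tools (trivially bypassed; defence in depth only) ---
function ua_looks_scripted(): bool {
    $ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
    return $ua === '' || str_contains($ua, 'curl') || str_contains($ua, 'wget');
}

function reject(int $status, string $msg): never {
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// --- Request handling ---
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render the form, embedding the CSRF token as a hidden field.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
    <form method="post" action="addItem.php">
      <input type="hidden" name="csrf_token" value="{$token}">
      <input type="text" name="item" maxlength="100" required>
      <button type="submit">Add item</button>
    </form>
    HTML;
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'Method not allowed');
}
if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    reject(403, 'Invalid or missing CSRF token');
}
if (ua_looks_scripted() || !referrer_ok('example.com')) {   // host is an assumption
    reject(403, 'Request rejected');
}
if (rate_limited()) {
    reject(429, 'Too many submissions');
}

// Server-side validation of the payload: the check that actually matters,
// because every layer above can be scripted around.
$item = trim((string)($_POST['item'] ?? ''));
if ($item === '' || mb_strlen($item) > 100) {
    reject(400, 'Invalid item');
}

// add_item_to_store() is a placeholder for the real persistence code.
// add_item_to_store($item);
echo 'Item added';
```

The order of the checks is deliberate: the cheap, stateless rejections (method, token, user agent, referrer) run before the rate limiter touches session state, and the rate limiter runs before any validation or storage work. None of the first four layers is reliable on its own, which is why the final validation of `$item` is unconditional and does not depend on where the request came from.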

