Why is client-side validation a security risk as opposed to server-side validation?

Views: 30

Problem description


I don't quite understand why client side validation is a potential security risk or more of a security risk than server side validation? Can someone give me some scenarios?

Recommended answer


Ideally you'd do both client and server side and never one or the other. If we take a look at these 3 scenarios, both is the only secure, user-friendly way to do it:


Client Side Only: As mentioned, it doesn't take much to get around these validations if somebody wants to send malformed data to your server (such as SQL injection). NoScript won't run the javascript validation code, and some browsers allow the user to actively change all loaded javascript and html, so a user could unhook the validation javascript from the controls.


Server Side Only: This one is more secure than Client-only by a long shot, but cuts back on user friendliness. They have to send their form to the server, have it validated and receive the error page back saying a particular field was invalid. What's annoying is that if any of those fields were password fields, their values are not repopulated by default. For example, let's say the user didn't input a phone number correctly in an account creation form. When the server spits back the page about how the phone number is wrong, the user will see that, correct the phone number and hit submit again, just to receive another error page about not having entered a password (and entering it again in its second textbox) even though that wasn't the initial problem.


Client and Server Side: You get the security of the server side validation, something the user will be hard-pressed to interfere with, and the user friendliness of input validation without having to submit the page (whether you validate through purely local javascript or AJAX).


If you absolutely had to pick one, server side would be the way to go. But you shouldn't ever have to pick one or the other.
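The "client and server side" approach from the answer, as an added example that is not part of the original answer: one set of validation rules is written as a pure function so the browser can run it for instant feedback, and the server runs the very same function on the raw request body, because it cannot assume the browser ran it at all (NoScript, a modified page, or a hand-built request). The field names, the rule thresholds and the `handleSubmit` handler are assumptions for illustration; the handler also preserves the non-secret fields on an error response so the user only retypes the password, which is the usability point the answer raises.

```javascript
// Added example, not code from the original answer. Field names and rule
// thresholds are assumptions chosen for illustration.

// Validation rules shared by client and server. Each rule gets the field's
// value and the whole submission (so "confirm" can compare to "password").
const rules = {
  phone: {
    test: (v) => /^\+?[0-9]{7,15}$/.test(v),
    message: "Phone number must be 7 to 15 digits",
  },
  password: {
    test: (v) => typeof v === "string" && v.length >= 12,
    message: "Password must be at least 12 characters",
  },
  confirm: {
    test: (v, all) => v === all.password,
    message: "Passwords do not match",
  },
};

// Pure function usable in the browser (on input/submit events) and on the
// server. Returns every failing field so the user sees all errors at once.
function validateForm(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(rules)) {
    const value = fields[name] ?? "";
    if (!rule.test(value, fields)) errors[name] = rule.message;
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Server-side handler. It never trusts that the client ran validateForm:
// the body is parsed from the raw application/x-www-form-urlencoded text
// and validated again here, so a request that skipped the page's
// JavaScript entirely is still rejected with the same rule set.
function handleSubmit(rawBody) {
  const fields = Object.fromEntries(new URLSearchParams(rawBody));
  const result = validateForm(fields);
  if (result.ok) {
    return { status: 200, body: "account created" };
  }
  // Re-render the form with the user's non-secret input preserved, so only
  // the password has to be retyped. Password values are never echoed back.
  const repopulate = {};
  for (const name of Object.keys(rules)) {
    if (name !== "password" && name !== "confirm") {
      repopulate[name] = fields[name] ?? "";
    }
  }
  return { status: 400, errors: result.errors, repopulate };
}
```

In a real deployment the same `rules` object would be bundled for the browser and imported by the server, so the two checks cannot drift apart; the server-side call is the one that matters for security, the client-side call only saves the round trip.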

