Encrypt IDs in URL variables


Question

I am developing an HTTP server application (in PHP, it so happens). I am concerned about table IDs appearing in URLs. Is it possible to encrypt URL variables and values to protect my application?

Recommended answer

oh ok, so for sensitive information best to use sessions then, are table Ids etc safe to throw in the GET var?

Yes, sensitive information must not leave your server in the first place. Use sessions.

As for "are table ids safe in the URL": I don't know, is there anything bad a user could do knowing a table id? If so, you need to fix that. Usually you need to pass some kind of id around though, whether that's the "native table id" or some other random id you dream up usually doesn't matter. There's nothing inherently insecure about showing the id of a record in the URL, that by itself means absolutely nothing. It's how your app uses this id that may or may not open up security holes.
Additionally think about whether a user can easily guess other ids he's not supposed to know and whether that means anything bad for your security.

Security isn't a one-off thing, you need to think about it in every single line of code you write.
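
The answer's point that the risk lies in how the app uses the id, not in the id being visible, shown as an added example that is not part of the original answer. The `INVOICES` data, the function names and the session/GET stand-in values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a database table (hypothetical schema).
const INVOICES = [
    41 => ['owner_id' => 7, 'total' => '120.00'],
    42 => ['owner_id' => 7, 'total' => '80.50'],
    43 => ['owner_id' => 9, 'total' => '990.00'],
];

// Weak: trusts the id from the URL, so any user can read any row by guessing ids.
function fetchInvoiceUnchecked(string $rawId): ?array
{
    return INVOICES[(int) $rawId] ?? null;   // (int) also accepts junk like "43abc"
}

// Hardened: validate the id, then require that the row belongs to the session user.
function fetchInvoiceForUser(string $rawId, int $sessionUserId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                         // malformed id: treat as not found
    }
    $row = INVOICES[$id] ?? null;
    if ($row === null || $row['owner_id'] !== $sessionUserId) {
        return null;                         // same answer for "missing" and "not yours"
    }
    return $row;
}

// Stand-ins for $_SESSION['user_id'] and $_GET['id'] (constructed values).
$sessionUserId = 7;
foreach (['42', '43', '43abc', '-1'] as $rawId) {
    $weak = fetchInvoiceUnchecked($rawId) !== null ? 'returned' : 'not found';
    $safe = fetchInvoiceForUser($rawId, $sessionUserId) !== null ? 'returned' : 'not found';
    printf("id=%-6s unchecked: %-10s checked: %s\n", $rawId, $weak, $safe);
}
```

With the ownership check in place, a guessable sequential id in the URL reveals nothing beyond the rows the session user is already allowed to see.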
