Secure way to stop users from forging forms

Views: 89

Question

How can I prevent users from forging forms on the PHP or jQuery side? I am using jQuery's ajax functionality to submit the forms, and this means that tech-wise people can change some variables, such as the value of something (that shouldn't be changed / is a user id or something like that), through the use of Firebug or Web Inspector and the like.

So how can I prevent users from changing these variables, or make sure they are unchangeable, in a secure and sound way?

Thanks

Recommended answer

As the others have already stated, you can't prevent the user from tampering.

You are receiving data from me, and I can send you anything I want; I can even do an HTTP request by hand, without even using a browser, and you can't do anything about it.

If you don't want a user to be able to alter a piece of information, don't provide it to him.

You can store it in PHP's session, which is stored server side (do not use cookies, they too are sent to the user), or save it in a database; neither of them is accessible to the end user.

If you still want to pass the data to the user, compute some sort of hash (a secure hash, using a secure hashing algorithm and a secure message digest as Gumbo noted at http://stackoverflow.com/questions/8532356/secure-way-to-stop-users-from-forging-forms#comments-8532507; this rules out algorithms like CRC32 or MD5 and MACs like your name or birthday) of the data and store it server side; then when the user submits back the data, check if the hashes match.

But do know that this solution is not 100% secure. Hashing functions have collisions, and bad implementations exist.

I would recommend sticking to the golden rule: if it's not there, it can't break / be tampered with / be stolen / etc.
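The two defences the answer describes, as an added PHP example that is not part of the original question or answer: the sensitive value (a user id) is kept in the server-side session and the posted copy is ignored, and fields that must round-trip through the browser are protected with a keyed MAC. Instead of storing the hash in the session as the answer suggests, this version uses HMAC-SHA256 with a server-only secret (`$secret`, assumed to come from server configuration); the function names, the `item_id`/`price` fields and the sample POST array are all constructed for the demonstration. Requires PHP 7.3 or later.

```php
<?php
// Added example (not from the Stack Overflow answer): two defences against a
// client editing form values in Firebug / Web Inspector before submitting.
// Assumption: $secret is loaded from server-side config and never sent to the browser.

declare(strict_types=1);

// --- Defence 1: never send the sensitive value at all. ---------------------
// The user id lives in the server-side session; whatever the form posts as
// "user_id" is simply ignored because the handler never reads it.
function current_user_id(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    return (int) $_SESSION['user_id'];
}

// --- Defence 2: the value has to round-trip through the client. ------------
// Attach a keyed MAC (HMAC-SHA256 over a canonical encoding of the fields).
// The key stays on the server, so an edited value cannot be re-signed.
function sign_fields(array $fields, string $secret): string
{
    ksort($fields);                                  // canonical key order
    $payload = json_encode($fields, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, $secret);
}

function verify_fields(array $fields, string $mac, string $secret): bool
{
    $expected = sign_fields($fields, $secret);
    return hash_equals($expected, $mac);             // constant-time comparison
}

// Rendering the form: emit the protected fields plus their MAC.
function render_hidden_inputs(array $fields, string $secret): string
{
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES),
            htmlspecialchars((string) $value, ENT_QUOTES));
    }
    $html .= sprintf("<input type=\"hidden\" name=\"mac\" value=\"%s\">\n",
        sign_fields($fields, $secret));
    return $html;
}

// Handling the POST: rebuild the protected fields from the request and check the MAC
// before any of them is used.
function protected_fields_from_post(array $post, array $names, string $secret): array
{
    $fields = [];
    foreach ($names as $name) {
        $fields[$name] = (string) ($post[$name] ?? '');
    }
    if (!verify_fields($fields, (string) ($post['mac'] ?? ''), $secret)) {
        throw new RuntimeException('form fields were modified');
    }
    return $fields;
}

// Constructed demo: an untouched submission passes, an edited price is rejected.
$secret = bin2hex(random_bytes(32));   // placeholder: load from config in real code
$fields = ['item_id' => '42', 'price' => '19.99'];
$post   = $fields + ['mac' => sign_fields($fields, $secret), 'qty' => '1'];
var_dump(protected_fields_from_post($post, ['item_id', 'price'], $secret) === $fields); // bool(true)

$tampered = $post;
$tampered['price'] = '0.01';
try {
    protected_fields_from_post($tampered, ['item_id', 'price'], $secret);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";        // form fields were modified
}
```

Two caveats apply to the MAC approach. It binds the values to each other, not to a user or a request, so an unmodified but stale set of fields would still verify; including the session's user id (from `current_user_id()`) among the signed fields ties the form to its owner. And it only covers the fields you list in `$names`; anything else in `$_POST` (here `qty`) is untrusted input and needs ordinary validation.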
