Security issue of extjs


Question

How can I convince my client that extjs is safe to use? Or better, how can I assure my programming is safe in extjs-3.x, so that data does not get into the wrong hands or cannot be hacked, or, if somebody downloads my website's JavaScript with some tool on the desktop, how will I make sure it will not run, and many more? Like SQL injection.

Recommended answer

bmoeskau's book recommendation looks good. I wasn't aware of that title, but I think I'm going to go buy it.

Building on the second part of his answer, you'll want to ensure that you fully understand what you're doing. Please don't take offense, but your question suggests that you don't have a very complete grasp of how these kinds of applications work.

In any web-based application, you cannot trust the client. It doesn't matter if the client is plain old HTML, some kind of AJAXified DHTML, a completely ExtJS-driven application, a Flash movie, or a native desktop application. They're all clients, and they're all trivially corruptible.

Your server-side code is where you defend yourself. Always. No exceptions. Ever.

Worried about SQL Injection (as you should be)? -- Protect against it on the server. (If you're writing client code that creates SQL and sends it to the server, you're almost certainly very, very wrong).

Need to make sure only certain users see/touch certain data? -- You need a solid authentication/authorization framework on the server.

You should also be worried about CSRF -- Again, the server-side architecture needs to protect against it.

Anyone using your app will have all your Javascript code on their local machine. That's a fact of life. And that's exactly why you never trust the client.

Almost every vulnerability that can affect an ExtJS-based app can affect any other app as well.

So, you can tell your client that ExtJS is no more or less secure than any other client-side technology. That's because security is the server-side code's job, and not the client.

To avoid these vulnerabilities, you need to read, comprehend, and write your code thoughtfully. No matter what libraries or technologies you're using.
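
The server-side defence described in the answer, as an added example that is not part of the original answer: a Node.js function that turns the paging and sorting parameters an ExtJS 3.x store sends (`start`, `limit`, `sort`, `dir`) into a parameterized query scoped to the logged-in user. The table and column names, the `query` search field, the `?` placeholder style and the `session.userId` field are assumptions for illustration.

```javascript
'use strict';
// Added example: hypothetical server-side logic behind an ExtJS 3.x grid store.
// Table and column names (orders, owner_id, ...) are assumptions for illustration.

// Client field name -> real column. Identifiers cannot be bound as parameters,
// so the only safe way to accept a sort column is an allow-list.
const SORTABLE = { id: 'id', created: 'created_at', total: 'total_cents' };
const MAX_LIMIT = 100;

function toInt(value, fallback, min, max) {
  const n = Number.parseInt(value, 10);
  if (!Number.isFinite(n)) return fallback;
  return Math.min(Math.max(n, min), max);
}

// params:  untrusted request parameters (start, limit, sort, dir, query).
// session: server-side session created at login; never read from the request.
function buildOrdersQuery(params, session) {
  if (!session || !Number.isInteger(session.userId)) {
    throw new Error('unauthenticated');
  }
  const column = Object.prototype.hasOwnProperty.call(SORTABLE, params.sort)
    ? SORTABLE[params.sort] : 'id';
  const dir = String(params.dir).toUpperCase() === 'DESC' ? 'DESC' : 'ASC';
  const limit = toInt(params.limit, 25, 1, MAX_LIMIT);
  const start = toInt(params.start, 0, 0, Number.MAX_SAFE_INTEGER);

  // Authorization: the owner filter comes from the session, not from the client.
  const values = [session.userId];
  let where = 'owner_id = ?';
  if (typeof params.query === 'string' && params.query !== '') {
    where += ' AND customer_name LIKE ?';
    values.push('%' + params.query + '%'); // bound as data, never concatenated
  }
  values.push(limit, start);
  return {
    text: `SELECT id, created_at, total_cents FROM orders WHERE ${where} ` +
          `ORDER BY ${column} ${dir} LIMIT ? OFFSET ?`,
    values,
  };
}

// Constructed hostile request: every field is attacker-controlled.
const hostile = { sort: 'id; DROP TABLE orders', dir: 'desc--', limit: '999999',
                  start: '-5', query: "x' OR '1'='1", owner_id: 1 };
console.log(buildOrdersQuery(hostile, { userId: 42 }));
```

The returned `text` and `values` are meant to be handed to a database driver that supports bound parameters; the client-supplied `owner_id` in the sample request is ignored entirely.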
