Form Security


Question


I've been trying to come up with a way to ensure user input is coming
from the form on my site, and not auto-submitted from elsewhere, and I
don't want to use the "enter the code shown in the image" method. I know
the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
doing something similar to this:

<?php
session_start();
$code = mt_rand(0,1000000);
$_SESSION['code'] = $code;
?>

Then in my form have:
<input type="hidden" name="originator" value="<?=$code?>">

On the page receiving the form:

<?php
session_start();
if(isset($_POST['originator'])) {
    if($_POST['originator'] == $_SESSION['code']) {
        // process the form
    }
}
?>

I'm looking for feedback on this method. Do you think this is an
effective way to ensure the input you're receiving is indeed from your
form? Obviously, the random code key will be visible to the client, but
without the matching session variable, it will be useless.

Your thoughts?

Scott
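The same session-bound hidden-field scheme Scott describes, with the points a reviewer would raise tightened up (unpredictable token, constant-time string comparison, one-time use), as an added PHP example that is not code from the original post; the function names and the session key are assumptions:

```php
<?php
declare(strict_types=1);
const FORM_TOKEN_KEY = 'form_token';   // assumed session key (added example, not the post's code)

// Issue a fresh token and remember it in the session.
function issue_form_token(): string
{
    // random_bytes() is a CSPRNG; mt_rand() is not, and a 0..1000000
    // value is small enough to guess.
    $token = bin2hex(random_bytes(32));
    $_SESSION[FORM_TOKEN_KEY] = $token;
    return $token;
}

// Hidden input for the form, with the value escaped for HTML.
function form_token_field(string $token): string
{
    return '<input type="hidden" name="originator" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token against the session; consume it on success.
function verify_form_token(array $post): bool
{
    $expected  = $_SESSION[FORM_TOKEN_KEY] ?? null;
    $submitted = $post['originator'] ?? null;
    // Require strings on both sides: a loose == between an int in the
    // session and a POST string compares numerically, not byte-for-byte.
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() is a constant-time string comparison.
    if (!hash_equals($expected, $submitted)) {
        return false;
    }
    unset($_SESSION[FORM_TOKEN_KEY]);   // one-time use: a captured value cannot be replayed
    return true;
}

// --- request handling ---
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        http_response_code(403);
        exit('Invalid or expired form token');
    }
    // process the form
}
echo '<form method="post">', form_token_field(issue_form_token()), '</form>';
```

This ties a submission to a session that previously rendered the form, which is what a CSRF token does; it does not by itself establish that a person rather than a script filled the form in, since anything that can load the page within a session also receives a token.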

Recommended answer


