隐藏敏感的PHP脚本 [英] Hide sensitive PHP script
问题描述
嘿那里,我是一个年轻的程序员!
我正在制作一个原型网站建设者,我有一个PHP脚本能够创建一个来自我表单的子域。
有什么方法可以阻止恶意用户发送垃圾邮件吗?我的HTML如下:
Hey there, I'm a young coder!
I'm making a prototype website builder, and I have a PHP script that is able to create a sub-domain from my form.
Is there any way that I can prevent malicious users from, say, spamming the form? My HTML is as follows:
<form action="website-build/build.php" method="post">
这将允许人们知道脚本的位置,然后将输入用作数据。
这些是我的输入(它们通过HTML验证,我只是没有包含模式值):
This would allow people to know the location of the script and subsequently use the inputs as data.
These are my inputs (they are validated through HTML, I just didn't include the pattern value):
<input name="first_name" type="text" />
<input name="last_name" type="text" />
<input name="email" type="email" />
<input name="cms" type="radio" value="wordpress" />
<input name="cms" type="radio" value="drupal" />
<input name="cms" type="radio" value="joomla" />
<input name="subdomain" type="text" />
网址如下:... build .PHP如first_name = VALUE &安培;姓氏= VALUE 电子邮件= VALUE &安培; CMS = VALUE &安培;子域= VALUE
那么如何阻止人们在URL(GET)或工具(POST)中提交此内容,从而不允许访问所述脚本,除非我的网站使用过?
我认为最好的做法是以某种方式隐藏输入的 name 属性然后人们不会知道。
我尝试了什么:
我考虑删除操作并在实际文档中运行PHP,但这不是没有帮助,它做同样的事情。我还没弄明白如何删除输入的 name 属性。
The URL would look like: ...build.php?first_name=VALUE&last_name=VALUEemail=VALUE&cms=VALUE&subdomain=VALUE
So how can I stop people from submitting this in the URL (GET) or with a tool (POST) and thereby allowing no access to said script unless used by my website?
I'm thinking the best course of action would be to hide the name attribute of the inputs somehow and then people wouldn't know.
What I have tried:
I thought about deleting the action and having the PHP run in the actual document, but that doesn't help, it does the same thing. I have yet to figure out how to remove the name attribute of the inputs.
推荐答案
那么如何阻止人们在URL(GET)或工具(POST)中提交此内容,从而除非我的网站使用,否则不允许访问所述脚本?
So how can I stop people from submitting this in the URL (GET) or with a tool (POST) and thereby allowing no access to said script unless used by my website?
你无法阻止人们这样做。
我不是这方面的专家,但是:
- 你可以考虑一下任何客户端检查都可以被恶意用户绕过。
- 您必须重新检查PHP脚本中的所有内容,包括通常在客户端进行的所有检查。
- 隐藏脚本URL没有帮助,因为URL将用于发布答案,这可以被用户检测到。
- 其中一个认为你必须检查的是用户是合法的合法的会话。
You can't stop people from doing this.
I am not expert on this, but:
- You can consider that any client side check can be bypassed by malicious user.
- You have to recheck everything in your php script, including all the checks normally done on client side.
- Hiding the script URL will not help because the URL will be used to post the answer, and this can be detected by user.
- One of the thinks you have to check is that the user is legitimate and in a legitimate session.
这篇关于隐藏敏感的PHP脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
