Stopping session hijacking


Question

I have been contacted by a hacker saying they're gonna take my site down using session hijacking; he has said that my text boxes are session hijacking vulnerable.

Is there any way to protect text boxes from session hijacking? I'm using this to escape and protect from SQL injection.

Here is my form:

    <form name="hide" action="hideboxupdate.php" method="post">
        <input type="radio" name="yes" value="1" /> Yes<br />
        <input type="radio" name="no" value="0" /> No
        <input name="submit" type="submit" value="Submit" />
    </form>

Then here is my hideboxupdate.php:

<?php
// $_SESSION is only populated after session_start(); without it the
// WHERE clause below compares against an empty username.
session_start();

// Escape and strip the posted values (legacy mysql extension, as in the
// original). Note that a variable assigned from strip_tags() is always "set",
// so isset($yes2) / isset($no2) would run BOTH updates on every request;
// the checks below look at what was actually posted instead.
$username = mysql_real_escape_string($_SESSION['username']);

if (isset($_POST['yes'])) {
    $yes  = mysql_real_escape_string($_POST['yes']);
    $yes2 = strip_tags($yes);   // escaped value; only its presence is used here

    $result3333 = mysql_query("UPDATE users SET hide_box='1' WHERE username = '" . $username . "'")
        or die(mysql_error());

    echo "Users now can not see your user box";
}

if (isset($_POST['no'])) {
    $no  = mysql_real_escape_string($_POST['no']);
    $no2 = strip_tags($no);     // escaped value; only its presence is used here

    $result3333 = mysql_query("UPDATE users SET hide_box='0' WHERE username = '" . $username . "'")
        or die(mysql_error());

    echo "Users can now see your box on your profile";
}
?>

Is there any way to protect from session hijacking???

Answer

Make an MD5 of the session, browser data and IP and put it in the database; on every page load check if it's still the same, and if not, destroy the session.
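The following is an added example (not code from the question or the answer above) of the check the answer describes: a fingerprint of the client's IP and browser headers is recorded when the user logs in, recomputed on every page load, and the session is destroyed when it no longer matches. It keeps the fingerprint in the server-side session store rather than in a database table, which is an assumption on my part (the server-side session data is as trustworthy as a database row, and it saves a query); `bind_session_to_client()`, `session_is_valid()` and the `login.php` redirect are names I chose for the illustration.

```php
<?php
// Added example: tie a PHP session to the client that created it and drop the
// session when the client's characteristics change (the check from the answer).
// Assumes PHP 5.6+ for hash_equals(); hash names and function names are mine.

// Fingerprint built from the request: the answer's "browser data and ip".
// Nothing here is secret; the hash is only compared against itself later, so
// sha256 versus the answer's md5 makes no security difference.
function client_fingerprint(array $server)
{
    $parts = array(
        isset($server['REMOTE_ADDR'])          ? $server['REMOTE_ADDR']          : '',
        isset($server['HTTP_USER_AGENT'])      ? $server['HTTP_USER_AGENT']      : '',
        isset($server['HTTP_ACCEPT_LANGUAGE']) ? $server['HTTP_ACCEPT_LANGUAGE'] : '',
    );
    return hash('sha256', implode("\n", $parts));
}

// Call once right after the password check succeeds.
function bind_session_to_client()
{
    session_regenerate_id(true);  // fresh id: a cookie captured before login is now worthless
    $_SESSION['fingerprint'] = client_fingerprint($_SERVER);
    $_SESSION['bound_at']    = time();
}

// Call at the top of every page that requires a logged-in user.
// Returns true when the session may be used; false after it has been destroyed.
function session_is_valid()
{
    if (empty($_SESSION['fingerprint'])) {
        return false;             // never bound, so nobody is logged in
    }

    $expected = $_SESSION['fingerprint'];
    $actual   = client_fingerprint($_SERVER);

    if (!hash_equals($expected, $actual)) {
        // Client changed underneath the session id: treat the cookie as stolen.
        $_SESSION = array();
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    return true;
}

// Wiring for a page such as hideboxupdate.php (hypothetical). The ini settings
// keep the session cookie away from JavaScript and off plain-HTTP connections.
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);   // requires the site to be served over HTTPS
session_start();

if (!session_is_valid()) {
    header('Location: login.php');
    exit;
}
// ... the UPDATE on $_SESSION['username'] goes here ...
```

Two practical notes on this design. First, `REMOTE_ADDR` changes for users on mobile networks or behind load-balanced proxies, so including it means those users get logged out mid-session; if that is unacceptable, leave the IP out of the fingerprint and rely on `session_regenerate_id()` plus the cookie flags. Second, the fingerprint is a consistency check, not a secret: an attacker who has the cookie and can copy the User-Agent header passes it, so it raises the bar rather than closing the hole, and the HTTPS-only cookie is what actually stops the cookie from being captured in transit.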
