网站功能受到干扰或被黑 [英] Website functionality disturbed or hacked
问题描述
我的网站上有一个用户消息传递系统.
我有一个< button id="msg" data-id="1">
data-id
对应于users
表中的user_ id
列.现在,我使用ajax jquery和php向用户发送消息.
通过jquery,我得到了单击.msg
按钮的data-id
并使用php将msg发送给该用户.
I have a user messaging system on my website.
I have a < button id="msg" data-id="1">
the
data-id
corresponds to user_ id
column in users
table . Now i send message to user using ajax jquery and php .
Via jquery i get data-id
of clicked .msg
button and send msg to that user using php.
现在我的问题是我受到某些人向其他人发送消息的限制.但是那些人可以通过在开发人员模式下更改data-id
轻松地非法发送那些消息.我如何防止这种情况发生?
Now my problem is i have restrictions of some people sending message to some other . But those can easily send those messages illegally by changing data-id
in developers mode.how i can prevent this?
推荐答案
您总是可以使用服务器端生成的一些散列发送到前端,以确保发送回服务器的用户ID是最初打开服务器的ID.页.甚至不需要为此调用数据库.
You can always use some server side generated hashes sent to the front ends to ensure that the user-id sent back to the server is the one that originally opened the page. There is not even a need to call the database for that.
<button id="msg" data-id="1" data-hash="1234abc">
在其中使用盐/秘密和数据ID计算哈希.提交后,您只需检查提供的哈希值是否与新计算的哈希值相同即可.
where you calculate the hash with a salt/secret and the data-id. And upon submit you just check if the supplied hash is the same like the newly calculated.
因此在php中,您可以执行以下操作:
so in php you could do something like:
$userId = 1;
$secret = 'yourVeryPersonalSecretSentence';
$hash = sha1($secret . $userId); // would create something like "d0be2dc421be4fcd0172e5afceea3970e2f3d940"
在您的html中,您将:
in your html you would have:
<button id="msg" data-id="1" data-hash="d0be2dc421be4fcd0172e5afceea3970e2f3d940">
然后在调用ajax时,请仔细检查:
and upon ajax call, you just double check:
$userId = $idValueFromForm;
$secret = 'yourVeryPersonalSecretSentence';
$hash = $hashFromForm;
$newHash = sha1($secret . $userId);
if ($newHash === $hash) { // the userid was the same as sent to the browser
...
}
希望这会有所帮助.
这篇关于网站功能受到干扰或被黑的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!