Website functionality disturbed or hacked

Views: 64

Question

I have a user messaging system on my website. I have a <button id="msg" data-id="1"> whose data-id corresponds to the user_id column in the users table. Now I send messages to users using ajax, jQuery and PHP. Via jQuery I get the data-id of the clicked .msg button and send the message to that user using PHP.

Now my problem is that I have restrictions on some people sending messages to some others. But those people can easily send those messages illegally by changing the data-id in developer mode. How can I prevent this?

Recommended answer

You can always use some server-side generated hashes sent to the front end to ensure that the user-id sent back to the server is the one that originally opened the page. There is not even a need to call the database for that.

<button id="msg" data-id="1" data-hash="1234abc">

where you calculate the hash with a salt/secret and the data-id. And upon submit you just check if the supplied hash is the same as the newly calculated one.

so in PHP you could do something like:

<?php
$userId = 1;                                    // the recipient's user_id being rendered
$secret = 'yourVeryPersonalSecretSentence';     // server-side only, never sent to the browser
$hash = sha1($secret . $userId); // would create something like "d0be2dc421be4fcd0172e5afceea3970e2f3d940"

in your HTML you would have:

<button id="msg" data-id="1" data-hash="d0be2dc421be4fcd0172e5afceea3970e2f3d940">

and upon the ajax call, you just double check:

<?php
$userId = $idValueFromForm;                 // the data-id posted back by the ajax call
$secret = 'yourVeryPersonalSecretSentence'; // the same secret used when rendering the page
$hash = $hashFromForm;                      // the data-hash posted back alongside the id

$newHash = sha1($secret . $userId);
if ($newHash === $hash) { // the userid was the same as sent to the browser
    ...
}

Hope this helps.
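A fuller version of this check, added here as an example and not part of the original answer: it signs the recipient id together with the logged-in sender's id with an HMAC (so a token copied from another user's page is rejected), compares with hash_equals, and re-applies the permission rule on the server, since the hash only proves the server issued that id, not that the sender is still allowed to message it. MSG_SECRET and canMessage() are placeholders for the site's own secret and messaging rule, not anything from the page.

```php
<?php
// Added example (not from the original answer): HMAC-signed recipient ids.
// Assumptions: MSG_SECRET is a server-side config value, the sender id comes
// from the logged-in session, and canMessage() is a hypothetical permission rule.
declare(strict_types=1);

const MSG_SECRET = 'yourVeryPersonalSecretSentence'; // placeholder; keep out of source control

// Hypothetical placeholder for the site's own "who may message whom" rule.
function canMessage(int $senderId, int $recipientId): bool
{
    return $senderId !== $recipientId; // constructed sample rule
}

// Sign the recipient id together with the sender id, so the token only
// works for the user the page was rendered for.
function signRecipient(int $senderId, int $recipientId, string $secret = MSG_SECRET): string
{
    return hash_hmac('sha256', $senderId . ':' . $recipientId, $secret);
}

// Render the button only for recipients the sender may message;
// a user who is not allowed never receives a valid token at all.
function renderMsgButton(int $senderId, int $recipientId): string
{
    if (!canMessage($senderId, $recipientId)) {
        return '';
    }
    return sprintf('<button class="msg" data-id="%d" data-hash="%s">Message</button>',
        $recipientId, signRecipient($senderId, $recipientId));
}

// AJAX handler side: recompute and compare in constant time, then re-check
// the permission anyway (the token proves origin, not an up-to-date rule).
function verifyRecipient(int $senderId, string $idFromForm, string $hashFromForm): ?int
{
    if (!ctype_digit($idFromForm)) {
        return null;
    }
    $recipientId = (int) $idFromForm;
    $expected = signRecipient($senderId, $recipientId);
    if (!hash_equals($expected, $hashFromForm)) {
        return null; // tampered data-id or token copied from another user's page
    }
    return canMessage($senderId, $recipientId) ? $recipientId : null;
}

// Constructed demonstration: sender 7 received a button for recipient 1.
$button = renderMsgButton(7, 1);
preg_match('/data-hash="([0-9a-f]+)"/', $button, $m);
var_dump(verifyRecipient(7, '1', $m[1]) === 1);    // true
var_dump(verifyRecipient(7, '2', $m[1]) === null); // true: data-id changed in dev tools
var_dump(verifyRecipient(9, '1', $m[1]) === null); // true: token from another sender's page
```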

