Best ways to secure form data from malicious users wielding Firebug?


Question

I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user.

What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or considerations?

I'm familiar with PHP and jQuery, so my ideal solution would use one or both of those languages.

Answer

You can't use jQuery for security since it's all handled on the client side.

In your example just use a PHP session instead of a hidden input field, because as you rightfully noted this can be manipulated.

Using a session looks like this:

Login page

<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="submit" value="submit">
</form>

login.php

<?php
// you have to include this on every page to be able to use sessions.
// also make sure that you include it before any output
session_start();

//Always sanitize the user input before doing any db actions.

//For example by using: `mysql_real_escape_string()` ( http://php.net/manual/en/function.mysql-real-escape-string.php ).
// (Note: the mysql_* extension was removed in PHP 7; prepared statements via PDO or mysqli
//  are the current equivalent and avoid manual escaping altogether.)

// check user credentials against db
// ($dbresult stands for the row fetched from the db for the submitted username/password)

$_SESSION['user'] = $dbresult['username'];

page-where-userid-is-required.php

<?php
// same rule as above: start the session before any output
session_start();

if (!isset($_SESSION['user'])) {
    // user is not logged in!
} else {
    // use user info to place order for example
}

The session will be active until the user closes his browser / until the session expires (which is a PHP setting)

The above is just some sample code to give you an idea.

It works for smaller projects, however as projects get more complex I would suggest going for the MVC (Model, View, Controller) way. ( http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller )

But that's just a whole other story :)
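The answer's approach carried through as a complete example, added here and not code from the original answer. It shows the tamperable handler (member id taken from a hidden field) next to the session-bound handler (member id taken from server-side state), plus the login that establishes that state. It assumes a PDO connection in `$pdo` created elsewhere (for instance by an assumed `db.php`), tables `members(id, username, password_hash)` and `orders(member_id, item, qty)`, and PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the original answer). Assumptions: $pdo is a PDO
// connection created in an assumed db.php; tables members(id, username,
// password_hash) and orders(member_id, item, qty) exist; PHP >= 7.3.
declare(strict_types=1);

require 'db.php'; // assumed: defines $pdo

// Bootstrap shared by every page: harden the session cookie, then start the
// session before any output (same rule as in the answer above).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// --- login.php -------------------------------------------------------------
function login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: no manual escaping needed, no SQL injection.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh id after privilege change
    $_SESSION['member_id'] = (int) $row['id']; // identity lives only on the server
    return true;
}

// --- order.php, tamperable version ----------------------------------------
// The form carries <input type="hidden" name="member_id" value="42">.
// With Firebug the user edits 42 to any other id before submitting, and the
// order is credited to that member.
function placeOrderTamperable(PDO $pdo, array $post): void
{
    $memberId = (int) $post['member_id'];      // attacker-controlled
    $pdo->prepare('INSERT INTO orders (member_id, item, qty) VALUES (?, ?, ?)')
        ->execute([$memberId, $post['item'], (int) $post['qty']]);
}

// --- order.php, session-bound version -------------------------------------
// No member_id field in the form at all; the server already knows who is
// logged in, so there is nothing for the client to edit.
function placeOrder(PDO $pdo, array $post): void
{
    if (!isset($_SESSION['member_id'])) {
        http_response_code(401);
        exit('not logged in');
    }
    $memberId = $_SESSION['member_id'];        // from server state, not the request

    // Fields that still come from the client are validated server-side for the
    // same reason: the browser can send anything, regardless of what the HTML says.
    $item = $post['item'] ?? '';
    $qty  = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($item === '' || strlen($item) > 64 || $qty === false) {
        http_response_code(400);
        exit('invalid order');
    }

    $pdo->prepare('INSERT INTO orders (member_id, item, qty) VALUES (?, ?, ?)')
        ->execute([$memberId, $item, $qty]);
}

// Dispatch (in practice each handler would sit in its own file).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['username'], $_POST['password'])) {
        login($pdo, $_POST['username'], $_POST['password']) or exit('bad credentials');
    } elseif (isset($_POST['item'])) {
        placeOrder($pdo, $_POST);
    }
}
```

The difference between the two `order.php` handlers is the whole point of the answer: `placeOrderTamperable` reads the member id from the request, so editing the hidden field in Firebug changes who gets charged, while `placeOrder` reads it from `$_SESSION`, which the browser can only reference by cookie and never edit. `session_regenerate_id(true)` on login and the `httponly`/`secure` cookie flags keep that session id from being fixed or stolen by script, which is what the session approach's security now rests on.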
