具有禁用的< input type =“提交""的表单可以还是被黑客提交了? [英] Can a form with a disabled <input type="submit"> be hacked to submit anyway?
问题描述
我只是对<input type="submit" />
标签的安全性感到好奇.
I'm just curious about the security of the <input type="submit" />
tag.
如果我有一个表单(带有method="post"
),并且只有一个提交"按钮,该按钮已被禁用,而且我还没有编写任何会影响表单,按钮或其其他内容的JS/AJAX/jQuery,有人还能找到一种提交表单的方法吗?
If I have a form (with method="post"
) with just one "Submit" button, which is disabled, and I haven't written any JS/AJAX/jQuery that affects the form, the button, or its other contents, could someone still find a way to submit the form?
这是我所谈论的形式的代码:
Here's the code for a form along the lines I'm talking about:
<form method="post" action="processor.php" enctype="multipart/form-data">
<input type="text" name="foo" value="bar" />
<input type="submit" value="Submit" disabled="disabled" />
</form>
非常感谢!
推荐答案
是的,我什至不需要您的表格来提交它.我可以使用cURL或类似的库来发送POST请求,就像它来自表单一样.
Yes, I don't even need your form to submit it. I can use cURL or a similar library to just send a POST request as if it came from a form.
总是在服务器端验证所有内容,但不一定总能得到期望的结果.
Always validate everything server-side, you don't always get what you expect.
这篇关于具有禁用的< input type =“提交""的表单可以还是被黑客提交了?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!