Secure way of passing values using POST method


Question

I need to pass a few values using a POST method form to another payment processor site. Those values are something like tokens which are generated on my account, and I'm currently using a basic form with input type="hidden" on those values. And also one variable is encrypted with sha1. But what I'm concerned about is the security of it, because the type="hidden" can be seen in HTML. What is the correct way of doing this in this case, and generally what should I use? I'm fairly new to this, so any help would be appreciated.

Code snippet:

    <?php
    // $key is the merchant's secret; only the resulting digest goes into the form.
    $digest = sha1($key . $order_number . $amount . $currency);
    ?>

    <input type="hidden" name="digest" value="<?php echo $digest; ?>">
    <input type="hidden" name="authenticity_token" value="123456">

Answer

If you want to protect transmitted data from prying eyes, then the answer is not to be found in PHP or HTML, but in the web server itself.

By default, data between the browser and the server is in plain text. Even binary data is encoded into plain text and decoded at the other end.

The only way to secure your transmission is to use HTTPS as your protocol.

This requires the following:

  • An HTTPS certificate. You can get them from various places, such as GeoTrust. You can also get them from many third parties such as GoDaddy or Name.com. If you can manage it, you can also get them for free using LetsEncrypt.
  • The certificate needs to be installed. If you are on a hosted server, you will need to organise this with them.
  • In your links and URLs, use https:// instead of the default http://.

The communication is encrypted between the server and the browser using a variable encoding method which makes interception mostly impractical and a waste of time. (No absolute guarantees, of course.)

As regards the rest of your coding, just go ahead and do it normally. After the setup, encryption is automatic and transparent.
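As an added example (not code from the original question or answer), assuming a hypothetical receiving side and HMAC-SHA256 in place of the question's sha1 concatenation: the secret key stays on the server, the hidden fields are public by design, the form action is checked to be https:// as the answer requires, and the digest is what lets the receiver detect a field changed after the form was rendered.

```php
<?php
// Added example, not code from the original question or answer. The receiving side
// is hypothetical: a real payment processor defines its own digest scheme. Shown here:
// the secret never enters the form, hidden fields are public by design, and the
// digest is what lets the receiver spot a field altered in the browser.
declare(strict_types=1);

// Secret shared with the processor out of band; never placed in a hidden input.
const MERCHANT_KEY = 'placeholder-secret-key';

// Build the values that will become hidden inputs. They are visible to the user
// and, unless the form posts over HTTPS, to anyone on the network path.
function build_fields(string $orderNumber, string $amount, string $currency): array
{
    $fields = ['order_number' => $orderNumber, 'amount' => $amount, 'currency' => $currency];
    // HMAC-SHA256 keyed with the secret, assumed here instead of the question's sha1($key . ...).
    $fields['digest'] = hash_hmac('sha256', implode('|', $fields), MERCHANT_KEY);
    return $fields;
}

// Render the form; refuse a plain http:// action so the values never cross the
// network unencrypted, which is the point the answer makes about HTTPS.
function render_form(string $action, array $fields): string
{
    if (stripos($action, 'https://') !== 0) {
        throw new InvalidArgumentException("form action must use https://: $action");
    }
    $html = '<form method="post" action="' . htmlspecialchars($action, ENT_QUOTES) . '">';
    foreach ($fields as $name => $value) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
    }
    return $html . '<button type="submit">Pay</button></form>';
}

// Receiver side (hypothetical): recompute the digest from the posted fields and
// compare in constant time, so a field edited in the browser is rejected.
function verify_fields(array $posted): bool
{
    $message = implode('|', [
        $posted['order_number'] ?? '', $posted['amount'] ?? '', $posted['currency'] ?? '',
    ]);
    $expected = hash_hmac('sha256', $message, MERCHANT_KEY);
    return hash_equals($expected, (string) ($posted['digest'] ?? ''));
}

$fields = build_fields('1001', '49.99', 'EUR');            // constructed sample order
echo render_form('https://processor.example/pay', $fields), PHP_EOL;
var_dump(verify_fields($fields));                           // fields as rendered
var_dump(verify_fields(['amount' => '0.01'] + $fields));    // amount changed after rendering
```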

