防止后退按钮攻击?PHP [英] Prevent back button exploits? PHP
问题描述
我使用 Javascript 和 PHP 构建了一个简单的游戏.一旦用户达到目标分数,他们就可以将他们的名字添加到高分 mysql 数据库中.我正在使用 PHP POST 获取他们的分数并将其添加到 mysql.
I've built a simple game using Javascript and PHP. Once the user hits the target score, they are allowed to add their name to a highscore mysql database. I'm using PHP POST to get their score and add it to mysql.
在某人获得高分并输入他们的名字后,它会将分数变量重置为零,并将他们重定向回带有 header('location') 的主游戏页面.如果他们按一次后退按钮,一切都很好,这表明他们的分数为零,因为我重置了变量.但是,如果他们按两次后退按钮,就会显示他们的高分,他们可以再次输入自己的名字,并用他们的名字淹没高分数据库.
After someone get's a highscore and enters their name, it resets the score variable back to zero and redirects them back to the main game page with header('location'). If they hit the back button once, all is good, it shows their score is zero since I reset the variables. However if they hit the back button twice it brings up their high score and they can enter their name again and flood the highscore database with their name.
无论如何要防止这种情况发生?
Anyway to prevent this?
推荐答案
您需要检查用户的至少一项识别特征,并在提供表单之前检查他们是否提交了分数.有多种方法可以做到这一点,每种方法都有自己的弱点,所以最好混合搭配,但我最想知道的包括:
You need to check for at least one identifying feature of the user and check if they have submitted a score before serving up the form. There are various ways you can do this, each with their own weaknesses, so it's best to mix and match, however some off the top of my head include:
检查具有相同 IP 和用户代理字符串的人在过去 x 分钟内没有提交高分(尽管这可能会阻止提交一些合法的分数 - 想想使用相同浏览器的学校/办公室并具有相同的IP)
Checking that a person with the same IP and user-agent string hasn't submitted a highscore in the last x minutes (though this may prevent some legit scores from being submitted - think a school / office using same browser and having same ip)
在到达时放置一个带有识别用户 ID 的跟踪 cookie.然后检查用户 ID 在过去 x 分钟内没有提交分数.(例如,如果需要,可以启动 PHP 会话)
Putting a tracking cookie on arrival with an identifying user id. Then checking that user id hasn't submitted a score in the last x minutes. (e.g. start a PHP session if you want)
在分数提交后向浏览器添加 cookie,然后在提供表单之前检查此 cookie(是的,可以通过删除 cookie 轻松解决此问题).或者您可以在会话中设置一个值)
Adding a cookie to the browser after score submit, then checking for this cookie before serving up the form (yes, it can be easily worked around by deleting the cookie). Alternatively You could set a value in the session)
这篇关于防止后退按钮攻击?PHP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
