在表单中使用隐藏字段不安全吗? [英] Is the use of hidden fields in forms insecure?

问题描述

例如
想象一下我有以下形式

For example
Imagine I have the following form

  <%= form_for(@comment) do |f| %>

    <%= f.hidden_field :user_id%>
    <%= f.hidden_field :article_id%>

    <%= f.label :content %><br />
    <%= f.text_area :content %>

    <%= f.submit %>
  <% end %>

我得到了 :user_id 和 :article_id 值:

I got the :user_id and :article_id values with:

Comment.new(:user_id => current_user.id, :article_id => @article.id)

当我在浏览器中显示表单时，它看起来像这样:

When I display the form in the browser it will look like this:

<form action="/comments" method="post">

  <input some_rails_tokens_here />

  <!-- THIS AREA HERE-->
  <input id="comment_user_id" name="comment[user_id]" type="hidden" value="1" />
  <input id="comment_article_id" name="comment[article_id]" type="hidden" value="1" />
  <!-- THIS AREA HERE-->

  <label for="comment_content">Content</label><br />
  <textarea id="comment_content" name="comment[content]"></textarea>

  <input type="submit" />
</form>

我的问题是，如果有人更改了帖子参数而不是被:user_id => 1 的值改为:user_id => 2.与文章相同.

My question is, what if someone changes the post parameters and instead of being the value for :user_id => 1 it is changed to :user_id => 2. The same with the article.

我想相信这是用 rails 令牌验证的，但我不确定.

I want to believe that is verified with the rails tokens, but I am not sure.

推荐答案

表单中的隐藏字段并不比来自用户的任何其他数据更安全或更不安全.也就是说，它不应该被完全信任:它来自来自用户并且对操纵和特殊注入持开放态度.

A hidden field in a form is no more or less secure than any other data that come from user. That is, it should not be trivally trusted: It comes from the user and is open to manipulation and specialty injection.

当数据发送回服务器时，服务器应该验证该数据，而不是仅仅基于特定用户就假设该操作是允许/无效的——可修改的上下文.根据需要，可以使用诸如哈希校验和之类的方法来确保数据没有被篡改(但同样，每次请求都应该由服务器验证！).使用会话状态"可以将数据排除在用户操作区域之外，从而完全缓解问题.

When the data is sent back to the server, the server should validate that data and not assume that the operation is allowed/invalid just based on a particular user-modifiable context. Depending upon needs, approaches like hash checksums can be used to have a very high degree of confidence that the data was not tampered with (but again, this should be verified by the server each request!). Using "session state" mitigates the problem entirely by keeping the data out of user-manipulation land.

快乐编码.

这篇关于在表单中使用隐藏字段不安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！