在 URL 中发送参数的最佳和安全方式 [英] Best and secure way to send parameters in URL

问题描述

我正在开发一个网站，该网站具有根据 ID 更新和删除数据的功能.现在我担心的是我的网址是

I am working on a website in which there would be functionalities to update and delete data on the basis of id. Now the thing I am worried about is like my url would be

www.example.com/public/controller/action/1

www.example.com/public/controller/action/1

如果操作是delete，任何人都可以将url中的id从1更改为2，id为2的数据将被删除.保持流量安全的最佳方法是什么.我正在使用 Zf2 和 Doctrine2 ......请提出任何建议！！！而且我将 ids 隐藏在字段中，任何人都可以使用 firebug 来更改字段中的值，有什么方法可以保护数据吗?

if the action would be delete, any person can change id from 1 to 2 in url and the data with id 2 would get deleted. What would be the best way to keep the flow secure. I am using Zf2 and Doctrine2... Any suggestions please !!! And moreover I am keeping ids hidden in fields, anybody can use firebug to change the value in fields, is there any way to protect data from that too?

任何加密解密方式都会使其安全，就像有人甚至编辑加密值一样，解密后不会导致所需的ID?哪个好?

Would any encryption-decryption way would make it secure, like if anybody even edits the encrypted value, after decrypting it would not result in a required id? Which one would be good?

推荐答案

当人们更改 URL 中的参数或试图将某些内容侵入您的 HTML(隐藏字段)时，您应该少担心会发生什么，而您应该担心更多了解您的用户实际上可以做什么.

You should worry less about what happens when people change parameters within the URL or try to hack something into your HTML (hidden fields), as much more you should worry about what your users are actually allowed to do.

例如，如果允许管理员删除所有帖子，那么他是否将domain.com/post/delete/1 更改为domain.com/post/delete/42.如果管理员应该删除他们可以删除的所有内容.所以让他们随心所欲地改变它.

If an admin is allowed to delete all posts for example, then it doesn't matter if he changes domain.com/post/delete/1 into domain.com/post/delete/42. If admins are supposed to delete everything they can. So let them just change it as much as they want to.

如果管理员只被允许获得对他们自己条目的管理权限，那么你需要在你的服务层中使用它.服务层将根据当前请求的对象检查当前用户的权限.我个人最喜欢的是 ZfcRbac.

If admins however are only allowed to gain administrative privileges to their own entries, then you need to work this into your Service-Layer. The Service-Layer would check for permissions of the current user against the currently requested object. My personal favorite would be ZfcRbac.

然而，如果您想让人们更难以实际更改 ID，那么您应该给每个条目一个唯一的哈希值.例如，url 将是 domain.com/post/delete/12acd-4a7f7c6-4a7f7c6-12acd-4a7f7c6 或类似的东西.

If however you want to make it more difficult for people to actually change IDs, then you should give every entry a unique hash. So for example the url would be domain.com/post/delete/12acd-4a7f7c6-4a7f7c6-12acd-4a7f7c6 or something like that.

TL/DR不要担心当人们更改 URL/HTML 中的内容时会发生什么，只需担心一般的身份验证和权限.

TL/DR don't worry what happens when people change stuff within the URL/HTML, simply worry about Authentication and Permissions in general.

这篇关于在 URL 中发送参数的最佳和安全方式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！