表单提交安全与 php [英] form submit security with php

问题描述

我让用户点击发送到他们电子邮件的链接，该链接会将他们带到一个表单(例如 register.php)以完成注册.

I have users click on a link sent to their email that takes them to a form (say, register.php) to complete their registration.

我在 register.php 中检查表单提交:

I have a check upon form submission in register.php:

if(isset($_POST['submitted']) and $_SERVER['REQUEST_METHOD'] == 'POST') {
    //register user in database
}

我的问题是:有人可以通过简单地创建一个带有 $_POST['submitted'] 设置的自定义 http POST 请求，在技术上绕过这个正式的注册过程吗?如果是这样，检查这个的好方法是什么?我检查了有人试图以未经授权的方式进入注册页面，但我觉得有人发布到该页面不够安全.如果我决定使用 HTTPS，我是否应该为此担心?我希望这是有道理的.提前致谢.

My question is: could someone technically circumvent this formal registration process by simply creating a custom http POST request with $_POST['submitted'] set? If so, what's a good way to check for this? I have checks for someone trying to GET to the registration page in an unauthorized manner but I feel like someone POSTing to the page isn't secure enough. Should I even be worried about this if I decide to use HTTPS? I hope this makes sense. Thanks in advance.

推荐答案

您描述的问题称为跨站点请求伪造.可以通过生成令牌并将表单中隐藏输入的值设置为令牌来防止攻击.此外，将会话变量设置为令牌值.在接收发布数据的 PHP 表单中，检查会话令牌和发送的令牌是否匹配.如果匹配，则该表单来自您的网站.

The issue you describe is called cross-site request forgery. The attack can be prevented by generating a token, and setting the value of a hidden input in the form to the token. Also, set a session variable to the token value. In your PHP form receiving the post data, check if the session token and the sent token match. If they match, the form came from your site.

这是另一个堆栈溢出问题，其中包含有关防止跨站点请求伪造的更多详细信息:如何在PHP中有效防止跨站请求伪造(CSRF).

Here is another stack overflow question that includes more details about preventing Cross-Site Request Forgery: How to prevent Cross-site request forgery (CSRF) effectively in PHP.

这篇关于表单提交安全与 php的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！