如何保护请求帖子 - C# 和 PHP [英] How to secure requesting post - C# and PHP

问题描述

我在使用 C#、PHP、MYSQLi 时遇到问题.我制作了一个登录表单注册系统与

I have a problems with C#, PHP, MYSQLi. I made a form for Login & Registration system with

这是一个用于用户注册的简单 C# 函数.

This a simple C# function for user registration.

IEnumerator 注册器(字符串名称，字符串用户名，字符串电子邮件，字符串密码) {

IEnumerator registrar( string name, string username, string email, string password ) {

// This is what sends messages to our php script
WWWForm form = new WWWForm();

// The fields are the variables we are sending
form.AddField("name", name);
form.AddField("username", username);
form.AddField("email", email);
form.AddField("password", password);

//string url = "http://www.my-server.com/registrar.php";
string url = "http://localhost/registrar.php";

UnityWebRequest www = UnityWebRequest.Post(url, form);

// Wait for php to send something back to unity
yield return www.SendWebRequest();

if (
    www.isNetworkError || www.isHttpError
) {
    Debug.Log("Error!");
} else {
    Debug.Log("Complete!");
}}

__

// Database variables
$db_host        = "localhost";
$db_user        = "root";
$db_password    = "test";
$db_name        = "test";

// Connect to database.
$db = mysqli_connect($db_host, $db_user, $db_password, $db_name);

// User variables
$name           = $db->real_escape_string($_POST["name"]);
$username       = $db->real_escape_string($_POST["username"]);
$email          = $db->real_escape_string($_POST["email"]);
$password       = $db->real_escape_string($_POST["password"]);
$password_hash  = password_hash($password, PASSWORD_DEFAULT);

// E-mail can not be empty
if(
    !empty($email)
    &&
    !empty($username)
    &&
    !empty($password)
) {
    // Insert user data
    $db->query("INSERT INTO `user`(`username`, `name`, `email`, `password`) VALUES ('$username', '$name', '$email', '$password_hash')");

    // Display...
    echo "Success!";
} else {
    // Display an error
    echo "Error!";
}
?>

一切正常，PHP 代码正常运行.

Everything is OK, The PHP code are work to.

但我现在的问题是，如果黑客获得了注册页面的 URL，并为自己制作一个类似于我的表单并使用我的注册页面 URL 并使用的表单，会发生什么.

But my problem now what gonna happen if the hackers get the URL of registration page, And make for himself a form just like my form and use my URL of registration page and using.

这是我的问题，这个问题会破解游戏数据，比如(得分、总上场时间、上场时间、其他数据).

This is my problem, This problem will hack the Game data Like (Score, Total play, Time play, Otherss data).

那么我该如何保护 &安全(请求发布)我有没有用 PHP 或 C# 做一些事情.

So how can I protect & secure (request post) Do I have do something in PHP or C#.

推荐答案

我一眼就能看出你代码中的一些弱点:

At a glance I can identify some weaknesses in your code:

• 您没有使用 HTTPS.客户端和服务器之间的流量可以被拦截并清晰可见.
• 您没有使用准备好的语句.虽然 real_escape_string 可能没问题，但要知道:1) 它正在改变数据.2) 这取决于为数据库连接配置的字符集(您似乎没有设置).
• 您没有验证用户注册(即发送包含代码的电子邮件并等待其确认).这意味着很容易创建大量虚假帐户.

• You are not using HTTPS. Traffic between the client and server could be intercepted and seen in clear.
• You are not using prepared statements. While real_escape_string is probably ok, know that: 1) It is altering the data. 2) It depends on the character set configured for the database connection (which you do not seem to be setting).
• You are not validating user registration (i.e. sending an email with a code and waiting for it to confirm). Which means that it is easy to create lots of fake accounts.

您要求的似乎是向服务器验证您的应用程序.服务器不知道客户端是否有效(它可能是执行请求的第三方软件)，因此您想找到一种方法来确保.

What you ask seem to be authenticating your application to the server. The server does not know if the client is valid (it could be third party software doing the requests), so you want to find a way to make sure.

不，没有办法做到.如果用户控制客户端并且可以对其进行逆向工程，则不会.

No, there is no way to do it. Not if the user is in control of the client and can reverse engineer it.

Fredrik Schön 的回答 提供了一种在不同环境下有用的解决方案.这个想法是会有一个密码"apikey 标识您的应用程序，服务器将检查它是否正确.如果我想要连接两个应用程序，这很有用……但是，当一个应用程序在用户计算机上时，这根本不安全.

Fredrik Schön answer offers an solution that is useful in a different context. The idea is there will be a "password" apikey that identifies your application, and the server will check if it is correct. This is useful if I want two applications to connect... however, when one application is on the user machine, this is not secure at all.

请记住，您的客户端可能会被修改，或者 apikey 被盗，因为它在客户端机器上运行.

Remember that your client could be modified, or the apikey stolen, since it is running on the client machine.

您可以向客户端添加数字签名(在您的客户端上添加完整性检查，以便它可以验证它没有被修改)，但这也可以被规避.

You could add a digital signature to the client (to add an integrity check on your client, so that it can verify that it has not been modified), yet that can also be circumvented.

在这一点上，一切都是缓解措施.没有办法做到这一点.

On this point, it is all mitigations. There is no way to do it.

破解游戏数据，例如(得分、总上场时间、上场时间、其他数据).

hack the Game data Like (Score, Total play, Time play, Otherss data).

永远不要相信客户

不应该有 API 来执行这些操作.客户端不应该设置分数(或设置任何其他形式的奖励).相反，客户端将事件发送到服务器(它们可以像每个用户输入一样精细，无论如何这就是您在多人客户端 - 服务器游戏中所做的事情)，然后服务器决定分数、奖励等

There should be no API to do these. There should be no way for the client to set the score (or to set any other form of reward). Instead the client sends events to the server (they can be as granular as one per user input, this is what you would be doing on a multiplayer client-server game anyway), and the server decides on score, rewards, etc.

我再说一遍，不会有 API.客户端无法直接发送您玩了多少.

I repeat, there would be no API. There would be no way for the client to just send how much you played.

删除流程是确保您消除风险的唯一方法.否则，一切都是缓解措施.

在 gamedev.stackexchange.com 上搜索 Anti-Cheat 可以给你一些想法.

A search for Anti-Cheat at gamedev.stackexchange.com can give you some ideas.

附录:

游戏客户端访问Web表单的问题和恶意用户创建访问同一表单的自定义客户端的问题...与的问题没有根本区别访问 Web 表单的 Web 浏览器和创建访问同一表单的自定义客户端的恶意用户.网络的所有服务器端安全措施都适用于游戏.请注意，将这种安全性基于特定浏览器并不是一个好主意.

The problem of a game client that accesses a web form and a malicious user that creates a custom client that accesses the same form... is not fundamentally different from the problem of a web browser that accesses a web form and a malicious user that creates a custom client that accesses the same form. All server side security measures for the web apply for the game. And please notice that basing this security on a particular browser is not a good idea.

我们想要的不是阻止第三方自定义客户端的创建，也不是让它变得无用.而是确保它最多可以做合法客户端可以做的事情.

What we want is not to prevent the creation of the third party custom client, nor to make it useless. Instead to make sure it can at best do the same things that the legitimate client can do.

客户端和服务器之间有一个 API.如果该 API 中允许客户端做一些客户端不应该做的事情(例如设置虚假分数)，则必须重新设计服务器及其 API，使其不可能.

There is an API between the client and the server. If there is something in that API that allows the client to do something that the client should not do (such as setting a fake score), then the server and its API must be reworked so that it is not possible.

这篇关于如何保护请求帖子 - C# 和 PHP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！