Removing content from database, security precautions


Question

UPDATE:

I added the CSRF protection like Berdir told me, with the help of the link below to make my application work again. However.. I'm not quite sure what I did right now :D How is this going to make my app more secure? I'm particularly bothered by the fact that I'm now getting a cookie value in my ajax code, because I have to pass it with my ajax call.. otherwise it just doesn't work. Doesn't this give away some crucial information about the cookie? Or am I just being paranoid. Thanks!

http://aymsystems.com/ajax-csrf-protection-codeigniter-20

// old

Hi.

In this web app I'm building, I have a functionality to add 'tips and tricks' about certain subjects. These pages can be added only by accounts with the admin role. However, I also want the ability to remove these pages. (Always handy, right). Since I'm using CodeIgniter, I was thinking of just making a controller function which takes an ID, and passes this ID to the model where the page corresponding to that ID would get deleted from the database.

Just to be clear:

Controller:

public function del_content($id)
{
    // pass the ID straight through to the model (missing semicolon added)
    $this->content_model->del_content($id);
}

Model:

public function del_content($id)
{
    // CodeIgniter Active Record: delete the row whose id matches.
    // The table name 'content' is assumed here; the post does not name it.
    $this->db->where('id', $id);
    return $this->db->delete('content');
}

This is all really simple, but I'm scared that it might be too simple. This doesn't really seem oh so very secure to me, is it? Since you would be able to call the function from the URL address bar in your browser, you could basically remove the whole content table through that. (Since you'd be doing http://mywebsite/controller/del_content/3 for the item with ID 3). Of course, only administrator accounts would have access to that function, but still..

I have never programmed anything like this before and thus never had to think about the security measures I should take in this case. Would anyone be kind enough to give me some things I should keep an eye out for and perhaps some ideas, suggestions, on how to make this more secure?

Many thanks!

Answer

What you need to protect against are CSRF attacks. Put simply, they are attacks which trick administrators into visiting a certain URL by GET or POST request.

The typical way to do that are tokens. When generating the link or form that points to the delete action, you generate a token that you send to the client (either as hidden form field or as part of the GET URL), also store it on the server for the current session and when that action is executed, you compare the submitted and the stored token and only continue if they match.

Many frameworks/systems have this built in in some way; for example, all forms generated with the Form API in Drupal are protected against such attacks.
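The token scheme the answer describes, applied to the `del_content` action from the question, as an added example that is not part of the original post and not CodeIgniter's own CSRF implementation. It is plain PHP so it runs from the command line without a database: `$session` is a plain array standing in for the session library, `$deleteFn` stands in for the model call, and the function names, the `/controller/del_content/{id}` route and the `content` table are assumptions.

```php
<?php
// Added example: session-bound CSRF token for a delete action.
// Not CodeIgniter code; $session and $deleteFn are stand-ins so it runs offline.

declare(strict_types=1);

const CSRF_TOKEN_KEY = 'csrf_token';

/** Generate a random token once per session and store it server-side. */
function csrf_issue_token(array &$session): string
{
    // 32 bytes from the CSPRNG, hex-encoded so it is safe in URLs and form fields
    $token = bin2hex(random_bytes(32));
    $session[CSRF_TOKEN_KEY] = $token;
    return $token;
}

/** Compare the submitted token with the stored one without timing leaks. */
function csrf_token_is_valid(array $session, ?string $submitted): bool
{
    if ($submitted === null || !isset($session[CSRF_TOKEN_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_TOKEN_KEY], $submitted);
}

/** Render the delete form; the hidden field carries the token to the client. */
function render_delete_form(int $id, string $token): string
{
    $safeId    = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
    $safeToken = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/controller/del_content/{$safeId}\">\n"
         . "  <input type=\"hidden\" name=\"csrf_token\" value=\"{$safeToken}\">\n"
         . "  <button type=\"submit\">Delete</button>\n"
         . "</form>";
}

/**
 * The hardened delete action: admin role, POST only, matching token.
 * Returns an HTTP status code instead of sending a response.
 */
function handle_del_content(array $request, array $session, int $id, callable $deleteFn): int
{
    if (($session['role'] ?? null) !== 'admin') {
        return 403;   // not an administrator
    }
    if (($request['method'] ?? '') !== 'POST') {
        return 405;   // a plain link visit (GET) must never delete anything
    }
    if (!csrf_token_is_valid($session, $request['post']['csrf_token'] ?? null)) {
        return 403;   // token missing, guessed, or from another session
    }
    $deleteFn($id);
    return 200;
}

// Constructed walkthrough with an admin session and a fake model call
$session  = ['role' => 'admin'];
$deleted  = [];
$deleteFn = function (int $id) use (&$deleted): void { $deleted[] = $id; };

$token = csrf_issue_token($session);
echo render_delete_form(3, $token), "\n";

// Case 1: request forged from another site; the attacker cannot read the token
$forged = ['method' => 'POST', 'post' => ['csrf_token' => 'guess']];
echo 'forged POST:  ', handle_del_content($forged, $session, 3, $deleteFn), "\n";

// Case 2: the bare URL visit from the question, with no token at all
$bareGet = ['method' => 'GET', 'post' => []];
echo 'bare GET:     ', handle_del_content($bareGet, $session, 3, $deleteFn), "\n";

// Case 3: genuine submission of the rendered form
$genuine = ['method' => 'POST', 'post' => ['csrf_token' => $token]];
echo 'genuine POST: ', handle_del_content($genuine, $session, 3, $deleteFn), "\n";

echo 'deleted ids:  ', implode(',', $deleted), "\n";
```

On the follow-up concern about sending the token with an AJAX call: the token is already the user's own, issued for their session, so the browser sending it back in a request proves nothing to anyone who could not already act as that user. What matters is that a page on a different origin cannot read the cookie or the rendered token because of the same-origin policy, so it cannot build a request that passes `csrf_token_is_valid`. The example keeps one token per session, as the answer describes; rotating the token after every state-changing request is a stricter variant at the cost of having to refresh it in the page after each call.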
