Data from the exact form


Question

I have been googling a lot, but I am still without an answer, so I decided to ask this question here: Is there a way in PHP to check that the data I am receiving in some script comes from the specific form on the page? I am asking because everyone can see the name of the script I am using for saving the data to my database, so if somebody is able to find out the whole URL, he is also able to send some fake data to the script, and I need a condition so that the saving process is triggered only when the data comes from the proper form on my page.

I am using jQuery to call an AJAX function, so basically if I click on the button "send", the $.post() method is triggered to call the script for saving the data.

Thanks, Thomas

Answer

Use tokens to check if the request is valid

You could always add some kind of security token when submitting data:

Tokens can be easily extended for many different uses and cover a wide area when it comes to checking if some request is valid; for example, you could leave your non-critical forms open to the public, ask users to get their secret keys from some page (forcing them to open that page) and then use those keys to identify them when submitting data.

Of course all of this can be completely transparent to the user, as you could give keys from the front page via cookies (or session cookies; it does not matter here, there is no more or less security, as server keys should change after use and be invalidated within a specified time or when the user's identity changes).
In this example of use, only a user that opened the front page can submit data to the server.

Another case is when cookies are given away on the same page which contains the form for submitting data to the server. Every user that opens the page will have their keys to submit data straight away; however, if someone tries to make a request from outside, it will fail.
See OWASP Cross Site Request Forgery
and the codinghorror.com blog post CSRF and You

Here is my answer to another question; this answer covers different methods for inserting additional data into an AJAX request: Liftweb: create a form that can be submitted both traditionally and with AJAX (take a closer look at

$.ajax({ 
    ... 
    data: /* here */ 
    ...

Currently I am using tokens this way:

Form used to submit

This hidden input can be added to the form; it is not a requirement, as you can use the methods described earlier in the other answer.

<input type="hidden" name="formid" value="<?php echo generateFormId(); ?>" />

Function generateFormId()

Simply generate a random string and save it to session storage

function generateFormId() {
    // session_start() must have been called before this point.
    // Insert some random string: base64_encode is not really needed here
    $_SESSION['FORM_ID'] = 'FormID'.base64_encode( uniqid() );
    // If you want longer random string mixed with some other method just add them:
    //$_SESSION['FORM_ID'] = 'FormID'.base64_encode( crypt(uniqid()).uniqid('',true) );
    return $_SESSION['FORM_ID'];
}

Processing the submitted form data

if (!isset($_SESSION['FORM_ID']) || !isset($_POST['formid']) || $_SESSION['FORM_ID'] != $_POST['formid']) {
    // You can use these if you want to redirect user back to form, preserving values:
    //$_SESSION['RELOAD_POST'] = $_POST;
    //$_SESSION['RELOAD_ID'] = uniqid('re');
    echo 'Form expired, cannot submit values.';
    //echo '<a href="form.php?reload='.$_SESSION['RELOAD_ID'].'">Go back and try again</a>';
    exit(1); // <== Stop processing in case of error.
}

If you need to check which form is submitting data

Then you could just add a prefix when generating the IDs and check for that prefix when processing the form data.

This is the case when one PHP script deals with many different forms.


Remember that the only ultimate answer to prevent evil users is to pull all the wires off your server...
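As an added example, not part of the original answer or the asker's code: a hardened variant of the generateFormId()/check pair above, written so that the three points the answer makes in prose (a per-form identifier, a time limit, and a key that changes after use) are enforced in code, with a CSPRNG in place of uniqid() and a constant-time comparison in place of !=. It assumes PHP 7.1 or newer, that session_start() has already been called, and a caller-chosen form name ('comment') and 30-minute lifetime.

```php
<?php
// Added example, not from the original answer. Assumes PHP >= 7.1 and that
// session_start() has already been called. The form name and the 30-minute
// lifetime are assumptions chosen for illustration.

const FORM_TOKEN_TTL = 1800; // seconds a token stays valid

// Issue a token bound to one named form. It is stored server-side with its
// creation time, so the handler can tell which form it belongs to and when
// it expires (the answer's "prefix" idea, kept as a per-form slot instead).
function issueFormToken(string $form): string {
    $token = bin2hex(random_bytes(32));   // CSPRNG; uniqid() is predictable
    $_SESSION['FORM_TOKENS'][$form] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Verify and consume the token submitted for $form. Returns true only when a
// token was issued for that form, it has not expired, and it matches.
function consumeFormToken(string $form, $submitted): bool {
    $entry = $_SESSION['FORM_TOKENS'][$form] ?? null;
    if ($entry === null || !is_string($submitted)) {
        return false;                      // no token issued, or formid missing/array
    }
    // One-time use: drop the stored token whatever the outcome, so a replayed
    // or guessed value cannot be tried again against the same token.
    unset($_SESSION['FORM_TOKENS'][$form]);
    if (time() - $entry['issued'] > FORM_TOKEN_TTL) {
        return false;                      // expired
    }
    // Constant-time comparison instead of != (no early exit on first mismatch).
    return hash_equals($entry['token'], $submitted);
}

// form.php: the hidden input from the answer, now bound to the 'comment' form.
//   echo '<input type="hidden" name="formid" value="'
//        . htmlspecialchars(issueFormToken('comment')) . '" />';

// save.php: the script reached by the jQuery $.post() call.
//   if (!consumeFormToken('comment', $_POST['formid'] ?? null)) {
//       http_response_code(403);
//       exit('Form expired or token mismatch, cannot submit values.');
//   }
```

Because the token is consumed on every check, the page must issue a fresh one after each submission attempt; for the AJAX case, return the new token in the response and update the hidden input before the next $.post().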
