我如何让$ _GET更安全。 [英] How do i make $_GET more secure.?
问题描述
我使用get方法来执行一些操作,如批准,markasspam,删除,用于评论系统。我知道这是非常不安全的,但我无法帮助它。因为使用$ _GET方法的原因是使用PHP_SELF在页面本身内执行操作,FYI使用复选框使用post方法执行操作。
现在为了使它有点安全,我想随机化数字或生成散列或其他东西,然后比较它,获取id并执行操作。 b
$ b
我现在的代码有点像这样。
<?php
if($ approve == 1)
{
?>
< a href =<?php echo $ _SERVER ['PHP_SELF']。?approve =。$ id;?>>取消批准< / a>
<?php
} else
{
?>
< a href =<?php echo $ _SERVER ['PHP_SELF']。?unapprove =。$ id;?>>批准< / a>
<?php
}
?>
| < a href =<?php echo $ _SERVER ['PHP_SELF']。?spam =。$ id;?>>垃圾邮件< / a>
| < a class =edit-commentshref =edit-comments.php?id =<?php echo $ id;?>>编辑< / a>
| < a href =<?php echo $ _SERVER ['PHP_SELF']。?delete =。$ id;?>>删除< / a>
我使用这段代码执行操作。
if(isset($ _ GET ['approve'])){
$ id = intval($ _ GET ['approve']);
$ query =UPDATE注释SET approve ='0'WHERE id ='$ id';
$ result = mysql_query($ query);
if(isset($ _ GET ['unapprove'])){
$ id = intval($ _ GET ['unapprove']);
$ query =UPDATE注释SET approve ='1'WHERE id ='$ id';
$ result = mysql_query($ query);
}
if(isset($ _ GET ['delete'])){
$ id = intval($ _ GET ['delete']);
$ query =DELETE FROM comments WHERE id ='$ id';
$ result = mysql_query($ query);
}
if(isset($ _ GET ['spam'])){
$ id = intval($ _ GET ['spam']);
$ query =更新评论SET spam ='1'WHERE id ='$ id';
$ result = mysql_query($ query);
}
而不是使用批准或取消批准或删除或垃圾邮件,我想随机化或对这些单词进行散列处理并尽可能冗长地执行操作。
我该怎么做?你在这做什么?
编辑:请注意只有
认证用户即管理员将
能执行此操作。甚至
,虽然它通过身份验证
系统,我想要添加更多安全性
甚至对于管理员。以避免实验
或意外
代码不是确切的,它只是让您理解我想要的样本实现。
无论您使用GET还是POST参数,在这里都无关紧要 - 脚本需要什么是某种认证。 (完成之后,您可以进入安全性细节,其中GET比POST更安全 - 请参阅评论以获取详细信息。)
我会说你有两个选项:
-
使用.htaccess保护整个脚本 - 脚本本身无需更改
-
介绍PHP侧面用户身份验证并仅在登录用户发出请求时才执行操作。需要对脚本进行根本性更改,但最为灵活。
/ p>
原来你的脚本已经被保护了。在这种情况下,我假设你对URL中增加的ID号码,在浏览器中缓存等等感到不舒服。通常的解决方案是在创建时为每个注释生成一个随机密钥(除了增量ID)。这个密钥存储在一个单独的列中(不要忘记添加一个索引),并且匹配它。
更进一步的步骤是创建临时对每一个动作都进行哈希处理,这是针对多种外部攻击的最终保护。
/ p>我从来没有在管理界面中实现一次性哈希,所以我没有经验,但我想像一个非常简单的实现将动作哈希存储在与哈希,记录和动作列分隔表。只要您的工具列出了一些记录并输出删除/批准/取消批准链接,它就会在散列表中为每条评论生成三条记录:一条用于删除,一条用于批准,一条用于未批准。然后,删除/批准/取消批准链接将取代记录标识和命令,获取正确的散列作为唯一参数。
为未使用的散列添加超时函数(加上删除实际使用的散列)并完成。
I am using the get method to perform some operation like, approve, markasspam, delete, for commenting system. i know it is highly insecure to go this way but i cannot help it out. because the reason for using $_GET method is to perform the operation within the page itself using PHP_SELF, and FYI i am using the post method using checkbox to perform the operation too.
now for making it bit secure i want to randomize the number or generate the hash or something and then compare it, get the id and perform the operation
my current code is somewhat like this.
<?php
if($approve == 1 )
{
?>
<a href="<?php echo $_SERVER['PHP_SELF']."?approve=".$id; ?>">Unapprove</a>
<?php
} else
{
?>
<a href="<?php echo $_SERVER['PHP_SELF']."?unapprove=".$id; ?>">Approve</a>
<?php
}
?>
| <a href="<?php echo $_SERVER['PHP_SELF']."?spam=".$id; ?>">Spam</a>
| <a class="edit-comments" href="edit-comments.php?id=<?php echo $id; ?>">Edit</a>
| <a href="<?php echo $_SERVER['PHP_SELF']."?delete=".$id; ?>">Delete</a>
and i perform the operation using this code..
if(isset($_GET['approve'])) {
$id = intval($_GET['approve']);
$query = "UPDATE comments SET approve = '0' WHERE id = '$id'";
$result = mysql_query($query);
}
if(isset($_GET['unapprove'])) {
$id = intval($_GET['unapprove']);
$query = "UPDATE comments SET approve = '1' WHERE id = '$id'";
$result = mysql_query($query);
}
if(isset($_GET['delete'])) {
$id = intval($_GET['delete']);
$query = "DELETE FROM comments WHERE id = '$id'";
$result = mysql_query($query);
}
if(isset($_GET['spam'])) {
$id = intval($_GET['spam']);
$query = "UPDATE comments SET spam = '1' WHERE id = '$id'";
$result = mysql_query($query);
}
instead of using approve or unapprove or delete or spam, i want to randomize or hash that words and want it as lengthy as possible and then perform the operation.
how do i do it? what is your take on this?
EDIT: Please Note Only the Authenticated User i.e Admin will be able to perform this operation. even though it pass through authentication system i want to add more security even for admin. to avoid experiments or accident
the code is not exact it is just the sample to make you understand what i want to achieve.
Whether you use GET or POST parameters here doesn't matter much in this context - what the script needs first is some sort of authentication. (After that is done, you can go into security details where GET is slightly less secure than POST - see the comments for details.)
I'd say you have two options:
Protecting the entire script using .htaccess - no changes needed to the script itself
Introducing PHP side user authentication and perform the operations only if a logged in user makes the request. Needs fundamental changes to the script but is most flexible.
Re your edit:
It turns out your script is already protected. In that case I assume you are uncomfortable with incremental ID numbers turning up in the URLs, getting cached in the browser etc. etc. The usual solution to that is to generate a random key for each comment when it is created (in addition to the incremental ID). That key gets stored in a separate column (don't forget to add an index) and you'd match against that.
A step even further would be to create temporary hashes for every action, which is the ultimate protection against a number of outside attacks.
Re your edit about using one-time hashes:
I've never implemented one-time hashes in an admin interface yet so I have no experience with this, but I imagine that a very simple implementation would store action hashes in a separate table with the columns hash, record and action. Whenever your tool lists a number of records and outputs "delete / approve / unapprove" links, it would generate three record in the hash table for each comment: One for delete, one for approve, one for unapprove. The "delete / approve /unapprove" links would then, instead of the record ID and command, get the correct hash as the only parameter.
Add a time-out function for unused hashes (plus delete any hashes that were actually used) and you're done.
这篇关于我如何让$ _GET更安全。的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
