将ID(将插入数据库)安全地放入隐藏的输入中? [英] Is it safe to put an ID (will insert in DB) into a hidden input?
问题描述
下面是我的代码摘要:
我的网站基本上只循环某个表的所有行的内容;不过,有时候,我需要从某一行获取个人ID。隐藏的输入工作,但我知道这将是一个很大的安全负担。在我从隐藏的输入中获得ID之后,我需要将它插入到另一个表中。黑客可以简单地改变隐藏输入的值,并入侵系统。我找不到在服务器端验证的方法。加密可能会有所帮助,但我认为黑客总能找到一种方法来解密它。有没有人有关于如何使这更安全的想法?
更新:
我很抱歉有点模糊与我的网站所做的一样。基本上,它只是一个类似于Facebook的类似和不喜欢的系统。我的表的结构为:id,user_that_liked_id,post_id。当用户喜欢帖子时,帖子的ID被插入到post_id中,并且喜欢该帖子的用户的ID被插入到user_that_liked_id中。这里存在一个安全问题,因为用户可能会简单地更改隐藏输入的ID,这将允许他们插入各种无意义的内容。请参阅下面的代码。
HTML(摘要):
< div class =thumbsup mini_thumbsname =mini_thumbs>
< input type =hiddenvalue =<?php echo $ row-> id;?> ID = POST_ID/>
< input class =upname =thumbsup_votetype =submitvalue =1title =Vote uponclick =liked(this)/ >
< input class =downname =thumbsup_votetype =submitvalue =0title =Vote downonclick =disliked(this)/ >
< / div>
JavaScript / jQuery(摘要)
function liked(e){
var post_id = $(e).siblings(#post_id)。val();
alert(post_id);
客户端,那么用户可以改变它。
如果您无法避免将其提供给客户端,那么当表单提交时,您需要检查用户是认证(即您知道是谁,例如因为他们输入了密码)和授权(即允许他们做任何请求所要求的) 。
您如何确定授权完全取决于您的业务规则(您没有向我们解释过)。这些可能是这样的:
如果id属于用户创建的条目
或者如果用户是一个管理员
显然,这需要您记录哪些用户创建了哪些条目或哪些用户是管理员。
这里存在一个安全问题,因为用户可能只需更改隐藏输入的ID,这将允许他们插入所有
我可以想象的唯一一种废话可能会导致多次喜欢某个帖子,或者喜欢这样的帖子用户看不到。这只是回到授权。拒绝请求,如果它是重复的或者用户不被允许看到他们想要投票的帖子。
Here's the summary of my code:
My website basically just loops the content of all the rows of a certain table; however, at times, I'll need to obtain an individual ID from a certain row. The hidden input works but I know that it will be a big burden on security. After I get the ID from the hidden input, I need to insert it into another table. Hackers can simply change the value of the hidden input and hack into the system. I can't find a way to validate that on the server side. Encryption may help but I think hackers can always find a way to decrypt it. Does anyone have an idea on how to make this more secure?
UPDATE: I'm sorry for being a bit vague with what my website does. Basically, it's just a like and dislike system similar to that of Facebook. My table has a structure of: id, user_that_liked_id, post_id. When a user likes a post, the ID of the post is then inserted into post_id, and the ID of the user that liked the post is inserted into user_that_liked_id. There is a security issue here because users may simply change the ID of the hidden input which will allow them to insert all sorts of non sense. Please refer to the code below.
HTML (Summary):
<div class="thumbsup mini_thumbs" name="mini_thumbs">
<input type="hidden" value="<?php echo $row->id; ?>" id="post_id"/>
<input class="up" name="thumbsup_vote" type="submit" value="1" title="Vote up" onclick = "liked(this)" />
<input class="down" name="thumbsup_vote" type="submit" value="0" title="Vote down" onclick = "disliked(this)" />
</div>
JavaScript/jQuery (Summary)
function liked(e) {
var post_id = $(e).siblings("#post_id").val();
alert(post_id);
}
If you give it to the client, then the user can change it.
If you can't avoid giving it to the client then, when the form is submitted, you need to check if the user is authenticated (i.e. that you know who there are, e.g. because they have entered a password) and authorized (i.e. that they are allowed to do whatever the request is asking for).
How you determine authorization depends entirely on your business rules (which you haven't explained to us). These may be something like:
IF the id belongs to an entry created by the user
OR IF the user is an admin
This would, obviously, require that you keep a record of which users created which entries or which users was admins.
There is a security issue here because users may simply change the ID of the hidden input which will allow them to insert all sorts of non sense.
The only sort of nonsense I can imagine that could cause is liking a post multiple times, or liking posts that the user cannot see. This just comes back to authorization. Reject the request if it is a duplicate or if the user isn't allowed to see the post they are trying to vote on.
这篇关于将ID(将插入数据库)安全地放入隐藏的输入中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
