通过PHP伪造$ _POST [英] Fake a $_POST via PHP

问题描述

我现在都处于安全恐慌中，所以我要尽可能地保证一切安全。我登录了，我引用了这个：

I'm all in a security funk right now so I'm going through making everything as secure as possible. I got a login going and I'm referencing this:

http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/

第一个例子是登录，如果你说？authorization = 1 你就进去了。但是如果我把我的代码包裹在 if（$ _ POST）然后用户必须发帖。用户可以伪造 $ _ POST 吗？我怎么去伪造 $ _ POST ？

The first example is that of a login and if you say ?authorization=1 you get in. But if I wrap my code around a if($_POST) then the user MUST make a post. Can a user fake a $_POST? How do I go about faking a $_POST?

推荐答案

用户只需在本地计算机上创建一个文件：

A user can simply create a file on their local machine with:

<form action="http://yoursite.com/login.php" method="post">
    <input type="text" name="username"  value="hahaha faked it!" />
    <input type="text" name="password" value="hee hee you can't tell this is fake" />
    <input type="submit">
</form>

和繁荣，虚假的帖子。换句话说，你必须假设用户发送的任何东西都是假的。

and boom, "fake" post. In other words, you have to assume that anything and everything the user sends is potentially fake.

这篇关于通过PHP伪造$ _POST的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！