通过PHP伪造$ _POST [英] Fake a $_POST via PHP
问题描述
我现在都处于安全恐慌中,所以我要尽可能地保证一切安全。我登录了,我引用了这个:
I'm all in a security funk right now so I'm going through making everything as secure as possible. I got a login going and I'm referencing this:
http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/
第一个例子是登录,如果你说?authorization = 1
你就进去了。但是如果我把我的代码包裹在 if($ _ POST)
然后用户必须发帖。用户可以伪造 $ _ POST
吗?我怎么去伪造 $ _ POST
?
The first example is that of a login and if you say ?authorization=1
you get in. But if I wrap my code around a if($_POST)
then the user MUST make a post. Can a user fake a $_POST
? How do I go about faking a $_POST
?
推荐答案
用户只需在本地计算机上创建一个文件:
A user can simply create a file on their local machine with:
<form action="http://yoursite.com/login.php" method="post">
<input type="text" name="username" value="hahaha faked it!" />
<input type="text" name="password" value="hee hee you can't tell this is fake" />
<input type="submit">
</form>
和繁荣,虚假的帖子。换句话说,你必须假设用户发送的任何东西都是假的。
and boom, "fake" post. In other words, you have to assume that anything and everything the user sends is potentially fake.
这篇关于通过PHP伪造$ _POST的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!