Secure way to stop users from forging forms

2019-03-01 02:58发布

How can I prevent users from forging forms on the PHP or jquery side, I am using Jquery's ajax functionality to submit the forms, and this means that tech-wise people can change some variables such as the value of something (that shouldn't be changed / is a user id or something like that) through the use of firebug or web inspector and likewise.

So how can I prevent users from changing these variables or making sure they are unchangeable through a secure and good way?

Thanks

5条回答
来,给爷笑一个
2楼-- · 2019-03-01 03:34

Store these variables in a Session.

查看更多
迷人小祖宗
3楼-- · 2019-03-01 03:46

You can never trust the client. Validate the form on the server to ensure the data is sane. This means checking that a given user ID has permissions to post their form, etc.

查看更多
太酷不给撩
4楼-- · 2019-03-01 03:48

I'm going to go with... you can't. You never trust the user's data; client side verification is always only the first line of defense.

查看更多
祖国的老花朵
5楼-- · 2019-03-01 03:52

You cannot prevent users from doing so.

查看更多
Rolldiameter
6楼-- · 2019-03-01 03:56

As the others have already stated, you can't prevent the user from tampering.

You are receiving data from me, and I can send you anything I want, I can even do an HTTP request by hand, without even using a browser, and you can't do anything about it.

If you don't want a user to be able to alter an information, don't provide it to him.

You can store it in PHP's session, which is stored server side (do not use cookies, they too are sent to the user) or save it in a database, both of them are not accessible to the end user.

If you still want to pass the data to the user, compute some sort of hash (a secure hash, using a secure hashing algorithm and a secure message digest as Gumbo noted, this rules out algorithms like CRC32 or MD5 and MACs like your name or birthday) of the data and store it server side, then when the user submits back the data, check if the hashes match.

But do know that this solution is not 100% secure. Hashing functions have collisions, and bad implementation exists.

I would recommend to stick to the golden rule: if it's not there, it cant break / be tampered / be stolen / etc.

查看更多
登录 后发表回答