javascript - Cross-site scripting attack against the server-side processing draw request
Question
Link: https://datatables.net/manual/server-side#Returned-data
"The draw counter that this object is a response to - from the draw parameter sent as part of the data request. Note that it is strongly recommended for security reasons that you cast this parameter to an integer, rather than just echoing back to the client what it sent in the draw parameter, in order to prevent Cross Site Scripting (XSS) attacks."
Can someone explain what this means in kindergarten language? This is very frustrating; it reads like gibberish to me. So just set draw = 1 and then no hackers? Life is easy?
I'll post the code so this doesn't get closed:
<script>
$(document).ready(function() {
    var asc = true;
    $('#example').DataTable({
        "processing": true,
        "serverSide": true,
        "ajax": {
            "url": "server.php",
            "type": "POST"
        },
        columnDefs: [{
            targets: -1,
            defaultContent: '<button type="button">Delete</button>'
        }],
        rowGroup: {
            dataSrc: 1
        }
    });
});
</script>
<body>
<div>
<table id="example" class="display table table-striped table-bordered table-hover table-condensed" style="width:100%">
    <thead class="thead-inverse">
        <tr>
            <th>ID</th>
            <th>First Name</th>
            <th>Last Name</th>
            <th>Position</th>
            <th>Date</th>
            <th>Updated</th>
            <th>Action</th>
        </tr>
    </thead>
    <tbody>
    </tbody>
</table>
</div>
</body>
<?php
$con = mysqli_connect('localhost', 'username', 'password', 'database'); // same placeholder credentials as $sql_details in server.php
$data = array();
$requestData = $_REQUEST;
$count = mysqli_query($con, "SELECT * FROM employees");
$totalData = $count->num_rows;
$totalFiltered = $totalData;
$json_data = array(
    "draw" => intval( $requestData['draw'] ), // for every request/draw by clientside, they send a number as a parameter; when they receive a response/data they first check the draw number, so we are sending the same number in draw.
    "recordsTotal" => intval( $totalData ),
    "recordsFiltered" => intval( $totalFiltered ),
    "data" => $data // total data array
);
echo json_encode($json_data);
?>
<?php
$con = mysqli_connect('localhost', 'username', 'password', 'database');
$requestData = $_REQUEST;
// whitelist of orderable columns: the client sends a column index, never a column name
$columns = array('id', 'first_name', 'last_name', 'position', 'date', 'updated');

$count = mysqli_query($con, "SELECT * FROM employees");
$totalData = $count->num_rows;
$totalFiltered = $totalData;

$sql = "SELECT first_name, last_name, position, date, updated FROM employees";
if( !empty($requestData['search']['value']) ) {
    // if there is a search parameter, escape it before it is concatenated into the query
    $search = mysqli_real_escape_string($con, $requestData['search']['value']);
    $sql .= " WHERE first_name LIKE '" . $search . "%'";
    $sql .= " OR last_name LIKE '" . $search . "%'";
    $sql .= " OR position LIKE '" . $search . "%'";
    $sql .= " OR date LIKE '" . $search . "%'";
    $sql .= " OR updated LIKE '" . $search . "%'";
    $query = mysqli_query($con, $sql);
    $totalFiltered = mysqli_num_rows($query); // when there is a search parameter, the filtered row count is taken from the search result before LIMIT is applied
}
// $requestData['order'][0]['column'] is a column index (looked up in the whitelist), ['dir'] is asc/desc,
// $requestData['start'] is the first row and ['length'] the page size; all are cast or whitelisted, never inserted raw
$orderIndex = intval($requestData['order'][0]['column']);
$orderColumn = isset($columns[$orderIndex]) ? $columns[$orderIndex] : 'id';
$orderDir = (strtolower($requestData['order'][0]['dir']) === 'desc') ? 'DESC' : 'ASC';
$start = max(0, intval($requestData['start']));
$length = intval($requestData['length']);
if ($length < 1) { $length = 10; }
$sql .= " ORDER BY " . $orderColumn . " " . $orderDir . " LIMIT " . $start . ", " . $length;
$query = mysqli_query($con, $sql); // run the query with ordering and limit

$data = array();
while( $row = mysqli_fetch_assoc($query) ) { // preparing an array, one row per record in the order the SELECT lists the columns
    $data[] = array($row['first_name'], $row['last_name'], $row['position'], $row['date'], $row['updated']);
}
?>
server.php
<?php
$table = 'employees';
$primaryKey = 'id'; // Table's primary key
$columns = array(
    array( 'db' => 'id', 'dt' => 0 ),
    array( 'db' => 'first_name', 'dt' => 1 ),
    array( 'db' => 'last_name', 'dt' => 2 ),
    array( 'db' => 'position', 'dt' => 3 ),
    array( 'db' => 'date', 'dt' => 4 ),
    array( 'db' => 'updated', 'dt' => 5 ),
);
$sql_details = array(
    'user' => 'username',
    'pass' => 'password',
    'db' => 'database',
    'host' => 'localhost'
);
require( 'ssp.class.php' );
// the DataTable above sends its parameters with "type": "POST", so read $_POST here (the stock example reads $_GET)
echo json_encode(
    SSP::simple( $_POST, $sql_details, $table, $primaryKey, $columns )
);
?>
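To make the manual's warning concrete, here is an added example (not code from the question, from the gist, or from DataTables) that models the server handler in Node. It takes the request parameters as jQuery serializes them in the POST body (flat keys such as "order[0][column]"), builds the response once by echoing draw verbatim and once by coercing every request value to its expected type, the way intval() does in the PHP above. ORDERABLE_COLUMNS mirrors the $columns whitelist of server.php; the sample rows, the hostile request and the function names are constructed for the illustration. It goes a little beyond draw: start, length, the order column and the direction get the same treatment, which is what the PHP handler should do with them too.

```javascript
// Added example (not from the question, the gist, or DataTables): a model of the
// server-side handler's response building for a DataTables server-side request.
// Assumed: request params arrive as flat keys the way jQuery posts them.
const ORDERABLE_COLUMNS = ['id', 'first_name', 'last_name', 'position', 'date', 'updated'];

// Constructed sample data standing in for the employees table.
const SAMPLE_ROWS = [
  { id: 1, first_name: 'Ada', last_name: 'Lovelace', position: 'Engineer', date: '2011-07-25', updated: '2012-01-01' },
  { id: 2, first_name: 'Alan', last_name: 'Turing', position: 'Director', date: '2010-03-14', updated: '2012-02-02' },
  { id: 3, first_name: 'Grace', last_name: 'Hopper', position: 'Engineer', date: '2009-09-09', updated: '2013-03-03' },
];

// The pattern the manual warns against: the client's draw value is copied into
// the response body unchanged, so whatever the client put there is reflected back.
function buildResponseEchoed(params, rows) {
  return { draw: params.draw, recordsTotal: rows.length, recordsFiltered: rows.length, data: [] };
}

// The recommended pattern: draw (like intval() in the PHP handler) and every
// other request value is coerced to the type the protocol defines before use.
function buildResponseHardened(params, rows) {
  const draw = Number.parseInt(params.draw, 10) || 0;                 // intval(): "2<b>x</b>" becomes 2
  const start = Math.max(0, Number.parseInt(params.start, 10) || 0);  // page offset, never negative
  let length = Number.parseInt(params.length, 10);
  if (!Number.isInteger(length) || length < 1 || length > 100) length = 10; // bounded page size
  const colIdx = Number.parseInt(params['order[0][column]'], 10);
  const orderBy = ORDERABLE_COLUMNS[colIdx] || 'id';                  // index into a whitelist, never a raw name
  const dir = params['order[0][dir]'] === 'desc' ? 'desc' : 'asc';    // only two values are allowed
  const search = String(params['search[value]'] || '').toLowerCase();

  // Same "starts with" matching as the LIKE 'value%' clauses in the PHP handler.
  const filtered = rows.filter(r =>
    search === '' || ORDERABLE_COLUMNS.some(c => String(r[c]).toLowerCase().startsWith(search)));
  const sorted = [...filtered].sort((a, b) => {
    const x = a[orderBy], y = b[orderBy];
    const cmp = (typeof x === 'number' && typeof y === 'number') ? x - y : String(x).localeCompare(String(y));
    return dir === 'asc' ? cmp : -cmp;
  });
  const page = sorted.slice(start, start + length);
  return {
    draw,
    recordsTotal: rows.length,
    recordsFiltered: filtered.length,
    data: page.map(r => ORDERABLE_COLUMNS.map(c => r[c])),
  };
}

// Headers a JSON endpoint should send with the body so a browser never treats
// the response as HTML, even when the URL is opened directly.
function jsonResponseHeaders() {
  return { 'Content-Type': 'application/json; charset=utf-8', 'X-Content-Type-Options': 'nosniff' };
}

// Constructed request: draw carries markup, start is negative, length is huge,
// the order column index is out of range and the direction is not asc/desc.
const HOSTILE_REQUEST = {
  draw: '2<b>x</b>', start: '-5', length: '1000',
  'order[0][column]': '99', 'order[0][dir]': 'sideways', 'search[value]': '',
};

console.log('echoed:  ', JSON.stringify(buildResponseEchoed(HOSTILE_REQUEST, SAMPLE_ROWS)));
console.log('hardened:', JSON.stringify(buildResponseHardened(HOSTILE_REQUEST, SAMPLE_ROWS)));
console.log('headers: ', JSON.stringify(jsonResponseHeaders()));
```

Run it with `node` and compare the two JSON bodies: the echoed one carries the client's markup in its draw field, the hardened one carries the integer 2, the offset clamped to 0, the page size clamped to 10, ordering by id ascending and an empty search. The headers are not a substitute for the cast, but they stop a browser from rendering the JSON as a page if it is ever opened directly.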
One explanation: draw is a sequence number. More information here: https://datatables.net/manual/server-side#Sent-parameters It starts at 1 but increments on every draw. The response should carry the same sequence number. You can see this in any SSP example such as this one: https://datatables.net/examples/data_sources/server_side.html Open your browser's network tools and look at the request and response. The first one is 1; if you sort or search, the next one is 2.
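The sequence-number behaviour described in that comment, as an added example (a model written for this page, not DataTables' own code): each user action sends the next draw number, and a response is only rendered if its draw is not older than the latest request, so a slow response to an earlier sort cannot overwrite the result of a later search. The class, method and log format are assumed; the discard rule for out-of-order responses follows the comment above, and the additional check that the response's draw is an integer is the server-side cast seen from the client's side.

```javascript
// Added example (not DataTables' own code): a model of how the client-side draw
// counter pairs responses with requests. Names and the log format are assumed.
class DrawTracker {
  constructor() {
    this.draw = 0;        // draw number of the most recent request sent
    this.rendered = null; // data of the response currently on screen
    this.log = [];        // constructed trail of what happened to each response
  }

  // Each user action (sort, search, page) increments the counter and sends it along.
  request(params) {
    this.draw += 1;
    return { draw: this.draw, ...params };
  }

  // A response is rendered only if its draw is an integer and not older than the
  // most recent request; a stale (out-of-order) or malformed draw is dropped.
  response(json) {
    const d = Number(json.draw);
    if (!Number.isInteger(d)) {
      this.log.push(`drop: draw ${JSON.stringify(json.draw)} is not an integer`);
      return 'dropped';
    }
    if (d < this.draw) {
      this.log.push(`drop: draw ${d} is older than ${this.draw}`);
      return 'dropped';
    }
    this.rendered = json.data;
    this.log.push(`render: draw ${d}`);
    return 'rendered';
  }
}

// Constructed scenario: the user sorts (draw 1) and then searches (draw 2). The
// search response arrives first; the slower sort response must not replace it.
function simulateRace() {
  const t = new DrawTracker();
  const sortReq = t.request({ 'order[0][column]': 1, 'order[0][dir]': 'asc' });
  const searchReq = t.request({ 'search[value]': 'ada' });
  t.response({ draw: searchReq.draw, data: [[1, 'Ada', 'Lovelace']] });
  t.response({ draw: sortReq.draw, data: [[2, 'Alan', 'Turing'], [1, 'Ada', 'Lovelace']] });
  return t;
}

const race = simulateRace();
console.log(race.log.join('\n'));
console.log('on screen:', JSON.stringify(race.rendered));
```

The log shows "render: draw 2" followed by "drop: draw 1 is older than 2", and the search result stays on screen. Feed `response()` a draw such as '1<b>x</b>' and it is dropped as a non-integer, which is the client-side counterpart of casting draw on the server.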
Can this be simplified a bit? Thanks.
Solution
Nobody seems to know. I found this description of 'draw':
"draw" => intval( $requestData['draw'] ), // for every request/draw by clientside, they send a number as a parameter; when they receive a response/data they first check the draw number, so we are sending the same number in draw.
Link: https://gist.github.com/aziz-blr/f3f645ed1451515597e52ede4be51539
This may give a better picture. I guess it's better than nothing.