Cross-site scripting attack on server-side processing draw requests

Problem description

Link: https://datatables.net/manual/server-side#Returned-data

"The draw counter that this object is a response to - from the draw parameter sent as part of the data request. Note that it is strongly recommended for security reasons that you cast this parameter to an integer, rather than simply echoing back to the client what it sent in the draw parameter, in order to prevent Cross Site Scripting (XSS) attacks."

Can someone explain in kindergarten language what this means? This is very frustrating; to me it reads like gibberish. So just set draw = 1 and then no hackers? Is life that easy?

I will post the code so this doesn't get closed:

<script>
$(document).ready(function() {
    $('#example').DataTable({
        "processing": true,
        "serverSide": true,
        "ajax": {
            "url": "server.php",
            "type": "POST"
        },
        columnDefs: [{
            targets: -1,
            defaultContent: '<button type="button">Delete</button>'
        }],
        rowGroup: {
            dataSrc: 1
        }
    });
});
</script>
<body>
<div>
    <table id="example" class="display table table-striped table-bordered table-hover table-condensed" style="width:100%">
        <thead class="thead-inverse">
            <tr>
                <th>ID</th>
                <th>First Name</th>
                <th>Last Name</th>
                <th>Position</th>
                <th>Date</th>
                <th>Updated</th>
                <th>Action</th>
            </tr>
        </thead>
        <tbody>
        </tbody>
    </table>
</div>
</body>
<?php
// Assumes $con is an open mysqli connection; the post never shows it being created.
$data = array();
$requestData = $_REQUEST;

$count = mysqli_query($con, "SELECT * FROM employees");
$totalData = $count->num_rows;
$totalFiltered = $totalData;

$json_data = array(
    // For every request/draw the client sends a number as the draw parameter; when it
    // receives the response it first checks that number, so we send the same number back.
    // intval() guarantees the value we reflect is an integer, not attacker-supplied markup.
    "draw"            => intval( $requestData['draw'] ),
    "recordsTotal"    => intval( $totalData ),
    "recordsFiltered" => intval( $totalFiltered ),
    "data"            => $data   // the row array
);

header('Content-Type: application/json');
echo json_encode($json_data);
?>

<?php
// Assumes $con is an open mysqli connection; the post never shows it being created.
$requestData = $_REQUEST;

// Whitelist used for ORDER BY: the client sends a column index, and only names
// from this list ever reach the SQL string.
$columns = array('id', 'first_name', 'last_name', 'position', 'date', 'updated');

$count = mysqli_query($con, "SELECT COUNT(*) FROM employees");
$totalData = $count->fetch_row()[0];   // the original read ->num_rows from a variable it never assigned
$totalFiltered = $totalData;

$sql = "SELECT id, first_name, last_name, position, date, updated FROM employees";
$types = '';
$params = array();

$search = isset($requestData['search']['value']) ? $requestData['search']['value'] : '';
if ($search !== '') {
    // The search value is bound as a parameter instead of being concatenated into the
    // SQL string, which in the original let any search string inject SQL.
    $where = " WHERE first_name LIKE ? OR last_name LIKE ? OR position LIKE ? OR date LIKE ? OR updated LIKE ?";
    $like = $search . '%';
    $types = 'sssss';
    $params = array($like, $like, $like, $like, $like);

    // recordsFiltered must count the search result without the LIMIT
    $countStmt = $con->prepare("SELECT COUNT(*) FROM employees" . $where);
    $countStmt->bind_param($types, ...$params);
    $countStmt->execute();
    $totalFiltered = $countStmt->get_result()->fetch_row()[0];

    $sql .= $where;
}

// ORDER BY and LIMIT cannot be bound, so each piece is validated instead: the column
// index is mapped through the whitelist, the direction restricted to ASC/DESC, and
// start/length cast to integers (length -1 means "all rows" in DataTables).
$orderIdx = isset($requestData['order'][0]['column']) ? intval($requestData['order'][0]['column']) : 0;
$orderCol = isset($columns[$orderIdx]) ? $columns[$orderIdx] : 'id';
$orderDir = (isset($requestData['order'][0]['dir']) && strtolower($requestData['order'][0]['dir']) === 'desc') ? 'DESC' : 'ASC';
$start  = isset($requestData['start'])  ? max(0, intval($requestData['start'])) : 0;
$length = isset($requestData['length']) ? intval($requestData['length']) : 10;
$sql .= " ORDER BY $orderCol $orderDir";
if ($length >= 0) {
    $sql .= " LIMIT $start, $length";
}

$stmt = $con->prepare($sql);
if ($types !== '') {
    $stmt->bind_param($types, ...$params);
}
$stmt->execute();
$result = $stmt->get_result();

$data = array();
while ($row = $result->fetch_assoc()) {   // one array per DataTables row
    // the original read $row["titulo"] and $row["descripcion"], columns this query never selects
    $data[] = array($row['id'], $row['first_name'], $row['last_name'], $row['position'], $row['date'], $row['updated']);
}

header('Content-Type: application/json');
echo json_encode(array(
    "draw"            => intval($requestData['draw']),
    "recordsTotal"    => intval($totalData),
    "recordsFiltered" => intval($totalFiltered),
    "data"            => $data
));
?>

server.php

<?php
    $table = 'employees';
    $primaryKey = 'id'; // Table's primary key

    $columns = array(
        array( 'db' => 'id',         'dt' => 0 ),
        array( 'db' => 'first_name', 'dt' => 1 ),
        array( 'db' => 'last_name',  'dt' => 2 ),
        array( 'db' => 'position',   'dt' => 3 ),
        array( 'db' => 'date',       'dt' => 4 ),
        array( 'db' => 'updated',    'dt' => 5 ),
    );

    $sql_details = array(
        'user' => 'username',
        'pass' => 'password',
        'db'   => 'database',
        'host' => 'localhost'
    );

    require( 'ssp.class.php' );

    // The DataTable above sends its parameters with "type": "POST", so read them from
    // $_POST; with $_GET the draw/start/length values would never arrive.
    // SSP::simple() casts draw to an integer itself before echoing it back.
    echo json_encode(
        SSP::simple( $_POST, $sql_details, $table, $primaryKey, $columns )
    );
?>

One explanation: Draw is a sequence number. More info here: https://datatables.net/manual/server-side#Sent-parameters It starts at 1 but increments on every draw. The response should have the same sequence number. You can see this in any SSP example like this one: https://datatables.net/examples/data_sources/server_side.html Open your browser's network tools and look at the request and response. The first is 1, and if you sort or search, the next is 2.

Can this be simplified a bit? Thanks.
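The two points raised above, the manual's XSS warning about echoing draw and the comment's description of draw as a sequence number, can be shown together in a short Node.js simulation. This is an added example, not code from the original post or from DataTables itself: the endpoint is simulated, `intval()` is emulated from PHP's semantics, the client check is modelled on DataTables' behaviour rather than copied from it, and the attacker input is constructed for illustration.

```javascript
// Added example, not code from the original post or from DataTables itself.
// It simulates the "draw" round trip: a server-side processing endpoint that
// builds the JSON reply, and a client that numbers its requests and discards
// stale replies. The helper names, the constructed attacker input and the
// modelled client check are assumptions made for this illustration.

// Emulates PHP's intval() on request input: leading integer prefix, else 0.
function intval(value) {
  const m = /^\s*[+-]?\d+/.exec(String(value === undefined ? '' : value));
  return m ? parseInt(m[0], 10) : 0;
}

// Server side: build the response body. castDraw=false reflects the draw
// parameter exactly as received (what the manual warns against);
// castDraw=true does what intval() does in the PHP shown in the question.
function buildDrawResponse(params, rows, { castDraw }) {
  const draw = castDraw ? intval(params.draw) : params.draw;
  return JSON.stringify({
    draw: draw,
    recordsTotal: rows.length,
    recordsFiltered: rows.length,
    data: rows,
  });
}

// JSON.stringify, like PHP's json_encode() without JSON_HEX_TAG, escapes
// quotes and backslashes but leaves '<' and '>' untouched. If the body is
// ever parsed as HTML (a text/html Content-Type, someone opening the
// endpoint URL directly, a debug page that inlines the raw reply), markup
// reflected from draw executes. Casting removes the markup at the source.
function containsHtmlMarkup(body) {
  return /<[a-z!\/?]/i.test(body);
}

// Client side, modelled on DataTables' behaviour (not its code): every
// request gets draw = previous + 1, and a reply whose draw value is lower
// than the latest request sent is discarded, so a slow reply to an earlier
// request cannot overwrite a newer result. That is why the server must send
// the same number back, and why a fixed draw = 1 only matches the first draw.
function makeClient() {
  let lastSent = 0;
  return {
    nextRequest(extra) {
      lastSent += 1;
      return Object.assign({ draw: lastSent }, extra || {});
    },
    // returns true if the reply was applied, false if discarded as stale
    accept(body) {
      const reply = JSON.parse(body);
      const draw = parseInt(reply.draw, 10);
      if (Number.isNaN(draw) || draw < lastSent) return false;
      return true;
    },
    lastDrawSent() { return lastSent; },
  };
}

// Constructed inputs for a stand-alone run.
function demo() {
  const hostile = { draw: '<img src=x onerror=alert(1)>' };
  const echoed = buildDrawResponse(hostile, [], { castDraw: false });
  const cast = buildDrawResponse(hostile, [], { castDraw: true });

  const client = makeClient();
  const first = client.nextRequest();                 // draw 1
  const second = client.nextRequest({ search: 'a' }); // draw 2, sent before reply 1 arrived
  return {
    echoedIsDangerous: containsHtmlMarkup(echoed),
    castIsSafe: !containsHtmlMarkup(cast),
    castDraw: JSON.parse(cast).draw,
    appliedSecond: client.accept(buildDrawResponse(second, [['Ada']], { castDraw: true })),
    appliedFirstLate: client.accept(buildDrawResponse(first, [], { castDraw: true })),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with `node draw-demo.js`: the uncast reply carries the attacker's tag verbatim, the cast reply carries `0`, and the late reply to draw 1 is dropped once draw 2 has been sent.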

Tags: javascript, json, datatable

Solution


It seems nobody knows. I found this description of 'draw':

""draw" => intval( $requestData['draw'] ), // 对于客户端的每个请求/绘制,他们发送一个数字作为参数,当他们收到响应/数据时,他们首先检查绘制数字,所以我们在抽奖中发送相同的号码。

Link: https://gist.github.com/aziz-blr/f3f645ed1451515597e52ede4be51539

This may give a better picture. I guess it's better than nothing.
