How to prevent the PHP HTML type="hidden" field from being broken?

Problem description

The type="hidden" in the HTML gets changed and broken with F12. How can I prevent this? I have shown the place below. I don't know PHP, please help. I searched but couldn't find anything. I made several attempts, but they didn't work. Should I do my query with an if?

type="hidden", F12 "devtools": anyone can edit it to type="email" or similar and change the input value. Then you can fill in something else and send it.

<?php 
    // Include configuration file 
    require_once 'config.php'; 
     
    // Include User library file 
    require_once 'User.class.php'; 
    
    if (isset($_POST['part'])) {
        $data = $sql->fetch_assoc();
        exit(createCommentRow($data));
    }
     
    if(isset($_GET['code'])){ 
        $gClient->authenticate($_GET['code']); 
        $_SESSION['token'] = $gClient->getAccessToken(); 
        header('Location: ' . filter_var(GOOGLE_REDIRECT_URL, FILTER_SANITIZE_URL)); 
    } 
     
    if(isset($_SESSION['token'])){ 
        $gClient->setAccessToken($_SESSION['token']); 
    } 
     
    if($gClient->getAccessToken()){ 
        // Get user profile data from google 
        $gpUserProfile = $google_oauthV2->userinfo->get(); 
         
        // Initialize User class 
        $user = new User(); 
         
        // Getting user profile info 
        $gpUserData = array(); 
        $gpUserData['oauth_uid']  = !empty($gpUserProfile['id'])?$gpUserProfile['id']:''; 
        $gpUserData['first_name'] = !empty($gpUserProfile['given_name'])?$gpUserProfile['given_name']:''; 
        $gpUserData['last_name']  = !empty($gpUserProfile['family_name'])?$gpUserProfile['family_name']:''; 
        $gpUserData['email']       = !empty($gpUserProfile['email'])?$gpUserProfile['email']:''; 
        $gpUserData['gender']       = !empty($gpUserProfile['gender'])?$gpUserProfile['gender']:''; 
        $gpUserData['locale']       = !empty($gpUserProfile['locale'])?$gpUserProfile['locale']:''; 
        $gpUserData['picture']       = !empty($gpUserProfile['picture'])?$gpUserProfile['picture']:'';
         
        // Insert or update user data to the database 
        $gpUserData['oauth_provider'] = 'google'; 
        $userData = $user->checkUser($gpUserData); 
         
        // Storing user data in the session 
        $_SESSION['userData'] = $userData; 
         
        // Render user profile data 
        if (!empty($userData)) {
            $output = '<div class="user-card">'; 
            $output .= '<img class="userimg" src="'.$userData['picture'].'">'; 
            $output .= '<div class="userinfo">'; 
            $output .= '<div class="username">'.$userData['first_name'].' '.$userData['last_name'].'</div>'; 
            $output .= '<div style="padding-bottom: 10px;"><a class="usera">'.$userData['email'].'</a></div>'; 
            $output .= '<a class="logout usera" href="logout.php">Logout</a>'; 
            $output .= '</div></div>'; 
        }else{ 
            $output = '<h3 style="color:red">Some problem occurred, please try again.</h3>'; 
        } 
    }else{ 
        // Get login url 
        $authUrl = $gClient->createAuthUrl(); 
         
        // Render google login button 
        $output = '
            <a href="'.filter_var($authUrl, FILTER_SANITIZE_URL).'">
                <div id="googleButton">
                  <span class="icon"></span>
                  <span class="text">Log In With Google</span>
                </div>
            </a>
        '; 
    } 
?>
    
<head>
    <link rel="stylesheet" type="text/css" href="css/gwuser.css">
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
</head>
    
<div class="container">
    <form action="gwenter.php" method="POST">
        <div class="form-group">
            <?php
                if (!empty($userData)) {
                    echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">');
                }
            ?>
        </div>
        <div class="form-group">
            <?php 
                // User join button (only shown when logged in).
                // name="part" is required: a button without a name is never submitted,
                // so the isset($_POST['part']) check above would never match.
                if (!empty($userData)) {
                    echo( '<button class="btn btn-success" id="part" name="part" type="submit">Join</button>');
                } else { 
                    echo( '<a class="btn btn-success alertsignin">Join</a>');
                } 
            ?>
        </div>
    </form>
</div>
    
<div class="container">
    <!-- Display login button / Google profile information -->
    <?php echo $output; ?>
</div>
    
<!-- partial -->
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.2/jquery.min.js'></script><script src="./js/alertjs.js"></script>

This is the place, the input with type="hidden". Please help me.

<?php
    if (!empty($userData)) {
        echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">');
    } else {} 
?>
                    

Tags: php html

Solution


Don't do that.

TL;DR: if you do not have enough knowledge to do this safely, do not do it until you have become more experienced - or, believe me, you will regret it. I waited until I thought I had enough experience. Ha! I was wrong, and I regretted it. Do better than I did.


Always assume that everything you send to the user is completely at the user's mercy. The best you can do is try to detect tampering.

In this case:

echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">');
            

For example, you could store $userData['email'] in a user session variable (see $_SESSION).

For example:

// At the beginning of all involved scripts
session_start();

...

// This comes off!
/* echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">'); */
// Replaced by:
$_SESSION['email'] = $userData['email'];

Then in the other script, the one that receives the form, you can even pretend to receive the "email" variable from the form, when in fact you no longer do:

session_start();
$_POST['email'] = $_SESSION['email'];
// But use filter_var all the same!
// See: https://www.w3schools.com/php/filter_validate_email.asp

Now the receiving script can be sure that the $_POST['email'] variable has not been tampered with, because it was never even sent.


Otherwise, you can store the variable in a protected string:

 $secret = 'SeekritPasswrd';
 $hash   = md5($secret.$userData['email']);

 $protected = $hash.$userData['email'];

 echo( '<input type="hidden"  id="email" name="email" value="'.$protected.'">');
            

When you read the data back, verify that $protected is correct:

 $protected = $_POST['email'];
 $hash  = substr($protected, 0, 32);
 $email = substr($protected, 32);

 $secret = 'SeekritPasswrd';
 $expect = md5($secret.$email);

 if ($hash !== $expect) {
     die("Data has been tampered with!");
 }

(You think this is clever? Well, why, I did the same. Lesson learned: in some cases, the above is not enough.)

If you need to send some information to the client so that it can be sent somewhere else, do not do this:

 CLIENT ---> YOUR SERVER      form request

 YOUR SERVER ---> CLIENT      form, in which you reveal critical information

 CLIENT ---> SOMEWHERE ELSE   # DANGER, WILL ROBINSON!

Instead, use an intermediate proxy or some other means to protect the information:

 CLIENT ---> YOUR SERVER      form request

 YOUR SERVER ---> CLIENT      incomplete form, in which you DO NOT reveal information

 CLIENT ---> YOUR SERVER      incomplete form with client info

 YOUR SERVER --> SOMEWHERE    complete form with information the client can't see

You can do the above in PHP with the cURL extension or another library that provides the same functionality. Note: not all ISPs allow this kind of connection (from your server to another server).

 SOMEWHERE --> YOUR SERVER    reply

 YOUR SERVER --> CLIENT       reply, with critical data removed if needed

It is longer and more complicated, no doubt, but it is more secure.
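The signed-hidden-field idea from the answer, written the way I would ship it today, as an added example that is not part of the original answer: hash_hmac() with SHA-256 instead of md5($secret.$value) (a secret-prefix MD5 is open to length extension: given one valid tag, an attacker can produce a valid tag for value || padding || suffix without knowing the secret), hash_equals() instead of !== so the comparison is constant-time, the secret read from the environment instead of being hard-coded, and the value bound to the current session and an expiry so a signed field cannot be replayed from another browser or kept forever. HIDDEN_FIELD_SECRET, protect_hidden() and unprotect_hidden() are names chosen here, and PHP 7.3+ is assumed for JSON_THROW_ON_ERROR.

```php
<?php
// Added example (not the answer's code): a tamper-evident hidden field.
// Field layout is "<base64 payload>.<hex HMAC-SHA256 tag>"; the payload
// carries the value, the session id and an expiry timestamp.
declare(strict_types=1);

function hidden_field_secret(): string
{
    // Assumption: HIDDEN_FIELD_SECRET holds 32+ random bytes, set outside the code.
    $secret = getenv('HIDDEN_FIELD_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('HIDDEN_FIELD_SECRET must be set to at least 32 bytes');
    }
    return $secret;
}

function protect_hidden(string $value, string $sessionId, int $ttlSeconds = 900): string
{
    $payload = json_encode(
        ['v' => $value, 'sid' => $sessionId, 'exp' => time() + $ttlSeconds],
        JSON_THROW_ON_ERROR
    );
    $encoded = base64_encode($payload);   // the base64 alphabet never contains '.'
    $tag = hash_hmac('sha256', $encoded, hidden_field_secret());
    return $encoded . '.' . $tag;
}

// Returns the original value, or null on tampering, wrong session, or expiry.
function unprotect_hidden(string $field, string $sessionId): ?string
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $tag] = $parts;
    $expected = hash_hmac('sha256', $encoded, hidden_field_secret());
    if (!hash_equals($expected, $tag)) {          // constant-time comparison
        return null;
    }
    $payload = base64_decode($encoded, true);
    $data = $payload === false ? null : json_decode($payload, true);
    if (!is_array($data) || !isset($data['v'], $data['sid'], $data['exp'])) {
        return null;
    }
    if (!hash_equals($sessionId, (string) $data['sid']) || (int) $data['exp'] < time()) {
        return null;
    }
    return (string) $data['v'];
}

// Rendering side (the page that prints the form), after session_start():
//   echo '<input type="hidden" name="email" value="'
//      . htmlspecialchars(protect_hidden($userData['email'], session_id()), ENT_QUOTES, 'UTF-8')
//      . '">';
//
// Receiving side (gwenter.php), after session_start():
//   $email = unprotect_hidden($_POST['email'] ?? '', session_id());
//   if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
//       http_response_code(400);
//       exit('Form data has been tampered with.');
//   }

// Self-check with a constructed secret and session id (demo only, not real values).
function demo(): bool
{
    putenv('HIDDEN_FIELD_SECRET=' . str_repeat('k', 32));
    $sid = 'constructed-session-id';
    $field = protect_hidden('alice@example.com', $sid);

    $accepted = unprotect_hidden($field, $sid) === 'alice@example.com';

    // What a devtools edit amounts to: a new payload reusing the old tag.
    $tag = explode('.', $field, 2)[1];
    $forged = base64_encode(json_encode(['v' => 'mallory@example.com', 'sid' => $sid, 'exp' => time() + 900]));
    $rejectedForgery = unprotect_hidden($forged . '.' . $tag, $sid) === null;

    // The genuine field replayed from a different session.
    $rejectedReplay = unprotect_hidden($field, 'another-session-id') === null;

    return $accepted && $rejectedForgery && $rejectedReplay;
}

var_dump(demo());
```

The secret-prefix construction in the answer also depends on the hash being exactly 32 hex characters for the substr() split; putting a delimiter between payload and tag, as above, removes that coupling. If the receiving script already has a session, the simplest option remains the first one the answer gives: do not send the e-mail in the form at all and read it from $_SESSION.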
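The proxy flow in the two diagrams above, as an added example that is not the answer's code: gwenter.php never trusts $_POST['email'], takes the address from the $_SESSION['userData'] entry that the question's code already fills in, adds an upstream credential the browser never sees, posts the completed form server-to-server with the cURL extension, and reduces the upstream reply to an allow-list before echoing it back. The URL https://partner.example/api/join, the UPSTREAM_API_KEY variable, the `part` field and the allow-listed reply keys are assumptions for illustration.

```php
<?php
// Added example (not the page's code): gwenter.php completing the form on the
// server and forwarding it, so the client never sees the critical data.
declare(strict_types=1);

const UPSTREAM_URL = 'https://partner.example/api/join';   // hypothetical endpoint

function forward_join(string $email, string $part): array
{
    // Assumption: UPSTREAM_API_KEY is a server-side secret set in the environment.
    $apiKey = getenv('UPSTREAM_API_KEY');
    if ($apiKey === false) {
        throw new RuntimeException('UPSTREAM_API_KEY is not configured');
    }

    $ch = curl_init(UPSTREAM_URL);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['email' => $email, 'part' => $part]),
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $apiKey],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,           // keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // https only
        CURLOPT_FOLLOWLOCATION => false,          // a redirect must not carry the key elsewhere
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        error_log('upstream join failed: ' . $error);  // details stay in the server log
        return ['ok' => false, 'status' => 0, 'body' => ''];
    }
    return ['ok' => $status >= 200 && $status < 300, 'status' => $status, 'body' => (string) $body];
}

// Keep only the reply fields the browser is allowed to see ("critical data removed").
function filter_reply(string $body): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return ['message' => 'Joined.'];
    }
    $allowed = ['message', 'status'];                  // hypothetical allow-list
    return array_intersect_key($data, array_flip($allowed));
}

// ---- gwenter.php request handling ----
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// The e-mail comes from the session the login page stored, never from $_POST.
$email = $_SESSION['userData']['email'] ?? '';
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(403);
    exit('Please log in first.');
}

// Only the fields the client is meant to supply are read from the form.
$part = (string) ($_POST['part'] ?? '');

$result = forward_join($email, $part);
header('Content-Type: application/json');
if (!$result['ok']) {
    http_response_code(502);
    echo json_encode(['error' => 'Could not complete the join request.']);
    exit;
}
echo json_encode(filter_reply($result['body']));
```

The outbound request is the step the answer warns some ISPs block; if curl_exec() fails with a connection error from the hosting account, that is the restriction to check first.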

