问题描述
我正在使用 get 方法为评论系统执行一些操作,如批准、标记垃圾邮件、删除.我知道走这条路是非常不安全的,但我无能为力.因为使用 $_GET 方法的原因是使用 PHP_SELF 在页面本身内执行操作,仅供参考,我也使用使用复选框的 post 方法来执行操作.
I am using the get method to perform some operation like, approve, markasspam, delete, for commenting system. i know it is highly insecure to go this way but i cannot help it out. because the reason for using $_GET method is to perform the operation within the page itself using PHP_SELF, and FYI i am using the post method using checkbox to perform the operation too.
现在为了使它有点安全,我想随机化数字或生成哈希或其他东西,然后比较它,获取 id 并执行操作
now for making it bit secure i want to randomize the number or generate the hash or something and then compare it, get the id and perform the operation
我目前的代码有点像这样.
my current code is somewhat like this.
<?php
if($approve == 1 )
{
?>
<a href="<?php echo $_SERVER['PHP_SELF']."?approve=".$id; ?>">Unapprove</a>
<?php
} else
{
?>
<a href="<?php echo $_SERVER['PHP_SELF']."?unapprove=".$id; ?>">Approve</a>
<?php
}
?>
| <a href="<?php echo $_SERVER['PHP_SELF']."?spam=".$id; ?>">Spam</a>
| <a class="edit-comments" href="edit-comments.php?id=<?php echo $id; ?>">Edit</a>
| <a href="<?php echo $_SERVER['PHP_SELF']."?delete=".$id; ?>">Delete</a>
我使用此代码执行操作..
and i perform the operation using this code..
if(isset($_GET['approve'])) {
$id = intval($_GET['approve']);
$query = "UPDATE comments SET approve = '0' WHERE id = '$id'";
$result = mysql_query($query);
}
if(isset($_GET['unapprove'])) {
$id = intval($_GET['unapprove']);
$query = "UPDATE comments SET approve = '1' WHERE id = '$id'";
$result = mysql_query($query);
}
if(isset($_GET['delete'])) {
$id = intval($_GET['delete']);
$query = "DELETE FROM comments WHERE id = '$id'";
$result = mysql_query($query);
}
if(isset($_GET['spam'])) {
$id = intval($_GET['spam']);
$query = "UPDATE comments SET spam = '1' WHERE id = '$id'";
$result = mysql_query($query);
}
我不想使用批准或取消批准或删除或垃圾邮件,而是想随机化或散列这些词并希望它尽可能长,然后执行操作.
instead of using approve or unapprove or delete or spam, i want to randomize or hash that words and want it as lengthy as possible and then perform the operation.
我该怎么做?您对此有何看法?
how do i do it? what is your take on this?
请注意仅经过身份验证的用户,即管理员将是能够执行此操作.甚至虽然它通过了认证系统我想增加更多的安全性即使是管理员.避免实验或意外
代码并不准确,它只是让您了解我想要实现的目标的示例.
the code is not exact it is just the sample to make you understand what i want to achieve.
推荐答案
在这种情况下,您在这里使用 GET 参数还是 POST 参数并不重要 - 脚本需要首先是某种验证.(完成后,您可以进入安全细节,其中 GET 的安全性略低于 POST - 有关详细信息,请参阅评论.)
Whether you use GET or POST parameters here doesn't matter much in this context - what the script needs first is some sort of authentication. (After that is done, you can go into security details where GET is slightly less secure than POST - see the comments for details.)
我想说你有两个选择:
使用 .htaccess 保护整个脚本 - 无需对脚本本身进行更改
Protecting the entire script using .htaccess - no changes needed to the script itself
引入 PHP 端用户身份验证并仅在登录用户发出请求时执行操作.需要对脚本进行根本性更改,但最灵活.
Introducing PHP side user authentication and perform the operations only if a logged in user makes the request. Needs fundamental changes to the script but is most flexible.
重新
事实证明您的脚本已经受到保护.在这种情况下,我假设您对在 URL 中出现的增量 ID 号、在浏览器中缓存等感到不舒服.通常的解决方案是在创建每个评论时为每个评论生成一个随机密钥(除了增量 ID).该键存储在单独的列中(不要忘记添加索引),您将与之匹配.
It turns out your script is already protected. In that case I assume you are uncomfortable with incremental ID numbers turning up in the URLs, getting cached in the browser etc. etc. The usual solution to that is to generate a random key for each comment when it is created (in addition to the incremental ID). That key gets stored in a separate column (don't forget to add an index) and you'd match against that.
更进一步的方法是为每个操作创建临时哈希值,这是抵御多种外部攻击的终极保护措施.
A step even further would be to create temporary hashes for every action, which is the ultimate protection against a number of outside attacks.
重新编辑关于使用一次性哈希的内容:
我从未在管理界面中实现一次性哈希,所以我没有这方面的经验,但我想一个非常简单的实现会将动作哈希存储在一个单独的表中,列 hash
、record
和 action
.每当您的工具列出许多记录并输出删除/批准/取消批准"链接时,它会在哈希表中为每个评论生成三个记录:一条用于删除,一条用于批准,一条用于未批准.然后,删除/批准/取消批准"链接将获得正确的哈希作为唯一参数,而不是记录 ID 和命令.
I've never implemented one-time hashes in an admin interface yet so I have no experience with this, but I imagine that a very simple implementation would store action hashes in a separate table with the columns hash
, record
and action
. Whenever your tool lists a number of records and outputs "delete / approve / unapprove" links, it would generate three record in the hash table for each comment: One for delete, one for approve, one for unapprove. The "delete / approve /unapprove" links would then, instead of the record ID and command, get the correct hash as the only parameter.
为未使用的散列添加一个超时函数(加上删除任何实际使用的散列),你就完成了.
Add a time-out function for unused hashes (plus delete any hashes that were actually used) and you're done.
这篇关于我如何使 $_GET 更安全.?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!