安全地将JS变量传递给PHP
[英]Passing a JS variable to PHP Safely
问题描述
I making a javascript game where the player builds up a score against a count down timer. 
我做了一个javascript游戏,玩家在倒数计时器上建立一个分数。 When the timer runs out I display a form that show the score and lets the user enter they username (arcade style). 当计时器用完时,我会显示一个显示分数的表格,并让用户输入他们的用户名(街机风格)。 I'm going to use the POST method send the user score to a php file that will store it somehow (database,textfile. or something). 我将使用POST方法将用户得分发送到将以某种方式存储它的php文件(数据库,文本文件等)。 How do I prevent people from fiddling with the JS code and passing some new value thru that isn't the correct score (or something that isn't malicious). 如何防止人们摆弄JS代码并通过一些不正确的分数(或者不是恶意的东西)传递一些新的价值。
At the very least, what are the safest methods on the PHP/reviving end to at least only accept and integer value? 至少,PHP /复活端最安全的方法是什么,至少只接受和整数值?
1 个解决方案
解决方案1
2 已采纳 2014-02-01 14:09:00
That's a well known and difficult problem. 这是众所周知的难题。 I'm not sure it ever has a good solution. 我不确定它是否有一个好的解决方案。 The user is the client is JS, so they have 100% control over what's sent to the server. 用户是客户端JS,因此他们可以100%控制发送到服务器的内容。
The only thing you can do and force, is server side validation. 您可以做的唯一事情就是服务器端验证。 Don't just send the score. 不要只发送分数。 Send the path, the method, the steps, etc. Starting a session/game/level should also happen on the server, because the timestamp could be faked from the client. 发送路径,方法,步骤等。也应该在服务器上启动会话/游戏/级别,因为时间戳可能是从客户端伪造的。
You can make the whole game in JS, but start and end it on the server and remember all the steps. 您可以在JS中制作整个游戏,但在服务器上开始和结束它并记住所有步骤。 This might mean double step/path validation: JS (instantly) and server. 这可能意味着双步/路径验证:JS(即时)和服务器。
(I had the same problem with http://games.webblocks.nl/110 which stores steps (clicks) in g_stack .) (我在http://games.webblocks.nl/110中遇到了同样的问题,它存储了g_stack步骤(点击次数)。)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.