如何防止在php中提交检查元素值
[英]How to prevent inspect element value on submit in php
问题描述
i faced very weird issue in my web. 
我在网上遇到了一个非常奇怪的问题。
i make a product page and its price. 我制作产品页面及其价格。 When i go to cart and submit the paypal, it submit perfectly but when i get inspect element and change the value the value of input has been changed and when i submit the button the inspected value submited. 当我去购物车并提交贝宝时,它提交完美,但是当我获得检查元素并更改值时,输入的值已经改变,当我提交按钮时,检查值被提交。
i do somthing in code but nothing happen 我在代码中做了一些事情但没有任何事情发生
here is my code 这是我的代码
function wp_paypal_product($atts) {
extract(shortcode_atts(array(
'prodname' => 'no value'
), $atts));
global $wpdb;
$table = $wpdb->prefix . 'paypal_products';
$prodname = str_replace('-', ' ', $prodname);
$shorcode_product = $wpdb->get_row("SELECT * FROM $table WHERE product_name ='$prodname'");
$product_name = $shorcode_product->product_name;
$product_price = $shorcode_product->product_price;
$product_id = $shorcode_product->id;
$paypalID = get_option('paypalID');
$currency = get_option('currency');
$upload_image = get_option('upload_image');
$return_url = get_option('return_url');
$email_subject = get_option('email_subject');
$email_message = get_option('email_message');
if (!$upload_image) {
$upload_image = 'http://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif';
}
$output = $product_name . '<br>'
. $product_price . '<br>'
. $paypalID . '<br>'
. $currency . '<br>'
. $upload_image . '<br>'
. $return_url . '<br>'
. $email_subject . '<br>'
. $email_message . '<br>';
$output = '<form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="' . $paypalID . '">
<input type="hidden" name="return" value="' . $return_url . '">
<input type="hidden" name="currency_code" value="' . $currency . '">
<input type="hidden" name="item_name" value="' . $product_name . '">
<input type="hidden" name="amount" value="' . $product_price . '">
<input name="notify_url" value="' . plugin_dir_url(__FILE__) . 'ipn.php" type="hidden">
<input type="image" src="' . $upload_image . '" border="0" name="submit" alt="Make payments with PayPal - its fast, free and secure!">
</form>';
return $output;
}
add_shortcode('wp-paypal-product', 'wp_paypal_product');
How can i prevent the inspected value on submit......PLEASE HELP ME. 如何防止提交时的检查价值......请帮助我。
2 个解决方案
解决方案1
3 2014-04-08 07:48:31
You can't prevent that. 你不能阻止这一点。 The correct way would be to only transmit the id of the product to the server and read the price from the database before adding it to the cart. 正确的方法是只将产品的ID传输到服务器,并在将数据添加到购物车之前从数据库中读取价格。 Or, even better, only store the ID in the cart and read the price from the database when you display the cart. 或者,更好的是,只显示购物车中的ID并在显示购物车时从数据库中读取价格。
Do not rely on POST data when you transmit crucial data, there are just too many ways the user can modify it. 传输关键数据时不要依赖POST数据,用户可以通过太多方式对其进行修改。 If you use JavaScript to prevent the submit of a form that has been tempered with, the user can just disable JavaScript. 如果您使用JavaScript来阻止提交经过调整的表单,则用户可以禁用JavaScript。 Or he can use a proxy application ( Paros , Fiddler , WebScarab are examples of proxy apps that are designed to analyze and modify HTTP requests and responses between the browser and the server) to modify the POST data before it is actually transmitted. 或者他可以使用代理应用程序( Paros , Fiddler , WebScarab是用于分析和修改浏览器与服务器之间的HTTP请求和响应的代理应用程序的示例),以在实际传输之前修改POST数据。
Only store crucial data in a session. 仅在会话中存储关键数据。
解决方案2
0 已采纳 2014-04-09 04:49:33
Ok, this is for every one you can prevent data save in Inspect Element....this work 100000% work. 好的,这是为了防止数据保存在Inspect Element中的每一个....这项工作100000%工作。
This is very helpful for online shoping 这对在线购物非常有帮助
Now you can put jQuery code after your Form. 现在,您可以在表单之后放置jQuery代码。
Like this 像这样
$output = '<form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="' . $paypalID . '">
<input type="hidden" name="return" value="' . $return_url . '">
<input type="hidden" name="currency_code" value="' . $currency . '">
<input type="hidden" name="item_name" value="' . $product_name . '">
<input type="hidden" name="amount" id="p'.$product_id.'" value="' . $product_price . '">
<input name="notify_url" value="' . plugin_dir_url(__FILE__) . 'ipn.php" type="hidden">
<input type="image" src="' . $upload_image . '" border="0" name="submit" alt="Make payments with PayPal - its fast, free and secure!">
</form>';
$output .= "<script>
jQuery(document).ready(function(){
var a=".$product_price.";
jQuery('form[name=_xclick]').submit(function(c){
var b=jQuery('input[id=p".$product_id."]').val();
if(b==a){
return
}else{
c.preventDefault()
}
})
});
</script>";
return $output;
First we make an id in price text field. 首先,我们在价格文本字段中创建一个id。
We save price from DB in jQuery. 我们在jQuery中保存DB的价格。
Then we call a form on submit save a value of amount text field. 然后我们在提交时调用表单保存金额文本字段的值。
Then we check if DB value and amount value is same then it proceed else it stop. 然后我们检查DB值和金额值是否相同然后继续它停止。
if any on can change the value of amount in inspect element, then the form is not submited. 如果有任何on可以更改inspect元素中的amount值,则表单不会被提交。
Hope this will help you. 希望这会帮助你。
But you should know that, using this method, a determined attacker could still change your prices, even though joe user might not be able to inspect element. 但是你应该知道,使用这种方法,确定的攻击者仍然可以改变你的价格,即使joe用户可能无法检查元素。 So a better option would be to only submit the product id and use a server side process to communicate with PayPal. 因此,更好的选择是仅提交产品ID并使用服务器端流程与PayPal进行通信。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.