PHP - 隐藏 url (GET) 参数
[英]PHP - hide url (GET) parameters
问题描述
I have a link in my PHP/HTML like this:
我的 PHP/HTML 中有一个这样的链接:
<a href="http://search.mywebsite.com/login.aspx?checktype=uid&user=adam&password=pass1234&profile=dart&defaultdb=kts"> Log me into this website </a>
When users click on the link, the parameters are handled by a 3rd party website which log the users in seamlessly.当用户点击链接时,参数由第三方网站处理,用户无缝登录。
Is it possible to hide/mask/camouflage the url so that users don't see the parameters while still passing them over to the designated site?是否可以隐藏/屏蔽/伪装网址,以便用户在将参数传递到指定站点的同时看不到参数?
If no, how would you guys go about this?如果没有,你们会怎么做? I'm mainly worried about the user and password params and need those hidden.我主要担心用户和密码参数并需要隐藏这些参数。 (user=adam&password=pass1234) (用户=亚当&密码=pass1234)
The only way i know how to hide params is when using a form post method but in this case it is not an option because im working with a direct link.我知道如何隐藏参数的唯一方法是使用表单发布方法,但在这种情况下,它不是一个选项,因为我使用的是直接链接。
EDIT: To those who keep suggesting using a POST method, this is not an option because I'm not using a form and the receiving website is out of my control.编辑:对于那些一直建议使用 POST 方法的人,这不是一个选项,因为我没有使用表单并且接收网站不在我的控制范围内。 I'm logging in from one site to another (3rd party) website我正在从一个站点登录到另一个(第 3 方)网站
7 个解决方案
解决方案1
8 已采纳 2014-06-27 20:23:41
Your only option is to use a form and POST if the page your are logging into is controlled by a 3rd party:如果您登录的页面由第 3 方控制,您唯一的选择是使用表单和 POST:
<form action="http://search.mywebsite.com/login.aspx" method="post">
<input type="hidden" name="checktype" value="uid" />
<input type="hidden" name="user" value="adam" />
<input type="hidden" name="password" value="pass1234" />
<input type="hidden" name="profile" value="dart" />
<input type="hidden" name="defaultdb" value="kts" />
<input type="submit" value="Log me into this website" />
</form>
EDIT : If it must be a link and javascript can be required then you can use javascript to create and submit a form on the fly :编辑:如果它必须是一个链接并且可能需要 javascript,那么您可以使用 javascript 即时创建和提交表单:
<a href="#" onclick="postLogin()">Log me into this website</a>
<script type="text/javascript">
function postLogin() {
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "http://search.mywebsite.com/login.aspx");
var params = {checktype: 'uid', user: 'adam', password: 'pass1234', profile: 'dart', defaultdb: 'kts'};
for(var key in params) {
if(params.hasOwnProperty(key)) {
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
}
document.body.appendChild(form);
form.submit();
}
</script>
解决方案2
2 2014-06-27 20:12:31
Don't use $_GET to pass any personal, confidential or crucial data.不要使用 $_GET 传递任何个人、机密或关键数据。 Use $_POST instead.改用 $_POST 。
I don't know what stops you from using $_POST but if you insist on using it anyway, try md5() to code these data and validate them when necessary.我不知道是什么阻止了您使用 $_POST 但如果您仍然坚持使用它,请尝试 md5() 对这些数据进行编码并在必要时对其进行验证。 You can always use $_SESSION to pass $_POST login data for further use.您始终可以使用 $_SESSION 传递 $_POST 登录数据以供进一步使用。
解决方案3
1 2014-06-27 20:11:45
Agree on and encryption/hash approach (MD5 for example).同意加密/散列方法(例如 MD5)。 Then have a reprocessing page that decrypts the message before calling the required script.然后有一个重新处理页面,在调用所需的脚本之前解密消息。 I'm doing this in php... Just to show you the idea.我在 php 中这样做...只是为了向您展示这个想法。
eg.例如。 www.mydomain.com/preporcessor.php?request=qouiapfiwe0i9qrr9qyy83r34rqejl www.mydomain.com/preporcessor.php?request=qouiapfiwe0i9qrr9qyy83r34rqejl
preprocessor.php (pseudo code) preprocessor.php(伪代码)
$request = $_REQUEST["request"];
$decrypted = mydecryptfunction($request);
//$decrypted will now contain: targetpage=login.php?username=abc&password=34453js&location=ABJ...
//Now you can route the parameters to login.php.
Note that mydecryptfunction($request) is a function you will create.请注意 mydecryptfunction($request) 是您将创建的函数。
解决方案4
0 2014-06-27 20:10:12
A login should be done via POST, not GET.登录应该通过 POST 完成,而不是 GET。 Furthermore, sensitive details should be sent via HTTPS.此外,敏感详细信息应通过 HTTPS 发送。
The process of creating secure login functionality could have an entire book written about it, so I suggest you start out by reading the definitive guide to web-based forms authentication .创建安全登录功能的过程可能需要写一整本书,所以我建议您从阅读基于 Web 的表单身份验证的权威指南开始。
If you have further specific questions about security, I suggest you try over at Security.SE .如果您对安全性有进一步的具体问题,我建议您在Security.SE 上尝试。
解决方案5
0 2014-06-27 20:18:46
You can't do this using the GET method.您不能使用 GET 方法执行此操作。 It would be helpful if you gave us more information.如果您向我们提供更多信息,将会有所帮助。 Are you trying to get a user from your site to log into another website?您是否试图让用户从您的网站登录到另一个网站? In that case, they might have an API for that which you could check.在这种情况下,他们可能有一个 API 供您检查。
解决方案6
0 2014-06-27 20:19:22
You can generate tokens for this functions: in your database generate an random string: This is an function which returns an random string您可以为此函数生成令牌:在您的数据库中生成一个随机字符串:这是一个返回随机字符串的函数
function gt_rnd_str($min=2,$max=9){
$str="";
while (strlen($str)<$max)
$str.=rtrim(base64_encode(md5(microtime())),"=");
return substr($str, 0, rand($min, $max));
}
now save an token with username/id and using this you can easily generate more tokens for same user as well as cancel any token easily..现在保存一个带有用户名/id 的令牌,使用它你可以轻松地为同一用户生成更多的令牌以及轻松取消任何令牌..
解决方案7
0 2020-03-22 14:19:03
You can use iframe with URL of the page and style it to fill parent and remove border.您可以将 iframe 与页面的 URL 一起使用,并为其设置样式以填充父级并删除边框。
<!DOCTYPE html>
<html>
<body>
<iframe id="win" src="bookmarks_3_22_20.html" frameborder="0">
</iframe>
<script>
this.onload=function(){
document.getElementById("win").style="width:"+window.innerWidth+"px;height:"+window.innerHeight+"px;";
}
</script>
</body>
</html>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.