简体繁体 English

在Chrome等浏览器中停止控制台javascript命令

[英]Stop Console javascript commands in browser like chrome

原文 2015-02-06 07:37:34 9 2 javascript/ php/ ajax/ post

I have my website which has this issue. 我的网站存在此问题。 It could be hacked easily through javascript.If the hacker types this in his console he can easily add a user in my database and can signup without going through the stuff like checking password length , checking username length and so on ... 它可以很容易地通过javascript进行黑客攻击。如果黑客在他的控制台中键入此代码，他可以轻松地在我的数据库中添加一个用户，并且可以注册而无需经历诸如检查密码长度，检查用户名长度等工作...

$.post("extra/includes/signup/register.inc2.php",{username:"user1234",email:"email@live.com",p:"here goes password"}) $ .post（“ extra / includes / signup / register.inc2.php”，{用户名：“ user1234”，电子邮件：“ email@live.com”，p：“密码在这里”}）

I want a code that could stop him from using console in my website. 我想要一个可以阻止他在我的网站上使用控制台的代码。 And if there is no way to do that then how to fix it by some other means ? 如果没有办法做到这一点，那么如何通过其他方式解决呢？

2 个解决方案

Disabling the console won't do. 禁用控制台不会。 A hacker can always do the same request to your server as you do. 黑客始终可以像对服务器一样对服务器执行相同的请求。

If it is something that isn't public you can protect it using a username and password, looking at the url it is a public script. 如果它不是公开的，则可以使用用户名和密码来保护它，查看URL是一个公开脚本。

If you require a public register script the best way to protect against this kind of thing is to us a captcha (for example recaptcha . It makes it a lot harder to do a scripted attack on your register script. 如果您需要公共注册脚本，那么防止这种情况的最佳方法是向我们提供验证码（例如recaptcha）。这会使对您的注册脚本进行脚本攻击变得更加困难。

Always validate the data server side, you can not trust the data you receive from your request because it can be easely manipulated. 始终验证数据服务器端，您不能信任从请求中接收到的数据，因为可以轻松地对其进行处理。

You should not rely on client side form validations and it is total bad practice.Try to adapt framework like CI or Laravel . 您不应该依赖客户端表单验证，这是完全不明智的做法。尝试改编CI或Laravel之类的框架。 They have particular set of easy ways to validate the form inputs . 他们有一套简单的方法可以验证表单输入。