如何防止用户更改HTML或JavaScript中的值
[英]How to prevent the user from changing values in the HTML or the JavaScript
问题描述
I am trying to make a user can change they are changing profile text color and background color. 
我试图使用户可以更改他们正在更改配置文件的文本颜色和背景颜色。
I created this DEMO from codepen.io 我从codepen.io创建了这个DEMO
In this demo you can see when you checked any radio button then .colored-text div inside text will changing automatically. 在此演示中,您可以看到选中任何单选按钮后.colored-text div会自动更改。
I want to allow only that color: #fa743e,#323949,#0000,#d8dbdf . 我只允许该颜色: #fa743e,#323949,#0000,#d8dbdf 。 But the problem is here if user change for example #fa743e to #ffffff using developer console the #ffffff color posting in database. 但问题是,如果在这里例如用户改变#fa743e到#ffffff使用开发者控制台上#ffffff数据库颜色张贴。 It is not good. 不好
this is form : 这是表格:
<form method="post" action="">
<!--Text Color-->
<div class="renk">
<input type="radio" id="red" class="sr ja" name="change-text-color" value="#fa743e">
<label for="red" class="llr"></label>
</div>
<!--Background Color-->
<div class="renk">
<input type="radio" id="lr" class="lr ja" name="change-background-color" value="#000000">
<label for="lr" class="llr"></label>
</div>
</form>
I am using this ajax post method: 我正在使用此ajax发布方法:
$.ajax({
type: "POST",
url: 'change_theme.php',
data: {change-text-color:$('input[name="change-text-color"]:checked').val(),change-background-color:$('input[name="change-background-color"]:checked').val()},
beforeSend: function(){$("#posting").html('<img src="icons/ajaxloader.gif"/>'); },
success: function(html) {
$('.tduzalani, .temayi-degistir-alani').animate({'opacity':'0'}, 300, 'linear', function(){
$('.tduzalani, .temayi-degistir-alani').css('display', 'none');});
swal({ title: "Theme was changing succuesfully!", text: ":)", timer: 5000 });
}
});
and this is change_theme.php 这是change_theme.php
<?php
include_once 'includes.php';
$colors = array( '#fa743e','#ffcc4d','#94d487','#4a913c','#89c9fa','#3b94d9','#abb8c2','#dd2e44','#f5abb5','#bfcfee','#be72ea','#ea729f','#000000','#0e1d40','#0e4034','#40310e','#451468','#ffffff','#006cff','#bb0707','#660202','#44404b','#422929','#323949');
if((isSet($_POST['change-text-color']) && in_array($_POST['change-text-color'], $colors)) || (isSet($_POST['change-change-background-color']) && in_array($_POST['change-background-color'], $colors)))
{
$text-color=mysql_real_escape_string($_POST['change-text-color']);
$background-color=mysql_real_escape_string($_POST['change-background-color']);
$data=$Suavi->change_theme($uid,$text-color,$background-color);
}
?>
3 个解决方案
解决方案1
3 已采纳
The bottom line: Never trust anything from the client. 底线:永远不要信任客户的任何东西。 The client can change whatever they desire, and can even edit the data that's going to the server. 客户端可以更改他们想要的任何内容,甚至可以编辑要发送到服务器的数据。 If you wish to ensure they can't do something, then you will have to put checks on the only thing they can't change (The server). 如果您希望确保他们无法执行某些操作,则必须检查他们唯一无法更改的内容(服务器)。 Here is a good guide explaining the benefits of what I mentioned. 这是一个很好的指南,解释了我提到的好处。
To answer your comment below: 要在下面回答您的评论:
Javascript : Javascript :
$.ajax({
type: "POST",
url: 'change_theme.php',
data: {change-text-color:$('input[name="change-text-color"]:checked').val(),change-background-color:$('input[name="change-background-color"]:checked').val()},
beforeSend: function(){$("#posting").html('<img src="icons/ajaxloader.gif"/>'); },
success: function(html) {
if ( html == "1" ) {
$('.tduzalani, .temayi-degistir-alani').animate({'opacity':'0'}, 300, 'linear', function(){
$('.tduzalani, .temayi-degistir-alani').css('display', 'none');});
swal({ title: "Theme was changing succuesfully!", text: ":)", timer: 5000 });
} else {
alert('There was an error saving this!')
}
}
});
PHP : PHP :
<?php
include_once 'includes.php';
$textcolors = array('#fa743e','#323949','#000000','#d8dbdf');
$bgcolors = array('#fa743e','#ffcc4d','#94d487','#4a913c','#89c9fa','#3b94d9','#abb8c2','#dd2e44','#f5abb5','#bfcfee','#be72ea','#ea729f','#000000','#0e1d40','#0e4034','#40310e','#451468','#ffffff','#006cff','#bb0707','#660202','#44404b','#422929','#323949');
//
if( isSet($_POST['change-text-color']) && in_array($_POST['change-text-color'], $textcolors) && isSet($_POST['change-change-background-color']) && in_array($_POST['change-background-color'], $bgcolors) )
{
$text-color=mysql_real_escape_string($_POST['change-text-color']);
$background-color=mysql_real_escape_string($_POST['change-background-color']);
$data=$Suavi->change_theme($uid,$text-color,$background-color);
echo 1;
}
else
{
echo 0;
}
exit;
?>
解决方案2
2 2015-02-17 12:40:09
There is no way you can prevent users from changing stuff in their console. 您无法阻止用户更改其控制台中的内容。 All the front-end code (HTML, JS, CSS) is sent to the browser, then anybody can view it and change it to their will. 所有前端代码(HTML,JS,CSS)都发送到浏览器,然后任何人都可以查看并将其更改为自己的意愿。 If you really want to limit the allowed colors, make a server-side check. 如果您确实想限制允许的颜色,请进行服务器端检查。
解决方案3
0 2015-02-17 12:59:01
In the server-side code change_theme.php you should have two seperate arrays for textcolors and background colors. 在服务器端代码change_theme.php中,您应该具有两个分别用于textcolors和background colors的数组。
<?php
include_once 'includes.php';
$bgcolors = array('#fa743e','#ffcc4d','#94d487','#4a913c','#89c9fa','#3b94d9','#abb8c2','#dd2e44','#f5abb5','#bfcfee','#be72ea','#ea729f','#000000','#0e1d40','#0e4034','#40310e','#451468','#ffffff','#006cff','#bb0707','#660202','#44404b','#422929','#323949');
$textcolors = array('#fa743e','#323949','#000000','#d8dbdf');
if((isSet($_POST['change-text-color']) && in_array($_POST['change-text-color'], $textcolors)) || (isSet($_POST['change-change-background-color']) && in_array($_POST['change-background-color'], $bgcolors)))
{
$text-color=mysql_real_escape_string($_POST['change-text-color']);
$background-color=mysql_real_escape_string($_POST['change-background-color']);
$data=$Suavi->change_theme($uid,$text-color,$background-color);
}
?>
Hope this helps you. 希望这对您有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.