堆栈内存溢出
  简体   繁体   English

我可以混淆PHP函数调用

[英]Can I obfuscate a PHP function call

 原文  2015-09-11 13:03:25       javascript/ php

问题描述

I have a JavaScript function like this: 我有这样的JavaScript函数: 

function delPhoto(thisPhotoID) {
  $("#php").load("delphoto.php?id=" + thisPhotoID);
}

This PHP function deletes the appropriate photo from a MySQL database, however anyone who looks at the source for the webpage could maliciously call the delphoto.php script with any number and delete random photos from the database. 这个PHP函数从MySQL数据库中删除适当的照片,但是任何查看网页源的人都可以恶意调用任意数量的delphoto.php脚本,并从数据库中删除随机照片。

Is there a way that I can obfuscate this function call so that this can't be done, or is there a way for the PHP function to refuse calls made to it from outside of the webpage? 有没有一种方法可以混淆此函数调用,使之无法完成,或者有没有办法让PHP函数拒绝从网页外部对其进行的调用?

3 个解决方案

解决方案1
 1  2015-09-11 13:33:31

I am wondering if I can implement some kind of checksum such that delphoto.php would know that it was a valid call, 我想知道我是否可以实现某种校验和,以便delphoto.php知道这是一个有效的调用,

Eg: 例如: 

delphoto.php?id=13&checksum=A4F8W9

where 13 equates to A4F8W9 and without the correct checksum it wouldn't be a valid call? 如果13等于A4F8W9,并且没有正确的校验和,那将不是有效的电话? So if someone wanted to try to delete image #14 they would need to figure out how to compute the correct checksum. 因此,如果有人想删除#14影像,他们将需要弄清楚如何计算正确的校验和。

解决方案2
 1  2015-09-11 13:52:40

Security Issue 1: 安全问题1:
Never expose your back-end in this way : build a contoller; 切勿以这种方式暴露您的后端:建造一个控制器。 Front-end must communicate only with controller, so all of your PHP scripts will be hidden for users 前端必须仅与控制器通信,因此所有PHP脚本将对用户隐藏

Security Issue 2: 安全问题2:
Use the system of token for this kind of operations 使用令牌系统进行此类操作

1- Generate a random number, ex: using uniqid() , store it in list or associative array (User, Token) and push it in Memcached , ANYEM or Redis Data Server 1-生成一个随机数,例如:使用uniqid() ,将其存储在列表或关联数组(用户,令牌)中,并将其推送到 MemcachedANYEMRedis数据服务器中
2- Generate your Link : 2-生成您的链接: 

"controller?action=delete&imageId=" . $photoID . "&token=" . $tokenId";

3- When method DELETE is executed, verify the received $tokenId , if action is allowed, delete the stored Token from Data Server (it must be used only once) 3-当执行方法DELETE时 ,验证收到的$tokenId ,如果允许操作,请从数据服务器中删除存储的令牌(必须仅使用一次)

解决方案3
 0  2015-09-11 13:49:25

however anyone who looks at the source for the webpage could maliciously call the delphoto.php script with any number and delete random photos from the database. 但是,任何查看网页来源的人都可以恶意调用任意数量的delphoto.php脚本,并从数据库中删除随机照片。

If I wanted to screw with your website, or even if I was just curious and poking around, having numeric ID's for your photos available to the world is a great place to start. 如果我想搞砸您的网站,或者即使我只是好奇并四处逛逛,那么为您的照片提供数字ID可以向全世界公开是一个不错的起点。 Especially with something like "delphoto". 特别是像“ delphoto”之类的东西。 If I wanted to place load on your server as well as mess with you in general, I would setup a script to hammer every single ID I could in parallel. 如果我想在服务器上加重负载,并且又想惹上你,那么我将设置一个脚本来锤打我可以并行处理的每个ID。 Not only would this cause massive headaches for the user from data loss, but depending on if this call is deleting the photo from disk it could tie up server resources as well. 这不仅会因数据丢失而使用户感到头疼,而且取决于此调用是否从磁盘删除照片,它也可能占用服务器资源。

Is there a way that I can obfuscate this function call so that this can't be done, or is there a way for the PHP function to refuse calls made to it from outside of the webpage? 有没有一种方法可以混淆此函数调用,使之无法完成,或者有没有办法让PHP函数拒绝从网页外部对其进行的调用?

It's good that you're conscious enough to understand that what you have currently is not secure. 足够有意识地了解您当前拥有的不安全是一件好事。 But obfuscation is no replacement for actual security. 但是混淆并不能替代实际的安全性。 Any administrative function on a website should be secured by both a user system, and by a role management scheme. 网站上的任何管理功能均应同时由用户系统和角色管理方案保护。 There should be a clear cut difference between a user and an admin as far as who can do what on a site. 就用户可以在网站上执行的操作而言,用户和管理员之间应该有明显的区别。

I don't know if you're using a framework, but obviously we can't tell you how to secure the endpoint without seeing any code on how your user system works. 我不知道您是否正在使用框架,但是很明显,如果看不到有关用户系统工作方式的任何代码,我们就无法告诉您如何保护端点。 But if you have one you need to look into the documentation and determine how to check if a user is: 但是,如果您有一个用户,则需要查看文档并确定如何检查用户是否为:

  1. Logged in 登录
  2. Has permission to run the action 有权执行操作

Depending on what your system does, this might need to change. 根据您系统的功能,可能需要更改。 For example, an admin should be able to delete anything. 例如,管理员应该能够删除任何内容。 But a user should only be able to delete their own photos. 但是用户只能删除自己的照片。 So part of the "permission to run the action" would have an ownership check. 因此,“执行该操作的权限”的一部分将进行所有权检查。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在JavaScript中混淆字符串? - How can I obfuscate a string in JavaScript? JavaScript可以直接调用PHP函数,还是需要单独的php文件来调用函数? - Can JavaScript call a PHP function directly, or do I need separate php file to call the function? 如何使用ajax从js调用php函数? - how can I call php function from js using ajax? 如何传递php include调用作为javascript函数的变量? - How can I pass a php include call as a variable for javascript function? 如何通过按按钮调用页面上的PHP函数? - How can I call an on page PHP function by pressing a button? 我如何使用表单提交调用php函数 - how can i call a php function using form submit 如何将PHP字符串传递给Javascript函数调用? - How can I pass a PHP string into a Javascript function call? 如何在wordpress中从ajax调用php函数? - How can I call a php function from ajax in wordpress? 我无法从PHP代码中调用javascript函数 - I can't call a javascript function from within PHP code 我可以在表单提交上调用php文件,并从中调用或回显JS函数吗? - Can I call a php file on form submit, and call or echo a JS function from that?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM