我怎么能自信地知道用户没有更改文本框值?
[英]How can I know with confidence that a user hasn't changed a textbox value?
问题描述
I'm working on Wordpress and want to send the user id to the server for process with AJAX. 
我正在使用Wordpress,希望将用户ID发送到服务器以进行AJAX处理。 So I store this value ( user_id ) in an hidden input textbox, and every time I read this value, pass it to jQuery and send to server by AJAX. 因此,我将此值( user_id )存储在一个隐藏的输入文本框中,并且每次读取该值时,将其传递给jQuery并通过AJAX发送给服务器。 The problem is that users can change this value (by inspecting the page). 问题是用户可以更改此值(通过检查页面)。 The below code is one of my attempts: 以下代码是我的尝试之一:
<input hidden="true" type="text" id="userid" value="<?php echo get_current_user_id() ?>">
<script type="text/javascript">
$( document ).ready( function(){
var previousValue = $("#userid").val();
$("#userid").keyup(function(e){
var currentValue = $(this).val();
if(currentValue != previousValue){
$('#userid').val(previousValue);
}
});
}
</script>
But apparently it can't be executed when the user inspects the page (via Chrome, Firefox or anything else) and changes the value. 但是显然,当用户检查页面(通过Chrome,Firefox或其他任何方式)并更改值时,无法执行该页面。 How can I authenticate a user id? 如何验证用户标识?
2 个解决方案
解决方案1
1 已采纳 2015-12-12 18:05:03
This can not be done. 无法做到这一点。 You can never guarantee anything about what happens on the client. 您永远无法保证会在客户端上发生任何事情。 All the ways to prevent someone tampering with the user ID would rely on the browser somehoe enforcing it, but the client could run any piece of software on their machine . 防止他人篡改用户ID的所有方法都将依靠浏览器对它进行强制执行,但是客户端可以在其计算机上运行任何软件 。 Therefore all security arrangement must rest on the assumption that any data sent by the client can not be trusted. 因此,所有安全措施都必须基于以下假设:客户端发送的任何数据均不可信任。
I guess that what you are trying to do is to identify a user. 我猜您正在尝试做的是识别用户。 That can actually be achieved by using PHP session . 这实际上可以通过使用PHP session来实现。 Store the user id in the PHP session variable instead. 而是将用户ID存储在PHP会话变量中。 If you want, you can pass it to the client, but don't rely on that to enforce any authentication. 如果需要,可以将其传递给客户端,但不要依靠它来执行任何身份验证。 In other words, don't have the client pass it back to the server. 换句话说,不要让客户端将其传递回服务器。
So, what does this practically mean for you? 那么,这实际上对您意味着什么? Wordpress already uses PHP sessions to keep track of the user. WordPress已使用PHP会话来跟踪用户。 When you do an AJAX call, I asume it goes to some PHP page. 当您进行AJAX调用时,我假设它会转到一些PHP页面。 That PHP script should just get the user id from Wordpress (ie the server) using get_current_user_id() , instead of having it sent from the client. 该PHP脚本应该只使用get_current_user_id()从Wordpress(即服务器)获取用户ID,而不是从客户端发送它。
解决方案2
0 2015-12-12 18:01:12
Follow these steps: 跟着这些步骤:
- Use a hashing technique and hash your userid. 使用哈希技术并哈希您的用户ID。
- Send original userid and hash value to the client system (hidden field can be an option). 将原始用户标识和哈希值发送到客户端系统(可以选择“隐藏字段”)。
- Send back userid and hash value through ajax from client to server. 通过Ajax将userid和哈希值从客户端发送回服务器。
- Hash userid once again using same hashing technique in the server. 在服务器中再次使用相同的哈希技术哈希用户ID。
- If pervious hash value match with recent hash value, then nothing tampered. 如果先前的哈希值与最近的哈希值匹配,则没有任何篡改。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.